Penetration Testing mailing list archives
RE: Active Directory user enumeration
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Sat, 4 Feb 2006 17:16:54 -0500
A small addition... This behaviour is initially determined during Domain Controller installation. When you run dcpromo you get to configure this option on the Permissions page, where you can select either "Permissions compatible with pre-Windows 2000 servers" or "Permissions compatible only with Windows 2000 servers" / "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems" (on 2003). By default, the second option is selected on 2003, which doesn't allow anonymous LDAP operations other than reading the RootDSE container, which is required for LDAP v3 compatibility. So the bottom line is that unless your DC is a Windows 2000 machine that wasn't explicitly set to disallow anonymous read access to AD, or your DC is a Windows 2003 machine that was explicitly set to allow anonymous read access to AD, you are out of luck and you have to resort to various tricks (already mentioned in at least one of the replies).

If you are paranoid, the easiest way to check is to use the LDP.EXE utility, which is one of the support tools (downloadable from microsoft.com). Run it, Bind with the user name and password fields set to nothing (and uncheck the domain checkbox), and in advanced settings choose Simple Function Type. This will show you the RootDSE container. After that choose Tree View and select any of the available containers. If anonymous access is not allowed you'll see "No children" if you try to expand your selected container tree, and in the main window you'll see a message like this:

res = ldap_simple_bind_s(ld, 'NULL', <unavailable>); // v.3
Authenticated as dn:'NULL'.
Expanding base 'CN=Configuration,DC=yyyyyy,DC=xxxxx,DC=com'...
Error: Search: Operations Error. <1>
Result <1>: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Matched DNs:
Getting 0 entries:

Kyle

-----Original Message-----
From: Free, Bob [mailto:RWF4 () pge com]
Sent: Friday, January 27, 2006 4:44 PM
To: Sam Evans; ilaiy
Cc: Frederic Charpentier; pen-test () securityfocus com; Uno Mille
Subject: RE: Active Directory user enumeration

The default behavior was changed in 2003. 2000 generally allowed anonymous connections, and then the results were based on the individual objects' permissions. By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers; any other query will result in the domain controller requesting an authenticated bind to LDAP.

Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers: http://support.microsoft.com/?kbid=326690

hth
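The LDP.EXE check described above can also be scripted, which is handy when you want to verify the setting on every DC in a forest rather than clicking through one at a time. The following PowerShell script is an added example, not code from the thread or from Microsoft: it performs an anonymous LDAP v3 simple bind with System.DirectoryServices.Protocols, reads RootDSE (which any LDAP v3 server must serve anonymously), and then tries a read of the domain object itself. The $Server parameter is an assumption; point it at your own domain controller.

```powershell
# Added example (not from the original thread): check whether a domain
# controller answers anonymous LDAP reads beyond RootDSE. $Server is an
# assumed parameter; run this against your own DC.
param([Parameter(Mandatory = $true)][string]$Server)

Add-Type -AssemblyName System.DirectoryServices.Protocols

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion = 3   # LDAP v3, the same "v.3" ldp.exe reports
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$conn.Bind()                               # anonymous simple bind: empty DN, empty password

# Step 1: RootDSE must be readable anonymously (required for LDAP v3 compatibility)
$rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "", "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base,
    @("defaultNamingContext"))
$rootResp = $conn.SendRequest($rootReq)
$baseDn = $rootResp.Entries[0].Attributes["defaultNamingContext"][0]
"RootDSE readable anonymously; defaultNamingContext = $baseDn"

# Step 2: try to read the domain object itself. On a 2003 DC with the default
# permissions this fails with Operations Error (result code 1), which is the
# same condition ldp.exe shows as "No children" in the tree view.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $baseDn, "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base,
    @("name"))
try {
    $resp = $conn.SendRequest($req)
    "WARNING: anonymous read allowed; $($resp.Entries.Count) entry returned for $baseDn"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    $rc = $_.Exception.Response.ResultCode
    if ($rc -eq [System.DirectoryServices.Protocols.ResultCode]::OperationsError) {
        "OK: DC requires an authenticated bind for reads beyond RootDSE ($rc)"
    } else {
        "Unexpected LDAP result: $rc - $($_.Exception.Message)"
    }
}
$conn.Dispose()
```

Run it as `.\Check-AnonLdap.ps1 -Server dc01.example.com` from any host that can reach TCP/389 on the DC. The base-scope read of the domain object is deliberate: it is the smallest read that exercises the anonymous-access setting, so the script tells you whether the DC is in the "pre-Windows 2000 compatible" state without enumerating anything.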
Current thread:
- Re: Active Directory user enumeration jmk (Feb 01)
- <Possible follow-ups>
- RE: Active Directory user enumeration Evans, Arian (Feb 04)
- RE: Active Directory user enumeration Kyle Quest (Feb 04)