Penetration Testing mailing list archives

Re: Active Directory user enumeration

From: "Robert Petrunic" <robert () petrunic com>
Date: Sun, 29 Jan 2006 11:59:44 +0100

Windows 2000 AD allows anonymous user enumeration, 2k3 AD does not. If youupgraded your domain from 2k to 2k3 AD - it allows anonymous userenumeration. Of corse all you want to prevent this, all you have to do is tochange the policy.If you happend to know only one SID from this domain, you could enumerateusers in it with any "hack" tool anonymously, because all SID's have commonroot. You know that admin account has 500 at the end, and all you have to dois to try to "guess" the SID's for the rest of accounts. So you start askingAD for username that belongs to SID 501, 502 .... 1000... 2000 ...3000 etc.It will return to you the names for the accounts if this SID exists.


Robert

----- Original Message -----From: "MOpsitos" <mopsitos () zbzoom net>To: "Robert Petrunic" <robert () petrunic com>; "Sam Evans"<wintrmte () gmail com>; "ilaiy" <ilaiy.e () gmail com>Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>;<pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>

Sent: Saturday, January 28, 2006 3:36 PM
Subject: Re: Active Directory user enumeration

I'm fairly certain that by default AD does not allow anonymous browsing

below the root level of the directory. Only authenticated users canbrowse

beyond the root.

Matt

----- Original Message -----
From: "Robert Petrunic" <robert () petrunic com>
To: "Sam Evans" <wintrmte () gmail com>; "ilaiy" <ilaiy.e () gmail com>
Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>;
<pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
Sent: Friday, January 27, 2006 3:40 AM
Subject: Re: Active Directory user enumeration

Try with Cain&Abel.
If administrator disabled anonymous user enumeration trough group policy

you

can't do it.

Robert

----- Original Message -----
From: "Sam Evans" <wintrmte () gmail com>
To: "ilaiy" <ilaiy.e () gmail com>
Cc: "Frederic Charpentier" <fcharpen () xmcopartners com>;
<pen-test () securityfocus com>; "Uno Mille" <umil () hotmail com>
Sent: Friday, January 27, 2006 6:50 AM
Subject: Re: Active Directory user enumeration


I'm not sure there is a way to enumerate AD through LDAP without
having to authenticate first.  I have not tried it, but I am guessing
that Anonymous Bind is turned off by default (man, now I'm kinda
paranoid, I'll have to check!)

-Sam


On 1/26/06, ilaiy <ilaiy.e () gmail com> wrote:
> Try this one for linux
>
> http://www-unix.mcs.anl.gov/~gawor/ldap/
>
> ./thanks
> ilaiy
>
> On 1/24/06, Frederic Charpentier <fcharpen () xmcopartners com> wrote:
> > you can try the Softerra LDAP browser if the server allows anonymous
> > read access (which is often the case).
> >
> > http://download.softerra.com/files/ldapbrowser26.msi
> >
> > Fred
> >
> > Uno Mille wrote:
> > > Hello,
> > > I need to perform a pentest on an 2003 Active Directory environment
> > > and I

> > > could not find a way to anonymously enumerate users, password> > > policy

> > > and etc
> > > as we normally do in a NT environment.
> > > Any way of doing it through LDAP without any authentication ?
> > > Regards,
> > > Uno
> >
> > --
> > Frederic Charpentier - Xmco Partners
> > Security Consulting / Pentest
> > web  : http://www.xmcopartners.com/tests-intrusion.html
> >
> >
>
--------------------------------------------------------------------------

----

> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking applications on
> > your
> > website. Up to 75% of cyber attacks are launched on shopping carts,
> > forms,
> > login pages, dynamic content etc. Firewalls, SSL and locked-down

servers

> > are
> > futile against web application hacking. Check your website for
> > vulnerabilities
> > to SQL injection, Cross site scripting and other web attacks before
> > hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
>
--------------------------------------------------------------------------

-----

> >
> >
>

--------------------------------------------------------------------------

----

> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on

your

> website. Up to 75% of cyber attacks are launched on shopping carts,

forms,

> login pages, dynamic content etc. Firewalls, SSL and locked-down> servers

> are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831

--------------------------------------------------------------------------

-----

>
>

--------------------------------------------------------------------------

----

Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your

website. Up to 75% of cyber attacks are launched on shopping carts,forms,

login pages, dynamic content etc. Firewalls, SSL and locked-down servers

are

futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before

hackers

do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------------------

-----





--------------------------------------------------------------------------

----

Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your

website. Up to 75% of cyber attacks are launched on shopping carts,forms,

login pages, dynamic content etc. Firewalls, SSL and locked-down servers

are

futile against web application hacking. Check your website for

vulnerabilities

to SQL injection, Cross site scripting and other web attacks before

hackers do!

Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------------------

-----



------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Active Directory user enumeration Uno Mille (Jan 24)
- Re: Active Directory user enumeration Frederic Charpentier (Jan 26)
  - Re: Active Directory user enumeration ilaiy (Jan 26)
    - Re: Active Directory user enumeration Sam Evans (Jan 27)
    - Re: Active Directory user enumeration Robert Petrunic (Jan 27)
    - Re: Active Directory user enumeration MOpsitos (Jan 30)
    - Re: Active Directory user enumeration Robert Petrunic (Jan 30)
- Re: Active Directory user enumeration Louis Lerman (Jan 29)
- <Possible follow-ups>
- RE: Active Directory user enumeration Michael Scheidell (Jan 29)
- RE: Active Directory user enumeration Free, Bob (Jan 30)