Penetration Testing mailing list archives
Re: Query for blank passwords in Active Directory
From: Marco Ivaldi <raptor () mediaservice net>
Date: Thu, 5 Apr 2007 12:43:00 +0200 (Western European Standard Time)
Igor,

On Thu, 5 Apr 2007, Teh Fizzgig wrote:

> igor.mamuzic () koncar-inem hr wrote:
>> Hi all,
>> Is there any way to get a list of Active Directory users with blank passwords? Of course, I'm attempting to discover such user accounts with domain admin privileges.
>
> Do you have a list of users already or are you seeking that information as well?
Depending on your Domain Controllers' configuration, it may be extremely easy to enumerate users, even without having credentials for accessing the AD domain. For a basic example take a look at:

http://www.0xdeadbeef.info/code/smbenum

If rpcclient's "enumusers" command doesn't work, it may still be possible to get the users list scanning for SIDs. You can do that using "lsaquery" and "lookupsids" commands, or switching to other tools such as Nessus or GetAcct.exe. If you're stuck on Windows as testing platform, you should also take a look at enum.exe.
Furthermore, some (widespread) configurations allow user enumeration via SNMP (a read-only community is enough to perform the attack). Finally, LDAP may also leak such information.
> If you already have the user list, might I suggest medusa:
> http://www.foofus.net/jmk/medusa/medusa.html
> You want the smbnt module along with the -ns option (tests for blank username as well as username = password). It's multithreaded and pretty quick with these things.
Once you got the users list, you may use medusa/hydra as suggested, or even write your own script, such as:
http://www.0xdeadbeef.info/code/smbrute

(this currently enumerates users with username == password, thus it requires some modification to fulfill your specific needs)

On Windows, you may write a batch script using the "NET USE" command.

Finally, if you have domain administration privileges as you say, it may be even easier to dump and crack the passwords, using programs such as:

http://www.foofus.net/fizzgig/pwdump/
http://www.foofus.net/fizzgig/fgdump/
[your favorite Windows password cracker goes here;)]

Hope this helps,

-- 
Marco Ivaldi, OPST
Chief Security Officer
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
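The original question, a domain admin wanting to find accounts with blank passwords, can also be approached from the directory side before any authentication testing. The following PowerShell script is an added audit example, not code from this thread or from any of the tools it names. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain. It lists accounts whose userAccountControl has the PASSWD_NOTREQD bit (0x20) set, which is the flag that allows an account to bypass the minimum password length and hold an empty password.

```powershell
# Added audit example (not from the thread): list AD accounts that are permitted
# to have an empty password, i.e. PASSWD_NOTREQD (0x20) is set in userAccountControl.
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

# Matching-rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the
# filter matches user objects whose userAccountControl has the 0x20 bit set.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'

$flagged = Get-ADUser -LDAPFilter $ldapFilter -Properties userAccountControl, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ Name = 'UAC'; Expression = { '0x{0:X}' -f $_.userAccountControl } }

$flagged | Format-Table -AutoSize

# Enabled accounts that have never had a password set are the most likely to be blank.
$neverSet = @($flagged | Where-Object { $_.Enabled -and -not $_.PasswordLastSet })
'{0} account(s) with PASSWD_NOTREQD; {1} enabled and never set a password' -f @($flagged).Count, $neverSet.Count
```

The flag only shows that an empty password is permitted, not that one is in use, so a hit here still has to be confirmed (the authentication tests discussed in the thread are one way). Accounts that should not carry the flag can be fixed with Set-ADAccountControl -PasswordNotRequired $false, after which the domain password policy applies to them again at the next password change.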