Re: Active Directory user enumeration

From: jmk (jmk@foofus.net)
Date: Mon Jan 30 2006 - 09:51:11 EST


On Tue, 2006-01-24 at 09:42 +0000, Uno Mille wrote:
> Hello,
> I need to perform a pentest on an 2003 Active Directory environment and I
> could not find a way to anonymously enumerate users, password policy and etc
> as we normally do in a NT environment.
> Any way of doing it through LDAP without any authentication ?
> Regards,
> Uno

You have a number of options...

Ldapenum: I haven't personally used this, but from sf.net... ldapenum is
a perl script designed to enumerate system and password information from
domain controllers using the LDAP service when IPC$ is locked.

https://sourceforge.net/projects/ldapenum

OWNR: OWNR is modular system which can enumerate user, group, and
password information from NT-based systems or AD. An older version of
OWNR can be found in Foofus's DC12 presentation materials.

http://www.foofus.net/defcon/foofus-DC12-v2.tar.bz2

Rpcclient: SAMBA's rpcclient is useful for performing reverse SID
enumeration. Using the "lookupsids" command along with the domain SID,
it's often possible to anonymously enumerate users and groups via
brute-force ID guessing.

Joe

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:25 EDT