RE: Active Directory user enumeration

From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Tue Jan 31 2006 - 18:45:29 EST


If you are on Windows, MS has free DSML packages for various client
OS versions you can use in writing custom ldap/sid enumeration scripts
using SOAP access over HTTP.

This is what I use:

http://www.microsoft.com/technet/downloads/winsrvr/featurepacks/default.mspx

Several of the packages used to come with pre-built scripts that only
required a little tweaking for this purpose...but they seem to have
removed the brute-force-me-now templates.

Same caveats as anon ldap browsing apply.

-ae

> -----Original Message-----
> From: Robert Petrunic [mailto:robert@petrunic.com]
> Sent: Sunday, January 29, 2006 5:00 AM
> To: MOpsitos; Sam Evans; ilaiy
> Cc: Frederic Charpentier; pen-test@securityfocus.com; Uno Mille
> Subject: Re: Active Directory user enumeration
>
>
> Windows 2000 AD allows anonymous user enumeration, 2k3 AD does not. If you
> upgraded your domain from 2k to 2k3 AD - it allows anonymous user
> enumeration. Of course, if you want to prevent this, all you have to do is
> change the policy.
> If you happen to know only one SID from this domain, you could enumerate
> users in it with any "hack" tool anonymously, because all SIDs have a common
> root. You know that the admin account has 500 at the end, and all you have to
> do is to try to "guess" the SIDs for the rest of the accounts. So you start
> asking AD for the username that belongs to SID 501, 502 .... 1000... 2000
> ...3000 etc.
> It will return to you the names for the accounts if this SID exists.
>
> Robert
>
> ----- Original Message -----
> From: "MOpsitos" <mopsitos@zbzoom.net>
> To: "Robert Petrunic" <robert@petrunic.com>; "Sam Evans"
> <wintrmte@gmail.com>; "ilaiy" <ilaiy.e@gmail.com>
> Cc: "Frederic Charpentier" <fcharpen@xmcopartners.com>;
> <pen-test@securityfocus.com>; "Uno Mille" <umil@hotmail.com>
> Sent: Saturday, January 28, 2006 3:36 PM
> Subject: Re: Active Directory user enumeration
>
>
> > I'm fairly certain that by default AD does not allow anonymous browsing
> > below the root level of the directory. Only authenticated users can browse
> > beyond the root.
> >
> > Matt
> >
> > ----- Original Message -----
> > From: "Robert Petrunic" <robert@petrunic.com>
> > To: "Sam Evans" <wintrmte@gmail.com>; "ilaiy" <ilaiy.e@gmail.com>
> > Cc: "Frederic Charpentier" <fcharpen@xmcopartners.com>;
> > <pen-test@securityfocus.com>; "Uno Mille" <umil@hotmail.com>
> > Sent: Friday, January 27, 2006 3:40 AM
> > Subject: Re: Active Directory user enumeration
> >
> >
> >> Try with Cain&Abel.
> >> If administrator disabled anonymous user enumeration through group policy
> >> you can't do it.
> >>
> >> Robert
> >>
> >> ----- Original Message -----
> >> From: "Sam Evans" <wintrmte@gmail.com>
> >> To: "ilaiy" <ilaiy.e@gmail.com>
> >> Cc: "Frederic Charpentier" <fcharpen@xmcopartners.com>;
> >> <pen-test@securityfocus.com>; "Uno Mille" <umil@hotmail.com>
> >> Sent: Friday, January 27, 2006 6:50 AM
> >> Subject: Re: Active Directory user enumeration
> >>
> >>
> >> I'm not sure there is a way to enumerate AD through LDAP without
> >> having to authenticate first. I have not tried it, but I am guessing
> >> that Anonymous Bind is turned off by default (man, now I'm kinda
> >> paranoid, I'll have to check!)
> >>
> >> -Sam
> >>
> >>
> >> On 1/26/06, ilaiy <ilaiy.e@gmail.com> wrote:
> >> > Try this one for linux
> >> >
> >> > http://www-unix.mcs.anl.gov/~gawor/ldap/
> >> >
> >> > ./thanks
> >> > ilaiy
> >> >
> >> > On 1/24/06, Frederic Charpentier <fcharpen@xmcopartners.com> wrote:
> >> > > you can try the Softerra LDAP browser if the server allows anonymous
> >> > > read access (which is often the case).
> >> > >
> >> > > http://download.softerra.com/files/ldapbrowser26.msi
> >> > >
> >> > > Fred
> >> > >
> >> > > Uno Mille wrote:
> >> > > > Hello,
> >> > > > I need to perform a pentest on a 2003 Active Directory environment
> >> > > > and I could not find a way to anonymously enumerate users, password
> >> > > > policy, etc. as we normally do in an NT environment.
> >> > > > Any way of doing it through LDAP without any authentication ?
> >> > > > Regards,
> >> > > > Uno
> >> > >
> >> > > --
> >> > > Frederic Charpentier - Xmco Partners
> >> > > Security Consulting / Pentest
> >> > > web : http://www.xmcopartners.com/tests-intrusion.html
> >> > >
> >> > >
> >> >
> >>
> >> > > ------------------------------------------------------------------------------
> >> > > Audit your website security with Acunetix Web Vulnerability Scanner:
> >> > >
> >> > > Hackers are concentrating their efforts on attacking applications on your
> >> > > website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> >> > > login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> >> > > futile against web application hacking. Check your website for vulnerabilities
> >> > > to SQL injection, Cross site scripting and other web attacks before hackers do!
> >> > > Download Trial at:
> >> > >
> >> > > http://www.securityfocus.com/sponsor/pen-test_050831
> >> > > -------------------------------------------------------------------------------
> >> > >
> >> > >
> >> >
>
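
The SID-guessing pattern Robert Petrunic describes in the quoted reply (one source resolving SID after SID under a common domain root) has a recognisable shape on the defending side. The following is an added example, not part of the original thread: the `(source, identity, sid)` record shape, the thresholds and the sample records are assumptions, and real audit data would first need mapping into that shape.

```python
import re
from collections import defaultdict

# Domain account SIDs share the S-1-5-21-<a>-<b>-<c> root; the last field is the RID.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or None for anything else."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))

def find_rid_sweeps(events, min_run=10, max_gap=5, anonymous_only=True):
    """Flag sources that resolved a long run of closely spaced RIDs in one domain.

    events: iterable of (source, identity, sid) tuples (assumed record shape).
    Returns sorted (source, domain_sid, longest_run) tuples.
    """
    seen = defaultdict(set)
    for source, identity, sid in events:
        parts = split_sid(sid)
        if parts is None:
            continue  # built-in or malformed SID, not part of a domain sweep
        if anonymous_only and identity != "ANONYMOUS LOGON":
            continue
        seen[(source, parts[0])].add(parts[1])

    alerts = []
    for (source, domain_sid), rids in seen.items():
        ordered = sorted(rids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            alerts.append((source, domain_sid, best))
    return sorted(alerts)

# Constructed sample records: one anonymous sweep, one quiet anonymous host,
# one authenticated host, and one built-in SID that must be ignored.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = (
    [("10.0.0.5", "ANONYMOUS LOGON", f"{DOMAIN}-{rid}") for rid in range(500, 520)]
    + [("10.0.0.9", "ANONYMOUS LOGON", f"{DOMAIN}-{rid}") for rid in (500, 1104, 2150)]
    + [("10.0.0.7", "CORP\\helpdesk", f"{DOMAIN}-{rid}") for rid in range(1000, 1030)]
    + [("10.0.0.5", "ANONYMOUS LOGON", "S-1-5-32-544")]
)

if __name__ == "__main__":
    print(find_rid_sweeps(SAMPLE_EVENTS))
```

Passing `anonymous_only=False` applies the same run check to authenticated sessions as well.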




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:26 EDT