Re: Query for blank passwords in Active Directory

From: Marco Ivaldi (raptor@mediaservice.net)
Date: Thu Apr 05 2007 - 06:43:00 EDT


Igor,

On Thu, 5 Apr 2007, Teh Fizzgig wrote:

> igor.mamuzic@koncar-inem.hr wrote:
>> Hi all,
>>
>> Is there any way to get a list of Active Directory users with blank
>> passwords? Of course, I'm attempting to discover such user accounts
>> with domain admin privileges.
>
> Do you have a list of users already or are you seeking that information
> as well?

Depending on your Domain Controllers configuration, it may be extremely
easy to enumerate users, even without having credentials for accessing the
AD domain. For a basic example take a look at:

http://www.0xdeadbeef.info/code/smbenum

If rpcclient's "enumusers" command doesn't work, it may still be possible
to get the users list scanning for SIDs. You can do that using "lsaquery"
and "lookupsids" commands, or switching to other tools such as Nessus or
GetAcct.exe. If you're stuck on Windows as testing platform, you should
also take a look at enum.exe.

Furthermore, some (widespread) configurations allow user enumeration via
SNMP (a read-only community is enough to perform the attack). Finally,
LDAP may also leak such information.

> If you already have the user list, might I suggest medusa:
>
> http://www.foofus.net/jmk/medusa/medusa.html
>
> You want the smbnt module along with the -ns option (tests for blank
> username as well as username = password). It's multithreaded and pretty
> quick with these things.

Once you've got the users list, you may use medusa/hydra as suggested, or
even write your own script, such as:

http://www.0xdeadbeef.info/code/smbrute
(this currently enumerates users with username == password, thus it
requires some modification to fulfill your specific needs)

On Windows, you may write a batch script using the "NET USE" command.

Finally, if you have domain administration privileges as you say, it may
be even easier to dump and crack the passwords, using programs such as:

http://www.foofus.net/fizzgig/pwdump/
http://www.foofus.net/fizzgig/fgdump/
[your favorite Windows password cracker goes here;)]

Hope this helps,

-- 
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
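As an added example (not part of Marco's reply or any tool linked in the thread), here is the audit-side version of the original question: a domain administrator does not need to guess logons to find accounts that are *allowed* to have an empty password, because that is recorded in the `userAccountControl` attribute as the PASSWD_NOTREQD bit (0x0020). The block builds the LDAP filter you would hand to `ldapsearch` or `Get-ADUser -LDAPFilter`, and applies the same predicate to already-fetched entries, ranking accounts with `adminCount=1` or a privileged group membership first. The `example.com` group DNs and the sample entries are constructed for the example. One caveat: PASSWD_NOTREQD means the DC will accept a blank password, not that the password currently is blank; confirming the latter still needs an authenticated logon test, which is what the medusa/smbrute approach in the thread does.

```python
# Added audit example (not from the thread): list AD accounts whose
# userAccountControl has PASSWD_NOTREQD set, i.e. accounts the DC will
# accept with an empty password regardless of the domain password policy.
# Runs offline against a constructed sample; the filter string is what you
# would hand to ldapsearch or Get-ADUser -LDAPFilter.
from dataclasses import dataclass, field

# userAccountControl bits (Microsoft ADS_USER_FLAG_ENUM values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_NORMAL_ACCOUNT = 0x0200
# AD extensible match rule for bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Assumption: group DNs that count as "privileged" for this audit
# (example.com is a placeholder domain).
PRIVILEGED_GROUP_DNS = (
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=Enterprise Admins,CN=Users,DC=example,DC=com",
)


def passwd_notreqd_filter(include_disabled: bool = False) -> str:
    """Return an LDAP filter matching user objects with PASSWD_NOTREQD set.

    By default disabled accounts are excluded with a second bitwise match.
    """
    bit = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_PASSWD_NOTREQD})"
    base = f"(objectCategory=person)(objectClass=user){bit}"
    if include_disabled:
        return f"(&{base})"
    not_disabled = f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE}))"
    return f"(&{base}{not_disabled})"


@dataclass
class Finding:
    sam_account_name: str
    disabled: bool
    privileged: bool  # adminCount=1 (AdminSDHolder) or privileged group member
    groups: list = field(default_factory=list)


def audit_entries(entries, include_disabled=False):
    """Apply the same predicate as passwd_notreqd_filter() to fetched entries
    (dicts keyed by LDAP attribute name) and rank privileged hits first."""
    findings = []
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        if not uac & UAC_PASSWD_NOTREQD:
            continue
        disabled = bool(uac & UAC_ACCOUNTDISABLE)
        if disabled and not include_disabled:
            continue
        groups = list(e.get("memberOf", []))
        privileged = int(e.get("adminCount", 0)) == 1 or any(
            g in PRIVILEGED_GROUP_DNS for g in groups
        )
        findings.append(Finding(e["sAMAccountName"], disabled, privileged, groups))
    # Privileged accounts first, then alphabetical, so the worst hits lead the report.
    findings.sort(key=lambda f: (not f.privileged, f.sam_account_name))
    return findings


# Constructed sample directory entries (not real accounts).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_backup",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_PASSWD_NOTREQD,
     "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    {"sAMAccountName": "jdoe", "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "kiosk01",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_PASSWD_NOTREQD},
    {"sAMAccountName": "olduser",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_PASSWD_NOTREQD | UAC_ACCOUNTDISABLE},
]

if __name__ == "__main__":
    print(passwd_notreqd_filter())
    for f in audit_entries(SAMPLE_ENTRIES):
        print(f"{f.sam_account_name:12} privileged={f.privileged} disabled={f.disabled}")
```

The flag can be cleared per account with `Set-ADUser -PasswordNotRequired $false` (or the equivalent attribute edit in ADUC); re-running the filter afterwards gives the regression check.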


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:41 EDT