Re: Active Directory user enumeration

From: Robert Petrunic (robert@petrunic.com)
Date: Sun Jan 29 2006 - 05:59:44 EST

• Next message: Ivan .: "Re: Pen Testing Novell"
• Previous message: FocusHacks: "Re: Different methods of obtaining exploits"
• In reply to: MOpsitos: "Re: Active Directory user enumeration"
• Next in thread: Michael Scheidell: "RE: Active Directory user enumeration"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Windows 2000 AD allows anonymous user enumeration, 2k3 AD does not. If you
upgraded your domain from 2k to 2k3 AD - it allows anonymous user
enumeration. Of corse all you want to prevent this, all you have to do is to
change the policy.
If you happend to know only one SID from this domain, you could enumerate
users in it with any "hack" tool anonymously, because all SID's have common
root. You know that admin account has 500 at the end, and all you have to do
is to try to "guess" the SID's for the rest of accounts. So you start asking
AD for username that belongs to SID 501, 502 .... 1000... 2000 ...3000 etc.
It will return to you the names for the accounts if this SID exists.

Robert

----- Original Message -----
From: "MOpsitos" <mopsitos@zbzoom.net>
To: "Robert Petrunic" <robert@petrunic.com>; "Sam Evans"
<wintrmte@gmail.com>; "ilaiy" <ilaiy.e@gmail.com>
Cc: "Frederic Charpentier" <fcharpen@xmcopartners.com>;
<pen-test@securityfocus.com>; "Uno Mille" <umil@hotmail.com>
Sent: Saturday, January 28, 2006 3:36 PM
Subject: Re: Active Directory user enumeration

> I'm fairly certain that by default AD does not allow anonymous browsing
> below the root level of the directory. Only authenticated users can
> browse
> beyond the root.
>
> Matt
>
> ----- Original Message -----
> From: "Robert Petrunic" <robert@petrunic.com>
> To: "Sam Evans" <wintrmte@gmail.com>; "ilaiy" <ilaiy.e@gmail.com>
> Cc: "Frederic Charpentier" <fcharpen@xmcopartners.com>;
> <pen-test@securityfocus.com>; "Uno Mille" <umil@hotmail.com>
> Sent: Friday, January 27, 2006 3:40 AM
> Subject: Re: Active Directory user enumeration
>
>
>> Try with Cain&Abel.
>> If administrator disabled anonymous user enumeration trough group policy
> you
>> can't do it.
>>
>> Robert
>>
>> ----- Original Message -----
>> From: "Sam Evans" <wintrmte@gmail.com>
>> To: "ilaiy" <ilaiy.e@gmail.com>
>> Cc: "Frederic Charpentier" <fcharpen@xmcopartners.com>;
>> <pen-test@securityfocus.com>; "Uno Mille" <umil@hotmail.com>
>> Sent: Friday, January 27, 2006 6:50 AM
>> Subject: Re: Active Directory user enumeration
>>
>>
>> I'm not sure there is a way to enumerate AD through LDAP without
>> having to authenticate first. I have not tried it, but I am guessing
>> that Anonymous Bind is turned off by default (man, now I'm kinda
>> paranoid, I'll have to check!)
>>
>> -Sam
>>
>>
>> On 1/26/06, ilaiy <ilaiy.e@gmail.com> wrote:
>> > Try this one for linux
>> >
>> > http://www-unix.mcs.anl.gov/~gawor/ldap/
>> >
>> > ./thanks
>> > ilaiy
>> >
>> > On 1/24/06, Frederic Charpentier <fcharpen@xmcopartners.com> wrote:
>> > > you can try the Softerra LDAP browser if the server allows anonymous
>> > > read access (which is often the case).
>> > >
>> > > http://download.softerra.com/files/ldapbrowser26.msi
>> > >
>> > > Fred
>> > >
>> > > Uno Mille wrote:
>> > > > Hello,
>> > > > I need to perform a pentest on an 2003 Active Directory environment
>> > > > and I
>> > > > could not find a way to anonymously enumerate users, password
>> > > > policy
>> > > > and etc
>> > > > as we normally do in a NT environment.
>> > > > Any way of doing it through LDAP without any authentication ?
>> > > > Regards,
>> > > > Uno
>> > >
>> > > --
>> > > Frederic Charpentier - Xmco Partners
>> > > Security Consulting / Pentest
>> > > web : http://www.xmcopartners.com/tests-intrusion.html
>> > >
>> > >
>> >
>> --------------------------------------------------------------------------
> ----
>> > > Audit your website security with Acunetix Web Vulnerability Scanner:
>> > >
>> > > Hackers are concentrating their efforts on attacking applications on
>> > > your
>> > > website. Up to 75% of cyber attacks are launched on shopping carts,
>> > > forms,
>> > > login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers
>> > > are
>> > > futile against web application hacking. Check your website for
>> > > vulnerabilities
>> > > to SQL injection, Cross site scripting and other web attacks before
>> > > hackers do!
>> > > Download Trial at:
>> > >
>> > > http://www.securityfocus.com/sponsor/pen-test_050831
>> >
>> --------------------------------------------------------------------------
> -----
>> > >
>> > >
>> >
>>
>> --------------------------------------------------------------------------
> ----
>> > Audit your website security with Acunetix Web Vulnerability Scanner:
>> >
>> > Hackers are concentrating their efforts on attacking applications on
> your
>> > website. Up to 75% of cyber attacks are launched on shopping carts,
> forms,
>> > login pages, dynamic content etc. Firewalls, SSL and locked-down
>> > servers
>> > are
>> > futile against web application hacking. Check your website for
>> > vulnerabilities
>> > to SQL injection, Cross site scripting and other web attacks before
>> > hackers do!
>> > Download Trial at:
>> >
>> > http://www.securityfocus.com/sponsor/pen-test_050831
>>
>> --------------------------------------------------------------------------
> -----
>> >
>> >
>>
>> --------------------------------------------------------------------------
> ----
>> Audit your website security with Acunetix Web Vulnerability Scanner:
>>
>> Hackers are concentrating their efforts on attacking applications on your
>> website. Up to 75% of cyber attacks are launched on shopping carts,
>> forms,
>> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
>> futile against web application hacking. Check your website for
>> vulnerabilities
>> to SQL injection, Cross site scripting and other web attacks before
> hackers
>> do!
>> Download Trial at:
>>
>> http://www.securityfocus.com/sponsor/pen-test_050831
>> --------------------------------------------------------------------------
> -----
>>
>>
>>
>>
>> --------------------------------------------------------------------------
> ----
>> Audit your website security with Acunetix Web Vulnerability Scanner:
>>
>> Hackers are concentrating their efforts on attacking applications on your
>> website. Up to 75% of cyber attacks are launched on shopping carts,
>> forms,
>> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
>> futile against web application hacking. Check your website for
> vulnerabilities
>> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
>> Download Trial at:
>>
>> http://www.securityfocus.com/sponsor/pen-test_050831
>> --------------------------------------------------------------------------
> -----
>>
>>
>>
>
>
>
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Ivan .: "Re: Pen Testing Novell"
• Previous message: FocusHacks: "Re: Different methods of obtaining exploits"
• In reply to: MOpsitos: "Re: Active Directory user enumeration"
• Next in thread: Michael Scheidell: "RE: Active Directory user enumeration"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:25 EDT