RE: LDAP + Active Directory

From: Sacha Faust (sachaat_private)
Date: Sun Oct 14 2001 - 15:00:52 PDT

    Most of the time you can get a list of name contexts by connecting to the
    LDAP server on its rootDSE (if it's a compliant LDAPv3 server). You can
    get a small tool to get the rootDSE data from
    http://www.severus.org/sacha/ldap/ldaprootdse/ . LdapMiner is able to dump
    useful information on Exchange and Netscape Directory Server (more to
    come). You can also grab some stuff on LDAP from my home page
    http://www.severus.org/sacha/ .
    I will add more things soon to it. A quick introduction on basic LDAP
    security can be found at http://www.tisc2001.com/newsletters/318.html
    
    If my memory is correct, I was able to dump a user list from Active
    Directory without Administrator credentials when I ran a few queries at it a
    year ago, but I completely forgot which. Has anyone done tests on
    information that can be collected from AD via null sessions?
    
    
    
    -----Original Message-----
    From: Patrick Patterson [mailto:ppattersat_private]On Behalf Of
    Patrick Patterson
    Sent: Saturday, October 13, 2001 2:18 PM
    To: Tim Russo; pen-testat_private
    Subject: Re: LDAP + Active Directory
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Saturday 13 October 2001 00:13, Tim Russo wrote:
    > I have discovered that I am able to connect anonymously to my client's
    > Active Directory/LDAP port (389). Using an LDAP client I can connect, but I
    > do not see any information. Is this because the directory is empty or that
    > I am not using the correct protocol version (3?) and/or BaseDN? Is there a
    > way to get a listing not knowing the correct DC?
    >
    
    We were actually playing with this last night in our lab, and here is what
    we found:
    
    Using an LDAP Browser that we found called GQ (Requires GNOME and Linux)
    (http://biot.com/gq/) - we were able to get a listing of the top level of
    the Active Directory Tree: (no need to feed a base DN)
    
    cn=Schema,cn=Configuration,dc=example,dc=com
    cn=Configuration,dc=example,dc=com
    dc=example,dc=com
    
    This appears to be the extent of the anonymous browse capabilities (we only
    played with it for a few hours, so YMMV)
    
    If you are able to connect as the Administrator:
    
    cn=Administrator,cn=Users,dc=example,dc=com
    
    then you can enumerate the users, and all sorts of other fun things ;)
    
    Users are under cn=Users,dc=example,dc=com
    Computers are under cn=Computers,dc=example,dc=com
    
    Anyways, hope this helps ;)
    
    
    - --
    
    Patrick Patterson			Tel: (514) 485-0789
    Chief Security Architect		Fax: (514) 485-4737
    Carillon Information Security Inc.	E-Mail: ppattersonat_private
    - -----------------------------------------------------------------------
    		The New Sound of Network Security
    		     http://www.carillonIS.com
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
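
Added example (not part of either message, nor of the tools they mention): a parser for a rootDSE entry in LDIF form that reports the naming contexts discussed in the thread and whether LDAPv3 is advertised, so an administrator can review what the directory reveals before any bind. The sample LDIF is constructed; `namingContexts` and `supportedLDAPVersion` are standard rootDSE attributes, and the function names are hypothetical.

```python
import base64

# Constructed sample of a rootDSE entry in LDIF form (not captured from a real
# server). The third value is folded across two lines, as LDIF output often is.
SAMPLE_ROOTDSE = """\
dn:
namingContexts: dc=example,dc=com
namingContexts: cn=Configuration,dc=example,dc=com
namingContexts: cn=Schema,cn=Configuration,dc=exa
 mple,dc=com
supportedLDAPVersion: 3
supportedLDAPVersion: 2
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation line: unfold
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # "attr:: " marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def summarize_rootdse(entry):
    """Report what the rootDSE tells an unauthenticated client."""
    contexts = entry.get("namingcontexts", [])
    norm = [c.lower().replace(" ", "") for c in contexts]
    # A context nested under another listed one is not a directory root.
    roots = [c for c, n in zip(contexts, norm)
             if not any(n != o and n.endswith("," + o) for o in norm)]
    return {"ldapv3": "3" in entry.get("supportedldapversion", []),
            "naming_contexts": contexts,
            "base_dns": roots}


if __name__ == "__main__":
    print(summarize_rootdse(parse_ldif_entry(SAMPLE_ROOTDSE)))
```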
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Sun Oct 14 2001 - 15:20:21 PDT