LDAP uses an anonymous access for reading the tree, so if using a Netscape browser you type:

ldap://machine.com:<port>/o=suffix??sub?

you should see all the tree, including the ACIs. The port is usually 389 and machine.com must be the FQN.

Hope this helps.

Sacha Faust <sachaat_private> on 14/10/2001 07:00:52 p.m.

To: ppattersonat_private, 'Tim Russo' <trussoat_private>, pen-testat_private
cc:
Subject: RE: LDAP + Active Directory

Most of the time you can get a list of naming contexts by connecting to the LDAP server on its rootDSE (if it's a compliant LDAPv3 server). You can get a small tool to get the rootDSE data from http://www.severus.org/sacha/ldap/ldaprootdse/ . LdapMiner is able to dump useful information on Exchange and Netscape Directory Server (more to come). You can also grab some stuff on LDAP from my home page http://www.severus.org/sacha/ . I will add more things soon to it.

A quick introduction on basic LDAP security can be found at http://www.tisc2001.com/newsletters/318.html

If my memory is correct, I was able to dump a user list from Active Directory without Administrator credentials when I ran a few queries at it a year ago, but I completely forgot which. Has anyone done tests on information that can be collected from AD via null sessions?

-----Original Message-----
From: Patrick Patterson [mailto:ppattersat_private] On Behalf Of Patrick Patterson
Sent: Saturday, October 13, 2001 2:18 PM
To: Tim Russo; pen-testat_private
Subject: Re: LDAP + Active Directory

On Saturday 13 October 2001 00:13, Tim Russo wrote:
> I have discovered that I am able to connect anonymously to my client's
> Active Directory/LDAP port (389). Using an LDAP client I can connect, but I
> do not see any information. Is this because the directory is empty or that
> I am not using the correct protocol version (3?) and/or BaseDN? Is there a
> way to get a listing not knowing the correct DC?
>

We were actually playing with this last night in our lab, and here is what we found:

Using an LDAP Browser that we found called GQ (Requires GNOME and Linux) (http://biot.com/gq/) - we were able to get a listing of the top level of the Active Directory Tree: (no need to feed a base DN)

cn=Schema,cn=Configuration,dc=example,dc=com
cn=Configuration,dc=example,dc=com
dc=example,dc=com

This appears to be the extent of the anonymous browse capabilities (we only played with it for a few hours, so YMMV)

If you are able to connect as the Administrator:

cn=Administrator,cn=Users,dc=example,dc=com

then you can enumerate the users, and all sorts of other fun things ;)

Users are under cn=Users,dc=example,dc=com
Computers are under cn=Computers,dc=example,dc=com

Anyways, hope this helps ;)

--
Patrick Patterson                    Tel: (514) 485-0789
Chief Security Architect             Fax: (514) 485-4737
Carillon Information Security Inc.   E-Mail: ppattersonat_private
-----------------------------------------------------------------------
The New Sound of Network Security
http://www.carillonIS.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
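Added example (not part of the original posts): a parser for the LDAP URL form quoted in the first message, following RFC 4516, that shows which search such a URL asks a server to run and flags the two reads discussed in the thread, a rootDSE read and a full-subtree read. The function names are hypothetical, and the sample URLs are constructed from the thread's `machine.com` with 389 in place of `<port>`.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = 389                      # the port the thread names
DEFAULT_FILTER = "(objectClass=*)"      # RFC 4516 default when the filter is empty
SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Return the search an LDAP URL (RFC 4516) asks the server to run."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        raise ValueError("not an ldap:// URL: %r" % url)
    # After the DN come '?'-separated fields: attributes ? scope ? filter ? extensions
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, flt = fields[0], fields[1].lower() or "base", fields[2]
    if scope not in SCOPES:
        raise ValueError("unknown scope: %r" % scope)
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT,
        "base_dn": unquote(parts.path.lstrip("/")),
        # An empty attribute list means "all user attributes", shown here as "*"
        "attributes": [unquote(a) for a in attrs.split(",") if a] or ["*"],
        "scope": scope,
        "filter": unquote(flt) or DEFAULT_FILTER,
    }


def is_rootdse_read(req):
    """Empty base DN with base scope is a read of the rootDSE."""
    return req["base_dn"] == "" and req["scope"] == "base"


def is_full_subtree_read(req):
    """Subtree scope, default filter, no attribute list: everything under base_dn."""
    return (req["scope"] == "sub" and req["filter"] == DEFAULT_FILTER
            and req["attributes"] == ["*"])


if __name__ == "__main__":
    # Constructed samples: the thread's URL with 389 for <port>, and a rootDSE read.
    for u in ("ldap://machine.com:389/o=suffix??sub?", "ldap://machine.com/"):
        r = parse_ldap_url(u)
        print(u, r, is_rootdse_read(r), is_full_subtree_read(r))
```

Running the same classification over LDAP URLs found in bookmarks, scripts or proxy logs shows which ones would pull an entire subtree if the directory answers anonymous binds.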
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:50:59 PDT