RE: LDAP + Active Directory

From: SULLIVAN, AARON R (PB) (as7274at_private)
Date: Wed Oct 31 2001 - 15:11:14 PST


    While this thread is a bit old, I'll throw in a shameless plug for my
    current article series on Sfocus (An Audit of Active Directory Security)...
    you should be able to find it in the library.  There are a number of things
    that you can do to gather information on a null session to the directory.
    While I'm sure that there's much more than can be done than what I have
    done, I can throw a few ideas out here.  I also have a recommendation that
    you check out Nomad Mobile Research Center's site (www.nmrc.com I think) and
    read up on how Pandora does some of what it does and why the vulnerabilities
    that Pandora exploits exist.  Much of it is based more on LDAP/DAP than AD
    in and of itself.  On to the ideas...
    
    One thing you can do to enumerate the existence of certain user accounts is
    to attempt to find objects in the tree matching that user name.
    
    For instance... If I attempt to declare an object in the directory as a base
    that does exist (a user, for instance), I get this:
    
    user
    -----------
    Expanding base 'CN=joebob2,CN=Users,DC=dgs,DC=com'...
    Result <0>: (null)
    Matched DNs: 
    Getting 0 entries:
    
    If I attempt to declare an object in the directory as a base that does not
    exist (also a user in this case), I get this:
    
    no user
    -----------
    Expanding base 'CN=joebob19,CN=Users,DC=dgs,DC=com'...
    Error: Search: No Such Object. <32>
    Result <32>: 0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT),
    data 0, best match of:
    	'CN=Users,DC=dgs,DC=com'
    
    Matched DNs: CN=Users,DC=dgs,DC=com
    Getting 0 entries:
    
    This was all done under an anonymous attachment... Your searching
    privileges go WAY up as an authenticated user... You can pretty much at
    least LOOK anywhere you want (by default)... Bridge servers, other domains,
    lots of configuration stuff, the whole shebang.
    
    It is important to note that turning on event logging for events like this
    (especially if they are in anonymous connections) in most cases will cause
    your log files to explode... As these are treated as simple access requests
    to the directory.  As you get to thinking about this, I think you'll find
    that security in AD (or any LDAP/DAP based server for that matter) can get
    to be a real hairball... Though there are quite a few tools that one can
    automate the process with to some extent... but a little slow hand tweaking
    will be required as well.
    
    Aaron
    
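    An added example (not part of Aaron's post or of any tool it mentions) for reading what the two transcripts above actually disclose: it parses the Windows-style diagnostic string AD attaches to a result (Win32 code, DSID, problem, data, best-match DN) and reduces each "Expanding base" block to present/absent by its LDAP resultCode. The transcripts are copied from the post as constructed input; the bind-failure diagnostic shape ("LdapErr ... comment: ..., data 52e") goes beyond the post and is included as an assumed second common form.

```python
import re

# Active Directory appends a diagnostic string to many LDAP results. Two common shapes
# (the first is the one in the post above; the second is the bind-failure variant):
#   0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=dgs,DC=com'
#   80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v1db1
DIAG_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+),\s*"
    r"(?:problem (?P<problem>\d+) \((?P<pname>\w+)\)|comment: (?P<comment>[^,]+)),\s*"
    r"data (?P<data>[0-9A-Fa-f]+)(?:, best match of:\s*'(?P<best>[^']*)')?"
)
BASE_RE = re.compile(r"Expanding base '(?P<dn>[^']+)'")
RESULT_RE = re.compile(r"Result <(?P<code>\d+)>")

def parse_diagnostic(text):
    """Split an AD diagnostic string into its fields; None if no such string is present."""
    m = DIAG_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    return {
        "win32_code": int(d["win32"], 16),                 # e.g. 0x0000208D -> 8333
        "kind": d["kind"], "dsid": d["dsid"],
        "problem": int(d["problem"]) if d["problem"] else None, "problem_name": d["pname"],
        "comment": d["comment"].strip() if d["comment"] else None,
        "data": int(d["data"], 16),                        # 'data' is hex as well (e.g. 52e -> 1326)
        "best_match": d["best"],                           # deepest DN the server confirmed exists
    }

def classify_probe(transcript):
    """Reduce one 'Expanding base' block to what the server disclosed about that DN."""
    base, result = BASE_RE.search(transcript), RESULT_RE.search(transcript)
    code = int(result.group("code")) if result else None
    return {
        "dn": base.group("dn") if base else None,
        "result_code": code,
        # LDAP resultCode 0 = success (object exists), 32 = noSuchObject; anything else is undecided
        "exists": {0: True, 32: False}.get(code),
        "diagnostic": parse_diagnostic(transcript),
    }

# Constructed input: the two ldp-style transcripts quoted in the post above.
PROBE_HIT = ("Expanding base 'CN=joebob2,CN=Users,DC=dgs,DC=com'...\n"
             "Result <0>: (null)\nMatched DNs: \nGetting 0 entries:")
PROBE_MISS = ("Expanding base 'CN=joebob19,CN=Users,DC=dgs,DC=com'...\n"
              "Error: Search: No Such Object. <32>\n"
              "Result <32>: 0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT),\n"
              "data 0, best match of:\n\t'CN=Users,DC=dgs,DC=com'\n\n"
              "Matched DNs: CN=Users,DC=dgs,DC=com\nGetting 0 entries:")

if __name__ == "__main__":
    print(classify_probe(PROBE_HIT)); print(classify_probe(PROBE_MISS))
```

    The "best match of" DN is the part worth watching in your own audit output: even a failed anonymous search confirms which containers exist.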
    
    -----Original Message-----
    From: juan.francisco.falconat_private
    [mailto:juan.francisco.falconat_private] 
    Sent: Monday, October 15, 2001 9:11 AM
    To: pen-testat_private
    Subject: RE: LDAP + Active Directory
    
    
    
    LDAP uses anonymous access for reading the tree, so if using a Netscape
    browser you type:
    
    ldap://machine.com:<port>/o=suffix??sub?
    
    you should see the whole tree, including the ACIs
    
    port is usually # 389
    and the machine.com must be the FQN.
    
    hope this helps
    
    
    
    
    
    Sacha Faust <sachaat_private> on 14/10/2001 07:00:52 p.m.
    
    To:   ppattersonat_private, 'Tim Russo' <trussoat_private>,
          pen-testat_private
    cc:
    Subject:  RE: LDAP + Active Directory
    
    
    most of the time you can get a list of name context by connecting to the
    LDAP server on its rootdse ( if it's a compliant ldapv3 server). You can
    get a small tool to get the rootdse data from
    http://www.severus.org/sacha/ldap/ldaprootdse/ . LdapMiner is able to dump
    useful information on exchange and netscape directory server ( more to come
    ). You can also grab some stuff on LDAP from my home page
    http://www.severus.org/sacha/ . I will add more things soon to it. A quick
    introduction on basic LDAP security can be found from
    http://www.tisc2001.com/newsletters/318.html
    
    If my memory is correct, I was able to dump a user list from Active
    Directory without Administrator credentials when I ran a few queries at it a
    year ago but I completely forgot which. Has anyone done tests on
    information that can be collected from AD via null sessions?
    
    
    
    -----Original Message-----
    From: Patrick Patterson [mailto:ppattersat_private]On Behalf Of Patrick
    Patterson
    Sent: Saturday, October 13, 2001 2:18 PM
    To: Tim Russo; pen-testat_private
    Subject: Re: LDAP + Active Directory
    
    
    On Saturday 13 October 2001 00:13, Tim Russo wrote:
    > I have discovered that I am able to connect anonymously to my client's
    > active directory/LDAP port (389). Using an LDAP client I can connect,
    > but I do not see any information. Is this because the directory is empty or
    > that I am not using the correct protocol version (3?) and/or BaseDN? Is
    > there a way to get a listing not knowing the correct DC?
    >
    
    We were actually playing with this last night in our lab, and here is what
    we found:
    
    Using an LDAP Browser that we found called GQ (Requires GNOME and Linux)
    (http://biot.com/gq/) - we were able to get a listing of the top level of
    the Active Directory Tree: (no need to feed a base DN)
    
    cn=Schema,cn=Configuration,dc=example,dc=com
    cn=Configuration,dc=example,dc=com
    dc=example,dc=com
    
    This appears to be the extent of the anonymous browse capabilities (we only
    played with it for a few hours, so YMMV)
    
    If you are able to connect as the Administrator:
    
    cn=Administrator,cn=Users,dc=example,dc=com
    
    then you can enumerate the users, and all sorts of other fun things ;)
    
    Users are under cn=Users,dc=example,dc=com
    Computers are under cn=Computers,dc=example,dc=com
    
    Anyways, hope this helps ;)
    
    
    --
    
    Patrick Patterson             Tel: (514) 485-0789
    Chief Security Architect      Fax: (514) 485-4737
    Carillon Information Security Inc. E-Mail: ppattersonat_private
    -----------------------------------------------------------------------
              The New Sound of Network Security
                   http://www.carillonIS.com
    
    
    
    ----------------------------------------------------------------------------
    
    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    
    
    
    
    
    
    
    
    ----------------------------------------------------------------
    The information transmitted is intended only for the person or entity to
    which it is addressed and may contain confidential and/or privileged
    material.  Any review, retransmission, dissemination or other use of, or
    taking of any action in reliance upon, this information by persons or
    entities other than the intended recipient is prohibited.   If you received
    this in error, please contact the sender and delete the material from any
    computer.
    
    
    



    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 10:48:42 PST