RE: LDAP + Active Directory

From: Sacha Faust (sacha@severus.org)
Date: 10/15/01


From: "Sacha Faust" <sacha@severus.org>
To: <ppatterson@carillonis.com>, "'Tim Russo'" <trusso@wireguided.com>, <pen-test@securityfocus.com>
Subject: RE: LDAP + Active Directory
Date: Sun, 14 Oct 2001 18:00:52 -0400
Message-ID: <000001c154fb$b1df4b10$01000001@kidgnaped>

Most of the time you can get a list of naming contexts by connecting to the
LDAP server on its rootDSE (if it's a compliant LDAPv3 server). You can
get a small tool to get the rootDSE data from
http://www.severus.org/sacha/ldap/ldaprootdse/ . LdapMiner is able to dump
useful information on Exchange and Netscape Directory Server (more to
come). You can also grab some stuff on LDAP from my home page
http://www.severus.org/sacha/ .
I will add more things to it soon. A quick introduction to basic LDAP
security can be found at http://www.tisc2001.com/newsletters/318.html

If my memory is correct, I was able to dump a user list from Active
Directory without Administrator credentials when I ran a few queries at it a
year ago, but I completely forgot which. Has anyone done tests on
information that can be collected from AD via null sessions?

-----Original Message-----
From: Patrick Patterson [mailto:ppatters@carillonis.com]On Behalf Of
Patrick Patterson
Sent: Saturday, October 13, 2001 2:18 PM
To: Tim Russo; pen-test@securityfocus.com
Subject: Re: LDAP + Active Directory

-----BEGIN PGP SIGNED MESSAGE-----

On Saturday 13 October 2001 00:13, Tim Russo wrote:
> I have discovered that I am able to connect anonymously to my client's
> Active Directory/LDAP port (389). Using an LDAP client I can connect, but I
> do not see any information. Is this because the directory is empty or that
> I am not using the correct protocol version (3?) and/or BaseDN? Is there a
> way to get a listing not knowing the correct DC?
>

We were actually playing with this last night in our lab, and here is what
we found:

Using an LDAP browser that we found called GQ (requires GNOME and Linux)
(http://biot.com/gq/) we were able to get a listing of the top level of the
Active Directory tree (no need to feed a base DN):

cn=Schema,cn=Configuration,dc=example,dc=com
cn=Configuration,dc=example,dc=com
dc=example,dc=com

This appears to be the extent of the anonymous browse capabilities (we only
played with it for a few hours, so YMMV)

If you are able to connect as the Administrator:

cn=Administrator,cn=Users,dc=example,dc=com

then you can enumerate the users, and all sorts of other fun things ;)

Users are under cn=Users,dc=example,dc=com
Computers are under cn=Computers,dc=example,dc=com

Anyways, hope this helps ;)

- --

Patrick Patterson Tel: (514) 485-0789
Chief Security Architect Fax: (514) 485-4737
Carillon Information Security Inc. E-Mail: ppatterson@carillonIS.com
- -----------------------------------------------------------------------
                The New Sound of Network Security
                     http://www.carillonIS.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: u9lk+xQIFEUSLRN0QznTUvV9wP8nOu2X

iQCVAwUBO8iFRrqc3sMKNyclAQFE/AQAn7Kpaiu8lGgSUkBA7eG4bZnoDLamwLUK
+YgKyLGddyBcEJcu40V8qyzQr/8cDzO13nWA2HRpWE34sfXDs3yHOCqH1UwAX+4R
l8Y8vx9S6lB+qfjmqQ+tX8hzMGi7guOPrYRUNnJKUF/4ZR2uMOv7hOcsL1SoLzwB
MO0nJy1UXwQ=
=tUMW
-----END PGP SIGNATURE-----
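The two things the thread describes, reading the rootDSE without a base DN to learn the naming contexts (Sacha's point) and then asking for the entries under cn=Users once you have one (Patrick's listing), are small enough to do at the wire level. The script below is an added example, not code from either poster, LdapMiner or GQ: it builds the LDAPv3 BindRequest and SearchRequest messages by hand in BER (RFC 4511 / X.690), parses the SearchResultEntry replies, and, given a host on the command line of your own, performs an anonymous bind, dumps the rootDSE and attempts the cn=Users listing under each naming context. The attribute names requested (namingContexts, defaultNamingContext, supportedLDAPVersion, cn), the (objectClass=user) filter and the sample reply are this example's assumptions; the sample reply is constructed, not captured from a real domain controller.

```python
# Added example (not from the thread): hand-built LDAPv3 BER, standard library only.
import socket

def ber_len(n):                # X.690 definite length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def integer(n):                # non-negative only (message IDs, limits, version)
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def octet_string(s, tag=0x04):
    return tlv(tag, s.encode() if isinstance(s, str) else s)

def sequence(*parts, tag=0x30):
    return tlv(tag, b"".join(parts))

def bind_request(msg_id=1, dn="", password=""):
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] }; empty name and password = anonymous
    op = sequence(integer(3), octet_string(dn), octet_string(password, tag=0x80), tag=0x60)
    return sequence(integer(msg_id), op)

def search_request(msg_id, base, scope, flt, attrs):
    # SearchRequest ::= [APPLICATION 3] SEQUENCE { baseObject, scope, derefAliases,
    #   sizeLimit, timeLimit, typesOnly, filter, attributes }
    op = sequence(octet_string(base), tlv(0x0A, bytes([scope])), tlv(0x0A, b"\x00"),
                  integer(0), integer(0), tlv(0x01, b"\x00"), flt,
                  sequence(*(octet_string(a) for a in attrs)), tag=0x63)
    return sequence(integer(msg_id), op)

def rootdse_search(msg_id=2):
    # Empty base DN with baseObject scope (0) is the rootDSE (no base DN needed); present [7] = (objectClass=*)
    return search_request(msg_id, "", 0, octet_string("objectClass", tag=0x87),
                          ("namingContexts", "defaultNamingContext", "supportedLDAPVersion"))

def users_search(naming_context, msg_id=3):
    # singleLevel (1) under cn=Users, equalityMatch [3] = (objectClass=user); returning only cn is this example's choice
    flt = sequence(octet_string("objectClass"), octet_string("user"), tag=0xA3)
    return search_request(msg_id, "cn=Users," + naming_context, 1, flt, ("cn",))

def ber_decode(buf, pos=0):    # -> (tag, payload, next_pos) for the TLV starting at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = ber_decode(payload, pos)
        out.append((tag, val))
    return out

def parse_message(msg):
    # -> (op_tag, dn, {attr: [values]}); dn and attrs are None unless op is a SearchResultEntry (0x64)
    _, body, _ = ber_decode(msg)
    op_tag, op = ber_children(body)[1]        # child 0 is the messageID
    if op_tag != 0x64:
        return op_tag, None, None
    (_, dn), (_, attrs) = ber_children(op)
    result = {}
    for _, partial in ber_children(attrs):    # SEQUENCE { type, vals SET OF OCTET STRING }
        (_, name), (_, vals) = ber_children(partial)
        result[name.decode()] = [v.decode() for _, v in ber_children(vals)]
    return op_tag, dn.decode(), result

def recv_message(f):           # read exactly one LDAPMessage (outer SEQUENCE) from a buffered socket file
    head = f.read(2)
    if head[1] & 0x80:                        # long-form length: next (head[1] & 0x7F) bytes hold it
        head += f.read(head[1] & 0x7F)
    return head + f.read(int.from_bytes(head[2:], "big") if len(head) > 2 else head[1])

def entries(f):                # yield (dn, attrs) per SearchResultEntry until the SearchResultDone (0x65)
    while (reply := parse_message(recv_message(f)))[0] != 0x65:
        yield reply[1], reply[2]

def probe(host, port=389):
    """Anonymous bind, read the rootDSE, then try cn=Users under every naming context."""
    with socket.create_connection((host, port), timeout=10) as s, s.makefile("rb") as f:
        s.sendall(bind_request())
        if parse_message(recv_message(f))[0] != 0x61:   # BindResponse = [APPLICATION 1]
            raise RuntimeError("unexpected reply to bind")
        s.sendall(rootdse_search())
        contexts = [nc for _, a in entries(f) for nc in a.get("namingContexts", [])]
        users = {}
        for i, nc in enumerate(contexts):
            s.sendall(users_search(nc, msg_id=10 + i))
            users[nc] = [dn for dn, _ in entries(f)]    # empty if the DC refuses anonymous reads
        return contexts, users

# Constructed sample reply (not captured from a real DC): the rootDSE of dc=example,dc=com
SAMPLE_ROOTDSE_REPLY = sequence(integer(2), sequence(octet_string(""), sequence(sequence(
    octet_string("namingContexts"), sequence(octet_string("DC=example,DC=com"),
    octet_string("CN=Configuration,DC=example,DC=com"),
    octet_string("CN=Schema,CN=Configuration,DC=example,DC=com"), tag=0x31))), tag=0x64))
```

`probe("dc.example.com")` runs the exchange against a host of your choosing; `parse_message(SAMPLE_ROOTDSE_REPLY)` shows the decoding offline. `bind_request()` produces the 14-byte anonymous bind (30 0c 02 01 01 60 07 02 01 03 04 00 80 00) that any LDAPv3 server accepts, which is also what the OpenLDAP one-liner `ldapsearch -x -H ldap://dc.example.com -s base -b "" namingContexts` sends first. Two caveats a tester should carry: the rootDSE is readable anonymously on essentially every LDAPv3 server, but domain controllers from Windows Server 2003 onward refuse anonymous operations beyond the rootDSE unless the forest's dsHeuristics setting has been changed to allow them, so the users list above will normally come back empty without credentials; and a bind with a real DN and password over plain port 389 sends that password in the clear, so do it over LDAPS or not at all on a network you do not control.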

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
