Re: Active Directory user enumeration

[jmk <jmk () foofus net>]

On Tue, 2006-01-24 at 09:42 +0000, Uno Mille wrote:
> Hello,
> I need to perform a pentest on an 2003 Active Directory environment and I
> could not find a way to anonymously enumerate users, password policy and etc
> as we normally do in a NT environment.
> Any way of doing it through LDAP without any authentication ?
> Regards,
> Uno

You have a number of options...

Ldapenum: I haven't personally used this, but from sf.net... ldapenum is
a perl script designed to enumerate system and password information from
domain controllers using the LDAP service when IPC$ is locked.

https://sourceforge.net/projects/ldapenum

OWNR: OWNR is modular system which can enumerate user, group, and
password information from NT-based systems or AD. An older version of
OWNR can be found in Foofus's DC12 presentation materials.

http://www.foofus.net/defcon/foofus-DC12-v2.tar.bz2


Rpcclient: SAMBA's rpcclient is useful for performing reverse SID
enumeration. Using the "lookupsids" command along with the domain SID,
it's often possible to anonymously enumerate users and groups via
brute-force ID guessing.

Joe


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------