Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] LDAP-nullbase
From: Brian Conte <michael.conte () DIGEX COM>
Date: Wed, 20 Sep 2000 16:41:05 -0400

I did some testing with windows LDAP a while ago (not recently so please
correct me if you have new information) and found that it was willing to
give up information, way too much information.

Microsoft provides a real easy tool to access ldap on the windows
2000  full CD . It is called LDP.

I was able to pull security policies, user ID's and other active directory
information.  The LDAP was only there once active directory was installed.
Using this tool, a seach for "object class = *" showed LOTS of information.

Using Activestate perl and there is a perl module for LDAP
perl-ldap [0.15] perl-ldap is a library of modules implementing an LDAP client.
                 The aim of the perl-ldap project is to implement a very
                 portable LDAP client in perl by relying on as little compiled
                 code as possible.

I used this to write a few scripts that would search and dump what I could
from LDAP.  One thing that had to be found out was the DN, DC's and
such.  I recommend reading the RFC's for LDAP.  RFC1777, RFC1779, RFC1558,
and  RFC 2255 for URL LDAP, though I was not able to get this to work under 2k.

At the time, there was no tracking on LDAP (it may be an option that was
not set up) so you could attempt to bruteforce it for as long as you
liked.  Though it would be noticed if someone was watching the ports (389
and 3268).  It can be done remotely if those ports are open to the world.

I believe to fix it was to remove anonymous browse from the root of the
active directory tree.  I was told this by a microsoft rep but was unable
to test it.

BTW this was actually found out to be a problem on other programs that use
LDAP.  One that I recall was the mail program by rockliffe, if LDAP was
turned on it would give out all the information anyone could want about the
mail users.

At 07:01 AM 9/20/2000 -0500, krisk wrote:
A recent scan on our beta Win 2000 network came up showing a ldap-nullbase
If I understand this correctly, this is similar to a Win netbios null
session, allowing enumeration of users, shares, etc.
Does anyone have more info on this? What tools or commands are used to pull
down directory listings etc. using this? Can this be done remotely? Ports
used? Other methods to test for this? How to secure this?

Kris Kistler
Security Admin.
St. Louis, MO

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]