Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Query for blank passwords in Active Directory
From: Marco Ivaldi <raptor () mediaservice net>
Date: Thu, 5 Apr 2007 12:43:00 +0200 (ora solare Europa occidentale)


On Thu, 5 Apr 2007, Teh Fizzgig wrote:

igor.mamuzic () koncar-inem hr wrote:
Hi all,

Is there any way to get a list of Active Directory users with blank passwords? Of course, I'm attempting to discover such user accounts with domain admin privileges.

Do you have a list of users already or are you seeking that information
as well?

Depending on your Domain Controllers configuration, it may be extremely easy to enumerate users, even without having credentials for accessing the AD domain. For a basic example take a look at:


If rpcclient's "enumusers" command doesn't work, it may still be possible to get the users list scanning for SIDs. You can do that using "lsaquery" and "lookupsids" commands, or switching to other tools such as Nessus or GetAcct.exe. If you're stuck on Windows as testing plaform, you should also take a look at enum.exe.

Furthermore, some (widespread) configurations allow user enumeration via SNMP (a read-only community is enough to perform the attack). Finally, LDAP may also leak such information.

If you already have the user list, might I suggest medusa:


You want the smbnt module along with the -ns option (tests for blank
username as well as username = password). It's multithreaded and pretty
quick with these things.

Once you got the users list, you may use medusa/hydra as suggested, or even write your own script, such as:

(this currently enumerates users with username == password, thus it requires some modification to fulfill your specific needs)

On Windows, you may write a batch script using the "NET USE" command.

Finally, if you have domain administration privileges as you say, it may be even easier to dump and crack the passwords, using programs such as:

[your favorite Windows password cracker goes here;)]

Hope this helps,

Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]