
Thursday, April 16, 2009

Active Directory Enumeration

  • All existing users and groups can be enumerated with a simple LDAP query.

  • The only thing required to perform this enumeration is an authenticated session via LDAP.

  • Connect to any AD server with ldp.exe on port 389.

  • Authenticate yourself using Guest or any domain account.

  • Now all the users and built-in groups can be enumerated.

Active Directory is a lot like the ordinary Windows registry, except that the directory lives on the network and a Windows network depends on it to function properly. A cause for concern is that, by default, authenticated users can view a number of things in the directory that they should not be able to see in a secure environment. For instance, users can read the domain naming context (DC=domain, DC=com), the schema (CN=Schema, CN=Configuration, DC=domain, DC=com), the configuration naming context (CN=Configuration, DC=domain, DC=com) and so on. The schema is the section of the directory that defines what else can be stored in the directory.

AD is designed to contain a unified, logical representation of all the objects relevant to the corporate technology infrastructure. Windows 2000 ships with a simple LDAP client, the Active Directory Administration Tool (ldp.exe), that connects to an AD server and browses the contents of the directory.

Threat

Simply pointing ldp.exe at a Windows 2000 domain controller will enumerate all of the existing users and groups with a simple LDAP query.

Attack Methods

LDAP listens on TCP port 389. An attacker who finds it open can use ldp.exe to create an authenticated session with the target using a known domain user account, a built-in account, or even a null session. This gives him the opportunity to enumerate all domain users and look for other vulnerabilities. It is a real threat when the default setting of clear-text authentication is left unchanged. Other things exposed under the default settings include X.500 naming, DNS names, internal IP addresses, the system time, etc.
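As an added example, not part of the original post, here is a small Python decoder for the LDAPv3 BindRequest that such a clear-text session sends over TCP port 389; a monitor watching that port can use it to flag null-session, Guest and other simple binds, which is what a defender wants to see before reviewing who is allowed to walk the directory. The encoder only exists to construct sample packets, and the Guest DN and password used with it are made-up values.

```python
from collections import namedtuple
# BER tags used by an LDAPv3 BindRequest (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x60, 0x80, 0xA3   # [APPLICATION 0], [0], [3]
BindInfo = namedtuple("BindInfo", "msg_id bind_dn method credential")  # credential = cleartext password for a simple bind

def _tlv(data: bytes, pos: int):
    """Decode one BER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _enc(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length only (enough for this example)"
    return bytes([tag, len(value)]) + value

def encode_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """Build the BindRequest that simple (cleartext) authentication puts on TCP/389 (constructed sample)."""
    body = (_enc(INTEGER, b"\x03") + _enc(OCTET_STRING, bind_dn.encode())
            + _enc(AUTH_SIMPLE, password.encode()))
    return _enc(SEQUENCE, _enc(INTEGER, bytes([msg_id])) + _enc(BIND_REQUEST, body))

def parse_bind(packet: bytes):
    """Return BindInfo for an LDAP BindRequest, or None for any other LDAP message."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = _tlv(msg, 0)
    if tag != INTEGER:
        return None
    tag, body, _ = _tlv(msg, pos)
    if tag != BIND_REQUEST:                 # e.g. a SearchRequest is [APPLICATION 3]
        return None
    _, _version, pos = _tlv(body, 0)
    _, dn, pos = _tlv(body, pos)
    atag, cred, _ = _tlv(body, pos)
    method = {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(atag, "unknown")
    return BindInfo(int.from_bytes(mid, "big"), dn.decode(), method, cred)

def classify(info: BindInfo) -> str:
    """Label a bind the way a monitor watching port 389 would report it."""
    if info.method != "simple":
        return "sasl bind (credentials not carried in the clear)"
    if not info.bind_dn and not info.credential:
        return "anonymous (null) bind"
    who = "Guest" if "cn=guest" in info.bind_dn.lower() else info.bind_dn
    return f"cleartext simple bind as {who}"
```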

The attacker runs Ldp.exe (found in the Support\Reskit\Netmgmt\Dstool folder on the Windows 2000 CD-ROM). He can also write a script and run it against the target machine. He connects to the target server and verifies that the port setting is 389. Once the connection is complete, server-specific data is displayed in the right pane.

This is sensitive material stored in a nicely centralized, organized, viewable container. For example, from here the attacker can list all domain controllers. Information such as the drive and path of the SYSVOL share on a particular domain controller will help an attacker place files he needs replicated across the domain. Once this information has been obtained, these servers can be targeted individually if desired, as they are all listed in DNS.

Countermeasure

Countermeasures include closing ports 389 and 3268 and upgrading all systems to Win2k before migrating to Active Directory.

Upgrading first allows the sysadmin to "set permissions compatibility with Win2k only" when the dcpromo installation screen offers the option of letting legacy servers perform lookups.

If the AD network is installed with permissions compatible with pre-Windows 2000 networks, it grants most of the enumeration options that were available on NT 4 networks once an attacker established a null or IPC$ connection. Such a connection lets an attacker gather information about users on the domain, including a listing of the services on the server, which ones are running, descriptions of those services, and several other things.

---

Amarjit Singh
