January 24th, 2010, 02:53 AM
So i was reading a magazine (Hackinthebox) an article regarding LDAP and it got me thinking, would it be possible to query an Active directory domain anonymously? After a little search i found that it was not enabled by default in Windows 2003, well actually you can get some info but not much. So if i was logged into the network with a domain account (just basic user level permissions) would i be able to perform an LDAP query requesting password hashes? I'm not at home to try on my test network. If i had to guess i would say that it's not possible to get the hashes but possibly other useful information for a pentester. Anyone know if it is possible to get the password hashes via this method?
January 24th, 2010, 01:18 PM
January 25th, 2010, 03:43 AM
Thanks, but that's not really what i'm looking for. I was just wondering if it is possible to query the AD server and get password hashes for any user in the domain.
January 25th, 2010, 11:48 AM
I found this when I googled "query the AD server and get password hashes" .....
[edit=decided to comment further]
What he is really looking for Dinowuff, is for someone to give him the answer on a silver platter, only to find that he needs yet someone else to dish it up and serve.
Thanks, but that's not really what i'm looking for
Last edited by CybertecOne; January 25th, 2010 at 11:52 AM.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
January 25th, 2010, 01:38 PM
Wow, some people here are .... wont finish that. Did you read the article? How about the first post? Because i couldnt find anything in the article useful to this post? I could be wrong (and have been wrong, i'm only human).
Originally Posted by CybertecOne
January 25th, 2010, 03:46 PM
CTO You crack me up!
The M$ link I gave you tells you where and how the HASHES are stored. The security levels and even the friggin registry key.
Yes you could use LDAP to find local copies of LM HASH; but why would you? If you're anonymous, you cant do anything with them.
January 27th, 2010, 01:26 AM
Well i'm thinking if i was logged into a domain as just a normal user i could grab the password hashes along with the usernames and use some sort of pass the hash tool to escalate my permission to possibly a domain admin.
January 31st, 2010, 05:55 PM
Sorry, work got in my way of surfing Pr0n and answering posts!
If you take a 2003 server CD and install it on a server, follow default prompts and then run the wizards to configure roles, a user with no domain admin rights can capture the hashes.
That being said, with metasploit and a few other tools, you can capture account information over the wire. You will also need a detailed understanding of TCP and http://web.mit.edu/Kerberos/
It is possible to craft a packet wrapper to force information about accounts and passwords to a dmp file. However, using this type of method you would need access to the local dmp file. And a real good understanding of dot net and c sharp. For windows that is.
LDAP. Probably not the what I would use. LDAP will give you this as a regular user
not really anything useful
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
manager: cn=Barbara Doe,dc=example,dc=com
By heatwave in forum AntiOnline's General Chit Chat
Last Post: October 12th, 2012, 08:53 AM
By killerbeesateme in forum *nix Security Discussions
Last Post: April 17th, 2006, 09:09 PM
By thwhomp in forum IDS & Scanner Discussions
Last Post: May 5th, 2005, 08:30 PM
By thehorse13 in forum The Security Tutorials Forum
Last Post: June 2nd, 2004, 05:59 PM
By jonathans_daddy in forum Web Security
Last Post: May 4th, 2004, 04:50 AM