-
January 24th, 2010, 03:53 AM
#1
Member
LDAP probing
So I was reading a magazine (Hackinthebox), an article regarding LDAP, and it got me thinking: would it be possible to query an Active Directory domain anonymously? After a little search I found that it was not enabled by default in Windows 2003; well, actually you can get some info but not much. So if I was logged into the network with a domain account (just basic user level permissions), would I be able to perform an LDAP query requesting password hashes? I'm not at home to try on my test network. If I had to guess I would say that it's not possible to get the hashes but possibly other useful information for a pentester. Anyone know if it is possible to get the password hashes via this method?
-
January 24th, 2010, 02:18 PM
#2
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
January 25th, 2010, 04:43 AM
#3
Member
Thanks, but that's not really what I'm looking for. I was just wondering if it is possible to query the AD server and get password hashes for any user in the domain.
-
January 25th, 2010, 12:48 PM
#4
I found this when I googled "query the AD server and get password hashes" .....
http://searchenterprisedesktop.techt...192580,00.html
[edit=decided to comment further]
Thanks, but that's not really what i'm looking for
What he is really looking for Dinowuff, is for someone to give him the answer on a silver platter, only to find that he needs yet someone else to dish it up and serve.
[/edit]
CTO
Last edited by CybertecOne; January 25th, 2010 at 12:52 PM.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
January 25th, 2010, 02:38 PM
#5
Member
Originally Posted by CybertecOne
I found this when I googled "query the AD server and get password hashes" .....
http://searchenterprisedesktop.techt...192580,00.html
[edit=decided to comment further]
What he is really looking for Dinowuff, is for someone to give him the answer on a silver platter, only to find that he needs yet someone else to dish it up and serve.
[/edit]
CTO
Wow, some people here are .... won't finish that. Did you read the article? How about the first post? Because I couldn't find anything in the article useful to this post. I could be wrong (and have been wrong, I'm only human).
-
January 25th, 2010, 04:46 PM
#6
CTO You crack me up!
Keith:
The M$ link I gave you tells you where and how the HASHES are stored. The security levels and even the friggin registry key.
Yes you could use LDAP to find local copies of LM HASH; but why would you? If you're anonymous, you can't do anything with them.
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
January 27th, 2010, 02:26 AM
#7
Member
Well, I'm thinking if I was logged into a domain as just a normal user I could grab the password hashes along with the usernames and use some sort of pass the hash tool to escalate my permission to possibly a domain admin.
-
January 31st, 2010, 06:55 PM
#8
Sorry, work got in my way of surfing Pr0n and answering posts!
If you take a 2003 server CD and install it on a server, follow default prompts and then run the wizards to configure roles, a user with no domain admin rights can capture the hashes.
That being said, with metasploit and a few other tools, you can capture account information over the wire. You will also need a detailed understanding of TCP and http://web.mit.edu/Kerberos/
It is possible to craft a packet wrapper to force information about accounts and passwords to a dmp file. However, using this type of method you would need access to the local dmp file. And a real good understanding of dot net and c sharp. For windows that is.
LDAP. Probably not what I would use. LDAP will give you this as a regular user:
Code:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
not really anything useful
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
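Added example, not part of the thread or any poster's code: a short Python audit that parses LDIF output such as the entry in post #8 and reports which entries came back with a credential-bearing attribute. The attribute watch-list and the second sample entry are assumptions constructed for illustration.

```python
# Added example: flag credential-bearing attributes in LDIF output.
# Assumption: illustrative watch-list of password attributes; extend per schema.
SENSITIVE = {"userpassword", "unicodepwd", "dbcspwd", "ntpwdhistory",
             "lmpwdhistory", "supplementalcredentials"}
# Constructed sample: a shortened copy of the thread's entry plus a constructed
# second entry (placeholder base64 value) so the positive case is exercised.
SAMPLE_LDIF = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232

dn: cn=svc-backup,dc=example,dc=com
cn: svc-backup
userPassword:: Y29uc3RydWN0ZWQ=
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines, comments, '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                   # blank line ends the entry
            current = None
        elif line.startswith("#") or ":" not in line:
            continue
        else:
            attr, _, value = line.partition(":")
            value = value.lstrip(":<").strip() # '::' = base64 value, ':<' = URL
            if attr.lower() == "dn":
                current = {}
                entries.append((value, current))
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value)
    return entries

def audit(text):
    """Map each DN to the sensitive attributes returned for it."""
    found = {dn: sorted(a for a in attrs if a.split(";")[0] in SENSITIVE)
             for dn, attrs in parse_ldif(text)}
    return {dn: hits for dn, hits in found.items() if hits}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Run against an export taken with an ordinary user bind, an empty result means no watched attribute was returned to that account.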