
Thread: LDAP probing

  1. #1
    Member (joined Oct 2002, 52 posts)

    So I was reading a magazine (Hackinthebox), an article regarding LDAP, and it got me thinking: would it be possible to query an Active Directory domain anonymously? After a little search I found that it was not enabled by default in Windows 2003; well, actually you can get some info, but not much. So if I was logged into the network with a domain account (just basic user-level permissions), would I be able to perform an LDAP query requesting password hashes? I'm not at home to try on my test network. If I had to guess I would say that it's not possible to get the hashes, but possibly other useful information for a pentester. Anyone know if it is possible to get the password hashes via this method?

  2. #2
    dinowuff, THE Bastard Sys***** (joined Jun 2003, Third planet from the Sun, 1,253 posts)
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  3. #3
    Member (joined Oct 2002, 52 posts)
    Thanks, but that's not really what I'm looking for. I was just wondering if it is possible to query the AD server and get password hashes for any user in the domain.

  4. #4
    CybertecOne, Keeping The Balance (joined Aug 2004, Australia, 660 posts)
    I found this when I googled "query the AD server and get password hashes" .....

    http://searchenterprisedesktop.techt...192580,00.html

    [edit=decided to comment further]
    Thanks, but that's not really what i'm looking for
    What he is really looking for, Dinowuff, is for someone to give him the answer on a silver platter, only to find that he needs yet someone else to dish it up and serve.
    [/edit]


    CTO
    Last edited by CybertecOne; January 25th, 2010 at 12:52 PM.
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  5. #5
    Member (joined Oct 2002, 52 posts)
    Quote Originally Posted by CybertecOne:
    I found this when I googled "query the AD server and get password hashes" .....

    http://searchenterprisedesktop.techt...192580,00.html

    [edit=decided to comment further]

    What he is really looking for, Dinowuff, is for someone to give him the answer on a silver platter, only to find that he needs yet someone else to dish it up and serve.
    [/edit]

    CTO

    Wow, some people here are .... won't finish that. Did you read the article? How about the first post? Because I couldn't find anything in the article useful to this post. I could be wrong (and have been wrong, I'm only human).

  6. #6
    dinowuff, THE Bastard Sys***** (joined Jun 2003, Third planet from the Sun, 1,253 posts)
    CTO, you crack me up!

    Keith:

    The M$ link I gave you tells you where and how the HASHES are stored. The security levels and even the friggin registry key.

    Yes, you could use LDAP to find local copies of LM HASH; but why would you? If you're anonymous, you can't do anything with them.

  7. #7
    Member (joined Oct 2002, 52 posts)
    Well, I'm thinking if I was logged into a domain as just a normal user I could grab the password hashes along with the usernames and use some sort of pass-the-hash tool to escalate my permissions to possibly a domain admin.

  8. #8
    dinowuff, THE Bastard Sys***** (joined Jun 2003, Third planet from the Sun, 1,253 posts)
    Sorry, work got in the way of surfing Pr0n and answering posts!

    If you take a 2003 server CD and install it on a server, follow the default prompts and then run the wizards to configure roles, a user with no domain admin rights can capture the hashes.

    That being said, with Metasploit and a few other tools, you can capture account information over the wire. You will also need a detailed understanding of TCP and http://web.mit.edu/Kerberos/

    It is possible to craft a packet wrapper to force information about accounts and passwords to a dmp file. However, using this type of method you would need access to the local dmp file. And a real good understanding of .NET and C#. For Windows, that is.

    LDAP? Probably not what I would use. LDAP will give you this as a regular user:

    Code:
    dn: cn=John Doe,dc=example,dc=com
    cn: John Doe
    givenName: John
    sn: Doe
    telephoneNumber: +1 888 555 6789
    telephoneNumber: +1 888 555 1232
    mail: john@example.com
    manager: cn=Barbara Doe,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    Not really anything useful.

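An added example, not code from anyone in this thread. It takes the kind of LDIF dump an authenticated domain user can pull with ldapsearch or csvde (the sample below is constructed, and it goes beyond the inetOrgPerson entry above to the attributes AD user objects actually carry), parses it, decodes userAccountControl, and flags what a pentester can use: SPNs on user accounts (Kerberoastable), DONT_REQUIRE_PREAUTH (AS-REP roastable), PASSWD_NOTREQD, unconstrained delegation, and descriptions that look like they hold a password hint. It also checks for the password-bearing attributes (unicodePwd, dBCSPwd, ntPwdHistory, lmPwdHistory, supplementalCredentials): AD never returns those on an LDAP read, whatever the caller's rights, so the set is expected to be empty. The hashes only leave the DC through directory replication (which needs DS-Replication-Get-Changes rights) or from NTDS.dit itself. Flag values are the documented AD bit masks; the sample accounts and values are made up.

```python
"""Triage what LDAP hands an ordinary domain user: parse an LDIF dump of
AD user objects, decode userAccountControl, and flag what a pentester can
use, while confirming no password material came back.

Added example for this thread, not any poster's code. The LDIF below is
constructed; attribute names are real AD schema names, the values are made up.
"""
import base64
import re

# userAccountControl bits (documented AD values)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQUIRE_PREAUTH",
}

# Attributes that carry password hashes. AD never returns these on an LDAP
# read, whatever the caller's rights; they come out only through directory
# replication (DRSUAPI) or from NTDS.dit on the DC itself.
SECRET_ATTRS = {"unicodepwd", "dbcspwd", "ntpwdhistory",
                "lmpwdhistory", "supplementalcredentials"}

# Constructed sample dump in the shape ldapsearch/csvde produce.
SAMPLE_LDIF = """\
# Constructed sample, not a real directory
dn: CN=John Doe,CN=Users,DC=example,DC=com
cn: John Doe
sAMAccountName: jdoe
userAccountControl: 512
mail: john@example.com
objectClass: user

dn: CN=svc-sql,CN=Users,DC=example,DC=com
cn: svc-sql
sAMAccountName: svc-sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/db01.example.com:1433
description: SQL service account, pw set
  2009
objectClass: user

dn: CN=legacy,CN=Users,DC=example,DC=com
cn: legacy
sAMAccountName: legacy
userAccountControl: 4260384
objectClass: user
"""


def _unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each is {attribute_lowercase: [values...]}."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:      # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def decode_uac(value):
    """Names of the set userAccountControl flags we care about, sorted."""
    bits = int(value)
    return sorted(name for bit, name in UAC_FLAGS.items() if bits & bit)


def triage(entries):
    """Return (findings, leaked). findings maps sAMAccountName to notes for
    accounts worth a second look; leaked is the set of secret attribute
    names that turned up (expected to be empty over LDAP)."""
    findings, leaked = {}, set()
    for e in entries:
        leaked |= SECRET_ATTRS.intersection(e)
        sam = e.get("samaccountname", e.get("dn", ["<no dn>"]))[0]
        flags = decode_uac(e["useraccountcontrol"][0]) if "useraccountcontrol" in e else []
        notes = []
        # A user (not machine) account with an SPN can be Kerberoasted: any
        # domain user may request its service ticket and crack it offline.
        for spn in e.get("serviceprincipalname", []):
            if not sam.endswith("$"):
                notes.append(f"kerberoastable via SPN {spn}")
        if "DONT_REQUIRE_PREAUTH" in flags:
            notes.append("AS-REP roastable (no Kerberos preauth)")
        if "PASSWD_NOTREQD" in flags:
            notes.append("password not required")
        if "DONT_EXPIRE_PASSWORD" in flags:
            notes.append("password never expires")
        if "TRUSTED_FOR_DELEGATION" in flags:
            notes.append("unconstrained delegation")
        if "ACCOUNTDISABLE" in flags:
            notes.append("disabled")
        for desc in e.get("description", []):
            if re.search(r"\b(pw|pwd|pass|password)\b", desc, re.IGNORECASE):
                notes.append(f"description may hold a credential hint: {desc!r}")
        if notes:
            findings[sam] = notes
    return findings, leaked


if __name__ == "__main__":
    found, leaked = triage(parse_ldif(SAMPLE_LDIF))
    for sam, notes in found.items():
        print(f"{sam}: " + "; ".join(notes))
    print("password-hash attributes returned:", sorted(leaked) or "none")
```

Run it against a real dump by feeding the output of an authenticated ldapsearch (base DN of the domain, filter `(&(objectCategory=person)(objectClass=user))`) into `parse_ldif`; the `leaked` set stays empty on a real AD, which is the point of the thread, while `findings` is where the regular-user value of LDAP sits.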