Enumerating Users with ldapsearch and enum4linux - Anonymously

If you are doing your recon from Windows, use an LDAP tool to take an anonymous or credentialed LDAP data dump; on Kali, use ldapsearch as shown below:

Add north.newyork.local to your hosts file:

sudo nano /etc/hosts
# Host addresses
127.0.0.1  localhost
127.0.1.1  parrot
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
192.168.56.11 north.newyork.local

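# Others

Then query the DC's rootDSE with an anonymous simple bind (-x with no bind DN, an empty search base and base scope):

ldapsearch -LLL -x -H ldap://north.newyork.local -b '' -s base '(objectclass=*)'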

enum4linux

We can also confirm the anonymous listing on the NORTH DC with enum4linux.

enum4linux 192.168.56.11
┌─[jefe@parrot]─[~]
└──╼ $enum4linux 192.168.56.11
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Feb 17 08:43:09 2023

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.56.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =====================================================
|    Enumerating Workgroup/Domain on 192.168.56.11    |
 =====================================================
[+] Got domain/workgroup name: NORTH

 =============================================
|    Nbtstat Information for 192.168.56.11    |
 =============================================
Looking up status of 192.168.56.11
        BRONX           <20> -         B <ACTIVE>  File Server Service
        BRONX           <00> -         B <ACTIVE>  Workstation Service
        NORTH           <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        NORTH           <1c> - <GROUP> B <ACTIVE>  Domain Controllers
        NORTH           <1b> -         B <ACTIVE>  Domain Master Browser

        MAC Address = 08-00-27-21-3D-50

 ======================================
|    Session Check on 192.168.56.11    |
 ======================================
[+] Server 192.168.56.11 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 192.168.56.11    |
 ============================================
Domain Name: NORTH
Domain Sid: S-1-5-21-3479418675-758175455-2935469610
[+] Host is part of a domain (not a workgroup)

 =======================================
|    OS information on 192.168.56.11    |
 =======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.56.11 from smbclient:
[+] Got OS info for 192.168.56.11 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ==============================
|    Users on 192.168.56.11    |
 ==============================
index: 0x18a7 RID: 0x45a acb: 0x00000210 Account: alejandro.Rodriguez   Name: (null)    Desc: alejandro rodriguez
index: 0x18a8 RID: 0x45b acb: 0x00010210 Account: claudio.Ortiz Name: (null)    Desc: claudio ortiz
index: 0x18af RID: 0x45e acb: 0x00040210 Account: elena.Lopez   Name: (null)    Desc: elena lopez
index: 0x16f5 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x18b3 RID: 0x460 acb: 0x00000210 Account: joel.exposito Name: (null)    Desc: joel exposito
index: 0x18b0 RID: 0x45f acb: 0x00000210 Account: miguel.Cabrera        Name: (null)    Desc: miguel cabrera (Password : IloveBaseball)
index: 0x18a0 RID: 0x456 acb: 0x00000210 Account: pablo.Sandoval        Name: (null)    Desc: pablo sandoval
index: 0x18ac RID: 0x45d acb: 0x00000210 Account: pacofish      Name: (null)    Desc: Good food
index: 0x18ab RID: 0x45c acb: 0x00000210 Account: salvador.Aguilar      Name: (null)    Desc: salvador aguilar
index: 0x18b4 RID: 0x461 acb: 0x00000210 Account: sql_svc       Name: (null)    Desc: sql service maybe

user:[Guest] rid:[0x1f5]
user:[pablo.Sandoval] rid:[0x456]
user:[alejandro.Rodriguez] rid:[0x45a]
user:[claudio.Ortiz] rid:[0x45b]
user:[salvador.Aguilar] rid:[0x45c]
user:[pacofish] rid:[0x45d]
user:[elena.Lopez] rid:[0x45e]
user:[miguel.Cabrera] rid:[0x45f]
user:[joel.exposito] rid:[0x460]
user:[sql_svc] rid:[0x461]

 ==========================================
|    Share Enumeration on 192.168.56.11    |
 ==========================================

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.56.11

 =====================================================
|    Password Policy Information for 192.168.56.11    |
 =====================================================


[+] Attaching to 192.168.56.11 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:192.168.56.11)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

        [+] NORTH
        [+] Builtin

[+] Password Info for Domain: NORTH

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 311 days 2 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 5 minutes
        [+] Locked Account Duration: 5 minutes
        [+] Account Lockout Threshold: 5
        [+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ===============================
|    Groups on 192.168.56.11    |
 ===============================

[+] Getting builtin groups:
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]

[+] Getting builtin group memberships:
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
Group 'Remote Desktop Users' (RID: 555) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[NorthMultiDom] rid:[0x455]

[+] Getting local group memberships:
Group 'NorthMultiDom' (RID: 1109) has member: Couldn't lookup SIDs
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs

[+] Getting domain groups:
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[DnsUpdateProxy] rid:[0x44f]
group:[North] rid:[0x452]
group:[Patrol] rid:[0x453]
group:[NorthManager] rid:[0x454]

[+] Getting domain group memberships:
Group 'North' (RID: 1106) has member: NORTH\pablo.Sandoval
Group 'North' (RID: 1106) has member: NORTH\fernando.Alonzo
Group 'North' (RID: 1106) has member: NORTH\valentino.alcantara
Group 'North' (RID: 1106) has member: NORTH\matias.Almonte
Group 'North' (RID: 1106) has member: NORTH\alejandro.Rodriguez
Group 'North' (RID: 1106) has member: NORTH\claudio.Ortiz
Group 'North' (RID: 1106) has member: NORTH\salvador.Aguilar
Group 'North' (RID: 1106) has member: NORTH\pacofish
Group 'North' (RID: 1106) has member: NORTH\elena.Lopez
Group 'Patrol' (RID: 1107) has member: NORTH\elena.Lopez
Group 'Patrol' (RID: 1107) has member: NORTH\miguel.Cabrera
Group 'Patrol' (RID: 1107) has member: NORTH\joel.exposito
Group 'Domain Guests' (RID: 514) has member: NORTH\Guest
Group 'Domain Computers' (RID: 515) has member: NORTH\YONKERS$
Group 'Domain Users' (RID: 513) has member: NORTH\Administrator
Group 'Domain Users' (RID: 513) has member: NORTH\vagrant
Group 'Domain Users' (RID: 513) has member: NORTH\krbtgt
Group 'Domain Users' (RID: 513) has member: NORTH\newyork$
Group 'Domain Users' (RID: 513) has member: NORTH\pablo.Sandoval
Group 'Domain Users' (RID: 513) has member: NORTH\fernando.Alonzo
Group 'Domain Users' (RID: 513) has member: NORTH\valentino.alcantara
Group 'Domain Users' (RID: 513) has member: NORTH\matias.Almonte
Group 'Domain Users' (RID: 513) has member: NORTH\alejandro.Rodriguez
Group 'Domain Users' (RID: 513) has member: NORTH\claudio.Ortiz
Group 'Domain Users' (RID: 513) has member: NORTH\salvador.Aguilar
Group 'Domain Users' (RID: 513) has member: NORTH\pacofish
Group 'Domain Users' (RID: 513) has member: NORTH\elena.Lopez
Group 'Domain Users' (RID: 513) has member: NORTH\miguel.Cabrera
Group 'Domain Users' (RID: 513) has member: NORTH\joel.exposito
Group 'Domain Users' (RID: 513) has member: NORTH\sql_svc
Group 'Group Policy Creator Owners' (RID: 520) has member: NORTH\Administrator
Group 'NorthManager' (RID: 1108) has member: NORTH\joel.exposito

 ========================================================================
|    Users on 192.168.56.11 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ==============================================
|    Getting printer info for 192.168.56.11    |
 ==============================================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Fri Feb 17 08:43:11 2023
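
As an added example (not part of the original write-up or of enum4linux), the user listing above can be read as an audit finding: the script decodes each acb account-control value using the MS-SAMR USER_ACCOUNT flag bits and reports descriptions that contain credential-like text without echoing the secret. The sample lines are copied from the output above; the function and variable names are assumptions.

```python
import re

# Constructed sample: four lines copied from the "Users on 192.168.56.11" listing above.
SAMPLE = """\
index: 0x18a8 RID: 0x45b acb: 0x00010210 Account: claudio.Ortiz Name: (null)    Desc: claudio ortiz
index: 0x18af RID: 0x45e acb: 0x00040210 Account: elena.Lopez   Name: (null)    Desc: elena lopez
index: 0x16f5 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x18b0 RID: 0x45f acb: 0x00000210 Account: miguel.Cabrera        Name: (null)    Desc: miguel cabrera (Password : IloveBaseball)
"""

# Account-control (acb) bits worth reviewing, per the MS-SAMR USER_ACCOUNT flags.
REVIEW_BITS = {
    0x00000004: "password not required",
    0x00000200: "password never expires",
    0x00000800: "reversibly encrypted password allowed",
    0x00002000: "trusted for delegation",
    0x00008000: "DES-only Kerberos keys",
    0x00010000: "Kerberos pre-authentication not required",
    0x00040000: "trusted to authenticate for delegation",
}
ACB_DISABLED = 0x00000001

LINE = re.compile(r"RID: (0x[0-9a-fA-F]+) acb: (0x[0-9a-fA-F]+) "
                  r"Account: (.+?)\s+Name: .*?\s+Desc: (.*)$")
# Description text that looks like a stored credential, e.g. "password : ..." or "pwd=...".
SECRET = re.compile(r"\b(pass(word)?|pwd)\b\s*[:=]", re.IGNORECASE)


def audit_users(text):
    """Return {account: {"rid", "disabled", "issues"}} for each parsed user line."""
    report = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # banners, blank lines, other enum4linux sections
        acb = int(m[2], 16)
        issues = [label for bit, label in REVIEW_BITS.items() if acb & bit]
        if SECRET.search(m[4]):
            # Report the finding only; never copy the secret into the report.
            issues.append("credential-like text in description")
        report[m[3]] = {"rid": int(m[1], 16),
                        "disabled": bool(acb & ACB_DISABLED),
                        "issues": issues}
    return report


if __name__ == "__main__":
    for account, info in audit_users(SAMPLE).items():
        state = "disabled" if info["disabled"] else "enabled"
        print(f"{account} (RID {info['rid']}, {state}): {'; '.join(info['issues'])}")
```

Feed it the full enum4linux output from a scheduled self-assessment; every account it lists is one whose attributes were readable over a null session.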
