Enumerating User with Ldapsearch and enum4linux - Anonymously

If you are using Windows for your recon, use LDAP tool to do Anonymous/Credentialed LDAP data dump or use ldapsearch in kali as mentioned below:

Add north.newyork.local to your host file:

sudo nano /etc/hosts
# Host addresses
127.0.0.1  localhost
127.0.1.1  parrot
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
192.168.56.11 north.newyork.local

# Others

ldapsearch -LLL -x -H ldap://north.newyork.local -b '' -s base '(objectclass=*)'

Enum4linux

We can confirm the anonymous listing on the NORTH DC also with Enum4linux.

enum4linux 192.168.56.11

┌─[jefe@parrot]─[~]
└──╼ $enum4linux 192.168.56.11
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Feb 17 08:43:09 2023

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.56.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =====================================================
|    Enumerating Workgroup/Domain on 192.168.56.11    |
 =====================================================
[+] Got domain/workgroup name: NORTH

 =============================================
|    Nbtstat Information for 192.168.56.11    |
 =============================================
Looking up status of 192.168.56.11
        BRONX           <20> -         B <ACTIVE>  File Server Service
        BRONX           <00> -         B <ACTIVE>  Workstation Service
        NORTH           <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        NORTH           <1c> - <GROUP> B <ACTIVE>  Domain Controllers
        NORTH           <1b> -         B <ACTIVE>  Domain Master Browser

        MAC Address = 08-00-27-21-3D-50

 ======================================
|    Session Check on 192.168.56.11    |
 ======================================
[+] Server 192.168.56.11 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 192.168.56.11    |
 ============================================
Domain Name: NORTH
Domain Sid: S-1-5-21-3479418675-758175455-2935469610
[+] Host is part of a domain (not a workgroup)

 =======================================
|    OS information on 192.168.56.11    |
 =======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.56.11 from smbclient:
[+] Got OS info for 192.168.56.11 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ==============================
|    Users on 192.168.56.11    |
 ==============================
index: 0x18a7 RID: 0x45a acb: 0x00000210 Account: alejandro.Rodriguez   Name: (null)    Desc: alejandro rodriguez
index: 0x18a8 RID: 0x45b acb: 0x00010210 Account: claudio.Ortiz Name: (null)    Desc: claudio ortiz
index: 0x18af RID: 0x45e acb: 0x00040210 Account: elena.Lopez   Name: (null)    Desc: elena lopez
index: 0x16f5 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x18b3 RID: 0x460 acb: 0x00000210 Account: joel.exposito Name: (null)    Desc: joel exposito
index: 0x18b0 RID: 0x45f acb: 0x00000210 Account: miguel.Cabrera        Name: (null)    Desc: miguel cabrera (Password : IloveBaseball)
index: 0x18a0 RID: 0x456 acb: 0x00000210 Account: pablo.Sandoval        Name: (null)    Desc: pablo sandoval
index: 0x18ac RID: 0x45d acb: 0x00000210 Account: pacofish      Name: (null)    Desc: Good food
index: 0x18ab RID: 0x45c acb: 0x00000210 Account: salvador.Aguilar      Name: (null)    Desc: salvador aguilar
index: 0x18b4 RID: 0x461 acb: 0x00000210 Account: sql_svc       Name: (null)    Desc: sql service maybe

user:[Guest] rid:[0x1f5]
user:[pablo.Sandoval] rid:[0x456]
user:[alejandro.Rodriguez] rid:[0x45a]
user:[claudio.Ortiz] rid:[0x45b]
user:[salvador.Aguilar] rid:[0x45c]
user:[pacofish] rid:[0x45d]
user:[elena.Lopez] rid:[0x45e]
user:[miguel.Cabrera] rid:[0x45f]
user:[joel.exposito] rid:[0x460]
user:[sql_svc] rid:[0x461]

 ==========================================
|    Share Enumeration on 192.168.56.11    |
 ==========================================

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.56.11

 =====================================================
|    Password Policy Information for 192.168.56.11    |
 =====================================================


[+] Attaching to 192.168.56.11 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:192.168.56.11)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

        [+] NORTH
        [+] Builtin

[+] Password Info for Domain: NORTH

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 311 days 2 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 5 minutes
        [+] Locked Account Duration: 5 minutes
        [+] Account Lockout Threshold: 5
        [+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ===============================
|    Groups on 192.168.56.11    |
 ===============================

[+] Getting builtin groups:
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]

[+] Getting builtin group memberships:
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
Group 'Remote Desktop Users' (RID: 555) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[NorthMultiDom] rid:[0x455]

[+] Getting local group memberships:
Group 'NorthMultiDom' (RID: 1109) has member: Couldn't lookup SIDs
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs

[+] Getting domain groups:
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[DnsUpdateProxy] rid:[0x44f]
group:[North] rid:[0x452]
group:[Patrol] rid:[0x453]
group:[NorthManager] rid:[0x454]

[+] Getting domain group memberships:
Group 'North' (RID: 1106) has member: NORTH\pablo.Sandoval
Group 'North' (RID: 1106) has member: NORTH\fernando.Alonzo
Group 'North' (RID: 1106) has member: NORTH\valentino.alcantara
Group 'North' (RID: 1106) has member: NORTH\matias.Almonte
Group 'North' (RID: 1106) has member: NORTH\alejandro.Rodriguez
Group 'North' (RID: 1106) has member: NORTH\claudio.Ortiz
Group 'North' (RID: 1106) has member: NORTH\salvador.Aguilar
Group 'North' (RID: 1106) has member: NORTH\pacofish
Group 'North' (RID: 1106) has member: NORTH\elena.Lopez
Group 'Patrol' (RID: 1107) has member: NORTH\elena.Lopez
Group 'Patrol' (RID: 1107) has member: NORTH\miguel.Cabrera
Group 'Patrol' (RID: 1107) has member: NORTH\joel.exposito
Group 'Domain Guests' (RID: 514) has member: NORTH\Guest
Group 'Domain Computers' (RID: 515) has member: NORTH\YONKERS$
Group 'Domain Users' (RID: 513) has member: NORTH\Administrator
Group 'Domain Users' (RID: 513) has member: NORTH\vagrant
Group 'Domain Users' (RID: 513) has member: NORTH\krbtgt
Group 'Domain Users' (RID: 513) has member: NORTH\newyork$
Group 'Domain Users' (RID: 513) has member: NORTH\pablo.Sandoval
Group 'Domain Users' (RID: 513) has member: NORTH\fernando.Alonzo
Group 'Domain Users' (RID: 513) has member: NORTH\valentino.alcantara
Group 'Domain Users' (RID: 513) has member: NORTH\matias.Almonte
Group 'Domain Users' (RID: 513) has member: NORTH\alejandro.Rodriguez
Group 'Domain Users' (RID: 513) has member: NORTH\claudio.Ortiz
Group 'Domain Users' (RID: 513) has member: NORTH\salvador.Aguilar
Group 'Domain Users' (RID: 513) has member: NORTH\pacofish
Group 'Domain Users' (RID: 513) has member: NORTH\elena.Lopez
Group 'Domain Users' (RID: 513) has member: NORTH\miguel.Cabrera
Group 'Domain Users' (RID: 513) has member: NORTH\joel.exposito
Group 'Domain Users' (RID: 513) has member: NORTH\sql_svc
Group 'Group Policy Creator Owners' (RID: 520) has member: NORTH\Administrator
Group 'NorthManager' (RID: 1108) has member: NORTH\joel.exposito

 ========================================================================
|    Users on 192.168.56.11 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ==============================================
|    Getting printer info for 192.168.56.11    |
 ==============================================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Fri Feb 17 08:43:11 2023

PreviousEnumerate Users Anonymously - RPC NextEnumerate Guest Access on Shares - CME

Last updated 2 years ago