Enumerating Users with ldapsearch and enum4linux - Anonymously
If you are doing your recon from Windows, use an LDAP tool to perform an anonymous or credentialed LDAP data dump; on Kali, use ldapsearch as shown below:
Add north.newyork.local to your hosts file:
sudo nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 parrot
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.11 north.newyork.local
# Others
ldapsearch -LLL -x -H ldap://north.newyork.local -b '' -s base '(objectclass=*)'
We can also confirm the anonymous listing on the NORTH DC with enum4linux.
enum4linux 192.168.56.11
┌─[jefe@parrot]─[~]
└──╼ $enum4linux 192.168.56.11
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Feb 17 08:43:09 2023
==========================
| Target Information |
==========================
Target ........... 192.168.56.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.168.56.11 |
=====================================================
[+] Got domain/workgroup name: NORTH
=============================================
| Nbtstat Information for 192.168.56.11 |
=============================================
Looking up status of 192.168.56.11
BRONX <20> - B <ACTIVE> File Server Service
BRONX <00> - B <ACTIVE> Workstation Service
NORTH <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
NORTH <1c> - <GROUP> B <ACTIVE> Domain Controllers
NORTH <1b> - B <ACTIVE> Domain Master Browser
MAC Address = 08-00-27-21-3D-50
======================================
| Session Check on 192.168.56.11 |
======================================
[+] Server 192.168.56.11 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.168.56.11 |
============================================
Domain Name: NORTH
Domain Sid: S-1-5-21-3479418675-758175455-2935469610
[+] Host is part of a domain (not a workgroup)
=======================================
| OS information on 192.168.56.11 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.56.11 from smbclient:
[+] Got OS info for 192.168.56.11 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
==============================
| Users on 192.168.56.11 |
==============================
index: 0x18a7 RID: 0x45a acb: 0x00000210 Account: alejandro.Rodriguez Name: (null) Desc: alejandro rodriguez
index: 0x18a8 RID: 0x45b acb: 0x00010210 Account: claudio.Ortiz Name: (null) Desc: claudio ortiz
index: 0x18af RID: 0x45e acb: 0x00040210 Account: elena.Lopez Name: (null) Desc: elena lopez
index: 0x16f5 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x18b3 RID: 0x460 acb: 0x00000210 Account: joel.exposito Name: (null) Desc: joel exposito
index: 0x18b0 RID: 0x45f acb: 0x00000210 Account: miguel.Cabrera Name: (null) Desc: miguel cabrera (Password : IloveBaseball)
index: 0x18a0 RID: 0x456 acb: 0x00000210 Account: pablo.Sandoval Name: (null) Desc: pablo sandoval
index: 0x18ac RID: 0x45d acb: 0x00000210 Account: pacofish Name: (null) Desc: Good food
index: 0x18ab RID: 0x45c acb: 0x00000210 Account: salvador.Aguilar Name: (null) Desc: salvador aguilar
index: 0x18b4 RID: 0x461 acb: 0x00000210 Account: sql_svc Name: (null) Desc: sql service maybe
user:[Guest] rid:[0x1f5]
user:[pablo.Sandoval] rid:[0x456]
user:[alejandro.Rodriguez] rid:[0x45a]
user:[claudio.Ortiz] rid:[0x45b]
user:[salvador.Aguilar] rid:[0x45c]
user:[pacofish] rid:[0x45d]
user:[elena.Lopez] rid:[0x45e]
user:[miguel.Cabrera] rid:[0x45f]
user:[joel.exposito] rid:[0x460]
user:[sql_svc] rid:[0x461]
==========================================
| Share Enumeration on 192.168.56.11 |
==========================================
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 192.168.56.11
=====================================================
| Password Policy Information for 192.168.56.11 |
=====================================================
[+] Attaching to 192.168.56.11 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.56.11)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] NORTH
[+] Builtin
[+] Password Info for Domain: NORTH
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 311 days 2 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 5 minutes
[+] Locked Account Duration: 5 minutes
[+] Account Lockout Threshold: 5
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
===============================
| Groups on 192.168.56.11 |
===============================
[+] Getting builtin groups:
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
[+] Getting builtin group memberships:
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
Group 'Remote Desktop Users' (RID: 555) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[NorthMultiDom] rid:[0x455]
[+] Getting local group memberships:
Group 'NorthMultiDom' (RID: 1109) has member: Couldn't lookup SIDs
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[DnsUpdateProxy] rid:[0x44f]
group:[North] rid:[0x452]
group:[Patrol] rid:[0x453]
group:[NorthManager] rid:[0x454]
[+] Getting domain group memberships:
Group 'North' (RID: 1106) has member: NORTH\pablo.Sandoval
Group 'North' (RID: 1106) has member: NORTH\fernando.Alonzo
Group 'North' (RID: 1106) has member: NORTH\valentino.alcantara
Group 'North' (RID: 1106) has member: NORTH\matias.Almonte
Group 'North' (RID: 1106) has member: NORTH\alejandro.Rodriguez
Group 'North' (RID: 1106) has member: NORTH\claudio.Ortiz
Group 'North' (RID: 1106) has member: NORTH\salvador.Aguilar
Group 'North' (RID: 1106) has member: NORTH\pacofish
Group 'North' (RID: 1106) has member: NORTH\elena.Lopez
Group 'Patrol' (RID: 1107) has member: NORTH\elena.Lopez
Group 'Patrol' (RID: 1107) has member: NORTH\miguel.Cabrera
Group 'Patrol' (RID: 1107) has member: NORTH\joel.exposito
Group 'Domain Guests' (RID: 514) has member: NORTH\Guest
Group 'Domain Computers' (RID: 515) has member: NORTH\YONKERS$
Group 'Domain Users' (RID: 513) has member: NORTH\Administrator
Group 'Domain Users' (RID: 513) has member: NORTH\vagrant
Group 'Domain Users' (RID: 513) has member: NORTH\krbtgt
Group 'Domain Users' (RID: 513) has member: NORTH\newyork$
Group 'Domain Users' (RID: 513) has member: NORTH\pablo.Sandoval
Group 'Domain Users' (RID: 513) has member: NORTH\fernando.Alonzo
Group 'Domain Users' (RID: 513) has member: NORTH\valentino.alcantara
Group 'Domain Users' (RID: 513) has member: NORTH\matias.Almonte
Group 'Domain Users' (RID: 513) has member: NORTH\alejandro.Rodriguez
Group 'Domain Users' (RID: 513) has member: NORTH\claudio.Ortiz
Group 'Domain Users' (RID: 513) has member: NORTH\salvador.Aguilar
Group 'Domain Users' (RID: 513) has member: NORTH\pacofish
Group 'Domain Users' (RID: 513) has member: NORTH\elena.Lopez
Group 'Domain Users' (RID: 513) has member: NORTH\miguel.Cabrera
Group 'Domain Users' (RID: 513) has member: NORTH\joel.exposito
Group 'Domain Users' (RID: 513) has member: NORTH\sql_svc
Group 'Group Policy Creator Owners' (RID: 520) has member: NORTH\Administrator
Group 'NorthManager' (RID: 1108) has member: NORTH\joel.exposito
========================================================================
| Users on 192.168.56.11 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================================
| Getting printer info for 192.168.56.11 |
==============================================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Fri Feb 17 08:43:11 2023
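To turn a run like the one above into remediation items, the following added example (not part of the original page and not part of enum4linux) parses the report text and lists what an unauthenticated session was able to read: the null session itself, credentials left in description fields, account-control bits, and password-policy gaps. The `audit` function, the finding names and the 14-character baseline are assumptions made for this illustration; the sample lines are copied from the output above.

```python
import re

# Constructed sample: a few lines copied from the enum4linux run shown on this page.
SAMPLE = """\
[+] Server 192.168.56.11 allows sessions using username '', password ''
index: 0x18a8 RID: 0x45b acb: 0x00010210 Account: claudio.Ortiz Name: (null) Desc: claudio ortiz
index: 0x16f5 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x18b0 RID: 0x45f acb: 0x00000210 Account: miguel.Cabrera Name: (null) Desc: miguel cabrera (Password : IloveBaseball)
[+] Minimum password length: 5
[+] Password history length: None
[+] Domain Password Complex: 0
[+] Account Lockout Threshold: 5
"""

# SAMR account-control bits (names follow Samba's samr.idl); hygiene-relevant subset.
ACB_FLAGS = {0x0004: "PWNOTREQ", 0x0200: "PWNOEXP", 0x10000: "DONT_REQUIRE_PREAUTH"}
USER_RE = re.compile(r"acb:\s+(0x[0-9a-fA-F]+)\s+Account:\s+(\S+)\s+Name:.*?Desc:\s*(.*)")
SECRET_RE = re.compile(r"\b(?:password|passwd|pwd|pass)\b\s*[:=]", re.I)
MIN_LEN_RE = re.compile(r"Minimum password length: (\d+)", re.I)
BASELINE_MIN_LEN = 14  # assumed organisational baseline, not a value from the page


def audit(report, baseline_len=BASELINE_MIN_LEN):
    """Return (finding, subject) pairs for data an unauthenticated client could read."""
    findings = []
    for line in report.splitlines():
        if "allows sessions using username ''" in line:
            findings.append(("null-session-allowed", "server"))
        if "Domain Password Complex: 0" in line:
            findings.append(("complexity-disabled", "policy"))
        if "Password history length: None" in line:
            findings.append(("no-password-history", "policy"))
        m = MIN_LEN_RE.search(line)
        if m and int(m.group(1)) < baseline_len:
            findings.append((f"min-length-{m.group(1)}", "policy"))
        m = USER_RE.search(line)
        if not m:
            continue
        acb, account, desc = int(m.group(1), 16), m.group(2), m.group(3)
        if SECRET_RE.search(desc):  # report the account only, never echo the secret
            findings.append(("credential-in-description", account))
        findings += [(name, account) for bit, name in ACB_FLAGS.items() if acb & bit]
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE):
        print(f"{subject:16} {finding}")
```

Feed it the saved text of a full run (for example `audit(open("enum4linux.txt").read())`, where the file name is a placeholder) to get the same list for every account in the report.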