harmandeep (Member) – Jan 31, 2015 at 9:46 am #164840
Whilst trying to understand the functionality of the “BUILTIN\Pre-Windows 2000 Compatible Access” group, I was able to enumerate a specific set of information ANONYMOUSLY when using certain APIs like the SAMR named pipe over SMB, detailed HERE. The tool I used to enumerate information anonymously from AD using a NULL session is called SuperScan.
The key in this first scenario is to add the special identity “NT AUTHORITY\ANONYMOUS LOGON” to the “BUILTIN\Pre-Windows 2000 Compatible Access” group and use software which uses the noted APIs to query/enumerate information.
If we look at the default security descriptor of the domain, we can see the Pre-Windows 2000 group is present with some pre-defined level of granted rights (refer to the first image pasted below).
Now I continue with the second scenario, where I try to enumerate information anonymously but using LDAP/LDP.exe.
Now by default with Windows Server 2003, an anonymous LDAP bind operation isn’t permitted unless this behavior has been explicitly overridden using the DsHeuristics attribute. As per THIS Petri article, the author indeed changed the noted attribute value, but he also changed the security descriptor of the targeted containers (in the author’s case – SENECA) to allow “NT AUTHORITY\Anonymous Logon” List Contents and Read permission!
Now if we don’t add and grant rights to “NT AUTHORITY\Anonymous Logon” for the given container/object, then we won’t be able to search/browse information anonymously using LDP.exe, and this is the part that confuses me.
If I look at the default ACL of the domain object, we see that by default multiple permissions, including List Contents and Read, exist for the “BUILTIN\Pre-Windows 2000 Compatible Access” group, applied recursively (This Object and all child Objects), as shown in the attachment.
Now if I have already added “NT AUTHORITY\ANONYMOUS LOGON” to the “BUILTIN\Pre-Windows 2000 Compatible Access” group, then “NT AUTHORITY\Anonymous Logon” should automatically possess all of the rights held by the “BUILTIN\Pre-Windows 2000 Compatible Access” group, and I should be able to view information anonymously using a simple LDAP bind, but indeed it’s NOT! Please correct me if I am wrong here.
I am trying to enumerate information under the USERS container anonymously.
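An added read-only audit check, not part of the original post, for the settings the post combines: membership of ANONYMOUS LOGON (well-known SID S-1-5-7) in Pre-Windows 2000 Compatible Access (well-known SID S-1-5-32-554), the 7th character of dsHeuristics (the fLDAPBlockAnonOps position, where 2 permits anonymous LDAP operations), and explicit ACEs for ANONYMOUS LOGON on the domain object. It assumes the ActiveDirectory RSAT module in an authenticated, domain-joined session; the function name is hypothetical.

```powershell
# Added audit example (not from the forum post). Requires the ActiveDirectory
# RSAT module and an authenticated, domain-joined session. Read-only.
Import-Module ActiveDirectory

function Get-AnonymousLdapExposure {
    $rootDse  = Get-ADRootDSE
    $domainDn = $rootDse.defaultNamingContext

    # 1. Pre-Windows 2000 Compatible Access (well-known SID S-1-5-32-554).
    #    ANONYMOUS LOGON (S-1-5-7) appears in the member attribute as a foreign
    #    security principal, so inspect the raw DNs instead of resolving them.
    $preWin2k   = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    $anonMember = [bool]($preWin2k.member |
        Where-Object { $_ -like 'CN=S-1-5-7,CN=ForeignSecurityPrincipals,*' })

    # 2. dsHeuristics on the Directory Service object. The 7th character
    #    (fLDAPBlockAnonOps) set to 2 permits anonymous LDAP operations
    #    beyond the rootDSE; anything else keeps the default block.
    $dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $dsObj  = Get-ADObject -Identity $dsPath -Properties dsHeuristics
    $heur   = [string]$dsObj.dsHeuristics
    $anonLdapAllowed = ($heur.Length -ge 7) -and ($heur[6] -eq '2')

    # 3. Explicit ACEs for ANONYMOUS LOGON on the domain object itself
    #    (the AD: drive is provided by the ActiveDirectory module).
    $acl      = Get-Acl -Path "AD:\$domainDn"
    $anonAces = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\ANONYMOUS LOGON' })

    [pscustomobject]@{
        Domain                          = $domainDn
        AnonymousInPreWin2kGroup        = $anonMember
        DsHeuristics                    = $heur
        DsHeuristicsAllowsAnonymousLdap = $anonLdapAllowed
        ExplicitAnonymousAcesOnDomain   = $anonAces.Count
        # Anonymous LDAP browsing needs both the heuristic and some grant,
        # whether via the group or an explicit ACE.
        Exposed = $anonLdapAllowed -and ($anonMember -or $anonAces.Count -gt 0)
    }
}

Get-AnonymousLdapExposure | Format-List
```

A result with `DsHeuristicsAllowsAnonymousLdap` false explains the behaviour described in the post: group membership alone does not open anonymous LDAP, because the bind is refused before any ACL is evaluated.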