Thread: Discovering Active Directory users with blank passwords

Discovering Active Directory users with blank passwords
2007-04-02 11:43:28
Is there a way to discover Active Directory users with blank passwords if I have domain admin privileges and local access to my domain controllers?

Best Regards,
Igor

RE: Discovering Active Directory users with blank passwords
2007-04-02 14:51:05
Which version of Windows Server are you running??
RE: Discovering Active Directory users with blank passwords
2007-04-02 14:55:52
Dump the SAM file (use pwdump) and run a cracker. The most simplistic settings on any cracker will show the blank passwords immediately.

Regards,
Jeff
Re: Discovering Active Directory users with blank passwords
2007-04-02 13:46:28
Active Directory will allow you to write a query.

On 2 Apr 2007 16:43:28 -0000, igor.mamuzic koncar-inem.hr <igor.mamuzic koncar-inem.hr> wrote:
> Is there a way to discover Active Directory users with blank passwords if I
> have domain admin privileges and local access to my domain controllers?
>
> Best Regards,
> Igor
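One way to write that query, added here as an example and not part of the thread: the PowerShell below lists enabled user accounts whose userAccountControl carries the PASSWD_NOTREQD bit (0x0020), the flag that exempts an account from the minimum-password-length policy and so allows it to be given an empty password. It uses the built-in [adsisearcher] accelerator and the LDAP bit-AND matching rule 1.2.840.113556.1.4.803, and assumes only a domain-joined host (no RSAT module). Note the limit of what it proves: the bit says the domain would accept a blank password on that account, not that one is set, so the hits are the accounts to check first with the SAM-dump or MBSA approaches given in the other replies.

```powershell
# Added example, not code from the thread: enabled AD user accounts whose
# userAccountControl has PASSWD_NOTREQD (0x0020) set, i.e. accounts the domain
# would accept with an empty password. Needs no RSAT module; run it on a
# domain-joined host as any account able to read userAccountControl.

$PASSWD_NOTREQD = 0x0020   # UAC bit: no password required
$ACCOUNTDISABLE = 0x0002   # UAC bit: account disabled

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: "this bit is set".
$filter = '(&(objectCategory=person)(objectClass=user)' +
          "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"

$searcher = [adsisearcher]$filter
$searcher.PageSize = 1000   # paged results, so large domains are not cut off at 1000
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('sAMAccountName', 'distinguishedName', 'pwdLastSet', 'lastLogonTimestamp'))

function Convert-FileTime {
    # AD stores these timestamps as 100-ns intervals since 1601; 0 means "never".
    param([long]$Value)
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTime($Value)
}

$results = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties   # property names come back lower-cased; missing ones are empty
    [pscustomobject]@{
        Account            = [string]$p['samaccountname'][0]
        DistinguishedName  = [string]$p['distinguishedname'][0]
        PasswordLastSet    = Convert-FileTime ([long]$p['pwdlastset'][0])
        LastLogonTimestamp = Convert-FileTime ([long]$p['lastlogontimestamp'][0])
    }
}

# Oldest password changes first: an account with the bit set and a password
# never changed is the most likely to still be blank.
$results | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

The same bit test, with the constant changed, finds other audit-relevant flags in userAccountControl (for instance DONT_EXPIRE_PASSWORD, 0x10000); the matching rule works for any single bit of the attribute.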
RE: Discovering Active Directory users with blank passwords
2007-04-03 09:04:59
Dump the passwords (pwdump, Abel and Cain...) from the SAM and crack them. Or use Microsoft's MBSA to recover weak passwords.

An alternate way is to use Hydra, but since you have access to the DC that is not necessary.

Goran Pizent
Discovering Active Directory shared or Service users account
2007-04-03 09:25:18
Hi All,

Is there a way to discover Active Directory "Shared" user accounts or "Service" user accounts for auditing purposes?
I have domain admin privileges and local access to my domain controllers.

Best regards
Tich
Re: Discovering Active Directory shared or Service users account
2007-04-03 10:18:24
Biassoni Riccardo wrote:
> Hi All,
>
> Is there a way to discover Active Directory "Shared" user account or "Service" users Account for auditing purpose?
> I have domain admin privileges and local access to my domain controllers.

In AD, there's no inherent difference between a service account and a regular user account. In order to actually do this, then, you'd have to actually find some characteristic of these accounts in your environment, such as:

+ Being logged onto multiple workstations at once
+ Having services configured using the account
+ Having a particular naming scheme

Obviously these are going to be fairly environment specific, but there are ways of finding them out (psloggedon and wmic, for instance). They're going to take a substantial amount of effort to figure out and investigate, however, if you don't have a consistent way of managing service accounts.

The short answer is: How good's your vbscript/wmi?

- James.
--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
"All at sea again / And now my hurricanes / Have brought down this ocean rain / To bathe me again"
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--

RE: Discovering Active Directory shared or Service users account
2007-04-03 12:53:23
Here's a quick way to find non-standard service accounts that are actually used:

Loop through each computer with the following command, replacing %1 with the name of the computer.

    C:\>wmic /node:%1 service where (not StartName like "LocalSystem" and not StartName like "%%NetworkService%%" and not StartName like "%%LocalService%%") get Name, Caption, StartMode, StartName, Started

This might be more effective because, as James noted, service accounts look just like regular user accounts in Active Directory. There might be better ways other than this.

Scott
RE: Discovering Active Directory shared or Service users account
2007-04-07 21:00:47
You can also get this from the sc.exe command - start from "sc <machinename> query" to get the list of services, then follow that up to get the start name. It's also a fairly easy C programming project - open the service control manager, enumerate the services, then see which are running as something other than LocalSystem, etc. Any good network auditing tool should do this - I put it in the Internet Scanner almost 10 years ago.

Some additional pieces of information are needed - first would be to see if the service is running. Sometimes they'll be stopped with stale passwords. Next is to see if it is a domain account - lots of things make local accounts for services, and I'd assume you're not really concerned about these.

Lastly, and this is a good trick I've been keeping to myself for quite some time, in order to find out when was the last time the account logged on to that system, check the write time and date on the HKLM\Software\Microsoft\Windows NT\ProfileList\[user's SID] key. Prior to Windows 2003, this was accessible as auth user; now it takes admin to read it remotely. I'm not sure if the last write time on a reg key is available using anything other than the Windows API calls. Any account that logs on locally, including services, will update the write time on the key for their account. A nice side-effect is that you can get the up time on the services in question, since every time they restart, a logon is performed. I once had someone pushing back on a password change policy for services, complaining it would hurt his up time, so I checked and found out that only 2% of his systems actually went that long without a restart, so security won that round.

Understanding who logs on as a service, and where, is really critical to securing the overall network. Anyone with admin credentials could hijack the service, and perform tasks using the service account. Thus you should not have services running under high level domain accounts, unless you're prepared to treat that system as being as critical to security as the domain controllers.

Hope this helps...
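The procedure the last two replies describe (Scott's per-computer service enumeration, then the running/domain-account checks and the ProfileList write-time trick) in one script, added here as an example and not code from either post. It assumes Windows PowerShell 3.0 or later on a domain-joined host with admin rights on the targets, WMI reachable over DCOM (the same path wmic uses) and the Remote Registry service running on each target; the $Computers list is a constructed sample. The full path of the key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, and because .NET's RegistryKey does not expose a key's last-write time the script calls RegQueryInfoKey through P/Invoke, which is the Windows API route the poster was unsure about. NT SERVICE\ virtual accounts, which did not exist in 2007, are treated as built-in.

```powershell
# Added example, not Scott's wmic one-liner or the C project sketched above:
# for each computer, list services that start under a non-built-in account,
# classify the account as local or domain, record whether the service is
# running, and read the last-write time of the account's ProfileList key as
# the "last logon to this system" indicator described in the thread.
# Assumptions (mine): Windows PowerShell 3.0+, admin rights on the targets,
# WMI over DCOM and the Remote Registry service available on each target.

$Computers = @('SRV01', 'SRV02')    # constructed sample; feed your own list here

# .NET's RegistryKey never exposes a key's last-write time, so the Win32
# RegQueryInfoKey call is wrapped via P/Invoke. Every count argument may be
# NULL per the API docs; only the FILETIME out-parameter is requested.
Add-Type -Namespace Win32 -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcMaxSubKeyLen, IntPtr lpcMaxClassLen,
    IntPtr lpcValues, IntPtr lpcMaxValueNameLen, IntPtr lpcMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWriteTime {
    param([Microsoft.Win32.RegistryKey]$Key)
    $ft = [long]0
    $z  = [IntPtr]::Zero
    $rc = [Win32.Reg]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
            $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

function Get-AccountScope {
    # Built-in identities are filtered out before this is called.
    param([string]$StartName, [string]$Computer)
    if ($StartName -match '@') { return 'Domain' }            # UPN form
    if ($StartName -match '^(?<dom>[^\\]+)\\') {
        if ($Matches['dom'] -in @('.', $Computer)) { return 'Local' }
        return 'Domain'
    }
    'Local'   # bare name: the SCM treats it as a local account
}

# Built-in service identities. NT SERVICE\ virtual accounts post-date the thread.
$builtIn     = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'
$profileList = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$report = foreach ($c in $Computers) {
    try { $services = Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop }
    catch { Write-Warning "${c}: WMI query failed ($($_.Exception.Message))"; continue }

    $hklm = $null
    try { $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c) }
    catch { Write-Warning "${c}: remote registry unavailable, skipping last-logon check" }

    foreach ($s in ($services | Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn })) {
        $scope = Get-AccountScope -StartName $s.StartName -Computer $c
        $lastLogon = $null
        if ($scope -eq 'Domain' -and $hklm) {
            try {
                # Resolve DOMAIN\user (or UPN) to its SID, then read that profile key.
                $sid = (New-Object System.Security.Principal.NTAccount($s.StartName)).Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
                $key = $hklm.OpenSubKey("$profileList\$sid")
                if ($key) { $lastLogon = Get-RegKeyLastWriteTime -Key $key; $key.Close() }
            } catch { Write-Warning "${c}: $($s.StartName): $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            Computer  = $c
            Service   = $s.Name
            StartName = $s.StartName
            Scope     = $scope
            Started   = $s.Started      # stopped services may carry stale passwords
            StartMode = $s.StartMode
            LastLogon = $lastLogon      # $null: local account, no profile yet, or no access
        }
    }
    if ($hklm) { $hklm.Close() }
}

$report | Sort-Object Scope, StartName, Computer | Format-Table -AutoSize
```

A null LastLogon means the account is local, has never loaded a profile on that host, or the key could not be read (an access or name-resolution warning is written in that case), so those rows deserve a follow-up rather than being dropped. The last-write time moves whenever anything under the key changes, so read it as "no later than" rather than an exact logon time; sorting by Scope puts the domain accounts, the ones the thread says matter, at the top.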