Windows 2000 DNS Zone Transfer

In a Windows 2000 domain, clients use service (SRV) records to locate Windows 2000 domain services, such as Active Directory and Kerberos. This means every Windows 2000 Active Directory domain must have a DNS server for the network to operate properly.
A simple zone transfer performed with the nslookup command can enumerate lots of interesting network information. The ls -d request is issued from inside an interactive nslookup session, after pointing the session at a DNS server that is authoritative for the domain (nslookup ls -d domainname on one line does not work, because nslookup treats ls as a host name to resolve):
nslookup
> server <DNS server for the domain>
> ls -d domainname
Within the nslookup results, a hacker looks closely at the following records, because they provide additional information about the network services:
  • Global Catalog service (_gc._tcp)
  • Domain controllers (_ldap._tcp)
  • Kerberos authentication (_kerberos._tcp)
As a countermeasure, zone transfers can be blocked in the properties of the Windows DNS server.
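The records listed above are easier to reason about when you can see exactly what a successful transfer hands out. The following Python is an added example, not part of the original post: it parses a constructed ls -d style listing for a hypothetical domain (corp.example.com; the hosts, addresses and line layout are assumptions, not captured from any real server) and groups the SRV targets by the role the record name reveals. A defender can run the same parser over a listing taken from their own server to see which domain controllers, Global Catalog servers and KDCs an unrestricted zone transfer would expose. It goes slightly beyond the text in that sub-records under the same prefix (for example _ldap._tcp.pdc._msdcs) are counted toward the parent role.

```python
import re
from collections import defaultdict

# Constructed sample of what `ls -d` can list for an Active Directory zone.
# Hypothetical domain corp.example.com; not captured from a real server.
SAMPLE_ZONE_LISTING = """\
[dc1.corp.example.com]
 corp.example.com.              SOA    dc1.corp.example.com hostmaster.corp.example.com. (43 900 600 86400 3600)
 corp.example.com.              NS     dc1.corp.example.com
 corp.example.com.              A      10.0.0.10
 _gc._tcp                       SRV    priority=0, weight=100, port=3268, dc1.corp.example.com
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, dc1.corp.example.com
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, dc2.corp.example.com
 _ldap._tcp                     SRV    priority=0, weight=100, port=389, dc1.corp.example.com
 _ldap._tcp                     SRV    priority=0, weight=100, port=389, dc2.corp.example.com
 _ldap._tcp.pdc._msdcs          SRV    priority=0, weight=100, port=389, dc1.corp.example.com
 dc1                            A      10.0.0.10
 dc2                            A      10.0.0.11
 fileserver                     A      10.0.0.50
"""

# Service prefixes the text singles out, mapped to the role they reveal.
ROLE_PREFIXES = {
    "_gc._tcp": "Global Catalog",
    "_ldap._tcp": "Domain controller (LDAP)",
    "_kerberos._tcp": "Kerberos KDC",
}

# One SRV line: name, the literal SRV type, then priority/weight/port and target.
SRV_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+SRV\s+priority=(?P<prio>\d+),\s*weight=(?P<weight>\d+),"
    r"\s*port=(?P<port>\d+),\s*(?P<target>\S+)\s*$"
)


def parse_srv_records(listing):
    """Return a list of (name, port, target) for every SRV record in the listing."""
    records = []
    for line in listing.splitlines():
        m = SRV_LINE.match(line)
        if m:
            records.append((m.group("name"), int(m.group("port")), m.group("target")))
    return records


def exposed_services(listing):
    """Group SRV targets by the infrastructure role their record name reveals.

    Names are matched by prefix so that _msdcs and per-site sub-records
    (e.g. _ldap._tcp.pdc._msdcs) count toward the same role as their parent.
    Targets are deduplicated, so a host advertised twice appears once.
    """
    roles = defaultdict(set)
    for name, port, target in parse_srv_records(listing):
        for prefix, role in ROLE_PREFIXES.items():
            if name == prefix or name.startswith(prefix + "."):
                roles[role].add((target.rstrip("."), port))
    return {role: sorted(hosts) for role, hosts in roles.items()}


def summarize(listing):
    """One 'role: host:port' line per exposed service, in a stable order."""
    lines = []
    for role, hosts in sorted(exposed_services(listing).items()):
        for host, port in hosts:
            lines.append(f"{role}: {host}:{port}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_ZONE_LISTING):
        print(line)
```

Feed the function the saved output of your own ls -d run instead of the constructed sample; if the summary is non-empty when the transfer was requested from an address that is not one of your secondaries, the zone-transfer restriction described above is not in effect.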
An Active Directory database is a Lightweight Directory Access Protocol (LDAP)-based database. This allows the existing users and groups in the database to be enumerated with a simple LDAP query. The only thing required to perform this enumeration is to create an authenticated session via LDAP. A Windows 2000 LDAP client called the Active Directory Administration Tool (ldp.exe) connects to an Active Directory server and identifies the contents of the database. You can find ldp.exe on the Windows 2000 CD-ROM in the Support\Reskit\Netmgmt\Dstool folder.
To perform an Active Directory enumeration attack, a hacker performs the following steps:
  1. Connect to any Active Directory server using ldp.exe on port 389. When the connection is complete, server information is displayed in the right pane.
  2. On the Connection menu, choose Authenticate. Type the username, password, and domain name in the appropriate boxes. You can use the Guest account or any other domain account.
  3. Once the authentication is successful, enumerate users and built-in groups by choosing the Search option from the Browse menu.
