
5 April 2013

ADSelfService Plus Account Enumeration

by averagesecurityguy

On a recent pentest I came across an externally accessible ADSelfService Plus server. ADSelfService Plus is sold by ManageEngine and is designed to allow users to reset and unlock their own Active Directory (AD) accounts. To use the service, the user is required to register and configure multiple security questions. After playing with the server for a while, I determined that attempting to reset the password of an unregistered user resulted in an error, while attempting to reset the password of a registered user displayed that user's security questions. This difference in responses meant I could enumerate user accounts and the associated security questions.
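The weakness described above is a response oracle: the reset page answers differently for enrolled and non-enrolled names. The following Python is an added example, not code from the post or from ManageEngine; it models that oracle in a toy handler beside a hardened variant whose visible response is identical for every input, and includes a check a defender can run against a handler to confirm the two are indistinguishable. All usernames, questions and e-mail addresses are constructed.

```python
from typing import Callable, Dict, List, Optional

# Constructed enrollment store (hypothetical data): username -> security questions.
ENROLLED: Dict[str, List[str]] = {
    "John.Smith": ["What was your first pet's name?", "What city were you born in?"],
    "Jane.Doe": ["What is your mother's maiden name?", "What was your first car?"],
}

# Constructed addresses on record; only the hardened handler uses these.
EMAIL_ON_RECORD: Dict[str, str] = {
    "John.Smith": "john.smith@example.invalid",
    "Jane.Doe": "jane.doe@example.invalid",
}

UNIFORM_MESSAGE = (
    "If the account is enrolled, reset instructions have been sent "
    "to the e-mail address on record."
)


def leaky_reset_response(username: str) -> dict:
    """Models the behaviour the post describes: the body of the response
    depends on whether the account is enrolled, so the page itself tells
    the caller which names exist."""
    questions = ENROLLED.get(username)
    if questions is None:
        return {"status": "error", "message": "User not registered for self-service."}
    return {"status": "ok", "questions": questions}


def uniform_reset_response(username: str, outbox: Optional[List[str]] = None) -> dict:
    """Hardened variant: every input gets the same response. Enrollment state
    only affects an out-of-band side effect (a message to the address on
    record), which the caller of the web page cannot observe. The security
    questions are shown only after that message's link is followed, so they
    never appear in this response at all."""
    email = EMAIL_ON_RECORD.get(username)
    if username in ENROLLED and email is not None and outbox is not None:
        outbox.append(email)  # stands in for sending the reset e-mail
    # Same status, same wording, same structure regardless of input.
    return {"status": "ok", "message": UNIFORM_MESSAGE}


def response_is_an_oracle(handler: Callable[[str], dict], known: str, unknown: str) -> bool:
    """Defender-side check: can a caller tell an enrolled account from a
    non-existent one using nothing but the handler's response? Returns True
    when the responses differ (the handler leaks), False when they match.
    Note that a real check should also compare response time and size,
    not only the decoded body."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky handler leaks:  ", response_is_an_oracle(leaky_reset_response, "John.Smith", "Nobody.Here"))
    print("uniform handler leaks:", response_is_an_oracle(uniform_reset_response, "John.Smith", "Nobody.Here"))
```

The hardened handler does not remove the need for a second factor (the e-mail link in this model, or a CAPTCHA and rate limit in front of the page); it only closes the channel that turned the reset page into a directory of enrolled users.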

Using Python and a list of common first and last names I developed a script, ad_self_service_miner.py, that would enumerate user accounts and capture the security questions. The script is available on my GitHub account. To use the script you will need to set the server and domain. The domain information is available on the account reset page.

server = 'https://server'
domain = 'DOMAIN'

You will also need to modify the username format. In my case the username was First.Last. Keep in mind that in most Windows environments the AD username typically matches the username portion of the email address, so a quick Google search should yield the correct username format.

user = "{0}.{1}".format(f.capitalize(), l.capitalize())

After you modify the script, get a list of first names and last names and save them to firstnames.txt and lastnames.txt, respectively, in the same directory as the script. Finally, let the script run. All user accounts and security questions will be stored in ad_self_service_miner.log, also in the same directory as the script.

I tested approximately 20,000 username combinations and was able to enumerate 132 user accounts along with the associated security questions. The hard part is going through the process of finding the answers to the questions, which I didn't do on this engagement.

You can find ADSelfService Plus devices using this Google search.

I spoke with ManageEngine about this vulnerability and was informed that there is a configuration setting to place a CAPTCHA on the account reset page, which will help prevent automated brute-forcing.
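A CAPTCHA slows automation down but does not tell you whether it has already happened. The Python below is an added example, not code from the post or from ManageEngine, showing the kind of detection a defender can run over web-server access logs in front of the reset page: it parses reset requests, then flags any source address that tries more than a threshold of distinct usernames inside a sliding time window, which is the signature of the enumeration run described in the post. The log lines are constructed in a Common Log Format style with the username assumed to be in the query string; real ADSelfService Plus log output may look different.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed access-log sample (hypothetical addresses, names and URL layout).
# 198.51.100.7 walks eight different names in eight seconds; 203.0.113.5 is a
# legitimate user retrying their own account; one line is not a reset request.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2013:10:00:01 +0000] "GET /reset?user=Adam.Jones HTTP/1.1" 200 318
198.51.100.7 - - [05/Apr/2013:10:00:02 +0000] "GET /reset?user=Brian.Lee HTTP/1.1" 200 318
198.51.100.7 - - [05/Apr/2013:10:00:03 +0000] "GET /reset?user=Carol.King HTTP/1.1" 200 512
198.51.100.7 - - [05/Apr/2013:10:00:04 +0000] "GET /reset?user=David.Moore HTTP/1.1" 200 318
203.0.113.5 - - [05/Apr/2013:10:00:05 +0000] "GET /reset?user=John.Smith HTTP/1.1" 200 512
198.51.100.7 - - [05/Apr/2013:10:00:05 +0000] "GET /reset?user=Emma.Hall HTTP/1.1" 200 318
198.51.100.7 - - [05/Apr/2013:10:00:06 +0000] "GET /reset?user=Frank.Young HTTP/1.1" 200 318
198.51.100.7 - - [05/Apr/2013:10:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 0
198.51.100.7 - - [05/Apr/2013:10:00:07 +0000] "GET /reset?user=Grace.Allen HTTP/1.1" 200 512
198.51.100.7 - - [05/Apr/2013:10:00:08 +0000] "GET /reset?user=Henry.Scott HTTP/1.1" 200 318
203.0.113.5 - - [05/Apr/2013:10:01:30 +0000] "GET /reset?user=John.Smith HTTP/1.1" 200 512
"""

# Matches only requests to the reset page and captures source, timestamp, username.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) /reset\?user=(?P<user>[^ &"]+) [^"]*" (?P<status>\d{3})'
)

Event = Tuple[datetime, str, str]  # (timestamp, source ip, username)


def parse_reset_requests(log_text: str) -> List[Event]:
    """Extract reset-page requests from access-log text; other lines are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def flag_enumeration(events: List[Event],
                     window: timedelta = timedelta(seconds=60),
                     threshold: int = 5) -> Dict[str, int]:
    """Return {source_ip: peak_distinct_usernames} for every source that tried at
    least `threshold` different usernames within any `window`-long span.
    A single user retrying their own account never raises the distinct count."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    flagged: Dict[str, int] = {}
    for ip, hits in by_ip.items():
        start, peak = 0, 0
        for end in range(len(hits)):
            # Advance the window start until it covers at most `window` of time.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({user for _, user in hits[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in flag_enumeration(parse_reset_requests(SAMPLE_LOG)).items():
        print(f"possible account enumeration from {ip}: {count} distinct usernames in one window")
```

Thresholds are environment-specific: a help desk proxy or a NAT gateway can legitimately present several usernames from one address, so tune the window and count against a baseline of normal reset traffic before alerting on it, and pair the alert with the CAPTCHA setting rather than relying on either alone.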
