Anonymous Authentication

Anonymous Access

A variety of common protocols in Active Directory environments support anonymous authentication. All of them are viable targets for initial access, but how useful each one is depends largely on the files it hosts or the information it discloses.

SMB

Anonymous access to the SMB protocol allows you to steal sensitive information or upload malware to file shares.

nxc smb 10.10.10.10 -u guest -p '' --shares

Additionally, anonymous SMB access may allow you to perform RID bruting and enumerate all valid users or groups within the domain:

nxc smb 10.10.10.10 -u guest -p '' --rid-brute

LDAP

Anonymous access to LDAP allows you to read (and possibly write to) the domain's directory.

ldapsearch -v -x -b "DC=contoso,DC=com" -H "ldap://10.10.10.10" "(objectClass=*)"

RPC Functions

Anonymous access to RPC functions allows you to do recon on the host: list users, groups, etc. You may also be able to invoke authentication-coercion functions and perform relay attacks.

rpcclient -U "" -N 10.10.10.10
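
For the defender's side of the SMB and RPC commands above, this added example (not part of the original page) counts network logons made as ANONYMOUS LOGON or as the built-in Guest account, per source address, in Windows Security event 4624 records. The JSON-lines export layout, the sample records and the function names are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"  # well-known SID of ANONYMOUS LOGON (null session)
GUEST_RID = "501"          # well-known RID of the built-in Guest account
NETWORK_LOGON = "3"        # logon type 3: network logon (SMB, RPC over named pipes)

# Constructed sample: event 4624 records flattened to one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 3, "TargetUserSid": "S-1-5-7", "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.10.10.50"}
{"EventID": 4624, "LogonType": 3, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-501", "TargetUserName": "Guest", "IpAddress": "10.10.10.50"}
{"EventID": 4624, "LogonType": 3, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-501", "TargetUserName": "Guest", "IpAddress": "10.10.10.50"}
{"EventID": 4624, "LogonType": 3, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1104", "TargetUserName": "alice", "IpAddress": "10.10.10.60"}
{"EventID": 4624, "LogonType": 3, "TargetUserSid": "S-1-5-7", "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.10.10.70"}
{"EventID": 4624, "LogonType": 3, "Targ
"""

def classify(event):
    """Return 'anonymous', 'guest' or None for one event record."""
    if str(event.get("EventID")) != "4624" or str(event.get("LogonType")) != NETWORK_LOGON:
        return None
    sid = event.get("TargetUserSid", "")
    if sid == ANONYMOUS_SID:
        return "anonymous"
    # Match on the RID, not the name: the Guest account can be renamed.
    if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == GUEST_RID:
        return "guest"
    return None

def summarize(lines):
    """Count anonymous and guest network logons per source address."""
    hits = defaultdict(lambda: {"anonymous": 0, "guest": 0})
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or damaged records
        kind = classify(event)
        if kind:
            hits[event.get("IpAddress", "-")][kind] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_EVENTS).items()):
        print(ip, counts)
```

Some ANONYMOUS LOGON network logons occur in normal domain operation, so compare the per-source counts against a baseline rather than alerting on a single event.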
