Hi
While trying to understand the functionality of the "BUILTIN\Pre-Windows 2000 Compatible Access" group, I was able to enumerate a specific set of information ANONYMOUSLY when using certain APIs like the SAMR named pipe over SMB, as detailed HERE. The tool I used to enumerate information anonymously from AD using a NULL session is called SuperScan.
The key in this first scenario is to add the special identity "NT AUTHORITY\ANONYMOUS LOGON" to the "BUILTIN\Pre-Windows 2000 Compatible Access" group and use software which uses the noted APIs to query/enumerate information.
If we look at the default security descriptor of the domain, we can see that the Pre-Windows 2000 group is present with a pre-defined level of granted rights (refer to the first image pasted below).
Now I continue with the second scenario, where I try to enumerate information anonymously, but using LDAP/LDP.exe.
Now, by default with Windows Server 2003, anonymous LDAP bind operations aren't permitted unless this behaviour has been explicitly overridden using the DsHeuristics attribute. As per this article, the author indeed changed the noted attribute value, but he also changed the security descriptor of the targeted containers (in the author's case, SENECA) to allow "NT AUTHORITY\Anonymous Logon" the List Contents and Read permissions!
Now, if we don't add and grant rights to "NT AUTHORITY\Anonymous Logon" for the given container/object, then we won't be able to search/browse information anonymously using LDP.exe, and this is the part that confuses me.
If I look at the default ACL of the domain object, we see that by default multiple permissions, including List Contents and Read, exist for the "BUILTIN\Pre-Windows 2000 Compatible Access" group, applied recursively (This object and all child objects), as shown in the attachment.
Now, if I have already added "NT AUTHORITY\ANONYMOUS LOGON" to the "BUILTIN\Pre-Windows 2000 Compatible Access" group, then "NT AUTHORITY\Anonymous Logon" should automatically possess all of the rights held by the "BUILTIN\Pre-Windows 2000 Compatible Access" group, and I should be able to view information anonymously using a simple LDAP bind, but indeed it is NOT working! Please correct me if I am wrong here.
I am trying to enumerate information under the USERS container anonymously.
Please Assist.
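The three settings the post turns on (the DsHeuristics value, the membership of the Pre-Windows 2000 Compatible Access group, and the ACEs on the target container) can be read in one pass with the script below. It is an added, read-only example and not part of the original post; it assumes the ActiveDirectory PowerShell module is available, that it runs as an ordinary domain user against the domain the machine is joined to, and that the target is the default Users container (set $target to any other DN). The well-known SIDs used are S-1-5-7 (ANONYMOUS LOGON) and S-1-5-32-554 (Pre-Windows 2000 Compatible Access).

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
# Assumes the ActiveDirectory module and the AD: drive it provides are available.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# 1. dSHeuristics: the 7th character (fLDAPBlockAnonOps) controls anonymous LDAP
#    operations beyond rootDSE. Absent or '0' = blocked (default); '2' = allowed.
$dsHeur = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
$char7  = if ($dsHeur -and $dsHeur.Length -ge 7) { $dsHeur[6] } else { '0' }
$status = if ($char7 -eq '2') { 'anonymous LDAP operations ALLOWED' }
          else                { 'anonymous LDAP operations BLOCKED (default)' }
"dSHeuristics = '{0}' -> 7th char = '{1}' ({2})" -f $dsHeur, $char7, $status

# 2. Is ANONYMOUS LOGON (S-1-5-7) a member of Pre-Windows 2000 Compatible Access
#    (S-1-5-32-554)? The member attribute is read directly so that foreign
#    security principals such as S-1-5-7 are listed too.
$preWin2k     = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
$anonIsMember = $false
foreach ($dn in $preWin2k.member) {
    $m = Get-ADObject -Identity $dn -Properties objectSid
    "  member: {0} ({1})" -f $m.Name, $m.objectSid.Value
    if ($m.objectSid.Value -eq 'S-1-5-7') { $anonIsMember = $true }
}
"ANONYMOUS LOGON in Pre-Windows 2000 Compatible Access: $anonIsMember"

# 3. ACEs on the target container that name either principal (assumed target:
#    the Users container). IsInherited shows whether the ACE came down from the
#    domain object or was set on the container itself.
$target = "CN=Users,$($domain.DistinguishedName)"
$acl    = Get-Acl -Path "AD:\$target"
$acl.Access |
    Where-Object { $_.IdentityReference -match 'Pre-Windows 2000|ANONYMOUS LOGON' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Run it on a domain-joined machine; step 1 tells you whether anonymous operations are enabled at all, step 2 confirms the group membership that the SAMR scenario relies on, and step 3 lists exactly which ACEs on the container mention each principal, so the LDP.exe result can be compared against what the ACL actually grants rather than what the domain-level descriptor shows.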