Active Directory Recon 101 - OWASP Bay Area Presentation

Transcript

1. Sydney Level 8, 59 Goulburn Street Sydney NSW 2000 Melbourne

   Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290 4444 www.senseofsecurity.com.au Sense of Security Pty Ltd ABN 14 098 237 908 @ITSecurityAU Compliance, Protection & Business Confidence 15 August 18 Active Directory Recon 101 Prashant Mahajan

2. • What is Active Directory (AD)? • Reconnaissance • Username

   Enumeration • Password Brute-Force • ADRecon 15 August 18 Agenda

3. What is Active Directory (AD)? Sense of Security - 2018

   • Microsoft’s proprietary directory service for use in Windows domain networks • Usually referring to a specific service in AD • AD DS – Active Directory Domain Services • Provides centralised and standardised management of network resources (“objects”) • Users, Groups, Computers, Policies, etc • Relies on different protocols/technologies to provide: • Location lookup • Management of objects • Access – auth(n/z) https://blogs.technet.microsoft.com/ashwinexchange/2012/12/18/understanding-active-directory-for-beginners-part-1/ Fun with LDAP and Kerberos* in AD environments - Ronnie Flathers – @ropnop - Thotcon 2018 15 August 18

4. Sense of Security - 2018 15 August 18

5. • Building an Effective Active Directory Lab Environment for Testing

   (https://adsecurity.org/?p=2653) • Setting up an Active Directory Lab (https://www.psattack.com/articles/20160718/setting-up-an-active- directory-lab-part-1/) • Detection Lab (https://github.com/clong/DetectionLab) • AutomatedLab (https://github.com/AutomatedLab/AutomatedLab) • Invoke-ADLabDeployer (https://github.com/outflanknl/Invoke- ADLabDeployer) • Creating Real Looking User Accounts in AD Lab (https://www.darkoperator.com/blog/2016/7/30/creating-real-looking- user-accounts-in-ad-lab) • Create Lab User Accounts 2.0 (https://gallery.technet.microsoft.com/Create-Lab-User-Accounts- 844f7ba1) 15 August 18 Sense of Security - 2018 Building your own AD Lab

6. • DHCP • DNS • LDAP Meta-Data • NetBIOS Sense

   of Security - 2018 Reconnaissance 15 August 18

7. Sense of Security - 2018 DHCP - Wireshark 15 August

   18

8. nmap –script broadcast-dhcp-discover 13 Jul 18 Sense of Security -

   2018 DHCP - Nmap

9. Sense of Security - 2018 DNS - nslookup nslookup •

   set type=srv • _gc._tcp.<domain fqdn> • _ldap._tcp.<domain fqdn> • _kerberos._tcp.<domain fqdn> • _kpasswd._tcp.<domain fqdn> 15 August 18

10. • dig -t SRV _gc._tcp.<domain fqdn> • dig -t SRV

    _ldap._tcp.<domain fqdn> • dig -t SRV _kerberos._tcp.<domain fqdn> • dig -t SRV _kpasswd._tcp.<domain fqdn> Sense of Security - 2018 DNS - dig 15 August 18

11. nmap --script dns-srv-enum --script-args “dns- srv-enum.domain=‘<domain fqdn>’” Sense of Security

    - 2018 DNS - nmap 15 August 18

12. Active Directory / Windows Network Enumeration Through DNS Service Locator

    Records • QID: 45023 Sense of Security - 2018 DNS - Qualys 15 August 18

13. Sense of Security - 2018 LDAP Meta-data – LDAP Admin

    15 August 18

14. ldapsearch -LLL -x -H ldap://dc1.sos.labs -b '' -s base '(objectclass=*)’

    • -L: Search results are display in LDAP Data Interchange Format detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF. • -x: Use simple authentication instead of SASL. • -H: ldapuri • -b: searchbase • -s: {base|one|sub|children} Sense of Security - 2018 LDAP Meta-data ldapsearch http://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html 15 August 18

15. LDAP Information Gathering • QID: 45016 LDAP Crafted Search Request

    Server Information Disclosure • Plugin ID: 25701 Sense of Security - 2018 LDAP Meta-Data – Qualys/Nessus 15 August 18

16. • NetBT || NetBIOS over TCP/IP || NBT • NetBIOS

    over TCP/IP is the network component that performs computer name to IP address mapping, name resolution (netbt.sys or vnbt.sys) • A legacy protocol used for backward compatibility Sense of Security - 2018 NetBIOS https://technet.microsoft.com/en-us/library/cc961921.aspx 15 August 18

17. nbtstat –a <IP> Sense of Security - 2018 NetBIOS –

    nbtstat (Windows) 15 August 18

18. nmblookup –A <IP> Sense of Security - 2018 NetBIOS –

    nmblookup (Kali) 15 August 18

19. • nbtscan (Kali) • nbtscan (Windows http://sectools.org/tool/nbtscan/) Sense of Security

    - 2018 NetBIOS - nbtscan 15 August 18

20. Protocol Port AD and AD DS Usage Type of traffic

    TCP 25 Replication SMTP TCP/UDP 53 User and Computer Authentication, Name Resolution, Trusts DNS TCP/UDP 88 User and Computer Authentication, Forest Level Trusts Kerberos UDP 123 Windows Time, Trusts Windows Time, NTP, SNTP TCP 135 Replication RPC, EPM UDP 137 User and Computer Authentication, NetLogon, NetBIOS Name Resolution UDP 138 DFS, Group Policy DFSN, NetLogon, NetBIOS Datagram Service TCP 139 User and Computer Authentication, Replication DFSN, NetBIOS Session Service, Net TCP/UDP 389 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP TCP/UDP 445 Replication, User and Computer Authentication, Group Policy, Trusts SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc Sense of Security - 2018 Active Directory Common Ports Used 15 August 18

21. Protocol Port AD and AD DS Usage Type of traffic

    TCP/UDP 464 Replication, User and Computer Authentication, Trusts Kerberos change/set password TCP 636 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP SSL TCP 3268 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC TCP 3269 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC SSL TCP 5722 File Replication RPC, DFSR (SYSVOL) TCP 5985 WS-Management and PowerShell remoting (HTTP) WinRM TCP 5986 WS-Management and PowerShell remoting (HTTPS) WinRM TCP 9389 AD DS Web Services SOAP UDP 67 and 2535 DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) DHCP, MADCAP Sense of Security - 2018 Active Directory Common Ports Used 15 August 18

22. Protocol Port AD and AD DS Usage Type of traffic

    TCP 49152-65535 Replication, User and Computer Authentication, Group Policy, Trusts RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS UDP 49152-65535 Group Policy DCOM, RPC, EPM Sense of Security - 2018 Active Directory Common Ports Used https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 15 August 18

23. • null session • Printers • Kerberos • Authenticated (normal/unprivileged

    user) - ADRecon Sense of Security - 2018 Username enumeration 15 August 18

24. enum4linux -a <IP> Sense of Security - 2018 null session

    – enum4linux 15 August 18

25. enum4linux –u <domain\username> -p <password> -a <IP> Sense of Security

    - 2018 Authenticated enum4linux 15 August 18

26. rpcclient –U “” –N <IP> rpcclient –U <username> <IP> Sense

    of Security - 2018 null session - rpcclient 15 August 18

27. Sense of Security - 2018 null session - rpcclient 15

    August 18

28. • nmap (https://nmap.org/nsedoc/scripts/krb5-enum- users.html) nmap -p88 --script=krb5-enum-users --script- args krb5-enum-

    users.realm='<domain>',userdb=/root/usernames. txt <DC-IP> • Metasploit auxiliary/gather/kerberos_enumusers Sense of Security - 2018 Kerberos 15 August 18

29. • SMB • RDP • Kerberos Sense of Security -

    2018 Password Brute-Force 15 August 18

30. Metasploit • auxiliary/scanner/smb/smb_login Sense of Security - 2018 Password Brute-Force

    - Metasploit 15 August 18

31. Sense of Security - 2018 Password Brute-Force - Metasploit 15

    August 18

32. • Failed • Successful Sense of Security - 2018 Password

    Brute-Force - Metasploit 15 August 18

33. • Generates a security event every failed attempt • Event

    ID 4625 “An account failed to log on” Sense of Security - 2018 Password Brute-Force - Metasploit 15 August 18

34. • RDP ? • Extremely slow L Sense of Security

    - 2018 Password Brute-Force 15 August 18

35. • Kerberos ? Sense of Security - 2018 Password Brute-Force

    15 August 18

36. https://github.com/ropnop/kerberos_windows_scripts apt install heimdal-clients Sense of Security - 2018 Password

    Brute-Force 15 August 18

37. • kerberos_windows_scripts by ropnop • Loops through a username list

    or a password list • runs kinit with the username and password • Generates a security event for every attempt • Event ID 4624 “An account was successfully logged on” • Generates a security event for every attempt if Account Logon: Audit Kerberos Authentication Service is configured • Event ID 4771 “Kerberos pre-authentication failed” with Failure Code 0x18 (bad password) for failed attempts. Sense of Security - 2018 Password Brute-Force https://github.com/ropnop/kerberos_windows_scripts 15 August 18

38. Sense of Security - 2018 Password Brute-Force 15 August 18

39. Sense of Security - 2018 Password Brute-Force 15 August 18

40. ADRecon Demo https://github.com/sense-of-security/adrecon https://www.slideshare.net/prashant3535/adrecon-bh-usa-2018- arsenal-and-def-con-26-demo-labs-presentation 13 Jul 18 Sense of

    Security - 2018

41. Sydney Level 8, 59 Goulburn Street Sydney NSW 2000 Melbourne

    Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290 4444 www.senseofsecurity.com.au Sense of Security Pty Ltd ABN 14 098 237 908 @ITSecurityAU Security, it’s all we do. Knowledge, Experience & Trust. Thank You! © 2002 – 2018 Sense of Security Pty Limited. All rights reserved. Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.