Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Active Directory Recon 101 - OWASP Bay Area Pre...

Prashant
August 15, 2018

Active Directory Recon 101 - OWASP Bay Area Presentation

Prashant

August 15, 2018
Tweet

More Decks by Prashant

Other Decks in Technology

Transcript

  1. Sydney Level 8, 59 Goulburn Street Sydney NSW 2000 Melbourne

    Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290 4444 www.senseofsecurity.com.au Sense of Security Pty Ltd ABN 14 098 237 908 @ITSecurityAU Compliance, Protection & Business Confidence 15 August 18 Active Directory Recon 101 Prashant Mahajan
  2. • What is Active Directory (AD)? • Reconnaissance • Username

    Enumeration • Password Brute-Force • ADRecon 15 August 18 Agenda
  3. What is Active Directory (AD)? Sense of Security - 2018

    • Microsoft’s proprietary directory service for use in Windows domain networks • Usually referring to a specific service in AD • AD DS – Active Directory Domain Services • Provides centralised and standardised management of network resources (“objects”) • Users, Groups, Computers, Policies, etc • Relies on different protocols/technologies to provide: • Location lookup • Management of objects • Access – auth(n/z) https://blogs.technet.microsoft.com/ashwinexchange/2012/12/18/understanding-active-directory-for-beginners-part-1/ Fun with LDAP and Kerberos* in AD environments - Ronnie Flathers – @ropnop - Thotcon 2018 15 August 18
  4. • Building an Effective Active Directory Lab Environment for Testing

    (https://adsecurity.org/?p=2653) • Setting up an Active Directory Lab (https://www.psattack.com/articles/20160718/setting-up-an-active- directory-lab-part-1/) • Detection Lab (https://github.com/clong/DetectionLab) • AutomatedLab (https://github.com/AutomatedLab/AutomatedLab) • Invoke-ADLabDeployer (https://github.com/outflanknl/Invoke- ADLabDeployer) • Creating Real Looking User Accounts in AD Lab (https://www.darkoperator.com/blog/2016/7/30/creating-real-looking- user-accounts-in-ad-lab) • Create Lab User Accounts 2.0 (https://gallery.technet.microsoft.com/Create-Lab-User-Accounts- 844f7ba1) 15 August 18 Sense of Security - 2018 Building your own AD Lab
  5. • DHCP • DNS • LDAP Meta-Data • NetBIOS Sense

    of Security - 2018 Reconnaissance 15 August 18
  6. Sense of Security - 2018 DNS - nslookup nslookup •

    set type=srv • _gc._tcp.<domain fqdn> • _ldap._tcp.<domain fqdn> • _kerberos._tcp.<domain fqdn> • _kpasswd._tcp.<domain fqdn> 15 August 18
  7. • dig -t SRV _gc._tcp.<domain fqdn> • dig -t SRV

    _ldap._tcp.<domain fqdn> • dig -t SRV _kerberos._tcp.<domain fqdn> • dig -t SRV _kpasswd._tcp.<domain fqdn> Sense of Security - 2018 DNS - dig 15 August 18
  8. Active Directory / Windows Network Enumeration Through DNS Service Locator

    Records • QID: 45023 Sense of Security - 2018 DNS - Qualys 15 August 18
  9. ldapsearch -LLL -x -H ldap://dc1.sos.labs -b '' -s base '(objectclass=*)’

    • -L: Search results are display in LDAP Data Interchange Format detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF. • -x: Use simple authentication instead of SASL. • -H: ldapuri • -b: searchbase • -s: {base|one|sub|children} Sense of Security - 2018 LDAP Meta-data ldapsearch http://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html 15 August 18
  10. LDAP Information Gathering • QID: 45016 LDAP Crafted Search Request

    Server Information Disclosure • Plugin ID: 25701 Sense of Security - 2018 LDAP Meta-Data – Qualys/Nessus 15 August 18
  11. • NetBT || NetBIOS over TCP/IP || NBT • NetBIOS

    over TCP/IP is the network component that performs computer name to IP address mapping, name resolution (netbt.sys or vnbt.sys) • A legacy protocol used for backward compatibility Sense of Security - 2018 NetBIOS https://technet.microsoft.com/en-us/library/cc961921.aspx 15 August 18
  12. Protocol Port AD and AD DS Usage Type of traffic

    TCP 25 Replication SMTP TCP/UDP 53 User and Computer Authentication, Name Resolution, Trusts DNS TCP/UDP 88 User and Computer Authentication, Forest Level Trusts Kerberos UDP 123 Windows Time, Trusts Windows Time, NTP, SNTP TCP 135 Replication RPC, EPM UDP 137 User and Computer Authentication, NetLogon, NetBIOS Name Resolution UDP 138 DFS, Group Policy DFSN, NetLogon, NetBIOS Datagram Service TCP 139 User and Computer Authentication, Replication DFSN, NetBIOS Session Service, Net TCP/UDP 389 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP TCP/UDP 445 Replication, User and Computer Authentication, Group Policy, Trusts SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc Sense of Security - 2018 Active Directory Common Ports Used 15 August 18
  13. Protocol Port AD and AD DS Usage Type of traffic

    TCP/UDP 464 Replication, User and Computer Authentication, Trusts Kerberos change/set password TCP 636 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP SSL TCP 3268 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC TCP 3269 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC SSL TCP 5722 File Replication RPC, DFSR (SYSVOL) TCP 5985 WS-Management and PowerShell remoting (HTTP) WinRM TCP 5986 WS-Management and PowerShell remoting (HTTPS) WinRM TCP 9389 AD DS Web Services SOAP UDP 67 and 2535 DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) DHCP, MADCAP Sense of Security - 2018 Active Directory Common Ports Used 15 August 18
  14. Protocol Port AD and AD DS Usage Type of traffic

    TCP 49152-65535 Replication, User and Computer Authentication, Group Policy, Trusts RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS UDP 49152-65535 Group Policy DCOM, RPC, EPM Sense of Security - 2018 Active Directory Common Ports Used https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 15 August 18
  15. • null session • Printers • Kerberos • Authenticated (normal/unprivileged

    user) - ADRecon Sense of Security - 2018 Username enumeration 15 August 18
  16. rpcclient –U “” –N <IP> rpcclient –U <username> <IP> Sense

    of Security - 2018 null session - rpcclient 15 August 18
  17. • nmap (https://nmap.org/nsedoc/scripts/krb5-enum- users.html) nmap -p88 --script=krb5-enum-users --script- args krb5-enum-

    users.realm='<domain>',userdb=/root/usernames. txt <DC-IP> • Metasploit auxiliary/gather/kerberos_enumusers Sense of Security - 2018 Kerberos 15 August 18
  18. • SMB • RDP • Kerberos Sense of Security -

    2018 Password Brute-Force 15 August 18
  19. • Failed • Successful Sense of Security - 2018 Password

    Brute-Force - Metasploit 15 August 18
  20. • Generates a security event every failed attempt • Event

    ID 4625 “An account failed to log on” Sense of Security - 2018 Password Brute-Force - Metasploit 15 August 18
  21. • RDP ? • Extremely slow L Sense of Security

    - 2018 Password Brute-Force 15 August 18
  22. • kerberos_windows_scripts by ropnop • Loops through a username list

    or a password list • runs kinit with the username and password • Generates a security event for every attempt • Event ID 4624 “An account was successfully logged on” • Generates a security event for every attempt if Account Logon: Audit Kerberos Authentication Service is configured • Event ID 4771 “Kerberos pre-authentication failed” with Failure Code 0x18 (bad password) for failed attempts. Sense of Security - 2018 Password Brute-Force https://github.com/ropnop/kerberos_windows_scripts 15 August 18
  23. Sydney Level 8, 59 Goulburn Street Sydney NSW 2000 Melbourne

    Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290 4444 www.senseofsecurity.com.au Sense of Security Pty Ltd ABN 14 098 237 908 @ITSecurityAU Security, it’s all we do. Knowledge, Experience & Trust. Thank You! © 2002 – 2018 Sense of Security Pty Limited. All rights reserved. Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.