Slide 1

ADRecon
https://github.com/sense-of-security/ADRecon
BlackHat Asia 2018 – Arsenal, 22-23 March 2018

Sense of Security Pty Ltd: Compliance, Protection & Business Confidence
Sydney: Level 8, 66 King Street, Sydney NSW 2000, Australia
Melbourne: Level 15, 401 Docklands Drv, Docklands VIC 3008, Australia
T: 1300 922 923 | T: +61 (0) 2 9290 4444 | F: +61 (0) 2 9290 4455
[email protected] | www.senseofsecurity.com.au | ABN: 14 098 237 908
www.senseofsecurity.com.au © Sense of Security 2018 Page 1 – 22-Mar-18

Slide 2

What is ADRecon?
• ADRecon is a tool which gathers information about the Active Directory (AD) and generates a report which can provide a holistic picture of the current state of the target AD environment.
• Can be run from a domain-member or a standalone workstation as a normal unprivileged domain user*.
• Output is an Excel report with graphs and raw data, CSV files and/or STDOUT.
* some features require a privileged user.

Slide 3

Who uses ADRecon?
• System administrators
• Security professionals
• Red Team
• Blue Team
• Purple Team

Friendly plug
• "Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in MS AD Group Policy" – Mike Loss at BSides Canberra (13 April)
• ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training – NotSoSecure at BlackHat USA 2018 (4 – 7 August)

Slide 4

Prerequisites
1. User credentials and access to a Windows host with network access to the Domain Controller (TCP 9389 for ADWS or TCP 389 for LDAP)
2. Windows host prerequisites
   • .NET Framework 3.0 or later (Windows 7 includes 3.0)
   • PowerShell 2.0 or later (Windows 7 includes 2.0)
3. Optional
   • Microsoft Excel (to generate the report)
   • Remote Server Administration Tools (RSAT):
     • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
     • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
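A pre-flight script that checks the prerequisites listed on this slide before ADRecon is run. This is an added example, not code from ADRecon or from Sense of Security; it assumes only a Domain Controller hostname (the `dc01.example.local` in the usage line is a constructed placeholder) and reads everything else from the local host. The .NET check reads the `NDP` registry keys, the Excel check looks for the `Excel.Application` COM registration, and the RSAT check looks for the `GroupPolicy` module that provides `Get-GPOReport`.

```powershell
# Added example, not part of ADRecon: pre-flight check for the prerequisites on this slide.
# Assumes a Domain Controller name is passed in; all other checks run against the local host.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Bounded wait so an unreachable host does not hang the check
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ADReconPrerequisites {
    param([Parameter(Mandatory = $true)][string]$DomainController)

    # Installed .NET Framework major versions, from the NDP registry keys (v2.0.50727, v3.0, v3.5, v4, ...)
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $netMajors = Get-ChildItem $ndp -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.PSChildName -match '^v(\d+)') { [int]$Matches[1] } }

    $adws = Test-TcpPort $DomainController 9389
    $ldap = Test-TcpPort $DomainController 389

    $checks = @(
        @{ Name = 'ADWS reachable (TCP 9389)'; Required = $false; Ok = $adws },
        @{ Name = 'LDAP reachable (TCP 389)';  Required = $false; Ok = $ldap },
        @{ Name = 'ADWS or LDAP reachable';    Required = $true;  Ok = ($adws -or $ldap) },
        @{ Name = 'PowerShell 2.0 or later';   Required = $true;
           Ok = ($PSVersionTable -ne $null -and $PSVersionTable.PSVersion.Major -ge 2) },
        @{ Name = '.NET Framework 3.0 or later'; Required = $true;
           Ok = (@($netMajors | Where-Object { $_ -ge 3 }).Count -gt 0) },
        @{ Name = 'Microsoft Excel (for the Excel report)'; Required = $false;
           Ok = (Test-Path 'HKLM:\SOFTWARE\Classes\Excel.Application') },
        @{ Name = 'RSAT GroupPolicy module (for -Collect GPOReport)'; Required = $false;
           Ok = ((Get-Module -ListAvailable -Name GroupPolicy) -ne $null) }
    )

    $rows = foreach ($c in $checks) { New-Object PSObject -Property $c }
    $rows | Select-Object Name, Required, Ok | Format-Table -AutoSize

    # Overall verdict: every Required check must pass
    $failed = @($rows | Where-Object { $_.Required -and -not $_.Ok })
    if ($failed.Count -eq 0) { Write-Host 'All required prerequisites met.' }
    else { Write-Host ('Missing required prerequisites: ' + (($failed | ForEach-Object { $_.Name }) -join ', ')) }
}

# Usage (constructed hostname):
Test-ADReconPrerequisites -DomainController 'dc01.example.local'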

Slide 5

Modules
• Forest
• Domains in the Forest and other attributes such as Sites
• Domain Password Policy
• Domain Controllers and their roles
• Users and their attributes
• Service Principal Names
• Groups and their members
• Organizational Units (OU) and their ACLs
• Group Policy Object details
• DNS Zones and Records
• Printers
• Computers and their attributes
• LAPS passwords* (if implemented)
• BitLocker Recovery Keys* (if implemented)
* requires a privileged user.

Slide 6

Parameters
(slide added after presentation)

Slide 7

ADRecon Execution
(screenshot updated after presentation)

Slide 8

ADRecon Execution
(screenshot updated after presentation)

Slide 9

Forest
(screenshot updated after presentation)

Slide 10

Domain
(screenshot updated after presentation)

Slide 11

Password Policy
(screenshot updated after presentation)

Slide 12

Domain Controllers
(screenshot updated after presentation)

Slide 13

Users
(screenshot updated after presentation)

Slide 14

Groups
(screenshot updated after presentation)

Slide 15

Group Memberships
(screenshot updated after presentation)

Slide 16

OUs
(screenshot updated after presentation)

Slide 17

OU Permissions
(screenshot updated after presentation)

Slide 18

GPOs
(screenshot updated after presentation)

Slide 19

GPO Report (RSAT only)
• You can generate the GPO report using the following command*:
  ./ADRecon -Collect GPOReport
• This command will create html and xml GPO reports using the Get-GPOReport PowerShell cmdlet.
• The xml file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper)
* can be executed from a standalone workstation by launching PowerShell with RUNAS and then running ADRecon from it:
  runas /user:<domain>\<username> /netonly powershell.exe

Slide 20

DNS Zones and Records
(screenshot updated after presentation)

Slide 21

Computers
(screenshot updated after presentation)

Slide 22

LAPS
(screenshot updated after presentation)

Slide 23

BitLocker
(screenshot updated after presentation)

Slide 24

Excel Report
(screenshot)

Slide 25

Excel Report
(screenshot)

Slide 26

Excel Report
(screenshot)

Slide 27

Excel Report
(screenshot)

Slide 28

Excel Report
(screenshot)

Slide 29

Future Plans
• Replace System.DirectoryServices.DirectorySearcher with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
• Add Domain Trust Enumeration.
• Gather ACLs for the userAccountControl attribute and the ms-Mcs-AdmPwd LAPS attribute to determine which users can read the values.
• Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc. which can be used as alternative attack vectors.
• Additional export and storage options: export to STDOUT, SQLite, xml, html.
• List issues identified and provide recommended remediation advice based on analysis of the data.
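An audit of the extended rights named on this slide, written from the reviewer's side: it lists which principals are granted User-Force-Change-Password, DS-Replication-Get-Changes or DS-Replication-Get-Changes-All (or a blanket "all extended rights" ACE) on an AD object, so that unexpected holders can be reviewed and removed. This is an added example, not ADRecon code and not the planned implementation; it uses System.DirectoryServices (the same assembly ADRecon uses today) rather than the RSAT module, so it only needs an unprivileged domain account that can read the object's security descriptor. The rights GUIDs are the well-known schema values for those control access rights; the function names and parameters are my own.

```powershell
# Added example, not part of ADRecon: list principals holding selected extended rights on an AD object.
# Assumes the current (or runas /netonly) identity can read the object's DACL.

# Well-known controlAccessRight GUIDs for the rights named on the slide
$ExtendedRightGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-ExtendedRightHolders {
    param(
        [string]$DistinguishedName,   # defaults to the domain naming context (the domain head object)
        [switch]$IncludeInherited     # by default only explicit ACEs on the object are reported
    )
    if (-not $DistinguishedName) {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
        $DistinguishedName = [string]$rootDse.Properties['defaultNamingContext'].Value
    }
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")

    # DACL as ActiveDirectoryAccessRule objects, identities resolved to DOMAIN\name where possible
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $IncludeInherited.IsPresent,
                                                  [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        # Only Allow ACEs that carry the ExtendedRight access mask are of interest
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }

        $guid = $rule.ObjectType.ToString().ToLower()
        if ($guid -eq [guid]::Empty.ToString()) {
            # An empty ObjectType with ExtendedRight grants every control access right, replication included
            $rightName = 'ALL extended rights'
        } elseif ($ExtendedRightGuids.ContainsKey($guid)) {
            $rightName = $ExtendedRightGuids[$guid]
        } else {
            continue   # some other extended right; not in scope for this audit
        }

        New-Object PSObject -Property @{
            Object    = $DistinguishedName
            Identity  = $rule.IdentityReference.Value
            Right     = $rightName
            Inherited = $rule.IsInherited
        }
    }
}

# Usage: review the domain head object. Replication rights are normally held only by the
# Domain Controllers / Enterprise Domain Controllers groups and Administrators; anything else
# should be explained or removed.
Get-ExtendedRightHolders | Sort-Object Right, Identity | Format-Table Right, Identity, Inherited -AutoSize
```

Run it against a specific OU or user by passing `-DistinguishedName`, and add `-IncludeInherited` to see rights that arrive through inheritance from a parent container. Because the check is read-only and uses the same LDAP access an unprivileged user already has, it is safe to schedule as a recurring drift check and diff the output against a known-good baseline.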

Slide 30

How to contribute?
• Test the tool, suggest changes, improvements, enhancements, etc.
• Add / Promote / Write about the tool
• Report / track / suggest / fix issues
Pull requests are always welcome.
Issue tracker: https://github.com/sense-of-security/ADRecon/issues

Slide 31

https://github.com/sense-of-security/ADRecon
Author: @prashant3535
(screenshot taken on 20Mar18)

Slide 32

Questions?

Slide 33

Thank you
Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
T: 1300 922 923 | T: +61 (0) 2 9290 4444 | F: +61 (0) 2 9290 4455
[email protected] | www.senseofsecurity.com.au

Slide 34

References
• What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx)
• The KRBTGT Account – What is it? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
• Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
• Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
• How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
• All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
• Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
• Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
• Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
• PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
• BloodHound (https://github.com/BloodHoundAD/BloodHound)
• Grouper (https://github.com/l0ss/Grouper)
• Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
• PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440)
• Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)