
ADRecon BH ASIA 2018 : Arsenal Presentation

Prashant
March 22, 2018

ADRecon BH ASIA 2018 : Arsenal Presentation

Updated version of the Arsenal Demo of ADRecon presented on 22nd and 23rd March at BlackHat Asia 2018.
https://www.blackhat.com/asia-18/arsenal.html#adrecon-active-directory-recon


Transcript

  1. www.senseofsecurity.com.au © Sense of Security 2018 Page 1 – 22-Mar-18

     ADRecon
     BlackHat Asia 2018 – Arsenal, 22-23 March 2018
     https://github.com/sense-of-security/ADRecon
     Sense of Security Pty Ltd – Compliance, Protection & Business Confidence
     Sydney: Level 8, 66 King Street, Sydney NSW 2000, Australia
     Melbourne: Level 15, 401 Docklands Drv, Docklands VIC 3008, Australia
     T: 1300 922 923 | T: +61 (0) 2 9290 4444 | F: +61 (0) 2 9290 4455
     www.senseofsecurity.com.au | ABN: 14 098 237 908
  2. What is ADRecon?

     • ADRecon is a tool which gathers information about the Active Directory (AD) and generates a report which can provide a holistic picture of the current state of the target AD environment.
     • Can be run from a domain-member or a standalone workstation as a normal unprivileged domain user*.
     • Output is an Excel report with graphs and raw data, CSV files and/or STDOUT.
     * Some features require a privileged user.
  3. Who uses ADRecon?

     • System administrators
     • Security professionals
     • Red Team
     • Blue Team
     • Purple Team

     Friendly plug
     • “Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in MS AD Group Policy” – Mike Loss at BSides Canberra (13 April)
     • ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training – NotSoSecure at BlackHat USA 2018 (4 – 7 August)
  4. Prerequisites

     1. User credentials and access to a Windows host with network access to the Domain Controller (TCP 9389 for ADWS or TCP 389 for LDAP)
     2. Windows host prerequisites
        • .NET Framework 3.0 or later (Windows 7 includes 3.0)
        • PowerShell 2.0 or later (Windows 7 includes 2.0)
     3. Optional
        • Microsoft Excel (to generate the report)
        • Remote Server Administration Tools (RSAT):
          • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
          • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
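An added pre-flight check for the prerequisites on this slide, written for this page and not part of the ADRecon project. It assumes a placeholder domain controller name (dc01.corp.example) and verifies the PowerShell and .NET Framework versions, TCP reachability of the DC on 9389 (ADWS) and 389 (LDAP), and whether the RSAT ActiveDirectory and GroupPolicy modules are installed. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on Windows 7 with PowerShell 2.0.

```powershell
# Added example (not ADRecon code): check the host prerequisites before running ADRecon.
param(
    [string]$DomainController = 'dc01.corp.example'   # placeholder, replace with your DC
)

# 1. PowerShell version (2.0 or later)
$psVersion = $PSVersionTable.PSVersion
Write-Host ("PowerShell {0}: {1}" -f $psVersion, $(if ($psVersion.Major -ge 2) { 'OK' } else { 'too old' }))

# 2. .NET Framework 3.0 or later, read from the registry keys each installed version creates
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$installed = Get-ChildItem $ndp -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^v[3-9]' } |
    Select-Object -ExpandProperty PSChildName
Write-Host ".NET Framework versions found: $($installed -join ', ')"
if (-not $installed) { Write-Warning '.NET Framework 3.0 or later not found' }

# 3. Network reachability of the DC: ADWS (TCP 9389) or LDAP (TCP 389).
#    A raw TcpClient connect with a timeout keeps this usable on PowerShell 2.0.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($port in 9389, 389) {
    $open = Test-TcpPort -ComputerName $DomainController -Port $port
    $svc  = if ($port -eq 9389) { 'ADWS' } else { 'LDAP' }
    Write-Host ("{0} TCP {1} ({2}): {3}" -f $DomainController, $port, $svc, $(if ($open) { 'open' } else { 'unreachable' }))
}

# 4. Optional RSAT modules (GroupPolicy is what -Collect GPOReport needs)
foreach ($m in 'ActiveDirectory', 'GroupPolicy') {
    $present = [bool](Get-Module -ListAvailable -Name $m)
    Write-Host ("RSAT module {0}: {1}" -f $m, $(if ($present) { 'present' } else { 'missing' }))
}
```

Run it from the workstation you intend to use; at least one of the two ports has to be open, since ADRecon falls back to LDAP on 389 when ADWS on 9389 is not reachable.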
  5. Modules

     • Forest
     • Domains in the Forest and other attributes such as Sites
     • Domain Password Policy
     • Domain Controllers and their roles
     • Users and their attributes
     • Service Principal Names
     • Groups and their members
     • Organizational Units (OU) and their ACLs
     • Group Policy Object details
     • DNS Zones and Records
     • Printers
     • Computers and their attributes
     • LAPS passwords* (if implemented)
     • BitLocker Recovery Keys* (if implemented)
     * Requires a privileged user.
  6. ADRecon Execution (updated screenshot after presentation)
  7. ADRecon Execution (updated screenshot after presentation)
  8. Password Policy (updated screenshot after presentation)
  9. Domain Controllers (updated screenshot after presentation)
  10. Group Memberships (updated screenshot after presentation)
  11. OU Permissions (updated screenshot after presentation)
  12. GPO Report (RSAT only)

     • You can generate the GPO report using the following command*:
       .\ADRecon.ps1 -Collect GPOReport
     • This command will create HTML and XML GPO reports using the Get-GPOReport PowerShell cmdlet.
     • The XML file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper)
     * Can be executed from a standalone workstation by launching PowerShell with RUNAS:
       runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
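An added example, not ADRecon's own code, showing what the command above does underneath: it produces the same HTML and XML reports directly with the RSAT Get-GPOReport cmdlet and then reads the XML back to list each GPO with its link targets, which is the first thing a reviewer wants before handing the file to Grouper. The domain name and output folder are placeholders, and the XML property names used (report/GPO, Name, CreatedTime, ModifiedTime, LinksTo/SOMPath) are taken from the Get-GPOReport output format as an assumption.

```powershell
# Added example (not ADRecon code): generate and inventory the GPO reports with RSAT.
Import-Module GroupPolicy

$domain = 'corp.example'   # placeholder: the target domain FQDN
$outDir = Join-Path $env:USERPROFILE 'ADRecon-GPOReport'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# One report per format, covering every GPO in the domain
Get-GPOReport -All -Domain $domain -ReportType Html -Path (Join-Path $outDir 'GPOReport.html')
Get-GPOReport -All -Domain $domain -ReportType Xml  -Path (Join-Path $outDir 'GPOReport.xml')

# Inventory from the XML: name, timestamps and the OUs/domain the GPO is linked to.
# Unlinked GPOs are worth a look on their own: they are often forgotten test policies.
[xml]$report = Get-Content (Join-Path $outDir 'GPOReport.xml')
$report.report.GPO | ForEach-Object {
    $links = @($_.LinksTo | ForEach-Object { $_.SOMPath })
    New-Object PSObject -Property @{
        Name     = $_.Name
        Created  = $_.CreatedTime
        Modified = $_.ModifiedTime
        Linked   = if ($links.Count) { $links -join '; ' } else { '(unlinked)' }
    }
} | Sort-Object Name | Format-Table Name, Created, Modified, Linked -AutoSize
```

On a standalone workstation start PowerShell with the runas /netonly command from the slide first, so that the GroupPolicy cmdlets authenticate to the domain with the supplied credentials.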
  13. DNS Zones and Records (updated screenshot after presentation)
  14. Computers (updated screenshot after presentation)
  15. BitLocker (updated screenshot after presentation)
  16. Future Plans

     • Replace System.DirectoryServices.DirectorySearcher with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
     • Add Domain Trust enumeration.
     • Gather ACLs for the userAccountControl attribute and the ms-Mcs-AdmPwd LAPS attribute to determine which users can read the values.
     • Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc., which can be used as alternative attack vectors.
     • Additional export and storage options: export to STDOUT, SQLite, XML, HTML.
     • List issues identified and provide recommended remediation advice based on analysis of the data.
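An added example for the first bullet above, written for this page and not taken from ADRecon: it uses System.DirectoryServices.Protocols to check whether a domain controller accepts LDAPS on TCP 636 and STARTTLS on TCP 389, binding as the current user and reading RootDSE to prove the session works. That is the check an administrator wants before switching a collector away from cleartext LDAP. The DC name is a placeholder.

```powershell
# Added example (not ADRecon code): probe LDAPS and STARTTLS with System.DirectoryServices.Protocols.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc = 'dc01.corp.example'   # placeholder, replace with your DC

function Connect-LdapTls {
    param(
        [string]$Server,
        [ValidateSet('LDAPS', 'STARTTLS')][string]$Mode
    )
    $port = if ($Mode -eq 'LDAPS') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM as the current user
    try {
        if ($Mode -eq 'LDAPS') {
            $conn.SessionOptions.SecureSocketLayer = $true              # TLS from the first byte on 636
        } else {
            $conn.SessionOptions.StartTransportLayerSecurity($null)     # upgrade the 389 session before binding
        }
        $conn.Bind()

        # A base-scope RootDSE search confirms the bind and returns the DC's naming context
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $attrs = [string[]]@('dnsHostName', 'defaultNamingContext')
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($null, '(objectClass=*)', $scope, $attrs)
        $resp  = $conn.SendRequest($req)
        $entry = $resp.Entries[0].Attributes
        New-Object PSObject -Property @{
            Mode   = $Mode
            Host   = $entry['dnsHostName'][0]
            BaseDN = $entry['defaultNamingContext'][0]
            Result = 'connected'
        }
    } catch {
        # Typical failures: no certificate on the DC (LDAPS), STARTTLS unsupported, or name mismatch
        New-Object PSObject -Property @{ Mode = $Mode; Host = $Server; BaseDN = ''; Result = "failed: $($_.Exception.Message)" }
    } finally {
        $conn.Dispose()
    }
}

foreach ($mode in 'LDAPS', 'STARTTLS') {
    Connect-LdapTls -Server $dc -Mode $mode
}
```

A DC that fails both probes has no server certificate for LDAP, and any collector talking to it on 389 is sending its queries in cleartext; the RootDSE output also gives the base DN that a DirectoryServices.Protocols search would use as its starting point.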
  17. How to contribute?

     • Test the tool, suggest changes, improvements, enhancements, etc.
     • Add / promote / write about the tool
     • Report / track / suggest / fix issues
     Pull requests are always welcome :)
     Issue tracker (https://github.com/sense-of-security/ADRecon/issues)
  18. https://github.com/sense-of-security/ADRecon
     Author: @prashant3535
     Screenshot taken on 20Mar18
  19. Thank you

     Head office is Level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
     T: 1300 922 923 | T: +61 (0) 2 9290 4444 | F: +61 (0) 2 9290 4455
     www.senseofsecurity.com.au
  20. References

     • What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx)
     • The KRBTGT Account – What is it? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
     • Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
     • Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
     • How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
     • All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
     • Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
     • Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
     • Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
     • PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
     • BloodHound (https://github.com/BloodHoundAD/BloodHound)
     • Grouper (https://github.com/l0ss/Grouper)
     • Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
     • PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440)
     • Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)