What is ADRecon?
• ADRecon is a tool which gathers information about the Active Directory (AD) and generates a report which can provide a holistic picture of the current state of the target AD environment.
• Can be run from a domain-member or a standalone workstation as a normal unprivileged domain user*.
• Output is an Excel report with graphs and raw data, CSV files and/or STDOUT.
* Some features require a privileged user.
Who uses ADRecon?
• System administrators
• Security professionals
• Red Team
• Blue Team
• Purple Team

Friendly plug
• "Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in MS AD Group Policy" – Mike Loss at BSides Canberra (13 April)
• ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training – NotSoSecure at BlackHat USA 2018 (4 – 7 August)
Prerequisites
1. User credentials and access to a Windows host with network access to the Domain Controller (TCP 9389 for ADWS or TCP 389 for LDAP)
2. Windows host prerequisites
   • .NET Framework 3.0 or later (Windows 7 includes 3.0)
   • PowerShell 2.0 or later (Windows 7 includes 2.0)
3. Optional
   • Microsoft Excel (to generate the report)
   • Remote Server Administration Tools (RSAT):
     • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
     • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
Modules
• Forest
• Domains in the Forest and other attributes such as Sites
• Domain Password Policy
• Domain Controllers and their roles
• Users and their attributes
• Service Principal Names
• Groups and their members
• Organizational Units (OU) and their ACLs
• Group Policy Object details
• DNS Zones and Records
• Printers
• Computers and their attributes
• LAPS passwords* (if implemented)
• BitLocker Recovery Keys* (if implemented)
* Requires a privileged user.
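The "Users and their attributes" module exports the raw userAccountControl integer for each account. The following is an added example, not ADRecon's own code, showing how a reviewer can decode that bitmask into flag names (bit values taken from Microsoft KB 305144, which the deck lists under References) and pick out the settings that weaken authentication or widen delegation. It assumes PowerShell 3.0 or later for the [ordered] hashtable; the sample users are constructed, and real values would come from the Users export.

```powershell
# Added example, not part of ADRecon: decode a userAccountControl value into its flag
# names (bit values from Microsoft KB 305144) and mark the settings a reviewer of the
# Users sheet usually wants to look at first. Assumes PowerShell 3.0 or later.

$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Flags that weaken authentication or widen delegation; worth a second look when set.
$ReviewFlags = @(
    'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
    'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION',
    'TRUSTED_TO_AUTH_FOR_DELEGATION'
)

# Returns the names of every flag whose bit is set in $Value.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $flag.Key }
    }
}

# Builds one review row per user: enabled state, all flags, and the flags to review.
function Get-UacReview {
    param([Parameter(Mandatory)][object[]]$Users)
    foreach ($user in $Users) {
        $names = @(ConvertFrom-UserAccountControl -Value $user.userAccountControl)
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Enabled        = -not ($names -contains 'ACCOUNTDISABLE')
            Flags          = ($names -join ',')
            Review         = (@($names | Where-Object { $ReviewFlags -contains $_ }) -join ',')
        }
    }
}

# Constructed sample rows standing in for the Users export; real values come from AD.
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice';   userAccountControl = 512 }       # NORMAL_ACCOUNT
    [pscustomobject]@{ SamAccountName = 'svc-bak'; userAccountControl = 66048 }     # + DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ SamAccountName = 'legacy';  userAccountControl = 4194816 }   # + DONT_REQ_PREAUTH
    [pscustomobject]@{ SamAccountName = 'old';     userAccountControl = 514 }       # + ACCOUNTDISABLE
)

Get-UacReview -Users $SampleUsers | Format-Table -AutoSize
```

The Review column is deliberately a short list rather than a verdict: DONT_EXPIRE_PASSWORD on a service account may be intended, but DONT_REQ_PREAUTH or USE_DES_KEY_ONLY on any enabled account should be traced back to a documented reason.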
GPO Report (RSAT only)
• You can generate the GPO report using the following command*:
  ./ADRecon -Collect GPOReport
• This command will create HTML and XML GPO reports using the Get-GPOReport PowerShell cmdlet.
• The XML file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper)
* Can be executed from a standalone workstation by launching PowerShell with RUNAS and then running ADRecon from that session:
  runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
Future Plans
• Replace System.DirectoryServices.DirectorySearch with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
• Add Domain Trust Enumeration.
• Gather ACLs for the useraccountcontrol attribute and the ms-mcs-admpwd LAPS attribute to determine which users can read the values.
• Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc. which can be used as alternative attack vectors.
• Additional export and storage options: export to STDOUT, SQLite, XML, HTML.
• List issues identified and provide recommended remediation advice based on analysis of the data.
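The first item above, moving to System.DirectoryServices.Protocols so that STARTTLS and LDAPS can be used, is illustrated by this added example; it is not ADRecon code and is not how the project implemented the plan. It opens an LdapConnection in either mode, binds, and reads defaultNamingContext from the RootDSE, which needs no privileges and so works from the unprivileged domain user the deck describes. The server name is a hypothetical placeholder, and the example assumes the DC's certificate chains to a CA the workstation trusts: no VerifyServerCertificate callback is set, so the platform's normal chain validation applies rather than an accept-anything callback.

```powershell
# Added example, not ADRecon code: open an LDAP session with System.DirectoryServices.Protocols
# using either StartTLS on 389 or LDAPS on 636, then read defaultNamingContext from the RootDSE.
# Assumptions: $Server resolves to a DC, and its certificate chains to a trusted CA (no
# VerifyServerCertificate callback is set, so the platform's validation is used as-is).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-SecureLdap {
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet('StartTLS', 'LDAPS')][string]$Mode = 'StartTLS',
        [System.Net.NetworkCredential]$Credential = $null   # $null = current user's identity
    )
    $port = if ($Mode -eq 'LDAPS') { 636 } else { 389 }
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.ProtocolVersion = 3
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($Credential) { $connection.Credential = $Credential }

    if ($Mode -eq 'LDAPS') {
        # TLS from the first byte on the dedicated port.
        $connection.SessionOptions.SecureSocketLayer = $true
    } else {
        # Plain 389, then the RFC 2830 StartTLS extended operation before binding,
        # so the bind and every later query are already inside TLS.
        $connection.SessionOptions.StartTransportLayerSecurity($null)
    }
    $connection.Bind()
    return $connection
}

function Get-DefaultNamingContext {
    param([Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection)
    # RootDSE is read with an empty base DN and base scope; no privileges are needed.
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        '', '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('defaultNamingContext'))
    $response = [System.DirectoryServices.Protocols.SearchResponse]$Connection.SendRequest($request)
    return [string]$response.Entries[0].Attributes['defaultNamingContext'][0]
}

# Usage (hypothetical DC name):
# $ldap = Connect-SecureLdap -Server 'dc01.corp.example' -Mode StartTLS
# Get-DefaultNamingContext -Connection $ldap      # e.g. DC=corp,DC=example
# $ldap.Dispose()
```

If Bind() fails with a certificate error in either mode, the fix is to get the DC's certificate chain trusted on the workstation, not to assign a callback that returns $true; that would keep the encryption but give up the server authentication that makes STARTTLS and LDAPS worth having.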
How to contribute?
• Test the tool, suggest changes, improvements, enhancements, etc.
• Add / promote / write about the tool
• Report / track / suggest / fix issues
Pull requests are always welcome.
Issue tracker (https://github.com/sense-of-security/ADRecon/issues)
Thank you
Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
[email protected]
www.senseofsecurity.com.au
References
• What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx)
• The KRBTGT Account – What is it? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
• Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
• Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
• How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
• All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
• Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
• Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
• Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
• PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
• BloodHound (https://github.com/BloodHoundAD/BloodHound)
• Grouper (https://github.com/l0ss/Grouper)
• Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
• PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440)
• Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)