Mahajan
Job Title: Senior Security Consultant
Company: Sense of Security
Founder Member: null – The Open Security Community (https://null.co.in)
Project Manager: null Jobs (https://jobs.null.co.in)
Developer: ADRecon (https://github.com/sense-of-security/ADRecon)
What is ADRecon?
of AD environment.
• Extracts & combines various artefacts from an Active Directory environment
• The information is presented in a specially formatted Excel report (optional)
• Summary views with metrics to facilitate analysis (Excel only)
• Can be run by a normal unprivileged domain user* from
  • a domain-member or
  • a standalone workstation
* some features require a privileged user account.
27/10/18 Sense of Security
Who uses ADRecon?
• System administrators
• Security professionals
Friendly plug
• Making Pentesters Sad: Low-hanging Fruit For Enterprise Defenders by Mike Loss at purplecon (15 November)
• ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training – NotSoSecure at BlackHat Europe 2018 (3 - 6 December)
Prerequisites
1. Network access to the Domain Controller
  • TCP 9389 for ADWS or
  • TCP 389 for LDAP
2. Windows Host Prerequisites
  • .NET Framework 3.0 or later (Windows 7 includes 3.0)
  • PowerShell 2.0 or later (Windows 7 includes 2.0)
3. Optional
  • Microsoft Excel (to generate the report)
  • Remote Server Administration Tools (RSAT):
    • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
    • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
• Subnets,
• Default and Fine Grained* Password Policy (if implemented),
• Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles,
• Users and their attributes,
• Service Principal Names (SPNs),
• Groups and memberships,
• Organizational Units (OUs),
• ACLs for the Domain, OUs, Root Containers and GroupPolicy objects,
• GroupPolicy objects and gPLink details,
• DNS Zones and Records,
• Printers,
• Computers and their attributes,
• LAPS passwords* (if implemented),
• BitLocker Recovery Keys* (if implemented),
• GPOReport (requires RSAT), and
• Kerberoast (not included in the default collection method).
* require privileged user account
GPOReport
command*: ./ADRecon -Collect GPOReport
• This command will generate html and xml GPOReports using the Get-GPOReport PowerShell module.
• The xml file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper)
* can be executed from a standalone workstation by launching the PowerShell session that runs ADRecon with RUNAS:
runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
Audit Directory Service Access
audited just like files/folders, giving valuable audit information.
• Group Policy: Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> DS Access --> Audit Directory Service Access.
https://community.softwaregrp.com/t5/Security-Research/Where-s-wald0-Sniffing-out-the-Bloodhound/ba-p/228770
What is normal?
activity such as:
• net user /domain
• Get-WmiObject -Class Win32_UserAccount
• Get-ADUser -Filter * (MS ActiveDirectory module)
• Get-NetUser (PowerView)
• Find Users, Contacts and Groups GUI
• How to differentiate attacker enumeration from normal activity?
http://www.labofapenetrationtester.com/2018/10/deploy-deception.html
Deploy-Deception
(uses the ActiveDirectory module cmdlets), which can be used to create decoy objects, set interesting attributes and turn on auditing for different Active Directory objects.
• https://github.com/samratashok/Deploy-Deception
• Automates deploying "Deception Objects"
• Turns on auditing for an uncommon attribute so that only aggressive enumeration triggers the logging.
Detection
"To set or get the SACL from an object security descriptor, the SE_SECURITY_NAME privilege must be enabled in the access token of the requesting thread. The administrators group has this privilege by default, and it can be assigned to other users or groups."
https://docs.microsoft.com/en-us/windows/desktop/ad/retrieving-an-objectampaposs-sacl
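The Audit Directory Service Access, Deploy-Deception and SACL slides above describe one detection pattern: put a success-audit ACE on a decoy object for an attribute that everyday tooling never reads, then watch the resulting directory-service access events. The script below is an added example written for this deck, not ADRecon's or Deploy-Deception's own code; it assumes the RSAT ActiveDirectory module, an account holding SE_SECURITY_NAME (required to write the SACL), and that the DS Access audit policy is already enabled on the domain controllers. The decoy DN, the attribute name and the DC hostname are placeholders the defender supplies.

```powershell
# Added example (not ADRecon's or Deploy-Deception's code). Assumes RSAT ActiveDirectory,
# SE_SECURITY_NAME on the caller, and "Audit Directory Service Access" enabled on the DCs.
Import-Module ActiveDirectory
# Resolve an attribute's schemaIDGUID: the SACL scopes auditing to one attribute by that GUID,
# so ordinary reads of other properties on the decoy do not generate noise.
function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return [guid]$attr.schemaIDGUID
}
# Add a success-audit ACE (Everyone, ReadProperty, one attribute) to the decoy's SACL.
# $DecoyDN and $AttributeName are placeholders chosen by the defender.
function Add-DecoyReadAudit {
    param([Parameter(Mandatory)][string]$DecoyDN,
          [Parameter(Mandatory)][string]$AttributeName)
    $attrGuid = Get-SchemaAttributeGuid -LdapDisplayName $AttributeName
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        $attrGuid)
    $acl = Get-Acl -Path "AD:\$DecoyDN" -Audit   # -Audit is needed to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$DecoyDN" -AclObject $acl
    return $attrGuid
}
# Pull Event ID 4662 ("An operation was performed on an object") from a DC's Security log and
# keep only the entries whose accessed-properties list contains the audited attribute GUID.
function Get-DecoyReadEvents {
    param([Parameter(Mandatory)][string]$DomainController,
          [Parameter(Mandatory)][guid]$AttributeGuid,
          [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}   # EventData fields keyed by name, taken from the event XML
            foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            if ($d['Properties'] -match [regex]::Escape($AttributeGuid.ToString())) {
                [pscustomobject]@{ Time    = $_.TimeCreated
                                   Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                                   Object  = $d['ObjectName'] }
            }
        }
}
```

Run `Add-DecoyReadAudit` once per decoy (for example `$g = Add-DecoyReadAudit -DecoyDN 'CN=<decoy>,OU=<ou>,DC=<domain>,DC=<tld>' -AttributeName '<uncommon attribute>'`), then schedule `Get-DecoyReadEvents -DomainController '<dc fqdn>' -AttributeGuid $g`; any subject listed is a principal that requested an attribute normal enumeration does not touch.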
ACL Module Update Release at CHCON18
• Root Containers
• GPO
• Users
• Computers
• Groups
• Updated to enumerate DACLs for Users, Computers and Groups.
* requires privileged user account.
Resources
• KRBTGT Account – What is it? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
• Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
• Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
• How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
• All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
• Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
• Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
• Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
• PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
• BloodHound (https://github.com/BloodHoundAD/BloodHound)
• Grouper (https://github.com/l0ss/Grouper)
• Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
• PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440)
• Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)
• Active Directory password attribute selection (https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ad_password_attribute_selection.htm)
• unicodePwd (https://msdn.microsoft.com/en-us/library/cc223248.aspx)
• userPassword (https://msdn.microsoft.com/en-us/library/cc223249.aspx)
• Directory Lab Environment for Testing (https://adsecurity.org/?p=2653)
• Setting up an Active Directory Lab (https://www.psattack.com/articles/20160718/setting-up-an-active-directory-lab-part-1/)
• Detection Lab (https://github.com/clong/DetectionLab)
• AutomatedLab (https://github.com/AutomatedLab/AutomatedLab)
• Invoke-ADLabDeployer (https://github.com/outflanknl/Invoke-ADLabDeployer)
• Creating Real Looking User Accounts in AD Lab (https://www.darkoperator.com/blog/2016/7/30/creating-real-looking-user-accounts-in-ad-lab)
• Create Lab User Accounts 2.0 (https://gallery.technet.microsoft.com/Create-Lab-User-Accounts-844f7ba1)