
ADRecon - Detection CHCON 2018

Prashant
October 27, 2018


Transcript

  1. ADRecon: Active Directory Recon Detection
     Prashant Mahajan, Sense of Security, 27/10/18
     Sense of Security Pty Ltd, ABN 14 098 237 908, @ITSecurityAU. Compliance, Protection & Business Confidence.
     Sydney: Level 8, 59 Goulburn Street, Sydney NSW 2000. Melbourne: Level 15, 401 Docklands Drive, Docklands VIC 3008. Tel. 1300 922 923, Intl. +61 2 9290 4444, www.senseofsecurity.com.au
  2. net user Prashant
     Full Name: Prashant Mahajan
     Job Title: Senior Security Consultant
     Company: Sense of Security
     Founder Member: null – The Open Security Community (https://null.co.in)
     Project Manager: null Jobs (https://jobs.null.co.in)
     Developer: ADRecon (https://github.com/sense-of-security/ADRecon)
  3. What is ADRecon?
     • ADRecon provides a holistic picture of the current state of an AD environment.
     • Extracts and combines various artefacts from an Active Directory environment.
     • The information is presented in a specially formatted Excel report (optional).
     • Summary views with metrics to facilitate analysis (Excel only).
     • Can be run by a normal unprivileged domain user* from a domain-member or a standalone workstation.
     * Some features require a privileged user account.
  4. Who uses ADRecon?
     • Blue Team
     • Purple Team
     • Red Team
     • System administrators
     • Security professionals
     Friendly plug:
     • Making Pentesters Sad: Low-hanging Fruit For Enterprise Defenders by Mike Loss at purplecon (15 November)
     • ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION training by NotSoSecure at BlackHat Europe 2018 (3 - 6 December)
  5. Prerequisites
     1. User credentials and access to a Windows host with network access to the Domain Controller:
        • TCP 9389 for ADWS, or
        • TCP 389 for LDAP
     2. Windows host prerequisites:
        • .NET Framework 3.0 or later (Windows 7 includes 3.0)
        • PowerShell 2.0 or later (Windows 7 includes 2.0)
     3. Optional:
        • Microsoft Excel (to generate the report)
        • Remote Server Administration Tools (RSAT):
          • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
          • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
  6. Modules
     • Forest, Domain, Trusts, Sites, Subnets,
     • Default and Fine Grained* Password Policy (if implemented),
     • Domain Controllers, SMB versions, whether SMB Signing is supported, and FSMO roles,
     • Users and their attributes,
     • Service Principal Names (SPNs),
     • Groups and memberships,
     • Organizational Units (OUs),
     • ACLs for the Domain, OUs, Root Containers and GroupPolicy objects,
     • GroupPolicy objects and gPLink details,
     • DNS Zones and Records, Printers,
     • Computers and their attributes,
     • LAPS passwords* (if implemented),
     • BitLocker Recovery Keys* (if implemented),
     • GPOReport (requires RSAT), and
     • Kerberoast (not included in the default collection method).
     * Requires a privileged user account.
  7. GPOReport
     • You can generate the GPO report using the following command*:
       ./ADRecon -Collect GPOReport
     • This command generates HTML and XML GPOReports using the Get-GPOReport PowerShell cmdlet.
     • The XML file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper).
     * Can be executed from a standalone workstation by launching ADRecon from a RUNAS session:
       runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
  8. Audit Directory Service Access
     • Users and groups are directory objects and can be audited just like files/folders, giving valuable audit information.
     • Group Policy: Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> DS Access --> Audit Directory Service Access.
     Reference: https://community.softwaregrp.com/t5/Security-Research/Where-s-wald0-Sniffing-out-the-Bloodhound/ba-p/228770
  9. Event ID 4662
     • Event ID 4662 will be generated every time one of these audited objects is enumerated.
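The audit setup the two slides above describe, as an added example that is not part of the deck or of the ADRecon project: it enables the Directory Service Access subcategory with auditpol (the local equivalent of the Group Policy path on slide 8) and appends a success-audit SACL entry to a decoy user for reads of a single attribute, so that reading that attribute on that object raises Event ID 4662. It assumes the RSAT ActiveDirectory module, a Domain Admin session on a domain controller, a decoy user named decoy-svc (a placeholder) and x500uniqueIdentifier as the watched attribute (an assumption; choose any attribute your everyday tooling does not read).

```powershell
# Added example (not from the deck or the ADRecon project). Assumes RSAT's
# ActiveDirectory module and a Domain Admin session on a DC; 'decoy-svc' and
# the watched attribute are placeholders to adapt to your environment.
Import-Module ActiveDirectory

# 1. Turn on the audit subcategory on this DC. The Group Policy equivalent is
#    Advanced Audit Policy Configuration -> DS Access -> Audit Directory Service Access.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# 2. Locate the decoy object and the schema GUID of the attribute to watch.
$DecoyDn  = (Get-ADUser -Identity 'decoy-svc').DistinguishedName
$AttrName = 'x500uniqueIdentifier'   # assumption: not requested by everyday lookups
$Schema   = (Get-ADRootDSE).SchemaNamingContext
$AttrGuid = [guid](Get-ADObject -SearchBase $Schema -LDAPFilter "(lDAPDisplayName=$AttrName)" -Properties schemaIDGUID).schemaIDGUID

# 3. Audit successful ReadProperty on that one attribute, for every principal.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $Everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $AttrGuid)

# 4. Append the rule to the object's SACL. Reading or writing a SACL needs
#    SeSecurityPrivilege (SE_SECURITY_NAME) in the caller's token.
$Acl = Get-Acl -Path "AD:\$DecoyDn" -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path "AD:\$DecoyDn" -AclObject $Acl

# 5. Confirm the explicit (non-inherited) audit entries on the decoy.
(Get-Acl -Path "AD:\$DecoyDn" -Audit).Audit |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType
```

Watching one rarely-read attribute rather than the whole object keeps the volume of 4662 events low: a plain user lookup that never requests that attribute produces nothing, while a tool that pulls every attribute of every user trips the entry.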
  10. What is normal?
     • Event ID 4662 will also be generated by normal/admin activity such as:
       • net user /domain
       • Get-WmiObject -Class Win32_UserAccount
       • Get-ADUser -Filter * (MS ActiveDirectory module)
       • Get-NetUser (PowerView)
       • Find Users, Contacts and Groups GUI
     • How do we differentiate attacker enumeration from normal activity?
     Reference: http://www.labofapenetrationtester.com/2018/10/deploy-deception.html
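One way to approach the question on the slide above, added here as an example that is not part of the deck or of ADRecon: rather than alerting on every 4662, read the events off a domain controller's Security log, bucket them per account and time window, and surface accounts that touched an unusually large number of distinct objects in one window, which is the footprint of bulk enumeration and not of a single lookup. It assumes rights to read the Security log, and the threshold, exclusion list and the optional decoy-attribute GUID (which ties back to the auditing of a single attribute) are values you tune to your own baseline; the account name in the usage line is a placeholder.

```powershell
# Added example (not from the deck or the ADRecon project): triage Event ID 4662
# and flag per-account bursts of distinct-object access. Assumes rights to read
# the Security log on the DC named in -ComputerName.
function Get-DsAccessEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData fields into a hashtable keyed by field name.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ObjectType = $d.ObjectType      # schema GUID of the object's class
                ObjectName = $d.ObjectName      # GUID or DN of the object touched
                Properties = $d.Properties      # GUIDs of the attributes/property sets read
            }
        }
}

function Find-BulkEnumeration {
    param(
        [object[]]$Events,
        [int]$WindowMinutes = 10,
        [int]$Threshold = 50,                    # distinct objects per window; tune to baseline
        [string[]]$Exclude = @(),                # DOMAIN\account names that enumerate legitimately
        [guid]$WatchedProperty = [guid]::Empty   # optional: schemaIDGUID of a decoy attribute
    )
    $span = [timespan]::FromMinutes($WindowMinutes).Ticks
    $Events |
        Where-Object { $Exclude -notcontains $_.User } |
        Group-Object -Property { $_.User }, { [math]::Floor($_.Time.Ticks / $span) } |
        ForEach-Object {
            $g = $_.Group
            $distinct = @($g | Select-Object -ExpandProperty ObjectName -Unique).Count
            # A single read of the decoy attribute is a hit regardless of volume.
            $hitDecoy = ($WatchedProperty -ne [guid]::Empty) -and
                        [bool]($g | Where-Object { $_.Properties -match $WatchedProperty.ToString() })
            [pscustomobject]@{
                User            = $g[0].User
                WindowStart     = [datetime]([long]$_.Values[1] * $span)
                Events          = $_.Count
                DistinctObjects = $distinct
                ObjectTypes     = (@($g.ObjectType | Sort-Object -Unique) -join ',')
                DecoyRead       = $hitDecoy
            }
        } |
        Where-Object { $_.DecoyRead -or $_.DistinctObjects -ge $Threshold } |
        Sort-Object DistinctObjects -Descending
}

# Usage: last four hours, alert at 100 distinct objects per 10-minute window,
# excluding a known inventory account (placeholder name).
$events = Get-DsAccessEvents -Since (Get-Date).AddHours(-4)
Find-BulkEnumeration -Events $events -Threshold 100 -Exclude 'EXAMPLE\svc-inventory' | Format-Table -AutoSize
```

The two signals complement each other: the distinct-object count catches tools that walk the whole directory (ADRecon, PowerView, Get-ADUser -Filter *) even when no decoy exists, while the decoy-attribute match stays silent for the normal activity listed on the slide and fires on a single read.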
  11. Deploy-Deception
     • Deploy-Deception by Nikhil Mittal.
     • A simple PowerShell module (uses the ActiveDirectory module cmdlets) which can be used to create decoy objects, set interesting attributes and turn on auditing for different Active Directory objects.
     • https://github.com/samratashok/Deploy-Deception
     • Automates deploying "Deception Objects".
     • Turns on auditing for an uncommon attribute so that only aggressive enumeration triggers the logging.
  12. Detection
     • Can we enumerate all System Access Control Lists (SACLs)?
  13. ACL Module Update (release at CHCON18)
     • Updated to enumerate SACLs for:
       • Domain
       • OU
       • Root Containers
       • GPO
       • Users
       • Computers
       • Groups
     • Updated to enumerate DACLs for Users, Computers and Groups.
  14. Detection
     • Can we enumerate all System Access Control Lists (SACLs)?
     Reference: https://docs.microsoft.com/en-us/windows/desktop/ad/retrieving-an-objectampaposs-sacl
  15. Detection
     • Can we enumerate all System Access Control Lists (SACLs)?
     "To set or get the SACL from an object security descriptor, the SE_SECURITY_NAME privilege must be enabled in the access token of the requesting thread. The administrators group has this privilege by default, and it can be assigned to other users or groups."
     Reference: https://docs.microsoft.com/en-us/windows/desktop/ad/retrieving-an-objectampaposs-sacl
  16. ACL Module Update (release at CHCON18)
     • Updated to enumerate SACLs* for:
       • Domain
       • OU
       • Root Containers
       • GPO
       • Users
       • Computers
       • Groups
     • Updated to enumerate DACLs for Users, Computers and Groups.
     * Requires a privileged user account.
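The privilege requirement quoted on slide 15 seen from the defender's side, as an added example that is not part of the deck or of ADRecon: the script first checks that SeSecurityPrivilege (SE_SECURITY_NAME) is present in the current token, then walks the user objects under an OU and reports which of them carry no audit entries at all, i.e. where the 4662-based detection above could never fire. It assumes the RSAT ActiveDirectory module and a privileged session; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the deck or the ADRecon project): audit-coverage report
# over an OU. Assumes RSAT's ActiveDirectory module; the OU path is a placeholder.
Import-Module ActiveDirectory

function Test-SecurityPrivilege {
    # whoami lists the privilege even when its state is "Disabled"; the .NET
    # security APIs behind Get-Acl -Audit enable it on demand, so presence in
    # the token is the check that matters. An unprivileged user lacks it entirely.
    [bool](whoami /priv | Select-String -Quiet 'SeSecurityPrivilege')
}

function Get-AuditCoverage {
    param([Parameter(Mandatory)][string]$SearchBase)
    if (-not (Test-SecurityPrivilege)) {
        throw 'SeSecurityPrivilege is not in the token: SACLs cannot be read by this account.'
    }
    Get-ADUser -SearchBase $SearchBase -Filter * | ForEach-Object {
        $u = $_   # keep the user; $_ is rebound to the error record inside catch
        try {
            $sacl = @((Get-Acl -Path "AD:\$($u.DistinguishedName)" -Audit).Audit)
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                AuditRules     = $sacl.Count
                Inherited      = @($sacl | Where-Object { $_.IsInherited }).Count
                # Attribute-specific entries carry the attribute's schema GUID in ObjectType.
                WatchedProps   = (@($sacl | Where-Object { $_.ObjectType -ne [guid]::Empty }).ObjectType -join ',')
            }
        } catch {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                AuditRules     = -1
                Inherited      = -1
                WatchedProps   = "error: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: list the objects under the placeholder OU that have no audit entries.
Get-AuditCoverage -SearchBase 'OU=Decoys,DC=example,DC=local' |
    Where-Object { $_.AuditRules -eq 0 } |
    Format-Table SamAccountName, AuditRules, Inherited, WatchedProps -AutoSize
```

Run periodically, the report catches decoys whose SACL was lost to a re-created object or a blocked inheritance, and because the same read fails without the privilege, it also confirms in practice the point on slide 15: a normal domain user cannot see which objects are audited.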
  17. Questions?
     Security, it's all we do. Knowledge, Experience & Trust.
     Github: https://github.com/sense-of-security/ADRecon
     Twitter: ADRecon @ad_recon
     Author: @prashant3535
  18. Thank You!
     © 2002 – 2018 Sense of Security Pty Limited. All rights reserved. Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.
  19. Resources
     • What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx)
     • The KRBTGT Account – What is it? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
     • Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
     • Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
     • How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
     • All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
     • Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
     • Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
     • Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
     • PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
     • BloodHound (https://github.com/BloodHoundAD/BloodHound)
     • Grouper (https://github.com/l0ss/Grouper)
     • Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
     • PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440)
     • Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)
     • Active Directory password attribute selection (https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ad_password_attribute_selection.htm)
     • unicodePwd (https://msdn.microsoft.com/en-us/library/cc223248.aspx)
     • userPassword (https://msdn.microsoft.com/en-us/library/cc223249.aspx)
  20. Building your own AD Lab
     • Building an Effective Active Directory Lab Environment for Testing (https://adsecurity.org/?p=2653)
     • Setting up an Active Directory Lab (https://www.psattack.com/articles/20160718/setting-up-an-active-directory-lab-part-1/)
     • Detection Lab (https://github.com/clong/DetectionLab)
     • AutomatedLab (https://github.com/AutomatedLab/AutomatedLab)
     • Invoke-ADLabDeployer (https://github.com/outflanknl/Invoke-ADLabDeployer)
     • Creating Real Looking User Accounts in AD Lab (https://www.darkoperator.com/blog/2016/7/30/creating-real-looking-user-accounts-in-ad-lab)
     • Create Lab User Accounts 2.0 (https://gallery.technet.microsoft.com/Create-Lab-User-Accounts-844f7ba1)