www.senseofsecurity.com.au © Sense of Security 2018 Page 1 – 22-Mar-18
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd
Sydney
Level 8, 66 King Street
Sydney NSW 2000
Australia
Melbourne
Level 15, 401 Docklands Drv
Docklands VIC 3008
Australia
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
info@senseofsecurity.com.au
www.senseofsecurity.com.au
ABN: 14 098 237 908
ADRecon
22-23 March 2018
https://github.com/sense-of-security/ADRecon
BlackHat Asia 2018 – Arsenal
What is ADRecon?
• ADRecon is a tool which gathers information about the Active Directory
(AD) and generates a report which can provide a holistic picture of the
current state of the target AD environment.
• Can be run from a domain-member or a standalone workstation as a
normal unprivileged domain user*.
• Output is an Excel Report with graphs and raw data, CSV files and/or
STDOUT.
* Some features require a privileged user.
Who uses ADRecon?
• System administrators
• Security professionals
• Red Team
• Blue Team
• Purple Team
Friendly plug
• “Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in
MS AD Group Policy” – Mike Loss at BSides Canberra (13 April)
• ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training –
NotSoSecure at BlackHat USA 2018 (4 – 7 August)
Prerequisites
1. User credentials and access to a Windows host with network access to
the Domain Controller (TCP 9389 for ADWS or TCP 389 for LDAP)
2. Windows Host Prerequisites
• .NET Framework 3.0 or later (Windows 7 includes 3.0)
• PowerShell 2.0 or later (Windows 7 includes 2.0)
3. Optional
• Microsoft Excel (to generate the report)
• Remote Server Administration Tools (RSAT):
• Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
• Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
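A pre-flight script for the prerequisites above, added here as an example and not part of ADRecon itself. It assumes you pass the name of a domain controller; the check labels and the requirement of "at least one of ADWS or LDAP" are this example's own reading of the slide. It deliberately avoids Test-NetConnection so that it runs on the PowerShell 2.0 / Windows 7 baseline the slide names.

```powershell
# Added example (not part of ADRecon): pre-flight check for the prerequisites listed above.
# Assumes the caller supplies a domain controller name; all check names below are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$DomainController,
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    # TcpClient with an explicit timeout works on PowerShell 2.0 / Windows 7;
    # Test-NetConnection only exists from PowerShell 4.0 onwards.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DotNet30OrLater {
    # .NET 3.0, 3.5 and 4.x each register a key under NDP; any of them satisfies the requirement.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    foreach ($v in 'v3.0', 'v3.5', 'v4\Full') {
        if (Test-Path (Join-Path $ndp $v)) { return $true }
    }
    return $false
}

function Test-ExcelAvailable {
    # Excel is only needed for the .xlsx report; CSV and STDOUT output work without it.
    try {
        $excel = New-Object -ComObject Excel.Application
        $excel.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
        return $true
    } catch {
        return $false
    }
}

# PowerShell 1.0 has no $PSVersionTable at all, so a missing table means "too old".
$psOk   = ($PSVersionTable -ne $null) -and ($PSVersionTable.PSVersion.Major -ge 2)
$netOk  = Test-DotNet30OrLater
$adwsOk = Test-TcpPort $DomainController 9389 $TimeoutMs   # ADWS, used by the ActiveDirectory module
$ldapOk = Test-TcpPort $DomainController 389  $TimeoutMs   # plain LDAP, the fallback without RSAT

# RSAT supplies the ActiveDirectory module (ADWS client) and the GroupPolicy module (Get-GPOReport).
$rsatModules = @(Get-Module -ListAvailable -Name ActiveDirectory, GroupPolicy)

$checks = @(
    @{ Check = 'PowerShell 2.0 or later';             Required = $true;  Pass = $psOk },
    @{ Check = '.NET Framework 3.0 or later';         Required = $true;  Pass = $netOk },
    @{ Check = "ADWS TCP 9389 to $DomainController";  Required = $false; Pass = $adwsOk },
    @{ Check = "LDAP TCP 389 to $DomainController";   Required = $false; Pass = $ldapOk },
    @{ Check = 'RSAT ActiveDirectory + GroupPolicy';  Required = $false; Pass = ($rsatModules.Count -ge 2) },
    @{ Check = 'Microsoft Excel (COM automation)';    Required = $false; Pass = (Test-ExcelAvailable) }
)

$checks | ForEach-Object { New-Object PSObject -Property $_ } |
    Format-Table Check, Required, Pass -AutoSize

# Hard stop: the host must run PowerShell 2+/.NET 3+ and reach the DC over ADWS or LDAP.
if (-not ($psOk -and $netOk -and ($adwsOk -or $ldapOk))) {
    Write-Warning 'Hard prerequisites not met; ADRecon will not be able to collect data from this host.'
}
```

On a workstation that is not domain-joined, start the PowerShell session with the RUNAS /netonly form shown on the GPO Report slide before running this script, so that the TCP checks and the later collection use the domain credentials for network access only.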
Modules
• Forest
• Domains in the Forest and other
attributes such as Sites
• Domain Password Policy
• Domain Controllers and their roles
• Users and their attributes
• Service Principal Names
• Groups and their members
• Organizational Units (OU) and
their ACLs
• Group Policy Object details
• DNS Zones and Records
• Printers
• Computers and their attributes
• LAPS passwords* (if implemented)
• BitLocker Recovery Keys* (if
implemented)
* Requires a privileged user.

Parameters
Slide added after presentation

Screenshot slides (screenshots updated after presentation):
• ADRecon Execution (two slides)
• Forest
• Domain
• Password Policy
• Domain Controllers
• Users
• Groups
• Group Memberships
• OUs
• OU Permissions
• GPOs

GPO Report (RSAT only)
• You can generate the GPO report using the following command*:
.\ADRecon.ps1 -Collect GPOReport
• This command will create HTML and XML GPOReports using the Get-GPOReport cmdlet from the GroupPolicy PowerShell module (installed with RSAT).
• The XML file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper)
* Can be executed from a standalone workstation by running ADRecon inside a PowerShell session started with RUNAS /netonly, so the domain credentials are used for network access only:
runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
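As a first pass over the XML that Get-GPOReport writes, before handing it to Grouper, the following script is an added example (not ADRecon's or Grouper's code). It assumes the report was produced with -ReportType Xml and reads the standard elements of that format (Name, LinksTo, Computer/User version numbers); the file path is a placeholder. It flags GPOs that are unlinked, carry disabled links, or whose AD and SYSVOL version numbers disagree, which is usually a replication or hand-editing problem worth checking before trusting the settings in the report.

```powershell
# Added example, not part of ADRecon or Grouper: a first-pass read of the XML that
# Get-GPOReport -All -ReportType Xml produces. The path is an assumption; point it at
# the XML file ADRecon wrote.
param([string]$Path = '.\GPOReport.xml')

[xml]$doc = Get-Content -Path $Path -Encoding UTF8

# Get-GPOReport -All wraps the GPOs in a <report> element; a single-GPO report has <GPO> as root.
$gpos = if ($doc.report) { @($doc.report.GPO) } else { @($doc.GPO) }

function Get-GpoFindings {
    param($Gpo)
    # $Gpo['Name'] is the <Name> child element; $Gpo.Name would be ambiguous with XmlElement.Name.
    $name  = $Gpo['Name'].InnerText
    $links = @()
    if ($Gpo.LinksTo) { $links = @($Gpo.LinksTo) }     # <LinksTo> is absent for an unlinked GPO
    $disabledLinks = @($links | Where-Object { $_.Enabled -eq 'false' })

    $findings = @()
    if ($links.Count -eq 0) { $findings += 'Unlinked (review whether it is still needed)' }
    if ($disabledLinks.Count -gt 0) {
        $findings += ('Disabled link(s): ' + (($disabledLinks | ForEach-Object { $_.SOMPath }) -join '; '))
    }
    # Version numbers are stored in AD and in SYSVOL separately; a mismatch usually means
    # replication has not completed or the SYSVOL copy was edited by hand.
    foreach ($side in 'Computer', 'User') {
        $node = $Gpo.$side
        if ($node -and ($node.VersionDirectory -ne $node.VersionSysvol)) {
            $findings += "$side version mismatch: AD=$($node.VersionDirectory) SYSVOL=$($node.VersionSysvol)"
        }
    }
    if (($Gpo.Computer.Enabled -eq 'false') -and ($Gpo.User.Enabled -eq 'false')) {
        $findings += 'Both computer and user settings disabled'
    }

    New-Object PSObject -Property @{
        Name     = $name
        Links    = $links.Count
        Findings = ($findings -join ' | ')
    }
}

$gpos | ForEach-Object { Get-GpoFindings $_ } |
    Where-Object { $_.Findings } |
    Sort-Object Name |
    Format-Table Name, Links, Findings -AutoSize -Wrap
```

Grouper's job is to find dangerous settings inside the GPOs; this pass only tells you which GPOs are not actually applying anywhere (or not applying consistently), so that the two views can be read together.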

Screenshot slides (screenshots updated after presentation):
• DNS Zones and Records
• Computers
• LAPS
• BitLocker
• Excel Report (five slides)

Future Plans
• Replace System.DirectoryServices.DirectorySearcher with
System.DirectoryServices.Protocols and add support for LDAP STARTTLS
and LDAPS (TCP port 636).
• Add Domain Trust Enumeration.
• Gather ACLs for the userAccountControl attribute and the ms-Mcs-AdmPwd
LAPS attribute to determine which users can read the values.
• Gather DS_CONTROL_ACCESS and Extended Rights, such as
User-Force-Change-Password, DS-Replication-Get-Changes,
DS-Replication-Get-Changes-All, etc., which can be used as alternative attack vectors.
• Additional export and storage options: export to STDOUT, SQLite, XML,
HTML.
• List issues identified and provide recommended remediation advice
based on analysis of the data.
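The two ACL audits described in the third and fourth bullets (who can read ms-Mcs-AdmPwd, and who holds the replication extended rights) can be done today with the RSAT ActiveDirectory module. The script below is an added example written for this page, not ADRecon's planned implementation; it assumes the module is installed, that the caller can read the ACLs (an ordinary domain user normally can), and that LAPS has been deployed. The replication-right GUIDs are the well-known values from the schema's Extended-Rights container; the ms-Mcs-AdmPwd GUID is generated per forest, so it is resolved from the schema rather than hard-coded. From a defender's side, both result lists should contain only the principals you expect (LAPS password readers, domain controllers, Domain Admins); any other entry is a finding.

```powershell
# Added example (not ADRecon's code): ACL audits for LAPS password readers and
# replication-right holders in the current domain, using the RSAT ActiveDirectory module.
Import-Module ActiveDirectory          # also registers the AD: PSDrive that Get-Acl uses below

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$allGuid  = '00000000-0000-0000-0000-000000000000'   # ObjectType of an ACE covering every property/right

# Well-known control-access-right GUIDs from the Extended-Rights container in the configuration NC.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Test-HasRight {
    param($Ace, [System.DirectoryServices.ActiveDirectoryRights]$Right)
    return ($Ace.AccessControlType -eq 'Allow') -and (($Ace.ActiveDirectoryRights -band $Right) -ne 0)
}

function Get-LapsPasswordReaders {
    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs the CONTROL_ACCESS
    # (ExtendedRight) bit on that attribute, or on all attributes, at or above the computer object.
    $schemaAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $schemaAttr) { Write-Warning 'LAPS schema extension (ms-Mcs-AdmPwd) not found'; return }
    $lapsGuid = ([guid]$schemaAttr.schemaIDGUID).ToString()   # per-forest value, read from the schema

    # Note: only OUs are walked here; ACLs on containers such as CN=Computers are not covered.
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $type = $ace.ObjectType.ToString()
            if (($type -eq $lapsGuid -or $type -eq $allGuid) -and
                (Test-HasRight $ace ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight))) {
                New-Object PSObject -Property @{
                    OU        = $ou.DistinguishedName
                    Identity  = $ace.IdentityReference.Value
                    Scope     = $(if ($type -eq $lapsGuid) { 'ms-Mcs-AdmPwd' } else { 'all extended rights' })
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-ReplicationRightHolders {
    # The replication rights are granted on the domain head (the naming-context root object).
    $acl = Get-Acl -Path ('AD:\' + $domainDN)
    foreach ($ace in $acl.Access) {
        $type = $ace.ObjectType.ToString()
        if (-not (Test-HasRight $ace ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight))) { continue }
        if ($replRights.ContainsKey($type) -or $type -eq $allGuid) {
            New-Object PSObject -Property @{
                Identity = $ace.IdentityReference.Value
                Right    = $(if ($type -eq $allGuid) { 'all extended rights' } else { $replRights[$type] })
            }
        }
    }
}

'== Principals able to read ms-Mcs-AdmPwd, by OU =='
Get-LapsPasswordReaders | Sort-Object OU, Identity | Format-Table OU, Identity, Scope, Inherited -AutoSize
"== Principals holding replication rights on $domainDN =="
Get-ReplicationRightHolders | Sort-Object Identity | Format-Table Identity, Right -AutoSize
```

Entries with Scope "all extended rights" come from broad grants such as GenericAll or "All extended rights" on the OU; they are the ones most often added by delegation wizards and forgotten, so they deserve the same scrutiny as an explicit ms-Mcs-AdmPwd grant.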
How to contribute?
• Test the tool, suggest changes, improvements, enhancements, etc.
• Add / Promote / Write about the tool
• Report / track / suggest / fix issues
Pull requests are always welcome :)
Issue tracker (https://github.com/sense-of-security/ADRecon/issues)
https://github.com/sense-of-security/ADRecon
Author: @prashant3535
Screenshot taken on 20Mar18
Questions?
Thank you
Head office is Level 8, 66 King Street, Sydney, NSW 2000,
Australia. Owner of trademark and all copyright is Sense of
Security Pty Ltd. Neither text nor images can be reproduced
without written permission.
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
info@senseofsecurity.com.au
www.senseofsecurity.com.au
References
• What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx)
• The KRBTGT Account – What is it? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
• Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
• Privileged Accounts and Groups in Active Directory
(https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
• How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
• All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
• Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
• Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
• Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
• PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
• BloodHound (https://github.com/BloodHoundAD/BloodHound)
• Grouper (https://github.com/l0ss/Grouper)
• Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
• PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name
(https://adsecurity.org/?p=440)
• Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)
