www.senseofsecurity.com.au © Sense of Security 2018 Page 1 – 22-Mar-18
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd
Sydney
Level 8, 66 King Street
Sydney NSW 2000
Australia
Melbourne
Level 15, 401 Docklands Drv
Docklands VIC 3008
Australia
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
info@senseofsecurity.com.au
www.senseofsecurity.com.au
ABN: 14 098 237 908
ADRecon
22-23 March 2018
https://github.com/sense-of-security/ADRecon
BlackHat Asia 2018 – Arsenal
What is ADRecon ?
• ADRecon is a tool which gathers information about the Active Directory
(AD) and generates a report which can provide a holistic picture of the
current state of the target AD environment.
• Can be run from a domain-member or a standalone workstation as a
normal unprivileged domain user*.
• Output is an Excel Report with graphs and raw data, CSV files and/or
STDOUT.
* some features require privileged user.
Who uses ADRecon ?
• System administrators
• Security professionals
• Red Team
• Blue Team
• Purple Team
Friendly plug
• “Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in
MS AD Group Policy” – Mike Loss at BSides Canberra (13 April)
• ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training –
NotSoSecure at BlackHat USA 2018 (4 – 7 August)
Prerequisites
1. User credentials and access to a Windows host with network access to the Domain Controller (TCP 9389 for ADWS or TCP 389 for LDAP)
2. Windows Host Prerequisites
   • .NET Framework 3.0 or later (Windows 7 includes 3.0)
   • PowerShell 2.0 or later (Windows 7 includes 2.0)
3. Optional
   • Microsoft Excel (to generate the report)
   • Remote Server Administration Tools (RSAT):
     • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
     • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
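A pre-flight check for the prerequisites above, as an added example that is not part of ADRecon or the original slides. The function names and the `dc01.example.test` host are placeholders; pass your own Domain Controller name with `-DomainController`.

```powershell
# Added example, not part of ADRecon: verifies the prerequisites listed above.
param(
    [string]$DomainController = 'dc01.example.test',  # placeholder host name
    [int]$TimeoutMs = 3000
)

# TCP reachability test that also works on PowerShell 2.0
# (Test-NetConnection is not available there).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # DNS failure, refused connection or unreachable host
    } finally {
        $client.Close()
    }
}

# Returns the .NET Framework generations (3.0 or later) that the registry
# reports as installed.
function Get-InstalledDotNet {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $checks = @(
        @{ Name = '3.0'; Path = "$ndp\v3.0\Setup"; Value = 'InstallSuccess' },
        @{ Name = '3.5'; Path = "$ndp\v3.5";       Value = 'Install' },
        @{ Name = '4.x'; Path = "$ndp\v4\Full";    Value = 'Install' }
    )
    foreach ($c in $checks) {
        $key = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if ($key -and $key.($c.Value) -eq 1) { $c.Name }
    }
}

$dotNet = @(Get-InstalledDotNet)
$adws   = Test-TcpPort -ComputerName $DomainController -Port 9389 -TimeoutMs $TimeoutMs
$ldap   = Test-TcpPort -ComputerName $DomainController -Port 389  -TimeoutMs $TimeoutMs

$result = New-Object PSObject -Property @{
    PowerShellVersion = $PSVersionTable.PSVersion.ToString()
    PowerShellOk      = $PSVersionTable.PSVersion.Major -ge 2
    DotNetInstalled   = $dotNet -join ', '
    DotNetOk          = $dotNet.Count -gt 0
    AdwsReachable     = $adws     # TCP 9389
    LdapReachable     = $ldap     # TCP 389
    # Optional items from the list above
    ExcelInstalled    = Test-Path 'Registry::HKEY_CLASSES_ROOT\Excel.Application'
    RsatAdModule      = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    RsatGpoModule     = [bool](Get-Module -ListAvailable -Name GroupPolicy)
}
$result | Format-List

# Required items: PowerShell 2.0+, .NET 3.0+ and at least one reachable port.
if (-not ($result.PowerShellOk -and $result.DotNetOk -and ($adws -or $ldap))) {
    Write-Warning 'One or more required prerequisites are missing; see the fields above.'
}
```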
Modules
• Forest
• Domains in the Forest and other attributes such as Sites
• Domain Password Policy
• Domain Controllers and their roles
• Users and their attributes
• Service Principal Names
• Groups and their members
• Organizational Units (OU) and their ACLs
• Group Policy Object details
• DNS Zones and Records
• Printers
• Computers and their attributes
• LAPS passwords* (if implemented)
• BitLocker Recovery Keys* (if implemented)
* requires privileged user.
Parameters
Slide added after presentation
ADRecon Execution
Updated Screenshot after presentation
ADRecon Execution
Updated Screenshot after presentation
Forest
Updated Screenshot after presentation
Domain
Updated Screenshot after presentation
Password Policy
Updated Screenshot after presentation
Domain Controllers
Updated Screenshot after presentation
Users
Updated Screenshot after presentation
Groups
Updated Screenshot after presentation
Group Memberships
Updated Screenshot after presentation
OUs
Updated Screenshot after presentation
OU Permissions
Updated Screenshot after presentation
GPOs
Updated Screenshot after presentation
GPO Report (RSAT only)
• You can generate the GPO report using the following command*:
.\ADRecon.ps1 -Collect GPOReport
• This command will create html and xml GPOReports using the Get-GPOReport PowerShell cmdlet.
• The xml file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper)
* can be executed from a standalone workstation by executing ADRecon using RUNAS:
runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
DNS Zones and Records
Updated Screenshot after presentation
Computers
Updated Screenshot after presentation
LAPS
Updated Screenshot after presentation
BitLocker
Updated Screenshot after presentation
Excel Report
Future Plans
• Replace System.DirectoryServices.DirectorySearcher with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
• Add Domain Trust Enumeration.
• Gather ACLs for the useraccountcontrol attribute and the ms-mcs-admpwd LAPS attribute to determine which users can read the values.
• Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc., which can be used as alternative attack vectors.
• Additional export and storage options: export to STDOUT, SQLite, xml, html.
• List issues identified and provide recommended remediation advice based on analysis of the data.
How to contribute ?
• Test the tool, suggest changes, improvements, enhancements, etc.
• Add / Promote / Write about the tool
• Report / track / suggest / fix issues
Pull requests are always welcome :)
Issue tracker (https://github.com/sense-of-security/ADRecon/issues)
https://github.com/sense-of-security/ADRecon
Author: @prashant3535
Screenshot taken on 20Mar18
Questions?
Thank you
Head office is Level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
References
• What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx)
• The KRBTGT Account – What is it ? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
• Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
• Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
• How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
• All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
• Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
• Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
• Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
• PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
• BloodHound (https://github.com/BloodHoundAD/BloodHound)
• Grouper (https://github.com/l0ss/Grouper)
• Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
• PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440)
• Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)

More Related Content

Similar to ADRecon BH ASIA 2018 : Arsenal Presentation

ArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUDArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUDGaret Keller
 
Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Yusuf Hadiwinata Sutandar
 
Motadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data AnalyticsMotadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data Analyticsnovsela
 
Why You Need Manageability Now More than Ever and How to Get It
Why You Need Manageability Now More than Ever and How to Get ItWhy You Need Manageability Now More than Ever and How to Get It
Why You Need Manageability Now More than Ever and How to Get ItGustavo Rene Antunez
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2
 
Presentation of my paper in the IEEE Symposium on Computer and Communications...
Presentation of my paper in the IEEE Symposium on Computer and Communications...Presentation of my paper in the IEEE Symposium on Computer and Communications...
Presentation of my paper in the IEEE Symposium on Computer and Communications...Dalton Valadares
 
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfUC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfWlamir Molinari
 
Snowflake Data Science and AI/ML at Scale
Snowflake Data Science and AI/ML at ScaleSnowflake Data Science and AI/ML at Scale
Snowflake Data Science and AI/ML at ScaleAdam Doyle
 
New ThousandEyes Product Features and Release Highlights: November 2022
New ThousandEyes Product Features and Release Highlights: November 2022New ThousandEyes Product Features and Release Highlights: November 2022
New ThousandEyes Product Features and Release Highlights: November 2022ThousandEyes
 
IIoT: The Whole Gamut - Exploration --> Drilling --> Production --> Facility
IIoT: The Whole Gamut - Exploration --> Drilling --> Production --> FacilityIIoT: The Whole Gamut - Exploration --> Drilling --> Production --> Facility
IIoT: The Whole Gamut - Exploration --> Drilling --> Production --> FacilityChijioke “CJ” Ejimuda
 
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and SimulinkApplying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and SimulinkGerardo Pardo-Castellote
 
Singapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platform
Singapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platformSingapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platform
Singapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platformFrank Alexander Reusch
 
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWAREFIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWAREFIWARE
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesKai Wähner
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Microsoft, Citrix and SCOM: EOL or a New Beginning ?
Microsoft, Citrix and SCOM:  EOL or a New Beginning ?Microsoft, Citrix and SCOM:  EOL or a New Beginning ?
Microsoft, Citrix and SCOM: EOL or a New Beginning ?eG Innovations
 
Incredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIs
Incredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIsIncredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIs
Incredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIsRobb Boyd
 
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceOptimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceThousandEyes
 
EMEA Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
EMEA Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceEMEA Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
EMEA Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceThousandEyes
 

Similar to ADRecon BH ASIA 2018 : Arsenal Presentation (20)

ArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUDArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUD
 
Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018Protecting National Critical Infrastructure Asiangames 2018
Protecting National Critical Infrastructure Asiangames 2018
 
Motadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data AnalyticsMotadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data Analytics
 
Why You Need Manageability Now More than Ever and How to Get It
Why You Need Manageability Now More than Ever and How to Get ItWhy You Need Manageability Now More than Ever and How to Get It
Why You Need Manageability Now More than Ever and How to Get It
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product Overview
 
Internet of things
Internet of thingsInternet of things
Internet of things
 
Presentation of my paper in the IEEE Symposium on Computer and Communications...
Presentation of my paper in the IEEE Symposium on Computer and Communications...Presentation of my paper in the IEEE Symposium on Computer and Communications...
Presentation of my paper in the IEEE Symposium on Computer and Communications...
 
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfUC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
 
Snowflake Data Science and AI/ML at Scale
Snowflake Data Science and AI/ML at ScaleSnowflake Data Science and AI/ML at Scale
Snowflake Data Science and AI/ML at Scale
 
New ThousandEyes Product Features and Release Highlights: November 2022
New ThousandEyes Product Features and Release Highlights: November 2022New ThousandEyes Product Features and Release Highlights: November 2022
New ThousandEyes Product Features and Release Highlights: November 2022
 
IIoT: The Whole Gamut - Exploration --> Drilling --> Production --> Facility
IIoT: The Whole Gamut - Exploration --> Drilling --> Production --> FacilityIIoT: The Whole Gamut - Exploration --> Drilling --> Production --> Facility
IIoT: The Whole Gamut - Exploration --> Drilling --> Production --> Facility
 
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and SimulinkApplying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
 
Singapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platform
Singapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platformSingapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platform
Singapore_IEEE_power_self-supply_based_on_an_io_t_driven_ platform
 
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWAREFIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
FIWARE Global Summit - Building Production Grade IoT Platform Leveraging FIWARE
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Microsoft, Citrix and SCOM: EOL or a New Beginning ?
Microsoft, Citrix and SCOM:  EOL or a New Beginning ?Microsoft, Citrix and SCOM:  EOL or a New Beginning ?
Microsoft, Citrix and SCOM: EOL or a New Beginning ?
 
Incredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIs
Incredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIsIncredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIs
Incredible Compute Density: Cisco DNA Center Platform: Digging Deeper with APIs
 
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceOptimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
 
EMEA Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
EMEA Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceEMEA Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
EMEA Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
 

More from prashant3535

Digital Crime & Forensics - Presentation
Digital Crime & Forensics - PresentationDigital Crime & Forensics - Presentation
Digital Crime & Forensics - Presentationprashant3535
 
Digital Crime & Forensics - Report
Digital Crime & Forensics - ReportDigital Crime & Forensics - Report
Digital Crime & Forensics - Reportprashant3535
 
What Firefox can tell about you? - Firefox Forensics
What Firefox can tell about you? - Firefox ForensicsWhat Firefox can tell about you? - Firefox Forensics
What Firefox can tell about you? - Firefox Forensicsprashant3535
 
One Laptop Per Child
One Laptop Per ChildOne Laptop Per Child
One Laptop Per Childprashant3535
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniquesprashant3535
 

More from prashant3535 (8)

BSides Pune 2024
BSides Pune 2024BSides Pune 2024
BSides Pune 2024
 
Digital Crime & Forensics - Presentation
Digital Crime & Forensics - PresentationDigital Crime & Forensics - Presentation
Digital Crime & Forensics - Presentation
 
Digital Crime & Forensics - Report
Digital Crime & Forensics - ReportDigital Crime & Forensics - Report
Digital Crime & Forensics - Report
 
What Firefox can tell about you? - Firefox Forensics
What Firefox can tell about you? - Firefox ForensicsWhat Firefox can tell about you? - Firefox Forensics
What Firefox can tell about you? - Firefox Forensics
 
Footprinting
FootprintingFootprinting
Footprinting
 
Tracking Emails
Tracking EmailsTracking Emails
Tracking Emails
 
One Laptop Per Child
One Laptop Per ChildOne Laptop Per Child
One Laptop Per Child
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniques
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

ADRecon BH ASIA 2018 : Arsenal Presentation

  • 1. www.senseofsecurity.com.au © Sense of Security 2018 Page 1 – 22-Mar-18 Compliance, Protection & Business Confidence Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne Level 15, 401 Docklands Drv Docklands VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908 ADRecon 22-23 March 2018 https://github.com/sense-of-security/ADRecon BlackHat Asia 2018 – Arsenal
  • 2. What is ADRecon?
      • ADRecon is a tool which gathers information about the Active Directory (AD) and generates a report which can provide a holistic picture of the current state of the target AD environment.
      • Can be run from a domain-member or a standalone workstation as a normal unprivileged domain user*.
      • Output is an Excel Report with graphs and raw data, CSV files and/or STDOUT.
      * Some features require a privileged user.
  • 3. Who uses ADRecon?
      • System administrators
      • Security professionals
      • Red Team
      • Blue Team
      • Purple Team
      Friendly plug
      • “Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in MS AD Group Policy” – Mike Loss at BSides Canberra (13 April)
      • ADVANCED INFRASTRUCTURE HACKING - 2018 EDITION Training – NotSoSecure at BlackHat USA 2018 (4 – 7 August)
  • 4. Prerequisites
      1. User credentials and access to a Windows host with network access to the Domain Controller (TCP 9389 for ADWS or TCP 389 for LDAP)
      2. Windows Host Prerequisites
          • .NET Framework 3.0 or later (Windows 7 includes 3.0)
          • PowerShell 2.0 or later (Windows 7 includes 2.0)
      3. Optional
          • Microsoft Excel (to generate the report)
          • Remote Server Administration Tools (RSAT):
              • Windows 10 (https://www.microsoft.com/en-au/download/details.aspx?id=45520)
              • Windows 7 (https://www.microsoft.com/en-au/download/details.aspx?id=7887)
  • 5. Modules
      • Forest
      • Domains in the Forest and other attributes such as Sites
      • Domain Password Policy
      • Domain Controllers and their roles
      • Users and their attributes
      • Service Principal Names
      • Groups and their members
      • Organizational Units (OU) and their ACLs
      • Group Policy Object details
      • DNS Zones and Records
      • Printers
      • Computers and their attributes
      • LAPS passwords* (if implemented)
      • BitLocker Recovery Keys* (if implemented)
      * Requires a privileged user.
  • 6. Parameters (slide added after presentation)
  • 7. ADRecon Execution (updated screenshot after presentation)
  • 8. ADRecon Execution (updated screenshot after presentation)
  • 9. Forest (updated screenshot after presentation)
  • 10. Domain (updated screenshot after presentation)
  • 11. Password Policy (updated screenshot after presentation)
  • 12. Domain Controllers (updated screenshot after presentation)
  • 13. Users (updated screenshot after presentation)
  • 14. Groups (updated screenshot after presentation)
  • 15. Group Memberships (updated screenshot after presentation)
  • 16. OUs (updated screenshot after presentation)
  • 17. OU Permissions (updated screenshot after presentation)
  • 18. GPOs (updated screenshot after presentation)
  • 19. GPO Report (RSAT only)
      • You can generate the GPO report using the following command*:
          ./ADRecon -Collect GPOReport
      • This command will create html and xml GPOReports using the Get-GPOReport PowerShell module.
      • The xml file can be analysed using Grouper by Mike Loss (https://github.com/l0ss/Grouper)
      * Can be executed from a standalone workstation by executing ADRecon using RUNAS:
          runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
  • 20. DNS Zones and Records (updated screenshot after presentation)
  • 21. Computers (updated screenshot after presentation)
  • 22. LAPS (updated screenshot after presentation)
  • 23. BitLocker (updated screenshot after presentation)
  • 24. Excel Report
  • 25. Excel Report
  • 26. Excel Report
  • 27. Excel Report
  • 28. Excel Report
  • 29. Future Plans
      • Replace System.DirectoryServices.DirectorySearch with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
      • Add Domain Trust Enumeration.
      • Gather ACLs for the useraccountcontrol attribute and the ms-mcs-admpwd LAPS attribute to determine which users can read the values.
      • Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc. which can be used as alternative attack vectors.
      • Additional export and storage option: export to STDOUT, SQLite, xml, html.
      • List issues identified and provide recommended remediation advice based on analysis of the data.
  • 30. How to contribute?
      • Test the tool, suggest changes, improvements, enhancements, etc.
      • Add / Promote / Write about the tool
      • Report / track / suggest / fix issues
      Pull requests are always welcome :)
      Issue tracker (https://github.com/sense-of-security/ADRecon/issues)
  • 31. https://github.com/sense-of-security/ADRecon
      Author: @prashant3535
      Screenshot taken on 20Mar18
  • 32. Questions?
  • 33. Thank you
      Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
      T: 1300 922 923
      T: +61 (0) 2 9290 4444
      F: +61 (0) 2 9290 4455
      info@senseofsecurity.com.au
      www.senseofsecurity.com.au
  • 34. References
      • What Are Active Directory Functional Levels? (https://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx)
      • The KRBTGT Account – What is it ? (https://blogs.technet.microsoft.com/janelewis/2006/12/19/the-krbtgt-account-what-is-it/)
      • Active Directory Service Principal Names (SPNs) Descriptions (https://adsecurity.org/?page_id=183)
      • Privileged Accounts and Groups in Active Directory (https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Appendix-B--Privileged-Accounts-and-Groups-in-Active-Directory.md)
      • How to use the UserAccountControl flags to manipulate user account properties (https://support.microsoft.com/en-au/kb/305144)
      • All Active Directory Attributes (https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
      • Infrastructure FSMO Role (https://msdn.microsoft.com/en-us/library/cc223753.aspx)
      • Active Directory: Password Policies (https://social.technet.microsoft.com/wiki/contents/articles/24159.active-directory-password-policies.aspx)
      • Active Directory-Integrated DNS Zone (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones)
      • PowerView (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
      • BloodHound (https://github.com/BloodHoundAD/BloodHound)
      • Grouper (https://github.com/l0ss/Grouper)
      • Get-LAPSPasswords (https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1)
      • PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name (https://adsecurity.org/?p=440)
      • Active Directory OU Permissions Report (https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989)
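
The Future Plans slide lists extended rights such as DS-Replication-Get-Changes-All as data ADRecon intends to gather. The following is an added example, not ADRecon code and not part of the presentation: a PowerShell audit helper that parses a security descriptor in SDDL form and lists the trustees holding those rights. The function name Get-ExtendedRightHolder, the expected-SID list and the sample SDDL are assumptions constructed for illustration.

```powershell
# Added example. The SDDL string below is constructed, not taken from a real domain.
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid values of the extended rights named on the Future Plans slide.
$RightNames = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    # An empty object GUID on a control-access ACE grants every extended right.
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Hypothetical helper: list allow ACEs that grant one of the rights above.
function Get-ExtendedRightHolder {
    param([string]$Sddl, [string[]]$ExpectedSids = @())
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }
        $guid = $ace.ObjectType.ToString()
        if (-not $RightNames.ContainsKey($guid)) { continue }
        New-Object PSObject -Property @{
            Trustee   = $ace.IdentityReference.Value
            Right     = $RightNames[$guid]
            Inherited = $ace.IsInherited
            # Review is true when the trustee is not on the expected list.
            Review    = -not ($ExpectedSids -contains $ace.IdentityReference.Value)
        }
    }
}

# Constructed DACL for a domain root. The S-1-5-21-... SIDs are made-up accounts.
$sample = 'O:BAG:BAD:' +
    '(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-544)' +
    '(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-544)' +
    '(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
    '(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
    '(A;;CR;;;S-1-5-21-1111111111-2222222222-3333333333-1110)' +
    '(A;;RPLCLORC;;;S-1-5-11)'

# Assumed allow-list: Builtin Administrators and Enterprise Domain Controllers.
$expected = 'S-1-5-32-544', 'S-1-5-9'

Get-ExtendedRightHolder -Sddl $sample -ExpectedSids $expected |
    Format-Table Trustee, Right, Inherited, Review -AutoSize
```

Rows with Review set to True are the ones to investigate: here the two constructed accounts, one holding both replication rights and one holding all extended rights through an ACE with no object GUID.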