SlideShare una empresa de Scribd logo

WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

Descargar como PPTX, PDF
T
ThomasElling1

Wild West Hackin' Fest 2018. Using PowerUpSQL and goddi for Active Directory Information Gathering.

Tecnología
1 de 65
USING POWERUPSQL AND GODDI FOR ACTIVE DIRECTORY INFORMATION GATHERING THOMAS ELLING
2 Confidential & Proprietary ABOUT Thomas Elling  Web Application and Network Pentester at NetSPI  PowerUpSQL contributor  goddi (go dump domain info) creator  I liked the Venom movie  Twitter: @thomas_elling  Slideshare: slideshare.net/thomaselling1  Blog: blog.netspi.com
3 Confidential & Proprietary PRESENTATION OVERVIEW  Previous Research  Active Directory Basics  PowerUpSQL overview  Install instructions  Methodology  Demo  goddi overview  Install instructions  Methodology  Demo  Detection
4 Confidential & Proprietary INTRODUCTION Why is Active Directory Information Gathering useful?  Situational Awareness  What am I looking for?  Escalation Paths  Where are privileged users logged in?  Identify Misconfigurations  Are there passwords in the Description attribute?
5 Confidential & Proprietary INTRODUCTION Why PowerUpSQL and goddi?  AD information gathering alternatives  Using SQL Server and ADSI  Using golang and LDAP  Does not use typical PowerShell AD functions
6 Confidential & Proprietary6 Confidential & Proprietary PREVIOUS RESEARCH
7 Confidential & Proprietary PREVIOUS RESEARCH harmj0y - https://blog.harmj0y.net/ PyroTek3 - https://adsecurity.org/ nikhil_mitt - https://www.labofapenetrationtester.com/ _nullbind - https://blog.netspi.com/author/scott-sutherland/ PowerView authors - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
8 Confidential & Proprietary PREVIOUS RESEARCH PowerView  Part of PowerSploit  Recon module  Basis of PowerShell ingestor in BloodHound  PowerShell AD module hooks  LDAP/.NET  WMI  Win32 API
9 Confidential & Proprietary9 Confidential & Proprietary ACTIVE DIRECTORY BASICS
10 Confidential & Proprietary ACTIVE DIRECTORY BASICS What is Active Directory?  Microsoft’s Directory Service  Directory Service – provides resource and network mappings for objects distributed across a network  Includes wide variety of directory services - Federation services, Lightweight directory services etc.  Domain Services – hierarchical and scalable infrastructure for object management  Domain Services is our focus
11 Confidential & Proprietary ACTIVE DIRECTORY BASICS What are the key components of Domain Services? Forest Tree Domains
12 Confidential & Proprietary ACTIVE DIRECTORY BASICS  Domain - security boundary, collection of objects  Domain Controller – server(s) where Active Directory is installed  Users and Computers – security principals, represent physical entities on the domain  OU – containers for users/groups/computers, easy to apply group policies or delegation  Groups – collection of users/computers where access control can be applied
13 Confidential & Proprietary ACTIVE DIRECTORY BASICS Accessing Domain Services  Active Directory Service Interfaces (ADSI)  COM interfaces for managing network resources  OLE DB provider for ADSI used in SQL Server and PowerUpSQL  LDAP provider  Lightweight Directory Access Protocol (LDAP/LDAPS)  LDAP is AD’s access protocol  Used to send and retrieve domain information  Supports different authentication methods
14 Confidential & Proprietary ACTIVE DIRECTORY BASICS LDAP basics  Entry – collection of attributes  DN – unique identifier for an entry ex. cn=test test,dc=demo,dc=com  Attributes – LDAP data identified by predefined names ex. sAMAccountName  Scope – specifies search objects ex. WholeSubtree  Filters – used to select data within a search ex. Groups (&(objectCategory=group)(SamAccountName=*))
15 Confidential & Proprietary ACTIVE DIRECTORY BASICS Useful LDAP filters  Users - (&(objectCategory=person)(objectClass=user)(SamAccountName=*))  Locked Users - (&(sAMAccountType=805306368)(lockoutTime>=1))  Computers - (&(objectCategory=Computer)(SamAccountName=*))  DCs - (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))  SPNs - (servicePrincipalName=*)  Groups - (&(objectClass=group)(samaccountname=*))  Domain Admins - (&(objectCategory=user)(memberOf=DomainAdminDN))  OUs - (&(objectCategory=organizationalUnit)(ou=*))
16 Confidential & Proprietary16 Confidential & Proprietary POWERUPSQL
17 Confidential & Proprietary POWERUPSQL What is PowerUpSQL?  Written in PowerShell  SQL Server discovery  Weak configuration auditing  Privilege escalation  Post exploitation  Hacking SQL Server on scale
18 Confidential & Proprietary POWERUPSQL Why SQL Server?  Popular in enterprise environments  Integration with Windows services  Vertical escalation opportunities on the domain Why PowerShell?  Native to Windows  Runs commands in memory  Often flagged as trusted  May need to start obfuscating or disabling security features soon…
19 Confidential & Proprietary POWERUPSQL PowerUpSQL wiki  https://github.com/NetSPI/PowerUpSQL/wiki/Active-Directory-Recon- Functions  Setup instructions  Cheat Sheets!  Documentation  Resource Links
20 Confidential & Proprietary POWERUPSQL PowerUpSQL setup  Import-Module PowerUpSQL.psd1  Install-Module -Name PowerUpSQL  IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com /NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")  &([scriptblock]::Create((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/ PowerUpSQL/master/PowerUpSQL.ps1")))
21 Confidential & Proprietary POWERUPSQL
22 Confidential & Proprietary POWERUPSQL Getting started  Get-Command –Module PowerUpSQL –Name 'Get-SQLDomain*'  Get-Help Get-SQLDomainUser
23 Confidential & Proprietary POWERUPSQL Getting started  Check out BlackHat Arsenal 2018 slides  https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa- arsenal-presentation
24 Confidential & Proprietary POWERUPSQL Active Directory information gathering with PowerUpSQL  OLE DB Active Directory Service Interfaces (ADSI) Provider  Two main methods  OPENQUERY (Linked server)  OPENROWSET (Ad Hoc query)  OPENQUERY technique requires creating a SQL server link
25 Confidential & Proprietary POWERUPSQL OPENQUERY method  Linked Server  Configured to run queries in another instance of SQL Server or in another DB  Can also be used to allow data access from outside of SQL Server  ADSI Linked Server  OPENQUERY  Executes a pass through query on specified linked server  Server can be OLE DB data source
26 Confidential & Proprietary POWERUPSQL OPENROWSET method  Ad Hoc Queries  Disabled by default  Needs to be enabled and is done by default in PowerUpSQL  OPENROWSET  One time connection to access remote data through OLE DB  Alternative to linked servers
27 Confidential & Proprietary POWERUPSQL OPENQUERY - Creating a SQL Server Link -- Create SQL Server link to ADSI IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0 EXEC master.dbo.sp_addlinkedserver @server = N'ADSI', @srvproduct=N'Active Directory Service Interfaces', @provider=N'ADSDSOObject', @datasrc=N'adsdatasource' ELSE SELECT 'The target SQL Server link already exists.'
28 Confidential & Proprietary POWERUPSQL OPENQUERY -- Define authentication context - OPENQUERY EXEC sp_addlinkedsrvlogin @rmtsrvname=N'ADSI', @useself=N'True', @locallogin=NULL, @rmtuser=NULL, @rmtpassword=NULL GO -- Use OPENQUERY SELECT * FROM OPENQUERY([ADSI],'<LDAP://path>;(&(objectCategory=Person)(objectClass =user));name, adspath;subtree')
29 Confidential & Proprietary POWERUPSQL OPENROWSET -- Enable 'Show Advanced Options' EXEC sp_configure 'Show Advanced Options', 1 RECONFIGURE GO -- Enable 'Ad Hoc Distributed Queries' EXEC sp_configure 'Ad Hoc Distributed Queries', 1 RECONFIGURE GO -- Run with openrowset SELECT * FROM OPENROWSET('ADSDSOOBJECT','adsdatasource', '<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name, adspath;subtree')
30 Confidential & Proprietary POWERUPSQL  Get-SQLDomainAccountPolicy  Get-SQLDomainComputer  Get-SQLDomainController  Get-SQLDomainExploitableSystem  Get-SQLDomainGroup  Get-SQLDomainGroupMember  Get-SQLDomainObject  Get-SQLDomainOu  Get-SQLDomainPasswordsLAPS  Get-SQLDomainSite  Get-SQLDomainSubnet  Get-SQLDomainTrust  Get-SQLDomainUser
31 Confidential & Proprietary POWERUPSQL Demo - Linked Server via OPENQUERY
32 Confidential & Proprietary POWERUPSQL Demo - Linked Server via OPENQUERY
33 Confidential & Proprietary POWERUPSQL Demo - Ad Hoc queries via OPENROWSET
34 Confidential & Proprietary POWERUPSQL Demo - Ad Hoc queries via OPENROWSET
35 Confidential & Proprietary POWERUPSQL Demo – Grabbing LAPS passwords
36 Confidential & Proprietary POWERUPSQL OPENQUERY Domain User – Public Domain User – Sysadmin SQL Login – Public SQL Login – Sysadmin Provided Domain User Access X No X No X No X X No X X No X Yes X X Yes X X Yes
37 Confidential & Proprietary POWERUPSQL OPENROWSET Domain User – Public Domain User – Sysadmin SQL Login – Public SQL Login – Sysadmin Provided Domain User Access X No X No X X No X X No X Yes X Yes X X Yes X X Yes
38 Confidential & Proprietary POWERUPSQL Alternate Credentials  Sysadmin login to SQL Server and Windows domain credentials authenticate to LDAP Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -Username sa -Password 'Pass123!' -LinkUsername 'demoadministrator' -LinkPassword 'BestPasswordEver!’  Sysadmin login to SQL Server and SQL Server Service account authenticate to LDAP Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -UseAdHoc -Username sa - Password 'Pass123!'
39 Confidential & Proprietary POWERUPSQL PowerUpSQL caveats  Need sysadmin privileges to return data  Multi-valued attributes cannot be returned  Description, memberof  Multi-valued attributes not supported by OLE DB ADSI provider “Msg 7346, Level 16, State 2, Line 1 Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow.”  SQL CLR workaround  Paging not supported  Max results returned limited  Default set at 1000 in Windows Server 2012
40 Confidential & Proprietary40 Confidential & Proprietary GODDI
41 Confidential & Proprietary GODDI What is goddi?  go dump domain info  Active Directory information gathering tool written in Go  Cross platform compile and compatibility  Performs well in larger environments  Uses go library  gopkg.in/ldap.v2
42 Confidential & Proprietary GODDI goddi setup  Use the binaries in the Releases section  Build it yourself  Ensure go environment is set up  https://golang.org/doc/code.html  go get gopkg.in/ldap.v2
43 Confidential & Proprietary GODDI Active Directory information gathering with goddi  LDAP  gopkg.in/ldap.v2  Dial and Bind  Golang tls.Client  Supports TLS on 636, startTLS, plaintext dial  Default is TLS connection  Certificates managed through tls.Certificates  Need to provide certs on Linux
44 Confidential & Proprietary GODDI Optimizations  Querying for objectCategory when possible  Indexing  Only querying for attributes needed  Optimize search results and time  Paging  AD default is 1000 results  goddi paging set to 200 results  Prevents client blocking  Reduces memory stress on DC and avoids heavy query detection
45 Confidential & Proprietary GODDI func GetLAPS(conn *ldap.Conn, baseDN string) { attributes := []string{ "dNSHostName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"} filter := "(objectCategory=Computer)" sr := ldapSearch(baseDN, filter, attributes, conn)
46 Confidential & Proprietary GODDI Feature List  Users  Computers  DCs  SPNs  Groups  OUs  LAPS passwords  GPP passwords  Sensitive data checks – description attribute  And more
47 Confidential & Proprietary GODDI LAPS  Local Administrator Password Solution  Passwords stored in Active Directory  Password access can be limited with ACLs  ms-mcs-AdmPwd  Attribute that stores cleartext password  Domain Admin privileges needed to read  ms-mcs-AdmPwdExpirationTime  attribute stores password reset date/time  Authenticated users can read
48 Confidential & Proprietary GODDI GPP  Group Policy Preference  Group Policy can be used to change local administrator passwords  XML files can contain encrypted cpassword if provided  AES 256 bit encrypted  demo.localSYSVOLdemo.localPolicies...
49 Confidential & Proprietary GODDI GPP  https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70- 1f2fa45dd4be.aspx  Authenticated users have access to SYSVOL  “Fixed” in May 2014
50 Confidential & Proprietary GODDI GPP  ...MachinePreferencesGroupsGroups.xml  ...UserPreferencesGroupsGroups.xml  ...MachinePreferencesServicesServices.xml  ...UserPreferencesServicesServices.xml  ...MachinePreferencesScheduledtasksScheduledtasks.xml  ...UserPreferencesScheduledtasksScheduledtasks.xml  ...MachinePreferencesDataSourcesDataSources.xml  ...UserPreferencesDataSourcesDataSources.xml  ...MachinePreferencesPrintersPrinters.xml  ...UserPreferencesPrintersPrinters.xml  ...MachinePreferencesDrivesDrives.xml  ...UserPreferencesDrivesDrives.xml
51 Confidential & Proprietary GODDI Demo – Windows
52 Confidential & Proprietary GODDI Demo – Linux
53 Confidential & Proprietary GODDI
54 Confidential & Proprietary GODDI Output  CSV output  Creates csv directory
55 Confidential & Proprietary GODDI goddi caveats  Need to supply credentials every time  Does not run from current user context as PowerUpSQL or PowerView  Certificates can be tricky  Need to import them on Linux  GetGPP  Uses “net use” and “mount”  Needs more robust error handling  Need to improve XML parsing  Underlying library requires case sensitive attributes
56 Confidential & Proprietary GODDI goddi Roadmap – ADSI and COM  Best solution for using user’s current Windows security context  Use the IADs interfaces (inherit from IDispatch)  Requires lower level system calls var mod = syscall.LoadDLL("ole32.dll") var proc = mod.FindProc("CoCreateInstanceEx") ret, _, _ := proc.Call(...)  go-ole library
57 Confidential & Proprietary57 Confidential & Proprietary DETECTION
58 Confidential & Proprietary DETECTION Setting Up Logging Options  HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics  LDAP Interface Events  Field Engineering
59 Confidential & Proprietary DETECTION Windows Event IDs  2889 – LDAP bind without signing or cleartext connection  1644 – Costly LDAP searches  https://docs.microsoft.com/en-us/windows-server/identity/ad- ds/manage/component-updates/directory-services-component-updates
60 Confidential & Proprietary DETECTION
61 Confidential & Proprietary DETECTION
62 Confidential & Proprietary62 Confidential & Proprietary WRAPPING UP
63 Confidential & Proprietary WRAPPING UP Thanks!  Everyone on the Previous Research slide  Scott Sutherland  Karl Fosaaen  Kevin Robertson  PowerUpSQL and goddi contributors  Everyone at this talk!
64 Confidential & Proprietary WRAPPING UP References  Everyone on the Previous Research slide  Fancy Gopher, by Renée French, https://blog.golang.org/gophergala/fancygopher.jpg
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS https://www.netspi.com https://www.facebook.com/netspi @NetSPI https://www.slideshare.net/NetSPI

Recomendados

Provisioning with OSGi Subsystems and Repository using Apache Aries and Felix
Provisioning with OSGi Subsystems and Repository using Apache Aries and FelixProvisioning with OSGi Subsystems and Repository using Apache Aries and Felix
Provisioning with OSGi Subsystems and Repository using Apache Aries and FelixDavid Bosschaert
 
OSGi Cloud Ecosystems (EclipseCon 2013)
OSGi Cloud Ecosystems (EclipseCon 2013)OSGi Cloud Ecosystems (EclipseCon 2013)
OSGi Cloud Ecosystems (EclipseCon 2013)David Bosschaert
 
What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)David Bosschaert
 
Maximize the power of OSGi
Maximize the power of OSGiMaximize the power of OSGi
Maximize the power of OSGiDavid Bosschaert
 
CRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone WrongCRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone WrongKeith Lee
 
Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Voeurng Sovann
 
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Lucidworks
 
Manual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQLManual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQLErick Vidbaz
 

Recomendados

Provisioning with OSGi Subsystems and Repository using Apache Aries and Felix
Provisioning with OSGi Subsystems and Repository using Apache Aries and FelixProvisioning with OSGi Subsystems and Repository using Apache Aries and Felix
Provisioning with OSGi Subsystems and Repository using Apache Aries and FelixDavid Bosschaert
 
OSGi Cloud Ecosystems (EclipseCon 2013)
OSGi Cloud Ecosystems (EclipseCon 2013)OSGi Cloud Ecosystems (EclipseCon 2013)
OSGi Cloud Ecosystems (EclipseCon 2013)David Bosschaert
 
What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)What's cool in the new and updated OSGi Specs (EclipseCon 2014)
What's cool in the new and updated OSGi Specs (EclipseCon 2014)David Bosschaert
 
Maximize the power of OSGi
Maximize the power of OSGiMaximize the power of OSGi
Maximize the power of OSGiDavid Bosschaert
 
CRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone WrongCRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone WrongKeith Lee
 
Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Voeurng Sovann
 
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Lucidworks
 
Manual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQLManual Tecnico OGG Oracle to MySQL
Manual Tecnico OGG Oracle to MySQLErick Vidbaz
 
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Lucidworks
 
Networking and Data Access with Eqela
Networking and Data Access with EqelaNetworking and Data Access with Eqela
Networking and Data Access with Eqelajobandesther
 
Second Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSecond Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSveta Smirnova
 
Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2javagroup2006
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demoViaggio Italia
 
MySQL Router REST API
MySQL Router REST APIMySQL Router REST API
MySQL Router REST APIFrederic Descamps
 
Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploitAlberto García Illera
 
Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Ryosuke Uchitate
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
ARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CIARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CICosmin Poieana
 
Wicket Security Presentation
Wicket Security PresentationWicket Security Presentation
Wicket Security Presentationmrmean
 
Oracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirOracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirilkerb
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
OpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoOpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoDavid Lapsley
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureTiago Simões
 
MySQL JSON Functions
MySQL JSON FunctionsMySQL JSON Functions
MySQL JSON FunctionsSveta Smirnova
 
Elasticsearch security
Elasticsearch securityElasticsearch security
Elasticsearch securityNag Arvind Gudiseva
 
Elasticsearch Security Strategy
Elasticsearch Security StrategyElasticsearch Security Strategy
Elasticsearch Security StrategyNag Arvind Gudiseva
 
Con4445 jesus
Con4445 jesusCon4445 jesus
Con4445 jesusPaulo Jesus
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseSinanPetrusToma
 

Más contenido relacionado

La actualidad más candente

Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Lucidworks
 
Networking and Data Access with Eqela
Networking and Data Access with EqelaNetworking and Data Access with Eqela
Networking and Data Access with Eqelajobandesther
 
Second Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSecond Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSveta Smirnova
 
Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2javagroup2006
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demoViaggio Italia
 
Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Ryosuke Uchitate
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
ARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CIARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CICosmin Poieana
 
Wicket Security Presentation
Wicket Security PresentationWicket Security Presentation
Wicket Security Presentationmrmean
 
Oracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirOracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirilkerb
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
OpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoOpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoDavid Lapsley
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureTiago Simões
 

La actualidad más candente (20)

Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
 
Networking and Data Access with Eqela
Networking and Data Access with EqelaNetworking and Data Access with Eqela
Networking and Data Access with Eqela
 
Second Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSecond Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON Functions
 
Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demo
 
MySQL Router REST API
MySQL Router REST APIMySQL Router REST API
MySQL Router REST API
 
Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploit
 
Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
ARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CIARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CI
 
Wicket Security Presentation
Wicket Security PresentationWicket Security Presentation
Wicket Security Presentation
 
Oracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirOracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakir
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
OpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoOpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using Django
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architecture
 
MySQL JSON Functions
MySQL JSON FunctionsMySQL JSON Functions
MySQL JSON Functions
 
Elasticsearch security
Elasticsearch securityElasticsearch security
Elasticsearch security
 
Elasticsearch Security Strategy
Elasticsearch Security StrategyElasticsearch Security Strategy
Elasticsearch Security Strategy
 

Similar a WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseSinanPetrusToma
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
REST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTREST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTChristian Gohmann
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTrivadis
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity ManagementInSync Conference
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to DockerLuong Vo
 
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Mihai Criveti
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellKarl Fosaaen
 
Monitoring your technology stack with New Relic
Monitoring your technology stack with New RelicMonitoring your technology stack with New Relic
Monitoring your technology stack with New RelicRonald Bradford
 
OSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga TeamOSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga TeamNETWAYS
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...NomanKhalid56
 
20151010 my sq-landjavav2a
20151010 my sq-landjavav2a20151010 my sq-landjavav2a
20151010 my sq-landjavav2aIvan Ma
 

Similar a WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering (20)

Con4445 jesus
Con4445 jesusCon4445 jesus
Con4445 jesus
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous Database
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
REST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTREST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using REST
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security Features
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity Management
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
 
WebGUI Developers Workshop
WebGUI Developers WorkshopWebGUI Developers Workshop
WebGUI Developers Workshop
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShell
 
Monitoring your technology stack with New Relic
Monitoring your technology stack with New RelicMonitoring your technology stack with New Relic
Monitoring your technology stack with New Relic
 
OSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga TeamOSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga Team
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW Auditing
 
Iac d.damyanov 4.pptx
Iac d.damyanov 4.pptxIac d.damyanov 4.pptx
Iac d.damyanov 4.pptx
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
 
20151010 my sq-landjavav2a
20151010 my sq-landjavav2a20151010 my sq-landjavav2a
20151010 my sq-landjavav2a
 

Último

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

  • 1. USING POWERUPSQL AND GODDI FOR ACTIVE DIRECTORY INFORMATION GATHERING THOMAS ELLING
  • 2. 2 Confidential & Proprietary ABOUT Thomas Elling  Web Application and Network Pentester at NetSPI  PowerUpSQL contributor  goddi (go dump domain info) creator  I liked the Venom movie  Twitter: @thomas_elling  Slideshare: slideshare.net/thomaselling1  Blog: blog.netspi.com
  • 3. 3 Confidential & Proprietary PRESENTATION OVERVIEW  Previous Research  Active Directory Basics  PowerUpSQL overview  Install instructions  Methodology  Demo  goddi overview  Install instructions  Methodology  Demo  Detection
  • 4. 4 Confidential & Proprietary INTRODUCTION Why is Active Directory Information Gathering useful?  Situational Awareness  What am I looking for?  Escalation Paths  Where are privileged users logged in?  Identify Misconfigurations  Are there passwords in the Description attribute?
  • 5. 5 Confidential & Proprietary INTRODUCTION Why PowerUpSQL and goddi?  AD information gathering alternatives  Using SQL Server and ADSI  Using golang and LDAP  Does not use typical PowerShell AD functions
  • 6. 6 Confidential & Proprietary6 Confidential & Proprietary PREVIOUS RESEARCH
  • 7. 7 Confidential & Proprietary PREVIOUS RESEARCH harmj0y - https://blog.harmj0y.net/ PyroTek3 - https://adsecurity.org/ nikhil_mitt - https://www.labofapenetrationtester.com/ _nullbind - https://blog.netspi.com/author/scott-sutherland/ PowerView authors - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
  • 8. 8 Confidential & Proprietary PREVIOUS RESEARCH PowerView  Part of PowerSploit  Recon module  Basis of PowerShell ingestor in BloodHound  PowerShell AD module hooks  LDAP/.NET  WMI  Win32 API
  • 9. 9 Confidential & Proprietary9 Confidential & Proprietary ACTIVE DIRECTORY BASICS
  • 10. 10 Confidential & Proprietary ACTIVE DIRECTORY BASICS What is Active Directory?  Microsoft’s Directory Service  Directory Service – provides resource and network mappings for objects distributed across a network  Includes wide variety of directory services - Federation services, Lightweight directory services etc.  Domain Services – hierarchical and scalable infrastructure for object management  Domain Services is our focus
  • 11. 11 Confidential & Proprietary ACTIVE DIRECTORY BASICS What are the key components of Domain Services? Forest Tree Domains
  • 12. 12 Confidential & Proprietary ACTIVE DIRECTORY BASICS  Domain - security boundary, collection of objects  Domain Controller – server(s) where Active Directory is installed  Users and Computers – security principals, represent physical entities on the domain  OU – containers for users/groups/computers, easy to apply group policies or delegation  Groups – collection of users/computers where access control can be applied
  • 13. 13 Confidential & Proprietary ACTIVE DIRECTORY BASICS Accessing Domain Services  Active Directory Service Interfaces (ADSI)  COM interfaces for managing network resources  OLE DB provider for ADSI used in SQL Server and PowerUpSQL  LDAP provider  Lightweight Directory Access Protocol (LDAP/LDAPS)  LDAP is AD’s access protocol  Used to send and retrieve domain information  Supports different authentication methods
  • 14. 14 Confidential & Proprietary ACTIVE DIRECTORY BASICS LDAP basics  Entry – collection of attributes  DN – unique identifier for an entry ex. cn=test test,dc=demo,dc=com  Attributes – LDAP data identified by predefined names ex. sAMAccountName  Scope – specifies search objects ex. WholeSubtree  Filters – used to select data within a search ex. Groups (&(objectCategory=group)(SamAccountName=*))
  • 15. 15 Confidential & Proprietary ACTIVE DIRECTORY BASICS Useful LDAP filters  Users - (&(objectCategory=person)(objectClass=user)(SamAccountName=*))  Locked Users - (&(sAMAccountType=805306368)(lockoutTime>=1))  Computers - (&(objectCategory=Computer)(SamAccountName=*))  DCs - (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))  SPNs - (servicePrincipalName=*)  Groups - (&(objectClass=group)(samaccountname=*))  Domain Admins - (&(objectCategory=user)(memberOf=DomainAdminDN))  OUs - (&(objectCategory=organizationalUnit)(ou=*))
  • 16. 16 Confidential & Proprietary16 Confidential & Proprietary POWERUPSQL
  • 17. 17 Confidential & Proprietary POWERUPSQL What is PowerUpSQL?  Written in PowerShell  SQL Server discovery  Weak configuration auditing  Privilege escalation  Post exploitation  Hacking SQL Server on scale
  • 18. 18 Confidential & Proprietary POWERUPSQL Why SQL Server?  Popular in enterprise environments  Integration with Windows services  Vertical escalation opportunities on the domain Why PowerShell?  Native to Windows  Runs commands in memory  Often flagged as trusted  May need to start obfuscating or disabling security features soon…
  • 19. 19 Confidential & Proprietary POWERUPSQL PowerUpSQL wiki  https://github.com/NetSPI/PowerUpSQL/wiki/Active-Directory-Recon- Functions  Setup instructions  Cheat Sheets!  Documentation  Resource Links
  • 20. 20 Confidential & Proprietary POWERUPSQL PowerUpSQL setup  Import-Module PowerUpSQL.psd1  Install-Module -Name PowerUpSQL  IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com /NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")  &([scriptblock]::Create((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/ PowerUpSQL/master/PowerUpSQL.ps1")))
  • 21. 21 Confidential & Proprietary POWERUPSQL
  • 22. 22 Confidential & Proprietary POWERUPSQL Getting started  Get-Command –Module PowerUpSQL –Name 'Get-SQLDomain*'  Get-Help Get-SQLDomainUser
  • 23. 23 Confidential & Proprietary POWERUPSQL Getting started  Check out BlackHat Arsenal 2018 slides  https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa- arsenal-presentation
  • 24. 24 Confidential & Proprietary POWERUPSQL Active Directory information gathering with PowerUpSQL  OLE DB Active Directory Service Interfaces (ADSI) Provider  Two main methods  OPENQUERY (Linked server)  OPENROWSET (Ad Hoc query)  OPENQUERY technique requires creating a SQL server link
  • 25. 25 Confidential & Proprietary POWERUPSQL OPENQUERY method  Linked Server  Configured to run queries in another instance of SQL Server or in another DB  Can also be used to allow data access from outside of SQL Server  ADSI Linked Server  OPENQUERY  Executes a pass through query on specified linked server  Server can be OLE DB data source
  • 26. 26 Confidential & Proprietary POWERUPSQL OPENROWSET method  Ad Hoc Queries  Disabled by default  Needs to be enabled and is done by default in PowerUpSQL  OPENROWSET  One time connection to access remote data through OLE DB  Alternative to linked servers
  • 27. 27 Confidential & Proprietary POWERUPSQL OPENQUERY - Creating a SQL Server Link -- Create SQL Server link to ADSI IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0 EXEC master.dbo.sp_addlinkedserver @server = N'ADSI', @srvproduct=N'Active Directory Service Interfaces', @provider=N'ADSDSOObject', @datasrc=N'adsdatasource' ELSE SELECT 'The target SQL Server link already exists.'
  • 28. 28 Confidential & Proprietary POWERUPSQL OPENQUERY -- Define authentication context - OPENQUERY EXEC sp_addlinkedsrvlogin @rmtsrvname=N'ADSI', @useself=N'True', @locallogin=NULL, @rmtuser=NULL, @rmtpassword=NULL GO -- Use OPENQUERY SELECT * FROM OPENQUERY([ADSI],'<LDAP://path>;(&(objectCategory=Person)(objectClass =user));name, adspath;subtree')
  • 29. 29 Confidential & Proprietary POWERUPSQL OPENROWSET -- Enable 'Show Advanced Options' EXEC sp_configure 'Show Advanced Options', 1 RECONFIGURE GO -- Enable 'Ad Hoc Distributed Queries' EXEC sp_configure 'Ad Hoc Distributed Queries', 1 RECONFIGURE GO -- Run with openrowset SELECT * FROM OPENROWSET('ADSDSOOBJECT','adsdatasource', '<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name, adspath;subtree')
  • 30. 30 Confidential & Proprietary POWERUPSQL  Get-SQLDomainAccountPolicy  Get-SQLDomainComputer  Get-SQLDomainController  Get-SQLDomainExploitableSystem  Get-SQLDomainGroup  Get-SQLDomainGroupMember  Get-SQLDomainObject  Get-SQLDomainOu  Get-SQLDomainPasswordsLAPS  Get-SQLDomainSite  Get-SQLDomainSubnet  Get-SQLDomainTrust  Get-SQLDomainUser
  • 31. 31 Confidential & Proprietary POWERUPSQL Demo - Linked Server via OPENQUERY
  • 32. 32 Confidential & Proprietary POWERUPSQL Demo - Linked Server via OPENQUERY
  • 33. 33 Confidential & Proprietary POWERUPSQL Demo - Ad Hoc queries via OPENROWSET
  • 34. 34 Confidential & Proprietary POWERUPSQL Demo - Ad Hoc queries via OPENROWSET
  • 35. 35 Confidential & Proprietary POWERUPSQL Demo – Grabbing LAPS passwords
  • 36. 36 Confidential & Proprietary POWERUPSQL OPENQUERY Domain User – Public Domain User – Sysadmin SQL Login – Public SQL Login – Sysadmin Provided Domain User Access X No X No X No X X No X X No X Yes X X Yes X X Yes
  • 37. 37 Confidential & Proprietary POWERUPSQL OPENROWSET Domain User – Public Domain User – Sysadmin SQL Login – Public SQL Login – Sysadmin Provided Domain User Access X No X No X X No X X No X Yes X Yes X X Yes X X Yes
  • 38. 38 Confidential & Proprietary POWERUPSQL Alternate Credentials  Sysadmin login to SQL Server and Windows domain credentials authenticate to LDAP Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -Username sa -Password 'Pass123!' -LinkUsername 'demoadministrator' -LinkPassword 'BestPasswordEver!’  Sysadmin login to SQL Server and SQL Server Service account authenticate to LDAP Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -UseAdHoc -Username sa - Password 'Pass123!'
  • 39. 39 Confidential & Proprietary POWERUPSQL PowerUpSQL caveats  Need sysadmin privileges to return data  Multi-valued attributes cannot be returned  Description, memberof  Multi-valued attributes not supported by OLE DB ADSI provider “Msg 7346, Level 16, State 2, Line 1 Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow.”  SQL CLR workaround  Paging not supported  Max results returned limited  Default set at 1000 in Windows Server 2012
  • 40. 40 Confidential & Proprietary40 Confidential & Proprietary GODDI
  • 41. 41 Confidential & Proprietary GODDI What is goddi?  go dump domain info  Active Directory information gathering tool written in Go  Cross platform compile and compatibility  Performs well in larger environments  Uses go library  gopkg.in/ldap.v2
  • 42. 42 Confidential & Proprietary GODDI goddi setup  Use the binaries in the Releases section  Build it yourself  Ensure go environment is set up  https://golang.org/doc/code.html  go get gopkg.in/ldap.v2
  • 43. 43 Confidential & Proprietary GODDI Active Directory information gathering with goddi  LDAP  gopkg.in/ldap.v2  Dial and Bind  Golang tls.Client  Supports TLS on 636, startTLS, plaintext dial  Default is TLS connection  Certificates managed through tls.Certificates  Need to provide certs on Linux
  • 44. 44 Confidential & Proprietary GODDI Optimizations  Querying for objectCategory when possible  Indexing  Only querying for attributes needed  Optimize search results and time  Paging  AD default is 1000 results  goddi paging set to 200 results  Prevents client blocking  Reduces memory stress on DC and avoids heavy query detection
  • 45. 45 Confidential & Proprietary GODDI func GetLAPS(conn *ldap.Conn, baseDN string) { attributes := []string{ "dNSHostName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"} filter := "(objectCategory=Computer)" sr := ldapSearch(baseDN, filter, attributes, conn)
  • 46. 46 Confidential & Proprietary GODDI Feature List  Users  Computers  DCs  SPNs  Groups  OUs  LAPS passwords  GPP passwords  Sensitive data checks – description attribute  And more
  • 47. 47 Confidential & Proprietary GODDI LAPS  Local Administrator Password Solution  Passwords stored in Active Directory  Password access can be limited with ACLs  ms-mcs-AdmPwd  Attribute that stores cleartext password  Domain Admin privileges needed to read  ms-mcs-AdmPwdExpirationTime  attribute stores password reset date/time  Authenticated users can read
  • 48. 48 Confidential & Proprietary GODDI GPP  Group Policy Preference  Group Policy can be used to change local administrator passwords  XML files can contain encrypted cpassword if provided  AES 256 bit encrypted  demo.localSYSVOLdemo.localPolicies...
  • 49. 49 Confidential & Proprietary GODDI GPP  https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70- 1f2fa45dd4be.aspx  Authenticated users have access to SYSVOL  “Fixed” in May 2014
  • 50. 50 Confidential & Proprietary GODDI GPP  ...MachinePreferencesGroupsGroups.xml  ...UserPreferencesGroupsGroups.xml  ...MachinePreferencesServicesServices.xml  ...UserPreferencesServicesServices.xml  ...MachinePreferencesScheduledtasksScheduledtasks.xml  ...UserPreferencesScheduledtasksScheduledtasks.xml  ...MachinePreferencesDataSourcesDataSources.xml  ...UserPreferencesDataSourcesDataSources.xml  ...MachinePreferencesPrintersPrinters.xml  ...UserPreferencesPrintersPrinters.xml  ...MachinePreferencesDrivesDrives.xml  ...UserPreferencesDrivesDrives.xml
  • 51. 51 Confidential & Proprietary GODDI Demo – Windows
  • 52. 52 Confidential & Proprietary GODDI Demo – Linux
  • 53. 53 Confidential & Proprietary GODDI
  • 54. 54 Confidential & Proprietary GODDI Output  CSV output  Creates csv directory
  • 55. 55 Confidential & Proprietary GODDI goddi caveats  Need to supply credentials every time  Does not run from current user context as PowerUpSQL or PowerView  Certificates can be tricky  Need to import them on Linux  GetGPP  Uses “net use” and “mount”  Needs more robust error handling  Need to improve XML parsing  Underlying library requires case sensitive attributes
  • 56. 56 Confidential & Proprietary GODDI goddi Roadmap – ADSI and COM  Best solution for using user’s current Windows security context  Use the IADs interfaces (inherit from IDispatch)  Requires lower level system calls var mod = syscall.LoadDLL("ole32.dll") var proc = mod.FindProc("CoCreateInstanceEx") ret, _, _ := proc.Call(...)  go-ole library
  • 57. 57 Confidential & Proprietary57 Confidential & Proprietary DETECTION
  • 58. 58 Confidential & Proprietary DETECTION Setting Up Logging Options  HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics  LDAP Interface Events  Field Engineering
  • 59. 59 Confidential & Proprietary DETECTION Windows Event IDs  2889 – LDAP bind without signing or cleartext connection  1644 – Costly LDAP searches  https://docs.microsoft.com/en-us/windows-server/identity/ad- ds/manage/component-updates/directory-services-component-updates
  • 60. 60 Confidential & Proprietary DETECTION
  • 61. 61 Confidential & Proprietary DETECTION
  • 62. 62 Confidential & Proprietary62 Confidential & Proprietary WRAPPING UP
  • 63. 63 Confidential & Proprietary WRAPPING UP Thanks!  Everyone on the Previous Research slide  Scott Sutherland  Karl Fosaaen  Kevin Robertson  PowerUpSQL and goddi contributors  Everyone at this talk!
  • 64. 64 Confidential & Proprietary WRAPPING UP References  Everyone on the Previous Research slide  Fancy Gopher, by Renée French, https://blog.golang.org/gophergala/fancygopher.jpg
  • 65. MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS https://www.netspi.com https://www.facebook.com/netspi @NetSPI https://www.slideshare.net/NetSPI