4. 4 Confidential & Proprietary
INTRODUCTION
Why is Active Directory Information Gathering useful?
Situational Awareness
What am I looking for?
Escalation Paths
Where are privileged users logged in?
Identify Misconfigurations
Are there passwords in the Description attribute?
INTRODUCTION
Why PowerUpSQL and goddi?
AD information gathering alternatives
Using SQL Server and ADSI
Using golang and LDAP
Does not use typical PowerShell AD functions
PREVIOUS RESEARCH
PowerView
Part of PowerSploit
Recon module
Basis of PowerShell ingestor in BloodHound
PowerShell AD module hooks
LDAP/.NET
WMI
Win32 API
ACTIVE DIRECTORY BASICS
What is Active Directory?
Microsoft’s Directory Service
Directory Service – provides resource and network mappings for objects distributed across a network
Includes a wide variety of directory services: Federation Services, Lightweight Directory Services, etc.
Domain Services – hierarchical and scalable infrastructure for object management
Domain Services is our focus
ACTIVE DIRECTORY BASICS
What are the key components of Domain Services?
Forests
Trees
Domains
ACTIVE DIRECTORY BASICS
Domain – security boundary, collection of objects
Domain Controller – server(s) where Active Directory is installed
Users and Computers – security principals, represent physical entities on the domain
OU – containers for users/groups/computers; makes it easy to apply group policies or delegation
Groups – collection of users/computers where access control can be applied
ACTIVE DIRECTORY BASICS
Accessing Domain Services
Active Directory Service Interfaces (ADSI)
COM interfaces for managing network resources
OLE DB provider for ADSI used in SQL Server and PowerUpSQL
LDAP provider
Lightweight Directory Access Protocol (LDAP/LDAPS)
LDAP is AD’s access protocol
Used to send and retrieve domain information
Supports different authentication methods
ACTIVE DIRECTORY BASICS
LDAP basics
Entry – collection of attributes
DN – unique identifier for an entry, e.g. cn=test test,dc=demo,dc=com
Attributes – LDAP data identified by predefined names, e.g. sAMAccountName
Scope – how far below the base DN the search reaches, e.g. WholeSubtree
Filters – used to select entries within a search, e.g. all groups:
(&(objectCategory=group)(SamAccountName=*))
POWERUPSQL
What is PowerUpSQL?
Written in PowerShell
SQL Server discovery
Weak configuration auditing
Privilege escalation
Post exploitation
Hacking SQL Server at scale
POWERUPSQL
Why SQL Server?
Popular in enterprise environments
Integration with Windows services
Vertical escalation opportunities on the domain
Why PowerShell?
Native to Windows
Runs commands in memory
Often flagged as trusted
May need to start obfuscating or disabling security features soon…
POWERUPSQL
Getting started
Check out BlackHat Arsenal 2018 slides
https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa-arsenal-presentation
POWERUPSQL
Active Directory information gathering with PowerUpSQL
OLE DB Active Directory Service Interfaces (ADSI) Provider
Two main methods
OPENQUERY (Linked server)
OPENROWSET (Ad Hoc query)
OPENQUERY technique requires creating a SQL server link
POWERUPSQL
OPENQUERY method
Linked Server
Configured to run queries in another instance of SQL Server or in another DB
Can also be used to allow data access from outside of SQL Server
ADSI Linked Server
OPENQUERY
Executes a pass-through query on the specified linked server
The linked server can be any OLE DB data source, including the ADSI provider
POWERUPSQL
OPENROWSET method
Ad Hoc Queries
Disabled by default
Must be enabled first via sp_configure; PowerUpSQL does this automatically
OPENROWSET
One time connection to access remote data through OLE DB
Alternative to linked servers
POWERUPSQL
OPENQUERY - Creating a SQL Server Link
-- Create SQL Server link to ADSI
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0
EXEC master.dbo.sp_addlinkedserver @server = N'ADSI',
@srvproduct=N'Active Directory Service Interfaces',
@provider=N'ADSDSOObject',
@datasrc=N'adsdatasource'
ELSE
SELECT 'The target SQL Server link already exists.'
POWERUPSQL
OPENQUERY
-- Define authentication context - OPENQUERY
EXEC sp_addlinkedsrvlogin
@rmtsrvname=N'ADSI',
@useself=N'True',
@locallogin=NULL,
@rmtuser=NULL,
@rmtpassword=NULL
GO
-- Use OPENQUERY
SELECT *
FROM OPENQUERY([ADSI],'<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name, adspath;subtree')
POWERUPSQL
OPENROWSET
-- Enable 'Show Advanced Options'
EXEC sp_configure 'Show Advanced Options', 1
RECONFIGURE
GO
-- Enable 'Ad Hoc Distributed Queries'
EXEC sp_configure 'Ad Hoc Distributed Queries', 1
RECONFIGURE
GO
-- Run with openrowset
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','adsdatasource','<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name, adspath;subtree')
POWERUPSQL
OPENQUERY
Who can pull domain data through the ADSI linked server (Provided Domain User = alternate domain credentials passed to the link, see Alternate Credentials):

Login type               Provided Domain User   Access
Domain User – Public     no                     No
SQL Login – Public       no                     No
SQL Login – Sysadmin     no                     No
Domain User – Public     yes                    No
SQL Login – Public       yes                    No
Domain User – Sysadmin   no                     Yes
Domain User – Sysadmin   yes                    Yes
SQL Login – Sysadmin     yes                    Yes
POWERUPSQL
OPENROWSET
Who can pull domain data through an ad hoc OPENROWSET query (a SQL login with sysadmin now works without extra credentials, because the query runs under the SQL Server service account):

Login type               Provided Domain User   Access
Domain User – Public     no                     No
SQL Login – Public       no                     No
Domain User – Public     yes                    No
SQL Login – Public       yes                    No
Domain User – Sysadmin   no                     Yes
SQL Login – Sysadmin     no                     Yes
Domain User – Sysadmin   yes                    Yes
SQL Login – Sysadmin     yes                    Yes
POWERUPSQL
Alternate Credentials
Sysadmin login to SQL Server, and Windows domain credentials to authenticate to LDAP:
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -Username sa -Password 'Pass123!' -LinkUsername 'demo\administrator' -LinkPassword 'BestPasswordEver!'
Sysadmin login to SQL Server, and the SQL Server service account to authenticate to LDAP:
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -UseAdHoc -Username sa -Password 'Pass123!'
POWERUPSQL
PowerUpSQL caveats
Need sysadmin privileges to return data
Multi-valued attributes cannot be returned
description, memberOf
Multi-valued attributes are not supported by the OLE DB ADSI provider; the query fails with:
“Msg 7346, Level 16, State 2, Line 1 Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow.”
SQL CLR workaround
Paging not supported
Maximum number of results is capped by the DC's MaxPageSize LDAP policy
Default is 1000 (Windows Server 2012)
GODDI
What is goddi?
go dump domain info
Active Directory information gathering tool written in Go
Cross-platform compilation and compatibility
Performs well in larger environments
Uses go library
gopkg.in/ldap.v2
GODDI
goddi setup
Use the binaries in the Releases section
Build it yourself
Ensure go environment is set up
https://golang.org/doc/code.html
go get gopkg.in/ldap.v2
GODDI
Active Directory information gathering with goddi
LDAP
gopkg.in/ldap.v2
Dial and Bind
Go's crypto/tls client (tls.Client)
Supports LDAPS on 636, StartTLS, and a plaintext dial
Default is a TLS connection
Certificates are managed through tls.Config (RootCAs / Certificates)
On Linux the DC's CA certificate must be provided, otherwise verification fails
GODDI
Optimizations
Filter on objectCategory where possible
It is single-valued and indexed, so the DC answers quickly
Request only the attributes needed
Smaller results, faster searches
Paging
AD default MaxPageSize is 1000 results
goddi sets the page size to 200 results
Keeps the client from blocking on one large response
Reduces memory pressure on the DC and avoids tripping heavy-query detection
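As an added example, not code from the slides or from goddi, the Go program below models the LDAP points made in the basics and optimizations slides: building a search filter anchored on objectCategory with RFC 4515 escaping of the caller-supplied value, and why paging matters. A stand-in DC enforces the default MaxPageSize of 1000 on an un-paged search (returning sizeLimitExceeded), while a client loop drains the same result set 200 entries at a time. The MockDC type, the 2500 constructed demo.local user entries and the offset-style cookie are assumptions made for this example; a real DC returns an opaque cookie, and the loop shown is what gopkg.in/ldap.v2's SearchWithPaging does for you.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Entry models one directory object as returned to the client.
type Entry struct {
	DN    string
	Attrs map[string]string
}

// EscapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515). Without it, a value taken from user input, such as a
// sAMAccountName, can change the meaning of the filter.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UserFilter builds the user filter from the slides, anchored on
// objectCategory (single-valued, indexed) and narrowed to one account.
func UserFilter(sam string) string {
	return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" +
		EscapeFilterValue(sam) + "))"
}

// MaxPageSize is the DC's default MaxPageSize LDAP policy.
const MaxPageSize = 1000

// MockDC stands in for a domain controller holding one result set (assumption).
type MockDC struct{ Entries []Entry }

// Search returns one page. pageSize == 0 means the client sent no paged-results
// control, so the server truncates at MaxPageSize and reports sizeLimitExceeded.
// cookie is a plain offset here; a real cookie is opaque to the client.
func (d *MockDC) Search(pageSize, cookie int) (page []Entry, next int, err error) {
	if pageSize == 0 {
		if len(d.Entries) > MaxPageSize {
			return d.Entries[:MaxPageSize], 0, errors.New("LDAP Result Code 4: Size Limit Exceeded")
		}
		return d.Entries, 0, nil
	}
	end := cookie + pageSize
	if end >= len(d.Entries) {
		return d.Entries[cookie:], 0, nil // empty cookie: this was the last page
	}
	return d.Entries[cookie:end], end, nil
}

// SearchAll drains a search the way a paged-results loop does: request a page,
// append it, resend with the returned cookie until the cookie is empty.
// It returns what was collected, the number of round trips, and any error.
func SearchAll(d *MockDC, pageSize int) (all []Entry, pages int, err error) {
	cookie := 0
	for {
		page, next, serr := d.Search(pageSize, cookie)
		all = append(all, page...)
		pages++
		if serr != nil {
			return all, pages, serr
		}
		if next == 0 {
			return all, pages, nil
		}
		cookie = next
	}
}

// MakeEntries builds n constructed user entries (sample data, not real AD output).
func MakeEntries(n int) []Entry {
	entries := make([]Entry, n)
	for i := range entries {
		sam := fmt.Sprintf("user%04d", i)
		entries[i] = Entry{
			DN:    fmt.Sprintf("CN=%s,OU=Users,DC=demo,DC=local", sam),
			Attrs: map[string]string{"sAMAccountName": sam, "description": ""},
		}
	}
	return entries
}

func main() {
	dc := &MockDC{Entries: MakeEntries(2500)}
	fmt.Println(UserFilter("svc*admin")) // the * is escaped, not a wildcard
	got, pages, err := SearchAll(dc, 0)
	fmt.Printf("unpaged:    %d entries in %d round trip, err=%v\n", len(got), pages, err)
	got, pages, err = SearchAll(dc, 200)
	fmt.Printf("paged(200): %d entries in %d round trips, err=%v\n", len(got), pages, err)
}
```

Against the 2500-entry set the un-paged search stops at 1000 entries with the size-limit error, while the paged search needs 13 round trips of at most 200 entries each to return all 2500.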
GODDI
Feature List
Users
Computers
DCs
SPNs
Groups
OUs
LAPS passwords
GPP passwords
Sensitive data checks – description attribute
And more
GODDI
LAPS
Local Administrator Password Solution
Passwords stored in Active Directory
Password access can be limited with ACLs
ms-Mcs-AdmPwd
Attribute that stores the cleartext password
Readable only by Domain Admins and principals explicitly delegated via the ACL
ms-Mcs-AdmPwdExpirationTime
Attribute that stores the password reset date/time
Readable by all authenticated users, so any domain account can tell where LAPS is deployed and when passwords rotate
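Added example, not goddi's code: given the two LAPS attributes as an LDAP search returns them, convert ms-Mcs-AdmPwdExpirationTime from its Windows FILETIME representation (100-nanosecond ticks since 1601-01-01, stored as a decimal string) and classify each computer. Because every authenticated user can read the expiration attribute, this already shows where LAPS is deployed and which clients have stopped rotating, even when ms-Mcs-AdmPwd itself comes back empty. The LAPSEntry and LAPSStatus types and the sample computer entries are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// LAPSEntry holds the two LAPS attributes of one computer object as an LDAP
// search returns them. ms-Mcs-AdmPwd is only present when the bound account
// was allowed to read it; the expiration time is readable by any
// authenticated user. (Type constructed for this example.)
type LAPSEntry struct {
	DN             string
	AdmPwd         string // ms-Mcs-AdmPwd, "" when not returned
	ExpirationTime string // ms-Mcs-AdmPwdExpirationTime, FILETIME as a decimal string
}

// ticksUnixEpoch is the FILETIME value of 1970-01-01T00:00:00Z
// (100-nanosecond ticks from 1601-01-01 to the Unix epoch).
const ticksUnixEpoch = 116444736000000000

// ParseFileTime converts the FILETIME string AD stores in
// ms-Mcs-AdmPwdExpirationTime into a UTC time.Time.
func ParseFileTime(s string) (time.Time, error) {
	ticks, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return time.Time{}, fmt.Errorf("bad FILETIME %q: %w", s, err)
	}
	unixTicks := ticks - ticksUnixEpoch
	return time.Unix(unixTicks/1e7, (unixTicks%1e7)*100).UTC(), nil
}

// LAPSStatus is what one enumeration pass can say about a computer.
type LAPSStatus struct {
	DN          string
	Deployed    bool      // expiration attribute present: LAPS manages this host
	Expires     time.Time // when the password is due to be rotated
	Expired     bool      // rotation overdue: the client has not checked in
	PwdReadable bool      // our bind was allowed to read the cleartext value
}

// Assess classifies one entry relative to now.
func Assess(e LAPSEntry, now time.Time) (LAPSStatus, error) {
	st := LAPSStatus{DN: e.DN, PwdReadable: e.AdmPwd != ""}
	if e.ExpirationTime == "" {
		return st, nil // no LAPS attribute: not deployed on this computer
	}
	exp, err := ParseFileTime(e.ExpirationTime)
	if err != nil {
		return st, err
	}
	st.Deployed, st.Expires, st.Expired = true, exp, !exp.After(now)
	return st, nil
}

func main() {
	// Constructed sample entries, not real directory output.
	now := time.Date(2018, 8, 1, 0, 0, 0, 0, time.UTC)
	entries := []LAPSEntry{
		{DN: "CN=WS01,OU=Workstations,DC=demo,DC=local", ExpirationTime: "131800000000000000"},
		{DN: "CN=WS02,OU=Workstations,DC=demo,DC=local", ExpirationTime: "131000000000000000", AdmPwd: "Zx4#kQ9pL2mV"},
		{DN: "CN=SRV01,OU=Servers,DC=demo,DC=local"}, // no LAPS attributes at all
	}
	for _, e := range entries {
		st, err := Assess(e, now)
		if err != nil {
			fmt.Println(e.DN, "error:", err)
			continue
		}
		fmt.Printf("%-45s deployed=%-5v expired=%-5v readable=%-5v expires=%s\n",
			st.DN, st.Deployed, st.Expired, st.PwdReadable, st.Expires.Format(time.RFC3339))
	}
}
```

A host whose expiration lies in the past has not rotated its password since the policy ran out, which usually means the LAPS client is broken or the machine is offline; a host with no expiration attribute is outside LAPS entirely and is where shared local-administrator passwords tend to survive.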
GODDI
GPP
Group Policy Preference
Group Policy can be used to set local administrator passwords
The preference XML files carry the password in the cpassword attribute when one was provided
AES-256 encrypted, but with a fixed key that Microsoft published (MSDN link below)
\\demo.local\SYSVOL\demo.local\Policies\...
GODDI
GPP
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
Authenticated users have read access to SYSVOL
“Fixed” in May 2014 (MS14-025): new cpassword values can no longer be set, but existing ones stay in SYSVOL until the preference item is removed
GODDI
goddi caveats
Need to supply credentials every time
Does not run from the current user's security context the way PowerUpSQL and PowerView do
Certificates can be tricky
Need to import them on Linux
GetGPP
Uses “net use” and “mount”
Needs more robust error handling
Need to improve XML parsing
Underlying library requires case sensitive attributes
GODDI
goddi Roadmap – ADSI and COM
Best solution for using user’s current Windows security context
Use the IADs interfaces (inherit from IDispatch)
Requires lower level system calls
mod, err := syscall.LoadDLL("ole32.dll")           // returns (*syscall.DLL, error)
proc, err := mod.FindProc("CoCreateInstanceEx")    // returns (*syscall.Proc, error)
ret, _, _ := proc.Call(...)
go-ole library
WRAPPING UP
Thanks!
Everyone on the Previous Research slide
Scott Sutherland
Karl Fosaaen
Kevin Robertson
PowerUpSQL and goddi contributors
Everyone at this talk!
WRAPPING UP
References
Everyone on the Previous Research slide
Fancy Gopher, by Renée French,
https://blog.golang.org/gophergala/fancygopher.jpg
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
https://www.netspi.com
https://www.facebook.com/netspi
@NetSPI
https://www.slideshare.net/NetSPI