SlideShare a Scribd company logo
1 of 65
Download to read offline
USING POWERUPSQL AND GODDI FOR
ACTIVE DIRECTORY INFORMATION
GATHERING
THOMAS ELLING
2 Confidential & Proprietary
ABOUT
Thomas Elling
 Web Application and Network Pentester at NetSPI
 PowerUpSQL contributor
 goddi (go dump domain info) creator
 I liked the Venom movie
 Twitter: @thomas_elling
 Slideshare: slideshare.net/thomaselling1
 Blog: blog.netspi.com
3 Confidential & Proprietary
PRESENTATION OVERVIEW
 Previous Research
 Active Directory Basics
 PowerUpSQL overview
 Install instructions
 Methodology
 Demo
 goddi overview
 Install instructions
 Methodology
 Demo
 Detection
4 Confidential & Proprietary
INTRODUCTION
Why is Active Directory Information Gathering useful?
 Situational Awareness
 What am I looking for?
 Escalation Paths
 Where are privileged users logged in?
 Identify Misconfigurations
 Are there passwords in the Description attribute?
5 Confidential & Proprietary
INTRODUCTION
Why PowerUpSQL and goddi?
 AD information gathering alternatives
 Using SQL Server and ADSI
 Using golang and LDAP
 Does not use typical PowerShell AD functions
6 Confidential & Proprietary6 Confidential & Proprietary
PREVIOUS RESEARCH
7 Confidential & Proprietary
PREVIOUS RESEARCH
harmj0y - https://blog.harmj0y.net/
PyroTek3 - https://adsecurity.org/
nikhil_mitt - https://www.labofapenetrationtester.com/
_nullbind - https://blog.netspi.com/author/scott-sutherland/
PowerView authors -
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
8 Confidential & Proprietary
PREVIOUS RESEARCH
PowerView
 Part of PowerSploit
 Recon module
 Basis of PowerShell ingestor in BloodHound
 PowerShell AD module hooks
 LDAP/.NET
 WMI
 Win32 API
9 Confidential & Proprietary9 Confidential & Proprietary
ACTIVE DIRECTORY BASICS
10 Confidential & Proprietary
ACTIVE DIRECTORY BASICS
What is Active Directory?
 Microsoft’s Directory Service
 Directory Service – provides resource and network mappings for objects
distributed across a network
 Includes wide variety of directory services - Federation services, Lightweight
directory services etc.
 Domain Services – hierarchical and scalable infrastructure for object
management
 Domain Services is our focus
11 Confidential & Proprietary
ACTIVE DIRECTORY BASICS
What are the key components of Domain Services?
Forest Tree
Domains
12 Confidential & Proprietary
ACTIVE DIRECTORY BASICS
 Domain - security boundary, collection of objects
 Domain Controller – server(s) where Active Directory is installed
 Users and Computers – security principals, represent physical entities on the
domain
 OU – containers for users/groups/computers, easy to apply group policies or
delegation
 Groups – collection of users/computers where access control can be applied
13 Confidential & Proprietary
ACTIVE DIRECTORY BASICS
Accessing Domain Services
 Active Directory Service Interfaces (ADSI)
 COM interfaces for managing network resources
 OLE DB provider for ADSI used in SQL Server and PowerUpSQL
 LDAP provider
 Lightweight Directory Access Protocol (LDAP/LDAPS)
 LDAP is AD’s access protocol
 Used to send and retrieve domain information
 Supports different authentication methods
14 Confidential & Proprietary
ACTIVE DIRECTORY BASICS
LDAP basics
 Entry – collection of attributes
 DN – unique identifier for an entry ex. cn=test test,dc=demo,dc=com
 Attributes – LDAP data identified by predefined names ex. sAMAccountName
 Scope – specifies search objects ex. WholeSubtree
 Filters – used to select data within a search ex. Groups
(&(objectCategory=group)(SamAccountName=*))
15 Confidential & Proprietary
ACTIVE DIRECTORY BASICS
Useful LDAP filters
 Users - (&(objectCategory=person)(objectClass=user)(SamAccountName=*))
 Locked Users - (&(sAMAccountType=805306368)(lockoutTime>=1))
 Computers - (&(objectCategory=Computer)(SamAccountName=*))
 DCs -
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
 SPNs - (servicePrincipalName=*)
 Groups - (&(objectClass=group)(samaccountname=*))
 Domain Admins - (&(objectCategory=user)(memberOf=DomainAdminDN))
 OUs - (&(objectCategory=organizationalUnit)(ou=*))
16 Confidential & Proprietary16 Confidential & Proprietary
POWERUPSQL
17 Confidential & Proprietary
POWERUPSQL
What is PowerUpSQL?
 Written in PowerShell
 SQL Server discovery
 Weak configuration auditing
 Privilege escalation
 Post exploitation
 Hacking SQL Server on scale
18 Confidential & Proprietary
POWERUPSQL
Why SQL Server?
 Popular in enterprise environments
 Integration with Windows services
 Vertical escalation opportunities on the domain
Why PowerShell?
 Native to Windows
 Runs commands in memory
 Often flagged as trusted
 May need to start obfuscating or disabling security features soon…
19 Confidential & Proprietary
POWERUPSQL
PowerUpSQL wiki
 https://github.com/NetSPI/PowerUpSQL/wiki/Active-Directory-Recon-
Functions
 Setup instructions
 Cheat Sheets!
 Documentation
 Resource Links
20 Confidential & Proprietary
POWERUPSQL
PowerUpSQL setup
 Import-Module PowerUpSQL.psd1
 Install-Module -Name PowerUpSQL
 IEX(New-Object
System.Net.WebClient).DownloadString("https://raw.githubusercontent.com
/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")
 &([scriptblock]::Create((new-object
net.webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/
PowerUpSQL/master/PowerUpSQL.ps1")))
21 Confidential & Proprietary
POWERUPSQL
22 Confidential & Proprietary
POWERUPSQL
Getting started
 Get-Command –Module PowerUpSQL –Name 'Get-SQLDomain*'
 Get-Help Get-SQLDomainUser
23 Confidential & Proprietary
POWERUPSQL
Getting started
 Check out BlackHat Arsenal 2018 slides
 https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa-
arsenal-presentation
24 Confidential & Proprietary
POWERUPSQL
Active Directory information gathering with PowerUpSQL
 OLE DB Active Directory Service Interfaces (ADSI) Provider
 Two main methods
 OPENQUERY (Linked server)
 OPENROWSET (Ad Hoc query)
 OPENQUERY technique requires creating a SQL server link
25 Confidential & Proprietary
POWERUPSQL
OPENQUERY method
 Linked Server
 Configured to run queries in another instance of SQL Server or in another DB
 Can also be used to allow data access from outside of SQL Server
 ADSI Linked Server
 OPENQUERY
 Executes a pass through query on specified linked server
 Server can be OLE DB data source
26 Confidential & Proprietary
POWERUPSQL
OPENROWSET method
 Ad Hoc Queries
 Disabled by default
 Needs to be enabled and is done by default in PowerUpSQL
 OPENROWSET
 One time connection to access remote data through OLE DB
 Alternative to linked servers
27 Confidential & Proprietary
POWERUPSQL
OPENQUERY - Creating a SQL Server Link
-- Create SQL Server link to ADSI
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0
EXEC master.dbo.sp_addlinkedserver @server = N'ADSI',
@srvproduct=N'Active Directory Service Interfaces',
@provider=N'ADSDSOObject',
@datasrc=N'adsdatasource'
ELSE
SELECT 'The target SQL Server link already exists.'
28 Confidential & Proprietary
POWERUPSQL
OPENQUERY
-- Define authentication context - OPENQUERY
EXEC sp_addlinkedsrvlogin
@rmtsrvname=N'ADSI',
@useself=N'True',
@locallogin=NULL,
@rmtuser=NULL,
@rmtpassword=NULL
GO
-- Use OPENQUERY
SELECT *
FROM
OPENQUERY([ADSI],'<LDAP://path>;(&(objectCategory=Person)(objectClass
=user));name, adspath;subtree')
29 Confidential & Proprietary
POWERUPSQL
OPENROWSET
-- Enable 'Show Advanced Options'
EXEC sp_configure 'Show Advanced Options', 1
RECONFIGURE
GO
-- Enable 'Ad Hoc Distributed Queries'
EXEC sp_configure 'Ad Hoc Distributed Queries', 1
RECONFIGURE
GO
-- Run with openrowset
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','adsdatasource',
'<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name,
adspath;subtree')
30 Confidential & Proprietary
POWERUPSQL
 Get-SQLDomainAccountPolicy
 Get-SQLDomainComputer
 Get-SQLDomainController
 Get-SQLDomainExploitableSystem
 Get-SQLDomainGroup
 Get-SQLDomainGroupMember
 Get-SQLDomainObject
 Get-SQLDomainOu
 Get-SQLDomainPasswordsLAPS
 Get-SQLDomainSite
 Get-SQLDomainSubnet
 Get-SQLDomainTrust
 Get-SQLDomainUser
31 Confidential & Proprietary
POWERUPSQL
Demo - Linked Server via OPENQUERY
32 Confidential & Proprietary
POWERUPSQL
Demo - Linked Server via OPENQUERY
33 Confidential & Proprietary
POWERUPSQL
Demo - Ad Hoc queries via OPENROWSET
34 Confidential & Proprietary
POWERUPSQL
Demo - Ad Hoc queries via OPENROWSET
35 Confidential & Proprietary
POWERUPSQL
Demo – Grabbing LAPS passwords
36 Confidential & Proprietary
POWERUPSQL
OPENQUERY
Domain User
– Public
Domain User
– Sysadmin
SQL Login –
Public
SQL Login –
Sysadmin
Provided
Domain User
Access
X No
X No
X No
X X No
X X No
X Yes
X X Yes
X X Yes
37 Confidential & Proprietary
POWERUPSQL
OPENROWSET
Domain User
– Public
Domain User
– Sysadmin
SQL Login –
Public
SQL Login –
Sysadmin
Provided
Domain User
Access
X No
X No
X X No
X X No
X Yes
X Yes
X X Yes
X X Yes
38 Confidential & Proprietary
POWERUPSQL
Alternate Credentials
 Sysadmin login to SQL Server and Windows domain credentials authenticate
to LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -Username sa -Password
'Pass123!' -LinkUsername 'demoadministrator' -LinkPassword 'BestPasswordEver!’
 Sysadmin login to SQL Server and SQL Server Service account authenticate to
LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -UseAdHoc -Username sa -
Password 'Pass123!'
39 Confidential & Proprietary
POWERUPSQL
PowerUpSQL caveats
 Need sysadmin privileges to return data
 Multi-valued attributes cannot be returned
 Description, memberof
 Multi-valued attributes not supported by OLE DB ADSI provider
“Msg 7346, Level 16, State 2, Line 1 Cannot get the data of the row from the OLE DB provider
"ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than
sign mismatch or overflow.”
 SQL CLR workaround
 Paging not supported
 Max results returned limited
 Default set at 1000 in Windows Server 2012
40 Confidential & Proprietary40 Confidential & Proprietary
GODDI
41 Confidential & Proprietary
GODDI
What is goddi?
 go dump domain info
 Active Directory information gathering tool written in Go
 Cross platform compile and compatibility
 Performs well in larger environments
 Uses go library
 gopkg.in/ldap.v2
42 Confidential & Proprietary
GODDI
goddi setup
 Use the binaries in the Releases section
 Build it yourself
 Ensure go environment is set up
 https://golang.org/doc/code.html
 go get gopkg.in/ldap.v2
43 Confidential & Proprietary
GODDI
Active Directory information gathering with goddi
 LDAP
 gopkg.in/ldap.v2
 Dial and Bind
 Golang tls.Client
 Supports TLS on 636, startTLS, plaintext dial
 Default is TLS connection
 Certificates managed through tls.Certificates
 Need to provide certs on Linux
44 Confidential & Proprietary
GODDI
Optimizations
 Querying for objectCategory when possible
 Indexing
 Only querying for attributes needed
 Optimize search results and time
 Paging
 AD default is 1000 results
 goddi paging set to 200 results
 Prevents client blocking
 Reduces memory stress on DC and avoids heavy query detection
45 Confidential & Proprietary
GODDI
func GetLAPS(conn *ldap.Conn, baseDN string) {
attributes := []string{
"dNSHostName",
"ms-Mcs-AdmPwd",
"ms-Mcs-AdmPwdExpirationTime"}
filter := "(objectCategory=Computer)"
sr := ldapSearch(baseDN, filter, attributes, conn)
46 Confidential & Proprietary
GODDI
Feature List
 Users
 Computers
 DCs
 SPNs
 Groups
 OUs
 LAPS passwords
 GPP passwords
 Sensitive data checks – description attribute
 And more
47 Confidential & Proprietary
GODDI
LAPS
 Local Administrator Password Solution
 Passwords stored in Active Directory
 Password access can be limited with ACLs
 ms-mcs-AdmPwd
 Attribute that stores cleartext password
 Domain Admin privileges needed to read
 ms-mcs-AdmPwdExpirationTime
 attribute stores password reset date/time
 Authenticated users can read
48 Confidential & Proprietary
GODDI
GPP
 Group Policy Preference
 Group Policy can be used to change local administrator passwords
 XML files can contain encrypted cpassword if provided
 AES 256 bit encrypted
 demo.localSYSVOLdemo.localPolicies...
49 Confidential & Proprietary
GODDI
GPP
 https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-
1f2fa45dd4be.aspx
 Authenticated users have access to SYSVOL
 “Fixed” in May 2014
50 Confidential & Proprietary
GODDI
GPP
 ...MachinePreferencesGroupsGroups.xml
 ...UserPreferencesGroupsGroups.xml
 ...MachinePreferencesServicesServices.xml
 ...UserPreferencesServicesServices.xml
 ...MachinePreferencesScheduledtasksScheduledtasks.xml
 ...UserPreferencesScheduledtasksScheduledtasks.xml
 ...MachinePreferencesDataSourcesDataSources.xml
 ...UserPreferencesDataSourcesDataSources.xml
 ...MachinePreferencesPrintersPrinters.xml
 ...UserPreferencesPrintersPrinters.xml
 ...MachinePreferencesDrivesDrives.xml
 ...UserPreferencesDrivesDrives.xml
51 Confidential & Proprietary
GODDI
Demo – Windows
52 Confidential & Proprietary
GODDI
Demo – Linux
53 Confidential & Proprietary
GODDI
54 Confidential & Proprietary
GODDI
Output
 CSV output
 Creates csv directory
55 Confidential & Proprietary
GODDI
goddi caveats
 Need to supply credentials every time
 Does not run from current user context as PowerUpSQL or PowerView
 Certificates can be tricky
 Need to import them on Linux
 GetGPP
 Uses “net use” and “mount”
 Needs more robust error handling
 Need to improve XML parsing
 Underlying library requires case sensitive attributes
56 Confidential & Proprietary
GODDI
goddi Roadmap – ADSI and COM
 Best solution for using user’s current Windows security context
 Use the IADs interfaces (inherit from IDispatch)
 Requires lower level system calls
var mod = syscall.LoadDLL("ole32.dll")
var proc = mod.FindProc("CoCreateInstanceEx")
ret, _, _ := proc.Call(...)
 go-ole library
57 Confidential & Proprietary57 Confidential & Proprietary
DETECTION
58 Confidential & Proprietary
DETECTION
Setting Up Logging Options
 HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics
 LDAP Interface Events
 Field Engineering
59 Confidential & Proprietary
DETECTION
Windows Event IDs
 2889 – LDAP bind without signing or cleartext connection
 1644 – Costly LDAP searches
 https://docs.microsoft.com/en-us/windows-server/identity/ad-
ds/manage/component-updates/directory-services-component-updates
60 Confidential & Proprietary
DETECTION
61 Confidential & Proprietary
DETECTION
62 Confidential & Proprietary62 Confidential & Proprietary
WRAPPING UP
63 Confidential & Proprietary
WRAPPING UP
Thanks!
 Everyone on the Previous Research slide
 Scott Sutherland
 Karl Fosaaen
 Kevin Robertson
 PowerUpSQL and goddi contributors
 Everyone at this talk!
64 Confidential & Proprietary
WRAPPING UP
References
 Everyone on the Previous Research slide
 Fancy Gopher, by Renée French,
https://blog.golang.org/gophergala/fancygopher.jpg
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
https://www.netspi.com
https://www.facebook.com/netspi
@NetSPI
https://www.slideshare.net/NetSPI

More Related Content

What's hot

Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Lucidworks
 
Networking and Data Access with Eqela
Networking and Data Access with EqelaNetworking and Data Access with Eqela
Networking and Data Access with Eqelajobandesther
 
Second Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSecond Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSveta Smirnova
 
Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2javagroup2006
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demoViaggio Italia
 
Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Ryosuke Uchitate
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
ARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CIARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CICosmin Poieana
 
Wicket Security Presentation
Wicket Security PresentationWicket Security Presentation
Wicket Security Presentationmrmean
 
Oracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirOracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirilkerb
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
OpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoOpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoDavid Lapsley
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureTiago Simões
 

What's hot (20)

Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
 
Networking and Data Access with Eqela
Networking and Data Access with EqelaNetworking and Data Access with Eqela
Networking and Data Access with Eqela
 
Second Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON FunctionsSecond Step to the NoSQL Side: MySQL JSON Functions
Second Step to the NoSQL Side: MySQL JSON Functions
 
Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2Clean Sweep FileSystem - Java NIO 2
Clean Sweep FileSystem - Java NIO 2
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demo
 
MySQL Router REST API
MySQL Router REST APIMySQL Router REST API
MySQL Router REST API
 
Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploit
 
Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門Form認証で学ぶSpring Security入門
Form認証で学ぶSpring Security入門
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
ARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CIARGUS - THE OMNISCIENT CI
ARGUS - THE OMNISCIENT CI
 
Wicket Security Presentation
Wicket Security PresentationWicket Security Presentation
Wicket Security Presentation
 
Oracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakirOracle11g suse11 ilker bakir
Oracle11g suse11 ilker bakir
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
OpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using DjangoOpenStack Horizon: Controlling the Cloud using Django
OpenStack Horizon: Controlling the Cloud using Django
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architecture
 
MySQL JSON Functions
MySQL JSON FunctionsMySQL JSON Functions
MySQL JSON Functions
 
Elasticsearch security
Elasticsearch securityElasticsearch security
Elasticsearch security
 
Elasticsearch Security Strategy
Elasticsearch Security StrategyElasticsearch Security Strategy
Elasticsearch Security Strategy
 

Similar to WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseSinanPetrusToma
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
REST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTREST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTChristian Gohmann
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTrivadis
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Under the Hood 11g Identity Management
Under the Hood  11g Identity ManagementUnder the Hood  11g Identity Management
Under the Hood 11g Identity ManagementInSync Conference
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to DockerLuong Vo
 
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Mihai Criveti
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellKarl Fosaaen
 
Monitoring your technology stack with New Relic
Monitoring your technology stack with New RelicMonitoring your technology stack with New Relic
Monitoring your technology stack with New RelicRonald Bradford
 
OSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga TeamOSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga TeamNETWAYS
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...NomanKhalid56
 
20151010 my sq-landjavav2a
20151010 my sq-landjavav2a20151010 my sq-landjavav2a
20151010 my sq-landjavav2aIvan Ma
 

Similar to WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering (20)

Con4445 jesus
Con4445 jesusCon4445 jesus
Con4445 jesus
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous Database
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
REST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTREST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using REST
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security Features
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
Under the Hood 11g Identity Management
Under the Hood  11g Identity ManagementUnder the Hood  11g Identity Management
Under the Hood 11g Identity Management
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
 
WebGUI Developers Workshop
WebGUI Developers WorkshopWebGUI Developers Workshop
WebGUI Developers Workshop
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShell
 
Monitoring your technology stack with New Relic
Monitoring your technology stack with New RelicMonitoring your technology stack with New Relic
Monitoring your technology stack with New Relic
 
OSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga TeamOSMC 2009 | Icinga by Icinga Team
OSMC 2009 | Icinga by Icinga Team
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW Auditing
 
Iac d.damyanov 4.pptx
Iac d.damyanov 4.pptxIac d.damyanov 4.pptx
Iac d.damyanov 4.pptx
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
 
20151010 my sq-landjavav2a
20151010 my sq-landjavav2a20151010 my sq-landjavav2a
20151010 my sq-landjavav2a
 

Recently uploaded

JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationDianaGray10
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...BookNet Canada
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxmprakaash5
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfwill854175
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionDEEPRAJ PATHAK
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemSafe Software
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactivestartupro
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023Joshua Flannery
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxatharvdev2010
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 

Recently uploaded (20)

JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptx
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdf
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile Evolution
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data Ecosystem
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactive
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptx
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
BoSEU24 | Bill Thompson | Talk From Another Century
BoSEU24 | Bill Thompson | Talk From Another CenturyBoSEU24 | Bill Thompson | Talk From Another Century
BoSEU24 | Bill Thompson | Talk From Another Century
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 

WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

  • 1. USING POWERUPSQL AND GODDI FOR ACTIVE DIRECTORY INFORMATION GATHERING THOMAS ELLING
  • 2. 2 Confidential & Proprietary ABOUT Thomas Elling  Web Application and Network Pentester at NetSPI  PowerUpSQL contributor  goddi (go dump domain info) creator  I liked the Venom movie  Twitter: @thomas_elling  Slideshare: slideshare.net/thomaselling1  Blog: blog.netspi.com
  • 3. 3 Confidential & Proprietary PRESENTATION OVERVIEW  Previous Research  Active Directory Basics  PowerUpSQL overview  Install instructions  Methodology  Demo  goddi overview  Install instructions  Methodology  Demo  Detection
  • 4. 4 Confidential & Proprietary INTRODUCTION Why is Active Directory Information Gathering useful?  Situational Awareness  What am I looking for?  Escalation Paths  Where are privileged users logged in?  Identify Misconfigurations  Are there passwords in the Description attribute?
  • 5. 5 Confidential & Proprietary INTRODUCTION Why PowerUpSQL and goddi?  AD information gathering alternatives  Using SQL Server and ADSI  Using golang and LDAP  Does not use typical PowerShell AD functions
  • 6. 6 Confidential & Proprietary6 Confidential & Proprietary PREVIOUS RESEARCH
  • 7. 7 Confidential & Proprietary PREVIOUS RESEARCH harmj0y - https://blog.harmj0y.net/ PyroTek3 - https://adsecurity.org/ nikhil_mitt - https://www.labofapenetrationtester.com/ _nullbind - https://blog.netspi.com/author/scott-sutherland/ PowerView authors - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
  • 8. 8 Confidential & Proprietary PREVIOUS RESEARCH PowerView  Part of PowerSploit  Recon module  Basis of PowerShell ingestor in BloodHound  PowerShell AD module hooks  LDAP/.NET  WMI  Win32 API
  • 9. 9 Confidential & Proprietary9 Confidential & Proprietary ACTIVE DIRECTORY BASICS
  • 10. 10 Confidential & Proprietary ACTIVE DIRECTORY BASICS What is Active Directory?  Microsoft’s Directory Service  Directory Service – provides resource and network mappings for objects distributed across a network  Includes wide variety of directory services - Federation services, Lightweight directory services etc.  Domain Services – hierarchical and scalable infrastructure for object management  Domain Services is our focus
  • 11. 11 Confidential & Proprietary ACTIVE DIRECTORY BASICS What are the key components of Domain Services? Forest Tree Domains
  • 12. 12 Confidential & Proprietary ACTIVE DIRECTORY BASICS  Domain - security boundary, collection of objects  Domain Controller – server(s) where Active Directory is installed  Users and Computers – security principals, represent physical entities on the domain  OU – containers for users/groups/computers, easy to apply group policies or delegation  Groups – collection of users/computers where access control can be applied
  • 13. 13 Confidential & Proprietary ACTIVE DIRECTORY BASICS Accessing Domain Services  Active Directory Service Interfaces (ADSI)  COM interfaces for managing network resources  OLE DB provider for ADSI used in SQL Server and PowerUpSQL  LDAP provider  Lightweight Directory Access Protocol (LDAP/LDAPS)  LDAP is AD’s access protocol  Used to send and retrieve domain information  Supports different authentication methods
  • 14. 14 Confidential & Proprietary ACTIVE DIRECTORY BASICS LDAP basics  Entry – collection of attributes  DN – unique identifier for an entry ex. cn=test test,dc=demo,dc=com  Attributes – LDAP data identified by predefined names ex. sAMAccountName  Scope – specifies search objects ex. WholeSubtree  Filters – used to select data within a search ex. Groups (&(objectCategory=group)(SamAccountName=*))
  • 15. 15 Confidential & Proprietary ACTIVE DIRECTORY BASICS Useful LDAP filters  Users - (&(objectCategory=person)(objectClass=user)(SamAccountName=*))  Locked Users - (&(sAMAccountType=805306368)(lockoutTime>=1))  Computers - (&(objectCategory=Computer)(SamAccountName=*))  DCs - (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))  SPNs - (servicePrincipalName=*)  Groups - (&(objectClass=group)(samaccountname=*))  Domain Admins - (&(objectCategory=user)(memberOf=DomainAdminDN))  OUs - (&(objectCategory=organizationalUnit)(ou=*))
  • 16. 16 Confidential & Proprietary16 Confidential & Proprietary POWERUPSQL
  • 17. 17 Confidential & Proprietary POWERUPSQL What is PowerUpSQL?  Written in PowerShell  SQL Server discovery  Weak configuration auditing  Privilege escalation  Post exploitation  Hacking SQL Server on scale
  • 18. 18 Confidential & Proprietary POWERUPSQL Why SQL Server?  Popular in enterprise environments  Integration with Windows services  Vertical escalation opportunities on the domain Why PowerShell?  Native to Windows  Runs commands in memory  Often flagged as trusted  May need to start obfuscating or disabling security features soon…
  • 19. 19 Confidential & Proprietary POWERUPSQL PowerUpSQL wiki  https://github.com/NetSPI/PowerUpSQL/wiki/Active-Directory-Recon- Functions  Setup instructions  Cheat Sheets!  Documentation  Resource Links
  • 20. 20 Confidential & Proprietary POWERUPSQL PowerUpSQL setup  Import-Module PowerUpSQL.psd1  Install-Module -Name PowerUpSQL  IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com /NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")  &([scriptblock]::Create((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/ PowerUpSQL/master/PowerUpSQL.ps1")))
  • 21. 21 Confidential & Proprietary POWERUPSQL
  • 22. 22 Confidential & Proprietary POWERUPSQL Getting started  Get-Command –Module PowerUpSQL –Name 'Get-SQLDomain*'  Get-Help Get-SQLDomainUser
  • 23. 23 Confidential & Proprietary POWERUPSQL Getting started  Check out BlackHat Arsenal 2018 slides  https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa- arsenal-presentation
  • 24. 24 Confidential & Proprietary POWERUPSQL Active Directory information gathering with PowerUpSQL  OLE DB Active Directory Service Interfaces (ADSI) Provider  Two main methods  OPENQUERY (Linked server)  OPENROWSET (Ad Hoc query)  OPENQUERY technique requires creating a SQL server link
  • 25. 25 Confidential & Proprietary POWERUPSQL OPENQUERY method  Linked Server  Configured to run queries in another instance of SQL Server or in another DB  Can also be used to allow data access from outside of SQL Server  ADSI Linked Server  OPENQUERY  Executes a pass through query on specified linked server  Server can be OLE DB data source
  • 26. 26 Confidential & Proprietary POWERUPSQL OPENROWSET method  Ad Hoc Queries  Disabled by default  Needs to be enabled and is done by default in PowerUpSQL  OPENROWSET  One time connection to access remote data through OLE DB  Alternative to linked servers
  • 27. 27 Confidential & Proprietary POWERUPSQL OPENQUERY - Creating a SQL Server Link -- Create SQL Server link to ADSI IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0 EXEC master.dbo.sp_addlinkedserver @server = N'ADSI', @srvproduct=N'Active Directory Service Interfaces', @provider=N'ADSDSOObject', @datasrc=N'adsdatasource' ELSE SELECT 'The target SQL Server link already exists.'
  • 28. 28 Confidential & Proprietary POWERUPSQL OPENQUERY -- Define authentication context - OPENQUERY EXEC sp_addlinkedsrvlogin @rmtsrvname=N'ADSI', @useself=N'True', @locallogin=NULL, @rmtuser=NULL, @rmtpassword=NULL GO -- Use OPENQUERY SELECT * FROM OPENQUERY([ADSI],'<LDAP://path>;(&(objectCategory=Person)(objectClass =user));name, adspath;subtree')
  • 29. 29 Confidential & Proprietary POWERUPSQL OPENROWSET -- Enable 'Show Advanced Options' EXEC sp_configure 'Show Advanced Options', 1 RECONFIGURE GO -- Enable 'Ad Hoc Distributed Queries' EXEC sp_configure 'Ad Hoc Distributed Queries', 1 RECONFIGURE GO -- Run with openrowset SELECT * FROM OPENROWSET('ADSDSOOBJECT','adsdatasource', '<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name, adspath;subtree')
  • 30. 30 Confidential & Proprietary POWERUPSQL  Get-SQLDomainAccountPolicy  Get-SQLDomainComputer  Get-SQLDomainController  Get-SQLDomainExploitableSystem  Get-SQLDomainGroup  Get-SQLDomainGroupMember  Get-SQLDomainObject  Get-SQLDomainOu  Get-SQLDomainPasswordsLAPS  Get-SQLDomainSite  Get-SQLDomainSubnet  Get-SQLDomainTrust  Get-SQLDomainUser
  • 31. 31 Confidential & Proprietary POWERUPSQL Demo - Linked Server via OPENQUERY
  • 32. 32 Confidential & Proprietary POWERUPSQL Demo - Linked Server via OPENQUERY
  • 33. 33 Confidential & Proprietary POWERUPSQL Demo - Ad Hoc queries via OPENROWSET
  • 34. 34 Confidential & Proprietary POWERUPSQL Demo - Ad Hoc queries via OPENROWSET
  • 35. 35 Confidential & Proprietary POWERUPSQL Demo – Grabbing LAPS passwords
  • 36. 36 Confidential & Proprietary POWERUPSQL OPENQUERY Domain User – Public Domain User – Sysadmin SQL Login – Public SQL Login – Sysadmin Provided Domain User Access X No X No X No X X No X X No X Yes X X Yes X X Yes
  • 37. 37 Confidential & Proprietary POWERUPSQL OPENROWSET Domain User – Public Domain User – Sysadmin SQL Login – Public SQL Login – Sysadmin Provided Domain User Access X No X No X X No X X No X Yes X Yes X X Yes X X Yes
  • 38. 38 Confidential & Proprietary POWERUPSQL Alternate Credentials  Sysadmin login to SQL Server and Windows domain credentials authenticate to LDAP Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -Username sa -Password 'Pass123!' -LinkUsername 'demoadministrator' -LinkPassword 'BestPasswordEver!’  Sysadmin login to SQL Server and SQL Server Service account authenticate to LDAP Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -UseAdHoc -Username sa - Password 'Pass123!'
  • 39. 39 Confidential & Proprietary POWERUPSQL PowerUpSQL caveats  Need sysadmin privileges to return data  Multi-valued attributes cannot be returned  Description, memberof  Multi-valued attributes not supported by OLE DB ADSI provider “Msg 7346, Level 16, State 2, Line 1 Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow.”  SQL CLR workaround  Paging not supported  Max results returned limited  Default set at 1000 in Windows Server 2012
  • 40. 40 Confidential & Proprietary40 Confidential & Proprietary GODDI
  • 41. 41 Confidential & Proprietary GODDI What is goddi?  go dump domain info  Active Directory information gathering tool written in Go  Cross platform compile and compatibility  Performs well in larger environments  Uses go library  gopkg.in/ldap.v2
  • 42. 42 Confidential & Proprietary GODDI goddi setup  Use the binaries in the Releases section  Build it yourself  Ensure go environment is set up  https://golang.org/doc/code.html  go get gopkg.in/ldap.v2
  • 43. 43 Confidential & Proprietary GODDI Active Directory information gathering with goddi  LDAP  gopkg.in/ldap.v2  Dial and Bind  Golang tls.Client  Supports TLS on 636, startTLS, plaintext dial  Default is TLS connection  Certificates managed through tls.Certificates  Need to provide certs on Linux
  • 44. 44 Confidential & Proprietary GODDI Optimizations  Querying for objectCategory when possible  Indexing  Only querying for attributes needed  Optimize search results and time  Paging  AD default is 1000 results  goddi paging set to 200 results  Prevents client blocking  Reduces memory stress on DC and avoids heavy query detection
  • 45. 45 Confidential & Proprietary GODDI func GetLAPS(conn *ldap.Conn, baseDN string) { attributes := []string{ "dNSHostName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"} filter := "(objectCategory=Computer)" sr := ldapSearch(baseDN, filter, attributes, conn)
  • 46. 46 Confidential & Proprietary GODDI Feature List  Users  Computers  DCs  SPNs  Groups  OUs  LAPS passwords  GPP passwords  Sensitive data checks – description attribute  And more
  • 47. 47 Confidential & Proprietary GODDI LAPS  Local Administrator Password Solution  Passwords stored in Active Directory  Password access can be limited with ACLs  ms-mcs-AdmPwd  Attribute that stores cleartext password  Domain Admin privileges needed to read  ms-mcs-AdmPwdExpirationTime  attribute stores password reset date/time  Authenticated users can read
  • 48. 48 Confidential & Proprietary GODDI GPP  Group Policy Preference  Group Policy can be used to change local administrator passwords  XML files can contain encrypted cpassword if provided  AES 256 bit encrypted  demo.localSYSVOLdemo.localPolicies...
  • 49. 49 Confidential & Proprietary GODDI GPP  https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70- 1f2fa45dd4be.aspx  Authenticated users have access to SYSVOL  “Fixed” in May 2014
  • 50. 50 Confidential & Proprietary GODDI GPP  ...MachinePreferencesGroupsGroups.xml  ...UserPreferencesGroupsGroups.xml  ...MachinePreferencesServicesServices.xml  ...UserPreferencesServicesServices.xml  ...MachinePreferencesScheduledtasksScheduledtasks.xml  ...UserPreferencesScheduledtasksScheduledtasks.xml  ...MachinePreferencesDataSourcesDataSources.xml  ...UserPreferencesDataSourcesDataSources.xml  ...MachinePreferencesPrintersPrinters.xml  ...UserPreferencesPrintersPrinters.xml  ...MachinePreferencesDrivesDrives.xml  ...UserPreferencesDrivesDrives.xml
  • 51. 51 Confidential & Proprietary GODDI Demo – Windows
  • 52. 52 Confidential & Proprietary GODDI Demo – Linux
  • 53. 53 Confidential & Proprietary GODDI
  • 54. 54 Confidential & Proprietary GODDI Output  CSV output  Creates csv directory
  • 55. 55 Confidential & Proprietary GODDI goddi caveats  Need to supply credentials every time  Does not run from current user context as PowerUpSQL or PowerView  Certificates can be tricky  Need to import them on Linux  GetGPP  Uses “net use” and “mount”  Needs more robust error handling  Need to improve XML parsing  Underlying library requires case sensitive attributes
  • 56. 56 Confidential & Proprietary GODDI goddi Roadmap – ADSI and COM  Best solution for using user’s current Windows security context  Use the IADs interfaces (inherit from IDispatch)  Requires lower level system calls var mod = syscall.LoadDLL("ole32.dll") var proc = mod.FindProc("CoCreateInstanceEx") ret, _, _ := proc.Call(...)  go-ole library
  • 57. 57 Confidential & Proprietary57 Confidential & Proprietary DETECTION
  • 58. 58 Confidential & Proprietary DETECTION Setting Up Logging Options  HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics  LDAP Interface Events  Field Engineering
  • 59. 59 Confidential & Proprietary DETECTION Windows Event IDs  2889 – LDAP bind without signing or cleartext connection  1644 – Costly LDAP searches  https://docs.microsoft.com/en-us/windows-server/identity/ad- ds/manage/component-updates/directory-services-component-updates
  • 60. 60 Confidential & Proprietary DETECTION
  • 61. 61 Confidential & Proprietary DETECTION
  • 62. 62 Confidential & Proprietary62 Confidential & Proprietary WRAPPING UP
  • 63. 63 Confidential & Proprietary WRAPPING UP Thanks!  Everyone on the Previous Research slide  Scott Sutherland  Karl Fosaaen  Kevin Robertson  PowerUpSQL and goddi contributors  Everyone at this talk!
  • 64. 64 Confidential & Proprietary WRAPPING UP References  Everyone on the Previous Research slide  Fancy Gopher, by Renée French, https://blog.golang.org/gophergala/fancygopher.jpg
  • 65. MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS https://www.netspi.com https://www.facebook.com/netspi @NetSPI https://www.slideshare.net/NetSPI