WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

USING POWERUPSQL AND GODDI FOR
ACTIVE DIRECTORY INFORMATION
GATHERING
THOMAS ELLING

2 Confidential & Proprietary
ABOUT
Thomas Elling
 Web Application and Network Pentester at NetSPI
 PowerUpSQL contributor
 goddi (go dump domain info) creator
 I liked the Venom movie
 Twitter: @thomas_elling
 Slideshare: slideshare.net/thomaselling1
 Blog: blog.netspi.com

PRESENTATION OVERVIEW
 Previous Research
 Active Directory Basics
 PowerUpSQL overview
 Install instructions
 Methodology
 Demo
 goddi overview
 Install instructions
 Methodology
 Demo
 Detection

INTRODUCTION
Why is Active Directory Information Gathering useful?
 Situational Awareness
 What am I looking for?
 Escalation Paths
 Where are privileged users logged in?
 Identify Misconfigurations
 Are there passwords in the Description attribute?

INTRODUCTION
Why PowerUpSQL and goddi?
 AD information gathering alternatives
 Using SQL Server and ADSI
 Using golang and LDAP
 Does not use typical PowerShell AD functions

6 Confidential & Proprietary6 Confidential & Proprietary
PREVIOUS RESEARCH

PREVIOUS RESEARCH
harmj0y - https://blog.harmj0y.net/
PyroTek3 - https://adsecurity.org/
nikhil_mitt - https://www.labofapenetrationtester.com/
_nullbind - https://blog.netspi.com/author/scott-sutherland/
PowerView authors -
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

PREVIOUS RESEARCH
PowerView
 Part of PowerSploit
 Recon module
 Basis of PowerShell ingestor in BloodHound
 PowerShell AD module hooks
 LDAP/.NET
 WMI
 Win32 API

ACTIVE DIRECTORY BASICS

What is Active Directory?
 Microsoft’s Directory Service
 Directory Service – provides resource and network mappings for objects
distributed across a network
 Includes wide variety of directory services - Federation services, Lightweight
directory services etc.
 Domain Services – hierarchical and scalable infrastructure for object
management
 Domain Services is our focus

What are the key components of Domain Services?
Forest Tree
Domains

 Domain - security boundary, collection of objects
 Domain Controller – server(s) where Active Directory is installed
 Users and Computers – security principals, represent physical entities on the
domain
 OU – containers for users/groups/computers, easy to apply group policies or
delegation
 Groups – collection of users/computers where access control can be applied

Accessing Domain Services
 Active Directory Service Interfaces (ADSI)
 COM interfaces for managing network resources
 OLE DB provider for ADSI used in SQL Server and PowerUpSQL
 LDAP provider
 Lightweight Directory Access Protocol (LDAP/LDAPS)
 LDAP is AD’s access protocol
 Used to send and retrieve domain information
 Supports different authentication methods

LDAP basics
 Entry – collection of attributes
 DN – unique identifier for an entry ex. cn=test test,dc=demo,dc=com
 Attributes – LDAP data identified by predefined names ex. sAMAccountName
 Scope – specifies search objects ex. WholeSubtree
 Filters – used to select data within a search ex. Groups
(&(objectCategory=group)(SamAccountName=*))

Useful LDAP filters
 Users - (&(objectCategory=person)(objectClass=user)(SamAccountName=*))
 Locked Users - (&(sAMAccountType=805306368)(lockoutTime>=1))
 Computers - (&(objectCategory=Computer)(SamAccountName=*))
 DCs -
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
 SPNs - (servicePrincipalName=*)
 Groups - (&(objectClass=group)(samaccountname=*))
 Domain Admins - (&(objectCategory=user)(memberOf=DomainAdminDN))
 OUs - (&(objectCategory=organizationalUnit)(ou=*))

POWERUPSQL

POWERUPSQL
What is PowerUpSQL?
 Written in PowerShell
 SQL Server discovery
 Weak configuration auditing
 Privilege escalation
 Post exploitation
 Hacking SQL Server on scale

POWERUPSQL
Why SQL Server?
 Popular in enterprise environments
 Integration with Windows services
 Vertical escalation opportunities on the domain
Why PowerShell?
 Native to Windows
 Runs commands in memory
 Often flagged as trusted
 May need to start obfuscating or disabling security features soon…

POWERUPSQL
PowerUpSQL wiki
 https://github.com/NetSPI/PowerUpSQL/wiki/Active-Directory-Recon-
Functions
 Setup instructions
 Cheat Sheets!
 Documentation
 Resource Links

POWERUPSQL
PowerUpSQL setup
 Import-Module PowerUpSQL.psd1
 Install-Module -Name PowerUpSQL
 IEX(New-Object
System.Net.WebClient).DownloadString("https://raw.githubusercontent.com
/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")
 &([scriptblock]::Create((new-object
net.webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/
PowerUpSQL/master/PowerUpSQL.ps1")))

POWERUPSQL

POWERUPSQL
Getting started
 Get-Command –Module PowerUpSQL –Name 'Get-SQLDomain*'
 Get-Help Get-SQLDomainUser

POWERUPSQL
Getting started
 Check out BlackHat Arsenal 2018 slides
 https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa-
arsenal-presentation

POWERUPSQL
Active Directory information gathering with PowerUpSQL
 OLE DB Active Directory Service Interfaces (ADSI) Provider
 Two main methods
 OPENQUERY (Linked server)
 OPENROWSET (Ad Hoc query)
 OPENQUERY technique requires creating a SQL server link

POWERUPSQL
OPENQUERY method
 Linked Server
 Configured to run queries in another instance of SQL Server or in another DB
 Can also be used to allow data access from outside of SQL Server
 ADSI Linked Server
 OPENQUERY
 Executes a pass through query on specified linked server
 Server can be OLE DB data source

POWERUPSQL
OPENROWSET method
 Ad Hoc Queries
 Disabled by default
 Needs to be enabled and is done by default in PowerUpSQL
 OPENROWSET
 One time connection to access remote data through OLE DB
 Alternative to linked servers

POWERUPSQL
OPENQUERY - Creating a SQL Server Link
-- Create SQL Server link to ADSI
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0
EXEC master.dbo.sp_addlinkedserver @server = N'ADSI',
@srvproduct=N'Active Directory Service Interfaces',
@provider=N'ADSDSOObject',
@datasrc=N'adsdatasource'
ELSE
SELECT 'The target SQL Server link already exists.'

POWERUPSQL
OPENQUERY
-- Define authentication context - OPENQUERY
EXEC sp_addlinkedsrvlogin
@rmtsrvname=N'ADSI',
@useself=N'True',
@locallogin=NULL,
@rmtuser=NULL,
@rmtpassword=NULL
GO
-- Use OPENQUERY
SELECT *
FROM
OPENQUERY([ADSI],'<LDAP://path>;(&(objectCategory=Person)(objectClass
=user));name, adspath;subtree')

POWERUPSQL
OPENROWSET
-- Enable 'Show Advanced Options'
EXEC sp_configure 'Show Advanced Options', 1
RECONFIGURE
GO
-- Enable 'Ad Hoc Distributed Queries'
EXEC sp_configure 'Ad Hoc Distributed Queries', 1
RECONFIGURE
GO
-- Run with openrowset
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','adsdatasource',
'<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name,
adspath;subtree')

POWERUPSQL
 Get-SQLDomainAccountPolicy
 Get-SQLDomainComputer
 Get-SQLDomainController
 Get-SQLDomainExploitableSystem
 Get-SQLDomainGroup
 Get-SQLDomainGroupMember
 Get-SQLDomainObject
 Get-SQLDomainOu
 Get-SQLDomainPasswordsLAPS
 Get-SQLDomainSite
 Get-SQLDomainSubnet
 Get-SQLDomainTrust
 Get-SQLDomainUser

POWERUPSQL
Demo - Linked Server via OPENQUERY

POWERUPSQL
Demo - Ad Hoc queries via OPENROWSET

POWERUPSQL
Demo – Grabbing LAPS passwords

POWERUPSQL
OPENQUERY
Domain User
– Public
Domain User
– Sysadmin
SQL Login –
Public
SQL Login –
Sysadmin
Provided
Domain User
Access
X No
X No
X No
X X No
X X No
X Yes
X X Yes
X X Yes

POWERUPSQL
OPENROWSET
Domain User
– Public
Domain User
– Sysadmin
SQL Login –
Public
SQL Login –
Sysadmin
Provided
Domain User
Access
X No
X No
X X No
X X No
X Yes
X Yes
X X Yes
X X Yes

POWERUPSQL
Alternate Credentials
 Sysadmin login to SQL Server and Windows domain credentials authenticate
to LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -Username sa -Password
'Pass123!' -LinkUsername 'demoadministrator' -LinkPassword 'BestPasswordEver!’
 Sysadmin login to SQL Server and SQL Server Service account authenticate to
LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04SQLSERVER2014 -UseAdHoc -Username sa -
Password 'Pass123!'

POWERUPSQL
PowerUpSQL caveats
 Need sysadmin privileges to return data
 Multi-valued attributes cannot be returned
 Description, memberof
 Multi-valued attributes not supported by OLE DB ADSI provider
“Msg 7346, Level 16, State 2, Line 1 Cannot get the data of the row from the OLE DB provider
"ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than
sign mismatch or overflow.”
 SQL CLR workaround
 Paging not supported
 Max results returned limited
 Default set at 1000 in Windows Server 2012

GODDI

GODDI
What is goddi?
 go dump domain info
 Active Directory information gathering tool written in Go
 Cross platform compile and compatibility
 Performs well in larger environments
 Uses go library
 gopkg.in/ldap.v2

GODDI
goddi setup
 Use the binaries in the Releases section
 Build it yourself
 Ensure go environment is set up
 https://golang.org/doc/code.html
 go get gopkg.in/ldap.v2

GODDI
Active Directory information gathering with goddi
 LDAP
 gopkg.in/ldap.v2
 Dial and Bind
 Golang tls.Client
 Supports TLS on 636, startTLS, plaintext dial
 Default is TLS connection
 Certificates managed through tls.Certificates
 Need to provide certs on Linux

GODDI
Optimizations
 Querying for objectCategory when possible
 Indexing
 Only querying for attributes needed
 Optimize search results and time
 Paging
 AD default is 1000 results
 goddi paging set to 200 results
 Prevents client blocking
 Reduces memory stress on DC and avoids heavy query detection

GODDI
func GetLAPS(conn *ldap.Conn, baseDN string) {
attributes := []string{
"dNSHostName",
"ms-Mcs-AdmPwd",
"ms-Mcs-AdmPwdExpirationTime"}
filter := "(objectCategory=Computer)"
sr := ldapSearch(baseDN, filter, attributes, conn)

GODDI
Feature List
 Users
 Computers
 DCs
 SPNs
 Groups
 OUs
 LAPS passwords
 GPP passwords
 Sensitive data checks – description attribute
 And more

GODDI
LAPS
 Local Administrator Password Solution
 Passwords stored in Active Directory
 Password access can be limited with ACLs
 ms-mcs-AdmPwd
 Attribute that stores cleartext password
 Domain Admin privileges needed to read
 ms-mcs-AdmPwdExpirationTime
 attribute stores password reset date/time
 Authenticated users can read

GODDI
GPP
 Group Policy Preference
 Group Policy can be used to change local administrator passwords
 XML files can contain encrypted cpassword if provided
 AES 256 bit encrypted
 demo.localSYSVOLdemo.localPolicies...

GODDI
GPP
 https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-
1f2fa45dd4be.aspx
 Authenticated users have access to SYSVOL
 “Fixed” in May 2014

GODDI
GPP
 ...MachinePreferencesGroupsGroups.xml
 ...UserPreferencesGroupsGroups.xml
 ...MachinePreferencesServicesServices.xml
 ...UserPreferencesServicesServices.xml
 ...MachinePreferencesScheduledtasksScheduledtasks.xml
 ...UserPreferencesScheduledtasksScheduledtasks.xml
 ...MachinePreferencesDataSourcesDataSources.xml
 ...UserPreferencesDataSourcesDataSources.xml
 ...MachinePreferencesPrintersPrinters.xml
 ...UserPreferencesPrintersPrinters.xml
 ...MachinePreferencesDrivesDrives.xml
 ...UserPreferencesDrivesDrives.xml

GODDI
Demo – Windows

GODDI
Demo – Linux

GODDI

GODDI
Output
 CSV output
 Creates csv directory

GODDI
goddi caveats
 Need to supply credentials every time
 Does not run from current user context as PowerUpSQL or PowerView
 Certificates can be tricky
 Need to import them on Linux
 GetGPP
 Uses “net use” and “mount”
 Needs more robust error handling
 Need to improve XML parsing
 Underlying library requires case sensitive attributes

GODDI
goddi Roadmap – ADSI and COM
 Best solution for using user’s current Windows security context
 Use the IADs interfaces (inherit from IDispatch)
 Requires lower level system calls
var mod = syscall.LoadDLL("ole32.dll")
var proc = mod.FindProc("CoCreateInstanceEx")
ret, _, _ := proc.Call(...)
 go-ole library

DETECTION

DETECTION
Setting Up Logging Options
 HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics
 LDAP Interface Events
 Field Engineering

DETECTION
Windows Event IDs
 2889 – LDAP bind without signing or cleartext connection
 1644 – Costly LDAP searches
 https://docs.microsoft.com/en-us/windows-server/identity/ad-
ds/manage/component-updates/directory-services-component-updates

DETECTION

WRAPPING UP

WRAPPING UP
Thanks!
 Everyone on the Previous Research slide
 Scott Sutherland
 Karl Fosaaen
 Kevin Robertson
 PowerUpSQL and goddi contributors
 Everyone at this talk!

WRAPPING UP
References
 Everyone on the Previous Research slide
 Fancy Gopher, by Renée French,
https://blog.golang.org/gophergala/fancygopher.jpg

MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
https://www.netspi.com
https://www.facebook.com/netspi
@NetSPI
https://www.slideshare.net/NetSPI

WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

More Related Content

What's hot (20)

Similar to WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering (20)

Recently uploaded (20)

WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering