Active Directory Enumeration with ChatGPT

I’ve not slept well for the last week and my brain is hurting, so I thought I would see if I can take our lovely new SKYNET overload AI “CHATGPT” and make it do all my work for me!

A common vulnerability in systems like Active Directory is where a system administrator writes a password in the description field. So the easy answer to this is DO NOT DO THIS. However during penetration testing we want to check. There’s tons of ways to do this but I thought I’d ask our AI roboto to help, so let’s see!

Hacking

Active Directory Security Cheat Sheet

Ok you need to do some AD Security Auditing or Security Testing/Exploitation, great. Let’s look at some of the common misconfigurations and some tools to help you, a list of things will obviously not be the answer, you will need a method and process to go through from recon/enumeration through to exploitation and impact (effects), but that’s what google is for (and CTFs/Labs)! This post is just me jotting down some notes, hopefully they help defenders think about improving their posture.

Defense

How to restore AdminSDHolder Object Permissions using ADSIedit

Ok so the other day “we” as a community put out some guidance around post active directory compromise actions for when you can’t simply nuke the forest from orbit. Well, following on from that a friend asked about how to restore AdminSDHolder permissions? Read more “How to restore AdminSDHolder Object Permissions using ADSIedit” →

Guides

Rapid Active Directory Security Testing of Windows Server 2022…

Introduction

Ever needed to test active directory in a hurry? Well, here’s some common commands to test active directory domain services. In this post today we are going to focus on DNS and username enumeration, there are however a range of weaknesses you want to look for:

SMB Null Session/Guest Access
LDAP Null Bind
Sensitive Information Disclosure
Weak Password Policies
Unpatched Software Vulnerabilities

Active Recon

Port Scanning and Service Fingerprinting

nmap -p- -sC -sV -Pn -v -A -oA ecorp.local.txt 192.168.1.22

Domain Name and Domain Controller Enumeation

Guides

From Zero to DA using ‘PetitPotam’

Introduction

Whilst I was on ‘holiday’ (seriously even when on holiday I almost always must do some work!) a few Windows vulnerabilities were published. Great work by Gilles Lionel, Benjamin Delpy and many many others!

Lab Setup

A Domain Controller
A Separate ADCS Install with Web Enrolment or two DCs one with ADCS installed.
A windows Client Device (non-domain joined)
An attacker device (I used Kali)

You do not need any domain credentials to conduct this exploit chain, so from a network adjacent unauthenticated position you can get DA with the right circumstances (default configuration). Read more “From Zero to DA using ‘PetitPotam’” →

CTF

How to enable NULL Bind on LDAP with Windows…

History of NULL bind

Back in the early Active Directory days NULL bind was actually enabled by default, these days you can get a rootDSE NULL bind out of the box but on Windows Server 2019 you can even disable this!

So why would I want to enable NULL bind? Well, some legacy apps may need it but generally speaking you don’t want NULL bind enabled.

The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019” →

Defense

Active Directory Effective Permission Auditing

Active directory permissions are a complex beast, at the core of Active Directory you have databases and partitions.

These have access controls lists, there are two types of these:

DACL
SACL

https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists

In active directory auditing these with out of the box tools can be a pain, especially when you are looking to enumerate effective permissions. Luckily a nice chap as made a great PowerShell app which can help you with your auditing activities! Read more “Active Directory Effective Permission Auditing” →

Defense

Retrieving Passwords From Veeam Backup Servers

Firstly before we get into recovering passwords from the veeam servers we have to think why is this technique so important to know?

It’s not what you think, so if you are a red teamer/penetration tester then sure you are going to want to know this to support your goals. But the real value in knowing this is to drive home a specific message.

DO NOT (PRODUCTION) DOMAIN JOIN BACKUP SERVERS

Veeam expicitly suports not being on a domain for this very reason. Why Dan? Why is it so important to not (PRODUCTION) domain join them? Well my friends, if a threat actor gets into your network, gains high priviledge access to active directory and get’s onto you veeam server they will probably disrupt and destroy your backup just prior to ransoming everyhing they can. You do no want this!

Defense

New Year , New You! Securing Active Directory

By default, a ‘domain user’ can read mostly everything in active directory. I’m not sure every sysadmin knows this as I often find passwords stored in the description filed (see the example screenshot, this was from a domain user with no third-party tools leveraged). Read more “New Year , New You! Securing Active Directory” →