OR How to Pentest with AD Explorer!
Mark Russinovich’s Sysinternals tools (Microsoft) are nothing new. They have been a favorite among system administrators for many, many years. Maybe a little less known is that they are super helpful for pentesters too! One of my favorites is AD Explorer. My colleague Dave Fletcher, who has worn many hats including that of sysadmin extraordinaire, reminded me of this tool on an engagement and I have been using it on internal assessments faithfully ever since. Of course for organizations that expose domain controllers on the Internet this could be useful on external tests as well (read on for more about that using Shodan).
All you need is a domain account – any domain account – and you can talk to a domain controller and ask it to enumerate the domain for you. It will layout the OU structure, the user accounts, computer accounts. It may offer some help on finding juicy targets like privileged users and database servers.
Like all the Sysinternals tools, they are standalone executables, no installation required. So as long as you have write access somewhere you can download it from http://live.sysinternals.com.
But what if you don’t have write access or are not allowed to download executables? No worries, you can also give it the following UNC path directly from the Run box or an Explorer window and execute it without downloading the file to disk.
Click on an executable to load it directly into memory from Microsoft’s site
Let’s look at a couple examples of how awesome this tool is. First, you might find metadata giving you clues about an object like in the screenshot below. It looks like we found the CIO’s laptop. I don’t know about you but if I learn the machine name of the CIO’s computer I can’t resist finding a way to login there and grab their credentials from memory. That would typically be a pretty privileged account as well.
There may be other attributes with interesting information as well, such as the “info” attribute. In the example below, we show an AD record from a real test. The data is redacted but suffice it to say the data there is quite sensitive and presents some excellent social engineering opportunities (think password reset)!
If you need to find high-value target servers then more often than not the organization’s naming convention will help you with that. Servers are very frequently named according to their function, eg. with “SQL” or “Sharepoint” in the name.
The search feature in AD Explorer is also excellent and helps you slice and dice through the mountains of data to find just what you need. For example, do you need to identify the disabled accounts? Just select the userAccountControl attribute and search for values of 514. (Actually, the userAccountControl attribute is a value representing multiple flags, one of which is the “disabled” flag so there could be multiple values here that represent disabled accounts but the most common would be 514.)
If you have high enough privileges you can also add and modify objects and attributes. It doesn’t let you do as much as Active Directory Users and Computers but this feature still could be useful on a pentest. As a demo, I added the “Comment” attribute for user Grace in my test domain.
The tool also gives you the wonderful option of saving a snapshot…
…that you can copy off anywhere and open it back up in AD Explorer for your viewing pleasure.
Viewing a snapshot won’t let you make any changes but it is excellent for reconnaissance activities.
AD Explorer can also do a “diff” of two snapshots. How might this be useful on a pentest? Take a snapshot right away when you get access to the domain. Then after you have done some hacking and cracking and people start changing their passwords or disabling accounts you can take another snapshot and see who has changed their passwords or which are disabled. As far as I can tell, AD Explorer does not allow you to modify passwords or change the status from disabled to enabled (even as DA) but at least you can check and avoid disabled accounts to stay a bit stealthier using this method.
Now, about the external testing…..What if you do a Shodan search for DCs that are exposed on the Internet and log on to one that way? Of course, you’ll need to come up with a domain account if you want to connect to the server using AD Explorer. The search below is for two common LDAP ports and a hostname that contains the letters “DC”. There are plenty out there accessible from the Internet surprisingly enough.
Or take it a step further and add in port 445 to find Domain Controllers that may be vulnerable to some of the freshly leaked SMB exploits from Shadow Brokers. (Note: Not all these hits have all three ports open.)
A compromise of one of these servers could represent the compromise of an entire domain. Yikes. Make sure your organization is not on this list!
If you know of any other cool tricks with AD Explorer please let us know!