Summer has officially ended and Autumn is setting in. As the leaves begin to fall and September draws to a close, it’s a perfect time to sit back and reflect on the metasploit modules that filled our Summer months with joy. In the third installment of our “Module of the Month” series we examine enum_ad_computers, a post-exploitation module that combines the flexibility of LDAP queries in an Active Directory domain with the power of metasploit. Leveraging the abilities of the two allows an attacker to expedite information gathering following compromise. Note that the examples throughout this post are being made from an account that has authenticated to the domain, but does not have local or domain administrative privileges. Administrative privileges are not required to execute LDAP queries.
Situational awareness in a Windows domain is essential to escalation. Following compromise of a user’s machine, an attacker may drop into shell and execute some commands to expand their attack surface or identify specific targets. For example, enumerating all the domain users is a great way to cast a wider net when phishing and social engineering are in scope:
Another basic step is identifying the domain controller, perhaps via the “nslookup” command or printing the LOGONSERVER path variable:
Armed with these commands, why resort to LDAP queries? LDAP (Lightweight Directory Access Protocol) queries, though arguably more complicated, are also more flexible, and can be tailored to return the specific pieces of information that penetration testers seek. Not surprisingly, a metasploit module already exists to harness the LDAP queries. Located within the post/windows/gather path, the gather_ad_computers module allows attackers to craft refined LDAP queries from the comfort of msfconsole.
The options of primary importance within the gather_ad_computers module are FIELDS and FILTER. The fields are the AD fields from which LDAP will query information, within the constraints imposed by the filter. Take the default settings as an example:
FIELDS dNSHostName,distinguishedName,description,operatingSystem,operatingSystemServicePack FILTER (&(objectCategory=computer)(operatingSystem=*server*))
Running the query with these parameters will search for the host name, the distinguished name (a field that displays the unique object within its hierarchical AD context), a description (if the administrator was so kind as to include one), and the self-explanatory operating system and its service pack. The filter in use ensures that this query will only return results that are computers, containing the word “server” within the “operatingSystem” field. In the tiny domain used in this post, it produces the following output:
If an attacker wanted a list of all computers, he or she could simply remove the (operatingSystem=*server*) filter, and receive the following result, which now includes the single workstation on this tiny test domain:
One of the beautiful things about executing these queries through metasploit is the ability to utilize its database. Setting the “STORE_DB” value to true will resolve the IPs on identified hosts, storing them within the selected workspace:
If the attacker chooses to focus on users as opposed to (or in addition to) computers, he or she simply has to change the object category and select some more appropriate fields:
set FILTER (&(objectCategory=person)) set FIELDS distinguishedName,name,description,mail
If the description and mail fields within AD are both filled out, this sort of query has the potential to quickly expand the social engineering attack surface. (Note that this output is very similar to the enum_ad_users post-exploitation module).
The filters and fields can be refined to a much higher degree of granularity than in the examples above. In fact, the technet page referenced in the module’s information lists many useful queries, several of which are repeated below:
Enumerate domain controllers:
set FILTER (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
Find servers that aren’t DCs:
set FILTER (&(objectCategory=computer)(operatingSystem=*server*)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
User workstations / non-server computers:
set FILTER (&(objectCategory=computer)(!(operatingSystem=*server*))
Enabled user accounts:
set FILTER (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Disabled user accounts:
set FILTER (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Users with passwords that do not expire:
set FILTER (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
User accounts that start with “adm” (as in administrator):
set FILTER (&(objectCategory=person)(objectClass=user)(cn=adm*))
By combining these detailed queries into a logical sequence with a simple resource script that also sets the appropriate fields, an attacker can maximize the efficiency of the information gathering phase:
Look over the range of possible LDAP queries and consider how they can elicit the information necessary to plan and execute the next stages of an attack. enum_ad_computers is a perfect way to combine those queries with the tried-and-true capabilities of metasploit.
Happy hunting and happy Fall. digby sends.
