USING POWERUPSQL AND GODDI FOR ACTIVE DIRECTORY INFORMATION GATHERING
THOMAS ELLING
2 Confidential & Proprietary
ABOUT
Thomas Elling
• Web Application and Network Pentester at NetSPI
• PowerUpSQL contributor
• goddi (go dump domain info) creator
• I liked the Venom movie
• Twitter: @thomas_elling
• Slideshare: slideshare.net/thomaselling1
• Blog: blog.netspi.com
PRESENTATION OVERVIEW
• Previous Research
• Active Directory Basics
• PowerUpSQL overview
  ◦ Install instructions
  ◦ Methodology
  ◦ Demo
• goddi overview
  ◦ Install instructions
  ◦ Methodology
  ◦ Demo
• Detection
INTRODUCTION
Why is Active Directory Information Gathering useful?
• Situational Awareness
  ◦ What am I looking for?
• Escalation Paths
  ◦ Where are privileged users logged in?
• Identify Misconfigurations
  ◦ Are there passwords in the Description attribute?
INTRODUCTION
Why PowerUpSQL and goddi?
• AD information gathering alternatives
  ◦ Using SQL Server and ADSI
  ◦ Using golang and LDAP
• Does not use typical PowerShell AD functions
PREVIOUS RESEARCH
harmj0y - https://blog.harmj0y.net/
PyroTek3 - https://adsecurity.org/
nikhil_mitt - https://www.labofapenetrationtester.com/
_nullbind - https://blog.netspi.com/author/scott-sutherland/
PowerView authors - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
PREVIOUS RESEARCH
PowerView
• Part of PowerSploit
  ◦ Recon module
• Basis of the PowerShell ingestor in BloodHound
• PowerShell AD module hooks
  ◦ LDAP/.NET
  ◦ WMI
  ◦ Win32 API
ACTIVE DIRECTORY BASICS
What is Active Directory?
• Microsoft’s Directory Service
• Directory Service – provides resource and network mappings for objects distributed across a network
• Includes a wide variety of directory services - Federation Services, Lightweight Directory Services, etc.
• Domain Services – hierarchical and scalable infrastructure for object management
• Domain Services is our focus
ACTIVE DIRECTORY BASICS
What are the key components of Domain Services?
(Diagram: Forest, Tree, Domains)
ACTIVE DIRECTORY BASICS
• Domain – security boundary, collection of objects
• Domain Controller – server(s) where Active Directory is installed
• Users and Computers – security principals; represent physical entities on the domain
• OU – containers for users/groups/computers; make it easy to apply group policies or delegation
• Groups – collections of users/computers to which access control can be applied
ACTIVE DIRECTORY BASICS
Accessing Domain Services
• Active Directory Service Interfaces (ADSI)
  ◦ COM interfaces for managing network resources
  ◦ OLE DB provider for ADSI used in SQL Server and PowerUpSQL
  ◦ LDAP provider
• Lightweight Directory Access Protocol (LDAP/LDAPS)
  ◦ LDAP is AD’s access protocol
  ◦ Used to send and retrieve domain information
  ◦ Supports different authentication methods
ACTIVE DIRECTORY BASICS
LDAP basics
• Entry – collection of attributes
• DN – unique identifier for an entry, e.g. cn=test test,dc=demo,dc=com
• Attributes – LDAP data identified by predefined names, e.g. sAMAccountName
• Scope – specifies which objects a search covers, e.g. WholeSubtree
• Filters – used to select data within a search, e.g. groups: (&(objectCategory=group)(SamAccountName=*))
ACTIVE DIRECTORY BASICS
Useful LDAP filters
• Users - (&(objectCategory=person)(objectClass=user)(SamAccountName=*))
• Locked Users - (&(sAMAccountType=805306368)(lockoutTime>=1))
• Computers - (&(objectCategory=Computer)(SamAccountName=*))
• DCs - (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
• SPNs - (servicePrincipalName=*)
• Groups - (&(objectClass=group)(samaccountname=*))
• Domain Admins - (&(objectCategory=user)(memberOf=DomainAdminDN))
• OUs - (&(objectCategory=organizationalUnit)(ou=*))
POWERUPSQL
What is PowerUpSQL?
• Written in PowerShell
• SQL Server discovery
• Weak configuration auditing
• Privilege escalation
• Post exploitation
• Hacking SQL Server on scale
POWERUPSQL
Why SQL Server?
• Popular in enterprise environments
• Integration with Windows services
• Vertical escalation opportunities on the domain
Why PowerShell?
• Native to Windows
• Runs commands in memory
• Often flagged as trusted
• May need to start obfuscating or disabling security features soon…
POWERUPSQL
PowerUpSQL wiki
• https://github.com/NetSPI/PowerUpSQL/wiki/Active-Directory-Recon-Functions
• Setup instructions
• Cheat Sheets!
• Documentation
• Resource Links
POWERUPSQL
PowerUpSQL setup
• Import-Module PowerUpSQL.psd1
• Install-Module -Name PowerUpSQL
• IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")
• &([scriptblock]::Create((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")))
POWERUPSQL
Getting started
• Get-Command -Module PowerUpSQL -Name 'Get-SQLDomain*'
• Get-Help Get-SQLDomainUser
POWERUPSQL
Getting started
• Check out the BlackHat Arsenal 2018 slides
  ◦ https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa-arsenal-presentation
POWERUPSQL
Active Directory information gathering with PowerUpSQL
• OLE DB Active Directory Service Interfaces (ADSI) Provider
• Two main methods
  ◦ OPENQUERY (Linked server)
  ◦ OPENROWSET (Ad Hoc query)
• The OPENQUERY technique requires creating a SQL Server link
POWERUPSQL
OPENQUERY method
• Linked Server
  ◦ Configured to run queries in another instance of SQL Server or in another DB
  ◦ Can also be used to allow data access from outside of SQL Server
  ◦ ADSI Linked Server
• OPENQUERY
  ◦ Executes a pass-through query on the specified linked server
  ◦ The server can be an OLE DB data source
POWERUPSQL
OPENROWSET method
• Ad Hoc Queries
  ◦ Disabled by default
  ◦ Need to be enabled; PowerUpSQL does this by default
• OPENROWSET
  ◦ One-time connection to access remote data through OLE DB
  ◦ Alternative to linked servers
POWERUPSQL
OPENQUERY - Creating a SQL Server Link
-- Create SQL Server link to ADSI
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0
    EXEC master.dbo.sp_addlinkedserver @server = N'ADSI',
        @srvproduct = N'Active Directory Service Interfaces',
        @provider = N'ADSDSOObject',
        @datasrc = N'adsdatasource'
ELSE
    SELECT 'The target SQL Server link already exists.'
POWERUPSQL
OPENQUERY
-- Define authentication context - OPENQUERY
EXEC sp_addlinkedsrvlogin
    @rmtsrvname = N'ADSI',
    @useself = N'True',
    @locallogin = NULL,
    @rmtuser = NULL,
    @rmtpassword = NULL
GO
-- Use OPENQUERY
SELECT *
FROM OPENQUERY([ADSI], '<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name,adspath;subtree')
POWERUPSQL
OPENROWSET
-- Enable 'Show Advanced Options'
EXEC sp_configure 'Show Advanced Options', 1
RECONFIGURE
GO
-- Enable 'Ad Hoc Distributed Queries'
EXEC sp_configure 'Ad Hoc Distributed Queries', 1
RECONFIGURE
GO
-- Run with OPENROWSET
SELECT *
FROM OPENROWSET('ADSDSOOBJECT', 'adsdatasource',
    '<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name,adspath;subtree')
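The filters on the "Useful LDAP filters" slide and the OPENQUERY/OPENROWSET statements above both end up as a filter string nested inside a larger string. The Go program below is an added example, not code from the slides or from PowerUpSQL: it builds the slide's filters from named constants (8192 is the SERVER_TRUST_ACCOUNT bit of userAccountControl, 805306368 is sAMAccountType for normal user objects), escapes run-time values per RFC 4515 so a supplied DN cannot widen the search, and assembles the `<LDAP://base>;filter;attributes;scope` string the ADSI provider expects, doubling single quotes so it can sit inside a T-SQL literal. The base DN DC=demo,DC=com and the link name ADSI are constructed values.

```go
package main

import (
	"fmt"
	"strings"
)

// Constants behind two of the filters on the "Useful LDAP filters" slide.
const (
	ldapMatchingRuleBitAnd = "1.2.840.113556.1.4.803" // LDAP_MATCHING_RULE_BIT_AND
	uacServerTrustAccount  = 0x2000                    // 8192: userAccountControl bit on DC computer accounts
	samNormalUserAccount   = 0x30000000                // 805306368: sAMAccountType of ordinary user objects
)

// EscapeFilterValue escapes an assertion value as RFC 4515 requires, so a value
// taken from input (a DN, a name) cannot close the component or add its own.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for _, c := range []byte(v) {
		switch {
		case c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c >= 0x80:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// Eq builds one (attr=value) component with the value escaped; And joins components.
func Eq(attr, value string) string { return "(" + attr + "=" + EscapeFilterValue(value) + ")" }
func And(parts ...string) string   { return "(&" + strings.Join(parts, "") + ")" }

// The slide's filters, assembled from the helpers. Wildcards are written literally
// and never passed through Eq, which would escape them.
func UsersFilter() string {
	return And("(objectCategory=person)", "(objectClass=user)", "(SamAccountName=*)")
}
func LockedUsersFilter() string {
	return And(fmt.Sprintf("(sAMAccountType=%d)", samNormalUserAccount), "(lockoutTime>=1)")
}
func DomainControllersFilter() string {
	return And("(objectCategory=computer)",
		fmt.Sprintf("(userAccountControl:%s:=%d)", ldapMatchingRuleBitAnd, uacServerTrustAccount))
}

// GroupMembersFilter is the Domain Admins filter with the group DN supplied at run
// time; escaping keeps a DN such as `CN=x)(cn=*` from widening the search.
func GroupMembersFilter(groupDN string) string {
	return And("(objectCategory=user)", Eq("memberOf", groupDN))
}

// ADSIQuery formats the LDAP dialect string the OLE DB ADSI provider expects:
// <LDAP://base>;filter;comma-separated attributes;scope. Single quotes are doubled
// so the result can be embedded in a T-SQL string literal.
func ADSIQuery(base, filter string, attrs []string, scope string) string {
	q := fmt.Sprintf("<LDAP://%s>;%s;%s;%s", base, filter, strings.Join(attrs, ","), scope)
	return strings.ReplaceAll(q, "'", "''")
}

// OpenQuerySQL wraps the query in the OPENQUERY form the slides use against the ADSI
// linked server; OpenRowsetSQL does the same for the ad hoc OPENROWSET form.
func OpenQuerySQL(link, base, filter string, attrs []string) string {
	return fmt.Sprintf("SELECT * FROM OPENQUERY([%s],'%s')", link, ADSIQuery(base, filter, attrs, "subtree"))
}
func OpenRowsetSQL(base, filter string, attrs []string) string {
	return fmt.Sprintf("SELECT * FROM OPENROWSET('ADSDSOOBJECT','adsdatasource','%s')",
		ADSIQuery(base, filter, attrs, "subtree"))
}

func main() {
	base := "DC=demo,DC=com" // constructed example domain
	fmt.Println(OpenQuerySQL("ADSI", base, UsersFilter(), []string{"name", "adspath"}))
	fmt.Println(OpenRowsetSQL(base, GroupMembersFilter("CN=Domain Admins,CN=Users,"+base), []string{"sAMAccountName"}))
	fmt.Println(DomainControllersFilter(), LockedUsersFilter())
}
```

Note that the attribute list cannot ask for multi-valued attributes such as memberOf or description through this provider (see the caveats slide); the escaping here protects the filter, not the result set.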
POWERUPSQL
• Get-SQLDomainAccountPolicy
• Get-SQLDomainComputer
• Get-SQLDomainController
• Get-SQLDomainExploitableSystem
• Get-SQLDomainGroup
• Get-SQLDomainGroupMember
• Get-SQLDomainObject
• Get-SQLDomainOu
• Get-SQLDomainPasswordsLAPS
• Get-SQLDomainSite
• Get-SQLDomainSubnet
• Get-SQLDomainTrust
• Get-SQLDomainUser
POWERUPSQL
Demo - Linked Server via OPENQUERY
Demo - Ad Hoc queries via OPENROWSET
Demo – Grabbing LAPS passwords
POWERUPSQL
OPENQUERY
Domain User
– Public
Domain User
– Sysadmin
SQL Login –
Public
SQL Login –
Sysadmin
Provided
Domain User
Access
X No
X No
X No
X X No
X X No
X Yes
X X Yes
X X Yes
POWERUPSQL
OPENROWSET – access by SQL Server login, with and without a provided domain user

Login used for SQL Server   Provided Domain User   Access
Domain User – Public        no                     No
Domain User – Sysadmin      no                     Yes
SQL Login – Public          no                     No
SQL Login – Sysadmin        no                     Yes
Domain User – Public        yes                    No
Domain User – Sysadmin      yes                    Yes
SQL Login – Public          yes                    No
SQL Login – Sysadmin        yes                    Yes
POWERUPSQL
Alternate Credentials
• Sysadmin login to SQL Server, and Windows domain credentials authenticate to LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -Username sa -Password 'Pass123!' -LinkUsername 'demo\administrator' -LinkPassword 'BestPasswordEver!'
• Sysadmin login to SQL Server, and the SQL Server service account authenticates to LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -UseAdHoc -Username sa -Password 'Pass123!'
POWERUPSQL
PowerUpSQL caveats
• Need sysadmin privileges to return data
• Multi-valued attributes cannot be returned
  ◦ Description, memberOf
  ◦ Multi-valued attributes are not supported by the OLE DB ADSI provider:
    "Msg 7346, Level 16, State 2, Line 1 Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow."
  ◦ SQL CLR workaround
• Paging not supported
  ◦ Max results returned is limited
  ◦ Default set at 1000 in Windows Server 2012
GODDI
What is goddi?
• go dump domain info
• Active Directory information gathering tool written in Go
• Cross-platform compile and compatibility
• Performs well in larger environments
• Uses the Go library gopkg.in/ldap.v2
GODDI
goddi setup
• Use the binaries in the Releases section
• Build it yourself
  ◦ Ensure the Go environment is set up: https://golang.org/doc/code.html
  ◦ go get gopkg.in/ldap.v2
GODDI
Active Directory information gathering with goddi
• LDAP
  ◦ gopkg.in/ldap.v2
  ◦ Dial and Bind
• Golang tls.Client
  ◦ Supports TLS on 636, StartTLS, plaintext dial
  ◦ Default is a TLS connection
  ◦ Certificates managed through tls.Certificates
  ◦ Need to provide certs on Linux
GODDI
Optimizations
• Querying for objectCategory when possible
  ◦ Indexing
• Only querying for the attributes needed
  ◦ Optimizes search results and time
• Paging
  ◦ AD default is 1000 results
  ◦ goddi paging set to 200 results
  ◦ Prevents client blocking
  ◦ Reduces memory stress on the DC and avoids heavy-query detection
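Paging as the slide describes it, written out as an added example (not goddi's code): an in-memory stand-in for a domain controller that enforces the default MaxPageSize of 1000, an unpaged search that comes back capped with sizeLimitExceeded, and the RFC 2696 cookie loop that a goddi-style client runs with a 200-entry page until the server returns an empty cookie. The directory contents and the cookie format are constructed for the example; a real client passes the page size and cookie through the paging control of gopkg.in/ldap.v2 instead of calling a fake server.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// maxPageSize mirrors the Active Directory default LDAP policy (MaxPageSize = 1000):
// one result set is capped at this many entries.
const maxPageSize = 1000

// goddiPageSize is the page size the slide says goddi uses.
const goddiPageSize = 200

// ErrSizeLimitExceeded models LDAP result code 4 (sizeLimitExceeded).
var ErrSizeLimitExceeded = errors.New("ldap: sizeLimitExceeded (result code 4)")

// Directory is a constructed stand-in for a domain controller holding computer entries.
type Directory struct{ Entries []string }

// NewDirectory builds a fake directory with n computer DNs (constructed data).
func NewDirectory(n int) *Directory {
	d := &Directory{}
	for i := 0; i < n; i++ {
		d.Entries = append(d.Entries, fmt.Sprintf("CN=WS%04d,OU=Workstations,DC=demo,DC=com", i))
	}
	return d
}

// Search without paging: the server returns at most maxPageSize entries and
// signals sizeLimitExceeded, so a caller that ignores the error loses the rest.
func (d *Directory) Search() ([]string, error) {
	if len(d.Entries) > maxPageSize {
		return d.Entries[:maxPageSize], ErrSizeLimitExceeded
	}
	return d.Entries, nil
}

// SearchPage is the server half of RFC 2696: honour the requested page size (capped
// at maxPageSize) and return an opaque cookie; an empty cookie means the result set
// is exhausted. The cookie here is just an offset, which is why it is validated.
func (d *Directory) SearchPage(pageSize int, cookie string) ([]string, string, error) {
	if pageSize <= 0 || pageSize > maxPageSize {
		pageSize = maxPageSize
	}
	start := 0
	if cookie != "" {
		var err error
		if start, err = strconv.Atoi(cookie); err != nil || start < 0 || start > len(d.Entries) {
			return nil, "", errors.New("ldap: unavailableCriticalExtension (bad paging cookie)")
		}
	}
	end := start + pageSize
	if end >= len(d.Entries) {
		return d.Entries[start:], "", nil // last page: empty cookie ends the loop
	}
	return d.Entries[start:end], strconv.Itoa(end), nil
}

// PagedSearch is the client loop: keep requesting pages with the returned cookie
// until the server sends an empty one. It also counts round trips, since each page
// is a separate request in the DC's LDAP logging.
func PagedSearch(d *Directory, pageSize int) ([]string, int, error) {
	var all []string
	cookie := ""
	pages := 0
	for {
		page, next, err := d.SearchPage(pageSize, cookie)
		if err != nil {
			return all, pages, err
		}
		pages++
		all = append(all, page...)
		if next == "" {
			return all, pages, nil
		}
		cookie = next
	}
}

func main() {
	dir := NewDirectory(1500)
	got, err := dir.Search()
	fmt.Printf("unpaged: %d entries, err=%v\n", len(got), err)
	all, pages, err := PagedSearch(dir, goddiPageSize)
	fmt.Printf("paged(%d): %d entries in %d pages, err=%v\n", goddiPageSize, len(all), pages, err)
}
```

With 1500 entries the unpaged search stops at 1000 and the 200-entry paged search needs eight round trips to collect everything, which is the trade the slide describes: smaller pages cost more requests but never exceed the server's limit or hold a large result in memory at once.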
GODDI
func GetLAPS(conn *ldap.Conn, baseDN string) {
	attributes := []string{
		"dNSHostName",
		"ms-Mcs-AdmPwd",
		"ms-Mcs-AdmPwdExpirationTime"}
	filter := "(objectCategory=Computer)"
	sr := ldapSearch(baseDN, filter, attributes, conn)
	// remainder of the function (processing sr) is not shown on the slide
}
GODDI
Feature List
• Users
• Computers
• DCs
• SPNs
• Groups
• OUs
• LAPS passwords
• GPP passwords
• Sensitive data checks – description attribute
• And more
GODDI
LAPS
• Local Administrator Password Solution
  ◦ Passwords stored in Active Directory
  ◦ Password access can be limited with ACLs
• ms-mcs-AdmPwd
  ◦ Attribute that stores the cleartext password
  ◦ Domain Admin privileges needed to read
• ms-mcs-AdmPwdExpirationTime
  ◦ Attribute that stores the password reset date/time
  ◦ Authenticated users can read
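The expiration attribute being readable by any authenticated user makes it useful on the defensive side too: a computer whose ms-Mcs-AdmPwdExpirationTime is in the past, or unset, is one whose LAPS rotation has stalled or that LAPS is not managing. The value is stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) and comes back from LDAP as a decimal string. The Go code below is an added example, not goddi's code; it converts the attribute and audits a set of computer entries against a reference time. The host names and timestamps are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

// fileTimeUnixOffset is the number of 100 ns ticks between 1601-01-01 and 1970-01-01.
const fileTimeUnixOffset = 116444736000000000

// ParseFileTime converts the string form LDAP returns for ms-Mcs-AdmPwdExpirationTime
// into a UTC time.Time. Empty and zero values are reported as errors rather than
// being silently turned into 1601-01-01.
func ParseFileTime(s string) (time.Time, error) {
	if s == "" || s == "0" {
		return time.Time{}, errors.New("laps: expiration time not set")
	}
	ticks, err := strconv.ParseInt(s, 10, 64)
	if err != nil || ticks < fileTimeUnixOffset {
		return time.Time{}, fmt.Errorf("laps: bad FILETIME %q", s)
	}
	unixTicks := ticks - fileTimeUnixOffset
	return time.Unix(unixTicks/10000000, (unixTicks%10000000)*100).UTC(), nil
}

// LapsEntry is the part of a computer object the GetLAPS attribute list asks for
// that an authenticated user can read; Expiration is the raw attribute string.
type LapsEntry struct {
	DNSHostName string
	Expiration  string
}

// Finding records why a computer deserves a look.
type Finding struct {
	Host   string
	Reason string
}

// AuditLAPS flags computers whose LAPS expiration is missing (LAPS not managing the
// host, or the attribute was cleared) or already in the past at the reference time
// (rotation has stalled). Nothing here needs Domain Admin rights.
func AuditLAPS(entries []LapsEntry, now time.Time) []Finding {
	var out []Finding
	for _, e := range entries {
		exp, err := ParseFileTime(e.Expiration)
		switch {
		case err != nil:
			out = append(out, Finding{e.DNSHostName, err.Error()})
		case exp.Before(now):
			out = append(out, Finding{e.DNSHostName, "password expired " + exp.Format(time.RFC3339) + " and not rotated"})
		}
	}
	return out
}

func main() {
	// Constructed sample data, not output from a real domain.
	now := time.Date(2018, 10, 1, 0, 0, 0, 0, time.UTC)
	sample := []LapsEntry{
		{"ws01.demo.com", "131834304000000000"}, // 2018-10-08T00:00:00Z, still valid
		{"ws02.demo.com", "131794560000000000"}, // 2018-08-23T00:00:00Z, stale
		{"ws03.demo.com", ""},                   // attribute absent
	}
	for _, f := range AuditLAPS(sample, now) {
		fmt.Printf("%s: %s\n", f.Host, f.Reason)
	}
}
```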
GODDI
GPP
• Group Policy Preferences
• Group Policy can be used to change local administrator passwords
• XML files can contain an encrypted cpassword if one was provided
  ◦ AES 256-bit encrypted
• \\demo.local\SYSVOL\demo.local\Policies\...
GODDI
GPP
• https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
• Authenticated users have access to SYSVOL
• “Fixed” in May 2014
GODDI
GPP
• ...\Machine\Preferences\Groups\Groups.xml
• ...\User\Preferences\Groups\Groups.xml
• ...\Machine\Preferences\Services\Services.xml
• ...\User\Preferences\Services\Services.xml
• ...\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
• ...\User\Preferences\ScheduledTasks\ScheduledTasks.xml
• ...\Machine\Preferences\DataSources\DataSources.xml
• ...\User\Preferences\DataSources\DataSources.xml
• ...\Machine\Preferences\Printers\Printers.xml
• ...\User\Preferences\Printers\Printers.xml
• ...\Machine\Preferences\Drives\Drives.xml
• ...\User\Preferences\Drives\Drives.xml
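The caveats slide later notes that GetGPP's XML parsing needs work. Below is an added example, not goddi's code, of a parser that covers every file in the list above with one routine: it streams the XML with encoding/xml and reports each element that carries a cpassword attribute, together with the account attribute that sits beside it (userName for Groups, runAs for ScheduledTasks, accountName for Services). That is the check an audit of SYSVOL needs in order to find policies still carrying the field after the 2014 fix, and it works without decrypting anything. The XML documents are constructed samples and the cpassword values are placeholders, not real ciphertext.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// CpasswordHit is one element in a preference XML file that carries a cpassword
// attribute. Account is the accompanying identity attribute when one exists.
type CpasswordHit struct {
	File    string
	Element string // path of element names from the root, e.g. Groups/User/Properties
	Account string
	Empty   bool // attribute present but blank: nothing to decrypt, but still worth cleaning up
}

// identityAttrs are the attribute names the different preference types use for the
// account a password belongs to. Matching is case-insensitive.
var identityAttrs = []string{"userName", "runAs", "accountName"}

// FindCpasswords streams the XML and reports every element with a cpassword
// attribute, whatever the element is called. Streaming tokens instead of
// unmarshalling into a fixed struct means one parser serves Groups.xml,
// Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml and Drives.xml.
func FindCpasswords(file string, r io.Reader) ([]CpasswordHit, error) {
	dec := xml.NewDecoder(r)
	var hits []CpasswordHit
	var path []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return hits, nil
		}
		if err != nil { // truncated or malformed file: report it rather than silently returning partial results
			return hits, fmt.Errorf("%s: %w", file, err)
		}
		switch t := tok.(type) {
		case xml.StartElement:
			path = append(path, t.Name.Local)
			var cp *xml.Attr
			account := ""
			for i := range t.Attr {
				a := &t.Attr[i]
				if strings.EqualFold(a.Name.Local, "cpassword") {
					cp = a
				}
				for _, id := range identityAttrs {
					if strings.EqualFold(a.Name.Local, id) {
						account = a.Value
					}
				}
			}
			if cp != nil {
				hits = append(hits, CpasswordHit{File: file, Element: strings.Join(path, "/"), Account: account, Empty: cp.Value == ""})
			}
		case xml.EndElement:
			if len(path) > 0 {
				path = path[:len(path)-1]
			}
		}
	}
}

// Constructed sample files; the cpassword values are placeholders, not ciphertext.
const sampleGroupsXML = `<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2014-01-15 09:12:33">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="Administrator (built-in)"/>
  </User>
  <User name="svc_backup">
    <Properties action="C" cpassword="" userName="svc_backup"/>
  </User>
</Groups>`

const sampleTasksXML = `<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Nightly">
    <Properties runAs="DEMO\svc_task" cpassword="CONSTRUCTED-PLACEHOLDER" action="C"/>
  </Task>
</ScheduledTasks>`

func main() {
	files := map[string]string{ // relative paths from the slide's list
		`Machine\Preferences\Groups\Groups.xml`:                 sampleGroupsXML,
		`Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`: sampleTasksXML,
	}
	for name, body := range files {
		hits, err := FindCpasswords(name, strings.NewReader(body))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, h := range hits {
			fmt.Printf("%s: <%s> account=%q blank=%v\n", h.File, h.Element, h.Account, h.Empty)
		}
	}
}
```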
GODDI
Demo – Windows
Demo – Linux
Output
• CSV output
• Creates a csv directory
GODDI
goddi caveats
• Need to supply credentials every time
  ◦ Does not run from the current user context like PowerUpSQL or PowerView
• Certificates can be tricky
  ◦ Need to import them on Linux
• GetGPP
  ◦ Uses “net use” and “mount”
  ◦ Needs more robust error handling
  ◦ Need to improve XML parsing
• Underlying library requires case-sensitive attributes
GODDI
goddi Roadmap – ADSI and COM
• Best solution for using the user’s current Windows security context
• Use the IADs interfaces (inherit from IDispatch)
• Requires lower-level system calls
	mod, _ := syscall.LoadDLL("ole32.dll")          // Windows only; error handling omitted on the slide
	proc, _ := mod.FindProc("CoCreateInstanceEx")
	ret, _, _ := proc.Call(...)
• go-ole library
DETECTION
Setting Up Logging Options
• HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
  ◦ LDAP Interface Events
  ◦ Field Engineering
DETECTION
Windows Event IDs
• 2889 – LDAP bind without signing or cleartext connection
• 1644 – Costly LDAP searches
• https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/directory-services-component-updates
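Once Field Engineering logging is producing 1644 events, the triage is text parsing. The Go code below is an added example, not part of the slides: it parses the key: value lines of a message shaped like event 1644 (the sample text is constructed to resemble the event, not a capture from a real DC) and flags reads of ms-Mcs-AdmPwd, searches over the expensive and inefficient thresholds (the 10000 and 1000 values are assumed defaults for the DC's thresholds under NTDS\Parameters), and whole-subtree account enumeration matching the filters on the LDAP slide. Splitting each line at the first colon only is deliberate: filter strings such as userAccountControl:1.2.840.113556.1.4.803:=8192 contain colons of their own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Thresholds this example uses to classify a search. They follow the defaults of the
// DC's "Expensive Search Results Threshold" and "Inefficient Search Results Threshold"
// (assumed values; check NTDS\Parameters on the DC in question).
const (
	expensiveVisited   = 10000
	inefficientVisited = 1000
)

// Search1644 holds the fields of one event 1644 message that matter for triage.
type Search1644 struct {
	Client     string
	BaseDN     string
	Filter     string
	Scope      string
	Attributes []string
	Visited    int
	Returned   int
}

// Parse1644 reads the "Key: value" lines of a 1644 message; only the first colon
// separates key from value so OIDs inside filters survive intact.
func Parse1644(msg string) (Search1644, error) {
	var s Search1644
	sc := bufio.NewScanner(strings.NewReader(msg))
	for sc.Scan() {
		kv := strings.SplitN(sc.Text(), ":", 2)
		if len(kv) != 2 {
			continue
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		var err error
		switch key {
		case "Client": s.Client = val
		case "Starting node": s.BaseDN = val
		case "Filter": s.Filter = val
		case "Search scope": s.Scope = val
		case "Attribute selection":
			if val != "" {
				s.Attributes = strings.Split(val, ",")
			}
		case "Visited entries": s.Visited, err = strconv.Atoi(val)
		case "Returned entries": s.Returned, err = strconv.Atoi(val)
		}
		if err != nil {
			return s, fmt.Errorf("1644: bad %s %q: %w", key, val, err)
		}
	}
	return s, sc.Err()
}

// Flag is one triage verdict for a search.
type Flag string

const (
	FlagLAPSRead    Flag = "requests ms-Mcs-AdmPwd, the LAPS cleartext password attribute"
	FlagExpensive   Flag = "expensive: visited entries above threshold"
	FlagInefficient Flag = "inefficient: returned less than a tenth of the entries visited"
	FlagEnumeration Flag = "broad enumeration: wildcard account filter over a subtree"
)

// Triage applies the checks a defender wants on each 1644 search: LAPS password
// reads, expensive or inefficient searches (the same tests the DC applies before
// logging), and whole-subtree enumeration with the wildcard filters from the slides.
func Triage(s Search1644) []Flag {
	var flags []Flag
	for _, a := range s.Attributes {
		if strings.EqualFold(strings.TrimSpace(a), "ms-Mcs-AdmPwd") {
			flags = append(flags, FlagLAPSRead)
		}
	}
	if s.Visited > expensiveVisited {
		flags = append(flags, FlagExpensive)
	}
	if s.Visited > inefficientVisited && s.Returned*10 < s.Visited {
		flags = append(flags, FlagInefficient)
	}
	if strings.EqualFold(s.Scope, "subtree") && strings.Contains(strings.ToLower(s.Filter), "samaccountname=*)") {
		flags = append(flags, FlagEnumeration)
	}
	return flags
}

// Constructed text shaped like a 1644 message for a LAPS attribute read; not a real capture.
const sampleLAPSSearch = `Internal event: A client issued a search operation with the following options.
Client: 10.0.0.5:49152
Starting node: DC=demo,DC=com
Filter: (objectCategory=Computer)
Search scope: subtree
Attribute selection: dNSHostName,ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
Visited entries: 1523
Returned entries: 1500`

func main() {
	s, err := Parse1644(sampleLAPSSearch)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%s searched %s -> %v\n", s.Client, s.BaseDN, Triage(s))
}
```

The LAPS sample trips only the attribute check: 1523 entries visited for 1500 returned is an efficient search, which is exactly why a filter on attribute selection is needed alongside the DC's own cost thresholds.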
WRAPPING UP
Thanks!
• Everyone on the Previous Research slide
• Scott Sutherland
• Karl Fosaaen
• Kevin Robertson
• PowerUpSQL and goddi contributors
• Everyone at this talk!
WRAPPING UP
References
• Everyone on the Previous Research slide
• Fancy Gopher, by Renée French, https://blog.golang.org/gophergala/fancygopher.jpg
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
https://www.netspi.com
https://www.facebook.com/netspi
@NetSPI
https://www.slideshare.net/NetSPI

Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathering

1
USING POWERUPSQL AND GODDI FOR ACTIVE DIRECTORY INFORMATION GATHERING
THOMAS ELLING

2
ABOUT
Thomas Elling
 Web Application and Network Pentester at NetSPI
 PowerUpSQL contributor
 goddi (go dump domain info) creator
 I liked the Venom movie
 Twitter: @thomas_elling
 Slideshare: slideshare.net/thomaselling1
 Blog: blog.netspi.com

3
PRESENTATION OVERVIEW
 Previous Research
 Active Directory Basics
 PowerUpSQL overview
   Install instructions
   Methodology
   Demo
 goddi overview
   Install instructions
   Methodology
   Demo
 Detection

4
INTRODUCTION
Why is Active Directory Information Gathering useful?
 Situational Awareness
   What am I looking for?
 Escalation Paths
   Where are privileged users logged in?
 Identify Misconfigurations
   Are there passwords in the Description attribute?

5
INTRODUCTION
Why PowerUpSQL and goddi?
 AD information gathering alternatives
   Using SQL Server and ADSI
   Using golang and LDAP
 Does not use typical PowerShell AD functions

6
PREVIOUS RESEARCH

7
PREVIOUS RESEARCH
harmj0y - https://blog.harmj0y.net/
PyroTek3 - https://adsecurity.org/
nikhil_mitt - https://www.labofapenetrationtester.com/
_nullbind - https://blog.netspi.com/author/scott-sutherland/
PowerView authors - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

8
PREVIOUS RESEARCH
PowerView
 Part of PowerSploit
   Recon module
 Basis of PowerShell ingestor in BloodHound
 PowerShell AD module hooks
   LDAP/.NET
   WMI
   Win32 API

9
ACTIVE DIRECTORY BASICS

10
ACTIVE DIRECTORY BASICS
What is Active Directory?
 Microsoft’s Directory Service
 Directory Service – provides resource and network mappings for objects distributed across a network
 Includes wide variety of directory services - Federation services, Lightweight directory services etc.
 Domain Services – hierarchical and scalable infrastructure for object management
 Domain Services is our focus

11
ACTIVE DIRECTORY BASICS
What are the key components of Domain Services?
Forest
Tree
Domains

12
ACTIVE DIRECTORY BASICS
 Domain - security boundary, collection of objects
 Domain Controller – server(s) where Active Directory is installed
 Users and Computers – security principals, represent physical entities on the domain
 OU – containers for users/groups/computers, easy to apply group policies or delegation
 Groups – collection of users/computers where access control can be applied

13
ACTIVE DIRECTORY BASICS
Accessing Domain Services
 Active Directory Service Interfaces (ADSI)
   COM interfaces for managing network resources
   OLE DB provider for ADSI used in SQL Server and PowerUpSQL
   LDAP provider
 Lightweight Directory Access Protocol (LDAP/LDAPS)
   LDAP is AD’s access protocol
   Used to send and retrieve domain information
   Supports different authentication methods

14
ACTIVE DIRECTORY BASICS
LDAP basics
 Entry – collection of attributes
 DN – unique identifier for an entry, ex. cn=test test,dc=demo,dc=com
 Attributes – LDAP data identified by predefined names, ex. sAMAccountName
 Scope – specifies search objects, ex. WholeSubtree
 Filters – used to select data within a search, ex. Groups: (&(objectCategory=group)(SamAccountName=*))

15
ACTIVE DIRECTORY BASICS
Useful LDAP filters
 Users - (&(objectCategory=person)(objectClass=user)(SamAccountName=*))
 Locked Users - (&(sAMAccountType=805306368)(lockoutTime>=1))
 Computers - (&(objectCategory=Computer)(SamAccountName=*))
 DCs - (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
 SPNs - (servicePrincipalName=*)
 Groups - (&(objectClass=group)(samaccountname=*))
 Domain Admins - (&(objectCategory=user)(memberOf=DomainAdminDN))
 OUs - (&(objectCategory=organizationalUnit)(ou=*))
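The filters on this slide are written out by hand. The Go program below is an added example, not code from the deck, goddi or PowerUpSQL: it assembles the Users, DCs and Domain Admins filters from the slide and shows the step any code that builds LDAP filters from input must not skip, RFC 4515 escaping of assertion values, without which a crafted sAMAccountName rewrites the filter (LDAP injection). It also spells out what the 1.2.840.113556.1.4.803 rule in the DCs filter is (the bitwise AND matching rule) and what 8192 means (SERVER_TRUST_ACCOUNT in userAccountControl). The group DN and the account names are constructed values; only the standard library is used.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes an assertion value for an LDAP search filter as
// RFC 4515 requires: '*', '(', ')', '\' and NUL become \XX hex escapes.
// Skipping this step is what turns a lookup filter into LDAP injection.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// eq builds one equality assertion with the value escaped.
func eq(attr, value string) string {
	return "(" + attr + "=" + escapeFilterValue(value) + ")"
}

// and joins assertions with the LDAP AND operator.
func and(parts ...string) string {
	return "(&" + strings.Join(parts, "") + ")"
}

// usersFilter is the Users filter from the slide. The bare "*" is the
// intended wildcard, so it is written literally rather than passed through eq().
func usersFilter() string {
	return and("(objectCategory=person)", "(objectClass=user)", "(SamAccountName=*)")
}

// bitAndRule is LDAP_MATCHING_RULE_BIT_AND; serverTrustAccount (0x2000, 8192)
// is the userAccountControl bit that marks a domain controller.
const bitAndRule = "1.2.840.113556.1.4.803"
const serverTrustAccount = 0x2000

// domainControllersFilter is the DCs filter from the slide, built from its parts.
func domainControllersFilter() string {
	return and("(objectCategory=computer)",
		fmt.Sprintf("(userAccountControl:%s:=%d)", bitAndRule, serverTrustAccount))
}

// isDomainController is the client-side equivalent of the bitwise filter,
// for when userAccountControl has already been fetched.
func isDomainController(uac int) bool { return uac&serverTrustAccount != 0 }

// domainAdminsFilter fills the DomainAdminDN placeholder from the slide with a
// real DN. CN values may legally contain parentheses, so the DN is escaped.
func domainAdminsFilter(groupDN string) string {
	return and("(objectCategory=user)", eq("memberOf", groupDN))
}

// userByAccountName looks up one account. The name is the kind of value that
// arrives from user input, which is exactly where escaping matters.
func userByAccountName(name string) string {
	return and("(objectCategory=person)", "(objectClass=user)", eq("sAMAccountName", name))
}

func main() {
	fmt.Println(usersFilter())
	fmt.Println(domainControllersFilter())
	// constructed DN for the demo domain used elsewhere in the deck
	fmt.Println(domainAdminsFilter("CN=Domain Admins,CN=Users,DC=demo,DC=com"))
	// Injection attempt: unescaped, this value would match every user object.
	fmt.Println(userByAccountName("*)(objectClass=*"))
}
```

The escaped form of the last call, `(sAMAccountName=\2a\29\28objectClass=\2a)`, matches only an account literally named `*)(objectClass=*`, which is the behaviour a defender wants from any web application or tool that queries the directory on a user's behalf.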
16
POWERUPSQL

17
POWERUPSQL
What is PowerUpSQL?
 Written in PowerShell
 SQL Server discovery
 Weak configuration auditing
 Privilege escalation
 Post exploitation
 Hacking SQL Server at scale

18
POWERUPSQL
Why SQL Server?
 Popular in enterprise environments
 Integration with Windows services
 Vertical escalation opportunities on the domain
Why PowerShell?
 Native to Windows
 Runs commands in memory
 Often flagged as trusted
 May need to start obfuscating or disabling security features soon…

19
POWERUPSQL
PowerUpSQL wiki
 https://github.com/NetSPI/PowerUpSQL/wiki/Active-Directory-Recon-Functions
 Setup instructions
 Cheat Sheets!
 Documentation
 Resource Links

20
POWERUPSQL
PowerUpSQL setup
 Import-Module PowerUpSQL.psd1
 Install-Module -Name PowerUpSQL
 IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")
 &([scriptblock]::Create((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")))

21
POWERUPSQL

22
POWERUPSQL
Getting started
 Get-Command -Module PowerUpSQL -Name 'Get-SQLDomain*'
 Get-Help Get-SQLDomainUser

23
POWERUPSQL
Getting started
 Check out BlackHat Arsenal 2018 slides
 https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa-arsenal-presentation

24
POWERUPSQL
Active Directory information gathering with PowerUpSQL
 OLE DB Active Directory Service Interfaces (ADSI) Provider
 Two main methods
   OPENQUERY (Linked server)
   OPENROWSET (Ad Hoc query)
 OPENQUERY technique requires creating a SQL server link

25
POWERUPSQL
OPENQUERY method
 Linked Server
   Configured to run queries in another instance of SQL Server or in another DB
   Can also be used to allow data access from outside of SQL Server
   ADSI Linked Server
 OPENQUERY
   Executes a pass-through query on the specified linked server
   Server can be an OLE DB data source

26
POWERUPSQL
OPENROWSET method
 Ad Hoc Queries
   Disabled by default
   Needs to be enabled; PowerUpSQL enables it by default
 OPENROWSET
   One-time connection to access remote data through OLE DB
   Alternative to linked servers
27
POWERUPSQL
OPENQUERY - Creating a SQL Server Link

-- Create SQL Server link to ADSI
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0
    EXEC master.dbo.sp_addlinkedserver
        @server = N'ADSI',
        @srvproduct = N'Active Directory Service Interfaces',
        @provider = N'ADSDSOObject',
        @datasrc = N'adsdatasource'
ELSE
    SELECT 'The target SQL Server link already exists.'

28
POWERUPSQL
OPENQUERY

-- Define authentication context - OPENQUERY
EXEC sp_addlinkedsrvlogin
    @rmtsrvname = N'ADSI',
    @useself = N'True',
    @locallogin = NULL,
    @rmtuser = NULL,
    @rmtpassword = NULL
GO
-- Use OPENQUERY
SELECT * FROM OPENQUERY([ADSI], '<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name, adspath;subtree')

29
POWERUPSQL
OPENROWSET

-- Enable 'Show Advanced Options'
EXEC sp_configure 'Show Advanced Options', 1
RECONFIGURE
GO
-- Enable 'Ad Hoc Distributed Queries'
EXEC sp_configure 'Ad Hoc Distributed Queries', 1
RECONFIGURE
GO
-- Run with OPENROWSET
SELECT * FROM OPENROWSET('ADSDSOOBJECT', 'adsdatasource', '<LDAP://path>;(&(objectCategory=Person)(objectClass=user));name, adspath;subtree')
30
POWERUPSQL
 Get-SQLDomainAccountPolicy
 Get-SQLDomainComputer
 Get-SQLDomainController
 Get-SQLDomainExploitableSystem
 Get-SQLDomainGroup
 Get-SQLDomainGroupMember
 Get-SQLDomainObject
 Get-SQLDomainOu
 Get-SQLDomainPasswordsLAPS
 Get-SQLDomainSite
 Get-SQLDomainSubnet
 Get-SQLDomainTrust
 Get-SQLDomainUser

31
POWERUPSQL
Demo - Linked Server via OPENQUERY

32
POWERUPSQL
Demo - Linked Server via OPENQUERY

33
POWERUPSQL
Demo - Ad Hoc queries via OPENROWSET

34
POWERUPSQL
Demo - Ad Hoc queries via OPENROWSET

35
POWERUPSQL
Demo – Grabbing LAPS passwords
36
POWERUPSQL
OPENQUERY

Caller                   Provided Domain User   Access
Domain User – Public     no                     No
SQL Login – Public       no                     No
SQL Login – Sysadmin     no                     No
Domain User – Public     yes                    No
SQL Login – Public       yes                    No
Domain User – Sysadmin   no                     Yes
Domain User – Sysadmin   yes                    Yes
SQL Login – Sysadmin     yes                    Yes

37
POWERUPSQL
OPENROWSET

Caller                   Provided Domain User   Access
Domain User – Public     no                     No
SQL Login – Public       no                     No
Domain User – Public     yes                    No
SQL Login – Public       yes                    No
Domain User – Sysadmin   no                     Yes
SQL Login – Sysadmin     no                     Yes
Domain User – Sysadmin   yes                    Yes
SQL Login – Sysadmin     yes                    Yes
38
POWERUPSQL
Alternate Credentials
 Sysadmin login to SQL Server and Windows domain credentials authenticate to LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -Username sa -Password 'Pass123!' -LinkUsername 'demo\administrator' -LinkPassword 'BestPasswordEver!'
 Sysadmin login to SQL Server and SQL Server Service account authenticate to LDAP
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -UseAdHoc -Username sa -Password 'Pass123!'

39
POWERUPSQL
PowerUpSQL caveats
 Need sysadmin privileges to return data
 Multi-valued attributes cannot be returned
   Description, memberof
   Multi-valued attributes not supported by OLE DB ADSI provider:
   “Msg 7346, Level 16, State 2, Line 1
   Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow.”
   SQL CLR workaround
 Paging not supported
   Max results returned limited
   Default set at 1000 in Windows Server 2012
40
GODDI

41
GODDI
What is goddi?
 go dump domain info
 Active Directory information gathering tool written in Go
 Cross platform compile and compatibility
 Performs well in larger environments
 Uses go library
   gopkg.in/ldap.v2

42
GODDI
goddi setup
 Use the binaries in the Releases section
 Build it yourself
   Ensure go environment is set up
   https://golang.org/doc/code.html
   go get gopkg.in/ldap.v2

43
GODDI
Active Directory information gathering with goddi
 LDAP
   gopkg.in/ldap.v2
   Dial and Bind
 Golang tls.Client
   Supports TLS on 636, startTLS, plaintext dial
   Default is TLS connection
   Certificates managed through tls.Certificates
   Need to provide certs on Linux

44
GODDI
Optimizations
 Querying for objectCategory when possible
   Indexing
 Only querying for attributes needed
   Optimize search results and time
 Paging
   AD default is 1000 results
   goddi paging set to 200 results
   Prevents client blocking
   Reduces memory stress on DC and avoids heavy query detection
45
GODDI

func GetLAPS(conn *ldap.Conn, baseDN string) {
	attributes := []string{
		"dNSHostName",
		"ms-Mcs-AdmPwd",
		"ms-Mcs-AdmPwdExpirationTime"}
	filter := "(objectCategory=Computer)"
	// ldapSearch is goddi's search helper around gopkg.in/ldap.v2
	sr := ldapSearch(baseDN, filter, attributes, conn)
	// handling of sr is not shown on the slide
}
46
GODDI
Feature List
 Users
 Computers
 DCs
 SPNs
 Groups
 OUs
 LAPS passwords
 GPP passwords
 Sensitive data checks – description attribute
 And more

47
GODDI
LAPS
 Local Administrator Password Solution
   Passwords stored in Active Directory
   Password access can be limited with ACLs
 ms-mcs-AdmPwd
   Attribute that stores cleartext password
   Domain Admin privileges needed to read
 ms-mcs-AdmPwdExpirationTime
   Attribute stores password reset date/time
   Authenticated users can read
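Because ms-mcs-AdmPwdExpirationTime is readable by any authenticated user, it is also the attribute a defender can audit without touching the password itself. The Go program below is an added example, not code from goddi or from the deck: it converts the attribute's value, a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) stored as a decimal string, into a time, and flags computers whose LAPS expiry has already passed or that carry no value at all. The hostnames and timestamps are constructed sample data; the rule that an expiry in the past means the client has not rotated its password is the assumption built in.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// lapsEntry mirrors the two LAPS attributes every authenticated user can read
// on a computer object: dNSHostName and ms-Mcs-AdmPwdExpirationTime.
// ms-Mcs-AdmPwd is deliberately absent; this audit never needs it.
type lapsEntry struct {
	Host       string
	Expiration string // raw attribute value as LDAP returns it
}

type lapsFinding struct {
	Host    string
	Expires time.Time
	Stale   bool // expiry is in the past, so the client has not rotated
}

// filetimeUnixOffset is the number of 100-ns ticks between the FILETIME epoch
// (1601-01-01) and the Unix epoch (1970-01-01); ticksPerSecond is 10^7.
const (
	filetimeUnixOffset int64 = 116444736000000000
	ticksPerSecond     int64 = 10_000_000
)

// parseFiletime converts the decimal FILETIME string to a UTC time. A zero or
// negative value is rejected: zero means the attribute was never set.
func parseFiletime(s string) (time.Time, error) {
	ft, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return time.Time{}, fmt.Errorf("ms-Mcs-AdmPwdExpirationTime %q: %w", s, err)
	}
	if ft <= 0 {
		return time.Time{}, fmt.Errorf("ms-Mcs-AdmPwdExpirationTime %q is not a valid FILETIME", s)
	}
	ticks := ft - filetimeUnixOffset
	return time.Unix(ticks/ticksPerSecond, (ticks%ticksPerSecond)*100).UTC(), nil
}

// auditLAPS sorts computers into managed (with a stale flag) and unmanaged
// (attribute missing or unparsable). now is passed in so results are reproducible.
func auditLAPS(entries []lapsEntry, now time.Time) (findings []lapsFinding, unmanaged []string) {
	for _, e := range entries {
		exp, err := parseFiletime(e.Expiration)
		if e.Expiration == "" || err != nil {
			unmanaged = append(unmanaged, e.Host)
			continue
		}
		findings = append(findings, lapsFinding{Host: e.Host, Expires: exp, Stale: exp.Before(now)})
	}
	return findings, unmanaged
}

// Constructed sample data; no directory is queried.
var sampleEntries = []lapsEntry{
	{Host: "ws01.demo.local", Expiration: "132000000000000000"},  // 2019-04-17T18:40:00Z, long past
	{Host: "ws02.demo.local", Expiration: "200000000000000000"},  // year 2234, still current
	{Host: "srv01.demo.local", Expiration: ""},                   // LAPS not deployed
}

func main() {
	findings, unmanaged := auditLAPS(sampleEntries, time.Now())
	for _, f := range findings {
		fmt.Printf("%-18s expires %s stale=%v\n", f.Host, f.Expires.Format(time.RFC3339), f.Stale)
	}
	fmt.Println("not managed by LAPS:", unmanaged)
}
```

In a real sweep the entries come from the same (objectCategory=Computer) search shown on the GetLAPS slide, minus the ms-Mcs-AdmPwd attribute; a stale expiry usually means the LAPS client-side extension is not installed or not running on that host, and an unmanaged host is one where the local administrator password is not being rotated at all.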
48
GODDI
GPP
 Group Policy Preference
 Group Policy can be used to change local administrator passwords
 XML files can contain encrypted cpassword if provided
   AES 256 bit encrypted
 \\demo.local\SYSVOL\demo.local\Policies\...

49
GODDI
GPP
 https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
 Authenticated users have access to SYSVOL
 “Fixed” in May 2014

50
GODDI
GPP
 ...\Machine\Preferences\Groups\Groups.xml
 ...\User\Preferences\Groups\Groups.xml
 ...\Machine\Preferences\Services\Services.xml
 ...\User\Preferences\Services\Services.xml
 ...\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
 ...\User\Preferences\ScheduledTasks\ScheduledTasks.xml
 ...\Machine\Preferences\DataSources\DataSources.xml
 ...\User\Preferences\DataSources\DataSources.xml
 ...\Machine\Preferences\Printers\Printers.xml
 ...\User\Preferences\Printers\Printers.xml
 ...\Machine\Preferences\Drives\Drives.xml
 ...\User\Preferences\Drives\Drives.xml
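The files on this slide are exactly the ones a defender should sweep in SYSVOL. The Go program below is an added example, not goddi's GetGPP or any other code from the deck: it lists the twelve paths for one policy folder and walks any of these XML files token by token, reporting every element that still carries a non-empty cpassword attribute together with the account it belongs to (userName, accountName or runAs, whichever that file's schema uses). It deliberately does not decode anything; the finding is the attribute's presence, and the remediation is to delete the preference and rotate the credential. The Groups.xml sample and its clsid, uid and cpassword values are constructed placeholders, and the policy path is the demo.local layout from the previous slide with a placeholder GUID.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// gppFiles are the Group Policy Preference files from the slide, relative to a
// policy folder under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\.
var gppFiles = []string{
	`Machine\Preferences\Groups\Groups.xml`,
	`User\Preferences\Groups\Groups.xml`,
	`Machine\Preferences\Services\Services.xml`,
	`User\Preferences\Services\Services.xml`,
	`Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`,
	`User\Preferences\ScheduledTasks\ScheduledTasks.xml`,
	`Machine\Preferences\DataSources\DataSources.xml`,
	`User\Preferences\DataSources\DataSources.xml`,
	`Machine\Preferences\Printers\Printers.xml`,
	`User\Preferences\Printers\Printers.xml`,
	`Machine\Preferences\Drives\Drives.xml`,
	`User\Preferences\Drives\Drives.xml`,
}

// candidateFiles returns the full UNC paths to check for one policy folder.
func candidateFiles(policyDir string) []string {
	out := make([]string, 0, len(gppFiles))
	for _, f := range gppFiles {
		out = append(out, strings.TrimRight(policyDir, `\`)+`\`+f)
	}
	return out
}

// cpasswordHit records one element that still carries a cpassword attribute.
type cpasswordHit struct {
	File    string
	Element string // the element name, Properties in every GPP schema
	Account string // userName / accountName / runAs, whichever the element has
}

// findCpassword walks the XML token stream and reports every element with a
// non-empty cpassword attribute. Working on tokens rather than a fixed struct
// means the same function covers all six preference types.
func findCpassword(file string, r io.Reader) ([]cpasswordHit, error) {
	dec := xml.NewDecoder(r)
	var hits []cpasswordHit
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return hits, nil
		}
		if err != nil {
			return hits, fmt.Errorf("%s: %w", file, err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		hit := cpasswordHit{File: file, Element: se.Name.Local}
		found := false
		for _, a := range se.Attr {
			switch strings.ToLower(a.Name.Local) {
			case "cpassword":
				found = a.Value != "" // an empty attribute carries no secret
			case "username", "accountname", "runas":
				hit.Account = a.Value
			}
		}
		if found {
			hits = append(hits, hit)
		}
	}
}

// Constructed Groups.xml sample; clsid, uid and cpassword are placeholders.
const sampleGroupsXML = `<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="LocalAdmin" image="2" changed="2014-01-10 09:00:00" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description="" cpassword="CONSTRUCTED-CPASSWORD-VALUE" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>`

// The same preference after clean-up: no cpassword attribute, nothing to report.
const cleanGroupsXML = `<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" acctDisabled="1"/>
  </User>
</Groups>`

func main() {
	for _, p := range candidateFiles(`\\demo.local\SYSVOL\demo.local\Policies\{POLICY-GUID}`) {
		fmt.Println("check:", p)
	}
	hits, err := findCpassword("Groups.xml", strings.NewReader(sampleGroupsXML))
	if err != nil {
		fmt.Println("parse error:", err)
	}
	for _, h := range hits {
		fmt.Printf("%s: <%s> for account %q still has a cpassword\n", h.File, h.Element, h.Account)
	}
}
```

Wiring this to a real share is a matter of opening each candidate path and passing the file to findCpassword; since every authenticated user can read SYSVOL, a finding here means the credential has to be treated as exposed regardless of who has run the check.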
51
GODDI
Demo – Windows

52
GODDI
Demo – Linux

53
GODDI

54
GODDI
Output
 CSV output
 Creates csv directory

55
GODDI
goddi caveats
 Need to supply credentials every time
   Does not run from the current user context like PowerUpSQL or PowerView do
 Certificates can be tricky
   Need to import them on Linux
 GetGPP
   Uses “net use” and “mount”
   Needs more robust error handling
   Need to improve XML parsing
 Underlying library requires case sensitive attributes

56
GODDI
goddi Roadmap – ADSI and COM
 Best solution for using user’s current Windows security context
 Use the IADs interfaces (inherit from IDispatch)
 Requires lower level system calls

mod, _ := syscall.LoadDLL("ole32.dll")         // LoadDLL returns (*syscall.DLL, error)
proc, _ := mod.FindProc("CoCreateInstanceEx") // FindProc returns (*syscall.Proc, error)
ret, _, _ := proc.Call(...)

 go-ole library
57
DETECTION

58
DETECTION
Setting Up Logging Options
 HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
   LDAP Interface Events
   Field Engineering

59
DETECTION
Windows Event IDs
 2889 – LDAP bind without signing or cleartext connection
 1644 – Costly LDAP searches
 https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/directory-services-component-updates
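Event 1644 is only written once Field Engineering logging under the NTDS\Diagnostics key from the previous slide has been raised to level 5, and the Microsoft page linked above describes the thresholds under NTDS\Parameters (Expensive Search Results Threshold, Inefficient Search Results Threshold, Search Time Threshold (msecs)) that, from Windows Server 2012 R2 on, decide which searches get logged. The Go program below is an added example, not part of the deck: it parses the label-on-one-line, value-on-the-next layout of the event text into fields and applies a few heuristics that fit the enumeration shown in this talk, namely a subtree search from the domain root that visited many entries and returned exactly the 1000-entry page cap. The event text is a constructed sample in that layout, and the 10000 visited-entries threshold is an arbitrary starting value to tune per domain.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// ldapSearchEvent holds the fields of a Directory Service event 1644 that a
// detection rule cares about.
type ldapSearchEvent struct {
	Client      string
	BaseDN      string
	Filter      string
	Scope       string
	Visited     int
	Returned    int
	UsedIndexes string
}

// parseLabeledMessage turns the "Label:" / value-on-following-lines layout of
// the event text into a map. A line ending in ':' that is not itself part of a
// filter starts a new field; later non-blank lines are appended to its value.
func parseLabeledMessage(msg string) map[string]string {
	fields := map[string]string{}
	label := ""
	sc := bufio.NewScanner(strings.NewReader(msg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
			continue
		case strings.HasSuffix(line, ":") && !strings.HasPrefix(line, "("):
			label = strings.TrimSuffix(line, ":")
			fields[label] = ""
		case label != "":
			if fields[label] != "" {
				fields[label] += " "
			}
			fields[label] += line
		}
	}
	return fields
}

// atoiOrZero tolerates thousands separators and missing fields.
func atoiOrZero(s string) int {
	n, _ := strconv.Atoi(strings.ReplaceAll(s, ",", ""))
	return n
}

// parseEvent1644 maps the labeled fields onto the struct.
func parseEvent1644(msg string) ldapSearchEvent {
	f := parseLabeledMessage(msg)
	return ldapSearchEvent{
		Client:      f["Client"],
		BaseDN:      f["Starting node"],
		Filter:      f["Filter"],
		Scope:       f["Search scope"],
		Visited:     atoiOrZero(f["Visited entries"]),
		Returned:    atoiOrZero(f["Returned entries"]),
		UsedIndexes: f["Used indexes"],
	}
}

// adPageSizeDefault is the default MaxPageSize LDAP policy (1000 results).
const adPageSizeDefault = 1000

// classify returns the reasons a search looks like bulk or inefficient
// enumeration; visitedThreshold is site-specific and 10000 is only a starting point.
func classify(ev ldapSearchEvent, visitedThreshold int) []string {
	var reasons []string
	if ev.Visited >= visitedThreshold {
		reasons = append(reasons, fmt.Sprintf("visited %d entries", ev.Visited))
	}
	if ev.Returned >= adPageSizeDefault {
		reasons = append(reasons, fmt.Sprintf("returned %d entries, the server page cap, so the client is paging through the whole result set", ev.Returned))
	}
	if strings.TrimSpace(ev.UsedIndexes) == "" {
		reasons = append(reasons, "no index used, full scan of the subtree")
	}
	if ev.Scope == "subtree" && strings.HasPrefix(strings.ToUpper(ev.BaseDN), "DC=") {
		reasons = append(reasons, "subtree search from the domain root")
	}
	return reasons
}

// Constructed sample event text for a user enumeration; values are invented.
const sampleEvent1644 = `Internal event: A client issued a search operation with the following options.

Client:
10.1.2.3:52366
Starting node:
DC=demo,DC=com
Filter:
(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))
Search scope:
subtree
Attribute selection:
[all]
Server controls:

Visited entries:
24000
Returned entries:
1000
Used indexes:
idx_objectCategory:24000:N;
Pages referenced:
51234
Pages read from disk:
10
`

func main() {
	ev := parseEvent1644(sampleEvent1644)
	fmt.Printf("%s searched %s (%s) with %s\n", ev.Client, ev.BaseDN, ev.Scope, ev.Filter)
	for _, r := range classify(ev, 10000) {
		fmt.Println("  flag:", r)
	}
}
```

The useful signal is the combination: one client address producing a run of 1644 events, each returning the page cap from the domain root with the filters seen on the Useful LDAP filters slide, is what domain-wide enumeration looks like on the DC side, and the Client field gives the host to follow up on.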
60
DETECTION

61
DETECTION

62
WRAPPING UP

63
WRAPPING UP
Thanks!
 Everyone on the Previous Research slide
 Scott Sutherland
 Karl Fosaaen
 Kevin Robertson
 PowerUpSQL and goddi contributors
 Everyone at this talk!

64
WRAPPING UP
References
 Everyone on the Previous Research slide
 Fancy Gopher, by Renée French, https://blog.golang.org/gophergala/fancygopher.jpg

65
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
https://www.netspi.com
https://www.facebook.com/netspi
@NetSPI
https://www.slideshare.net/NetSPI