Nov 02 2014

Domain Controller Virtual Cloning

One of the best new features of Windows Server 2012 is virtual cloning.

The ASKPFE blog has an excellent article covering this new feature:

Tom Moser here with a post on one of the new ADDS features in Windows Server 2012; Virtual Domain Controller Cloning.

Until now, cloning, snapshotting, copying, or pretty much doing anything but rebuilding from scratch to a virtual domain controller wasn’t just unsupported; it had the potential to be really bad for your directory. Cloning or restoring snapshots of DCs could result in USN rollbacks or lingering objects, just to name a couple of problems.

Starting in Windows Server 2012, we now support DC cloning as well as snapshot restoration of domain controllers. With the RTM bits available, I found myself rebuilding my lab and took the opportunity to document the process to demonstrate just how easy it is to clone virtual domain controllers with Windows Server 2012.

Requirements

There are a few base infrastructure requirements to take advantage of DC cloning.

  • The hypervisor must support VM-GenerationID. Hyper-V running on Windows Server 2012 supports this feature. Other virtualization vendors will have the ability to implement this as well, so check with your vendor to see if it’s supported.
  • The source virtual DC must be running Windows Server 2012.
  • The PDC emulator role holder must be online and available to the cloned DC and must be running Windows Server 2012.

There are a few other steps and requirements and I’ll take you through those now.

Read the rest of the article here.

Nov 02 2014

Windows 8: Using PowerShell to Decrypt Wireless SSID Passwords with NetSH

Show the saved password for SSID named “SSID_NAME” in Windows 8.

((netsh wlan show profiles name="SSID_NAME" key=clear | select-string "Key Content" ) -split(" Key Content : "))[1]

 

 

 

Nov 01 2014

Active Directory Domain Trusts & Trust Password Management

Recently a customer asked me about Active Directory Domain Trusts and how the passwords were managed. I replied with some educated guesses based on how AD manages a variety of passwords. After stating how I thought it worked (and mentioned that I wasn’t sure), I decided to look it up. I was mostly correct.

Every trust a domain maintains is represented by a Trusted Domain Object (TDO) in the Domain partition’s System container. The TDO contains the following attributes for a domain trust:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name

Forest trusts store the following attributes:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name
  • Domain tree names
  • User Principal Name (UPN) suffixes
  • Service Principal Name (SPN) suffixes
  • Security ID (SID) namespaces

Since trust information is stored in Active Directory, all domains in the forest know about all of the trusts in place with all forest domains. External NT 4 trusts are not stored as TDOs and therefore are not in Active Directory.

Continue reading

Oct 31 2014

PowerShell Data Types

Useful table with Powershell’s data types and descriptions:

[string]  Fixed-length string of Unicode characters
 [array] Array of values
 [xml] Xml object
 [int] 32-bit signed integer
 [DateTime] Date and Time
 [long] 64-bit signed integer
 [decimal] 128-bit decimal value
 [single]  Single-precision 32-bit floating point number
 [double] Double-precision 64-bit floating point number
 [char] A Unicode 16-bit character
 [byte] An 8-bit unsigned character
 [bool] Boolean True/False value
 [hashtable]  Hashtable object
[void] Sends the datat to Null (same as piping to out-Null)

Oct 30 2014

BlueHat 2014 Slides: Reality Bites – The Attacker’s View of Windows Authentication and Post-exploitation

Each year, Microsoft invites security researchers (aka hackers) to speak to Microsoft employees about security issues.

One of the most interesting talks listed at “BlueHat” 2014 was the one by the “Pass-the-Hash” experts, Chris Campbell, Bejamin Delpy, and Skip Duckwall.

This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

BlueHat 2014 Slides: Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation – Chris Campbell, Benjamin Delpy, & Skip Duckwall

 

Oct 29 2014

Active Directory (and other) Security Resources

I just posted a “Security Resources” page that is a tab at the top of the site. This page contains useful security resources I have found over the years and plan on updating the content as needed.

Active Directory (and other) Security Resources

Oct 29 2014

Windows Server 2012 R2 deprecates FRS (File Replication Service)

Microsoft’s Tip of the Day has the following useful information on Domain Controller File Replication Service (FRS) depercation:

FRS (File Replication Service) has been deprecated in Windows Server 2012 R2.  The deprecation of FRS has been accomplished by enforcing a minimum domain functional level of Windows Server 2008.  This enforcement is present only if the new domain is created using Server Manager or PowerShell.  DCPromo still exists and is used by unattended installations.  Such domains can still be created at a lower domain functional level.

 

 

Oct 28 2014

PowerShell Code: Convert Integer8 to Date

There are several Active Directory attributes where the value is stored as an Integer8 value.
These include:

  • accountExpires
  • badPasswordTime
  • lastlogon
  • lastlogontimestamp
  • pwdLastSet

Here’s information on what Integer8 is:

Many attributes in Active Directory have a data type (syntax) called Integer8. These 64-bit numbers (8 bytes) often represent time in 100-nanosecond intervals. If the Integer8 attribute is a date, the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. Any leap seconds are ignored.

In .NET Framework (and PowerShell) these 100-nanosecond intervals are called ticks, equal to one ten-millionth of a second. There are 10,000 ticks per millisecond. In addition, .NET Framework and PowerShell DateTime values represent dates as the number of ticks since 12:00 AM January 1, 0001.

Quick PowerShell code for converting Integer8 into a date/time value:

$Integer8 = “130567517440984934”
[datetime]::FromFileTimeUTC($Integer8)

Oct 25 2014

Microsoft EMET 5 Configuration to Mitigate PowerPoint Zero Day

Microsoft Security Advisory 3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (Published: October 21, 2014)

PowerPoint Zero Day Vulnerability Executive Summary:

Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed.

At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.

PowerPoint Zero Day Mitigating Factors:

 

  • n observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed. UAC is enabled by default on Windows Vista and newer releases of Microsoft Windows.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
  • Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened in Protected View. By using Protected View, you can read a file and see its contents while reducing the risks. Protected View is enabled by default.

 

EMET 5 Mitigation:

Deploy the Enhanced Mitigation Experience Toolkit 5.0 and configure Attack Surface Reduction
The Attack Surface Reduction feature in EMET 5.0 can help block current attacks. You need to add configuration to the standard one in order to be protected.

  1. Create a new file with the content below: 
    <EMET Version="5.0.5324.31801">
  <Settings />
  <EMET_Apps>
    <AppConfig Path="*" Executable="dllhost.exe">
      <Mitigation Name="DEP" Enabled="false" />
      <Mitigation Name="SEHOP" Enabled="false" />
      <Mitigation Name="NullPage" Enabled="false" />
      <Mitigation Name="HeapSpray" Enabled="false" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="false" />
      <Mitigation Name="BottomUpASLR" Enabled="false" />
      <Mitigation Name="LoadLib" Enabled="false" />
      <Mitigation Name="MemProt" Enabled="false" />
      <Mitigation Name="Caller" Enabled="false" />
      <Mitigation Name="SimExecFlow" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>flash*.ocx;packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>
  2. Save this file as EMET_CVE-2014-6352.xml.
  3. From the EMET user interface, click Import from the File ribbon.
  4. Select the EMET_CVE-2014-6352.xml file and click Open.
  5. Alternatively, run this command from a Command Prompt with elevated privileges to import the saved script “EMET_CVE-2014-6532.xml” into EMET: 
    EMET_Conf.exe  --import EMET_CVE-2014-6352.xml

 

Microsoft : https://technet.microsoft.com/library/security/3010060

 

 

 

Oct 22 2014

Powershell Code: Determine LastLogonTimeStamp Replication Time

It seems that I have been asked to provide a lot of user (& computer) logon information over the past few months. In order to provide this information, I (as others have) leveraged the LastLogonTimeStamp attribute to determine when a user (or computer) logged on last. Assuming you have a Windows 2003 forest mode Active Directory environment, this attribute is available for use. Prior to Windows 2003, the LastLogon attribute which is updated on the local authenticating DC could be queried to get this information with the caveat that it is not replicated. This means that one would have to query the LastLogon attribute for a user(s) on every Domain Controller in the domain to determine the actual last logon date & time.

Detailed information on the LastLogonTimeStamp attribute (Microsoft DS Team Blog)

According to the information on the blog, the LastLogonTimeStamp attribute was never meant to provide accurate logon information given that the attribute’s contents are behind by about 9-14 days.
NOTE: The default replication setting for this attribute is 14 days with a random replication skew of a percent of 5 days. However, if the replication value is set to 5 or less, no randomization is performed.

Furthermore, according to the blog entry:

The lastLogontimeStamp attribute is not updated with all logon types or at every logon. The good news is that the logon types that admins usually care about will update the attribute and often enough to accomplish its task of identifying inactive accounts.
Interactive and Network logons will update the lastLogontimeStamp.

At least one of my customer’s has changed the default value for ms-DS-Logon-Time-Sync-Interval which determines how frequently the LastLogonTimeStamp is replicated. I wanted to easily identify what the modified value is set to so I can provide information in the user logon script to state how accurate the information is. Obviously with the default being 14, the data in the attribute could be two weeks old.

I did quite a bit of research on the ms-DS-Logon-Time-Sync-Interval (displayname msDS-LogonTimeSyncInterval) and discovered that ms-DS-Logon-Time-Sync-Interval is an attribute of the naming context and has a value of “not set” by default (which enforces the default 14 days). Querying this attribute using the PowerShell commandlet Get-ADObject does not show the attribute listed for the naming context. However, when I manually set the value to a number, it shows up.

Changing the ms-DS-Logon-Time-Sync-Interval value is actually quite simple.

  1. Open ADSI Edit
  2. Right-Click on the domain DN (DC=domain,DC=com) under Default naming context and select Properties.
  3. Under Attribute Editor, scroll down to the msDS-LogonTimeSyncInterval attribute and Click Edit.
  4. Enter a value from 1 to 100,000 (280 years, max set in AD code) and Click OK.
  5. Click OK

NOTE: Entering a value of 0 for ms-DS-Logon-Time-Sync-Interval disables replication of the LastLogonTimeStamp attribute.

Use Repadmin to get the LastLogonTimeStamp value on all DCs for a specific user:

repadmin /showattr * (DN of the target user) /attrs:lastLogontimeStamp > lastLogontimeStamp.txt

I put together the following code to get the value for ms-DS-Logon-Time-Sync-Interval:

Import-Module ActiveDirectory

# Get Domain Info
write-output “Gathering Active Directory Domain Information… `r”
Write-Verbose “Performing Get-ADDomain powershell command `r”
$ADDomainInfo = Get-ADDomain

$ADDomainDistinguishedName = $ADDomainInfo.DistinguishedName

$DirectoryServicesNamingContext = Get-ADObject -Identity “$ADDomainDistinguishedName” -Properties *

$LLTReplicationValue = $DirectoryServicesNamingContext.”msDS-LogonTimeSyncInterval”

IF ($LLTReplicationValue -ge 1)
{ Write-Output “The msDS-LogonTimeSyncInterval attribute value on $DomainDNS was changed from the default value of 14 to $LLTReplicationValue which means the LastLogonTimeStamp attribute will replication about every $LLTReplicationValue days `r ” }
ELSE
{ Write-Output “The msDS-LogonTimeSyncInterval attribute value on $DomainDNS is configured with the default value of 14 (value is blank) `r ” }

When constructing a Powershell query for inactive users, I also check the PasswordLastSet value. As long as the LastLogonTimeStamp date is older than my threshold (say 365 days) AND the PasswordLastSet date is older than the domain required password, then I can be fairly certain the user is inactive.

Note that using the Powershell AD commandlets, there are additional automatically generated attributes that are most useful. One of these is the LastLogonDate which is the full date and time of the last logon instead of the Integer8 (64bit integer value) representation in the LastLogonTimeStamp attribute. The LastLogonTimeStamp value represents the number of 100-nanosecond intervals that occurred from January 1, 1601 until the time of user logon.  Before the Powershell commandlet, one would have to convert this number to the date/time format with which we are more familiar.

 Addtional information on LastLogon & LastLogonTimeStamp

Load more