Category: Technical Reference

Using PowerShell to Perform a Reverse DNS Lookup in Active Directory

Typically, one would use ping -a to get the hostname for a specific IP address which performs a DNS reverse lookup. Querying AD for a computer with an IP works great for computers joined to the Active Directory domain since most computers in AD have the IP Address configured on the computer account. When the …

Continue reading

Black Hat USA 2014 Presentation: Investigating PowerShell Attacks

Black Hat USA 2014 Presentation: Investigating PowerShell Attacks This is an excellent presentation and I highly recommend anyone who is an admin or who is responsible for AD security. Investigating PowerShell Attacks Ryan Kazanciyan Technical Director, Mandiant Matt Hastings Consultant, Mandiant Over the past two years, we’ve seen targeted attackers increasingly utilize PowerShell to conduct …

Continue reading

Azure & Active Directory

  Azure is big. It’s really big. Seriously, it’s hard to comprehend just how big it really is. (Apologies to Douglas Adams.) In July of last year, then-CEO Steve Ballmer stated that Azure data centers held “comfortably over a million physical servers.” Last year, Azure server purchases accounted for 17% of all server purchases worldwide. …

Continue reading

PowerShell: ADSI and Case Sensitivity

In developing a custom PowerShell script which leveraged ADSI, I noticed that the script wasn’t working properly. Here’s a sample block of the script which uses ADSI to get changes made to ExtensionAttribute11 as part of an Active Directory Convergence test script: 1 2 3 4 $ADSITarget = [ADSI]”LDAP://$DC” $Searcher = New-Object DirectoryServices.DirectorySearcher($ADSITarget,”(sAMAccountName=$ConvergenceObject)”) $ConvergenceObjectData = …

Continue reading

Azure Active Directory Stats

  Over 2.9 Million Organizations are using Azure Active Directory More than 10 Billion Authentications per week Azure Active Directory is spread out across 14 data centers Contains more than 240 million user accounts Organizations using Azure Active Directory across 127 countries Supports over 1400 integrated third-party apps Azure AD Statistics

LOL! Lingering Object Liquidator for Active Directory

Microsoft released the LOL GUI tool for removing Active Directory lingering objects. Historically, removing lingering objects from AD had been a painful process. Note that LOL is not a straightforward download. Follow the following steps to download: Log on to the Microsoft Connect site (using the Sign in) link with a Microsoft account:: http://connect.microsoft.com Note: …

Continue reading

PowerShell Code: Active Directory Domain Controller Discovery

There are several different ways to find AD Domain Controllers (DCs). Here are a few: AD PowerShell Module: Discover the closest Domain Controller running the AD web services (support PowerShell AD cmdlets): import-module activedirectory Get-ADDomainController -discover -forcediscover -nextclosestsite -service ADWS discover – find a DC forcediscover – re-discover a DC and not use a cached …

Continue reading

Read-Only Domain Controller (RODC) Information

The RODC is one of the most interesting new features of Windows Server 2008. RODCs provide the following: Read-only Active Directory Database – Read-only copy of Active Directory provides a more secure option for distant locations such as a branch office. Changes attempted against the RODC are referred to the next upstream DC. Read-only DNS Server …

Continue reading

Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names

I wrote a lengthy post on Kerberos earlier which describes the Kerberos protocol as well as how Active Directory leverages Kerberos. There are several interesting Active Directory components useful to the pentester. The one I cover here relates to how Kerberos works, specifically Service Principal Names. As I mentioned in my Kerberos post, Service Principal Names …

Continue reading

Kerberos, Active Directory’s Secret Decoder Ring

Kerberos Overview Kerberos is a protocol with roots in MIT named after the three-headed dog, Cerberus. Named because there are 3 parties: the client, the resource server, and a 3rd party (the Key Distribution Center, KDC). Kerberos can be a difficult authentication protocol to describe, so I will attempt to simplify it as best as …

Continue reading