HERVÉ SCHAUER CONSULTANTS

IT security consulting firm since 1989
Specialized in Unix, Windows, TCP/IP and Internet

Windows Security OSSIR group
13th September 2004

Active Directory network protocols and traffic
Jean-Baptiste Marchand <JeanBaptiste.Marchand@hsc.fr>

Agenda

Active Directory network protocols overview
Network traffic analysis with ethereal
Network traffic for each protocol
Active Directory typical scenarios
Other approaches
Conclusion
References

Copyright Hervé Schauer Consultants 2004. Reproduction prohibited.

Active Directory network protocols

Active Directory is based on network protocols:
Standardized: DNS, LDAP, Kerberos V, SNTP
Proprietary: SMB/CIFS, MSRPC
Use of Internet protocols, embraced and extended by Microsoft

Internet protocols: DNS

DNS
Specifications: many RFCs (http://www.dns.net/dnsrd/rfc/)
Name resolution service (replaces NetBIOS name resolution used in NT domains)
Dynamic DNS entries update: GSS-TSIG (RFC 3645)
Domain services localization: SRV DNS records

Internet protocols: LDAP

LDAP
Specifications: see RFC 3377
Active Directory is a directory that can be queried using LDAP
Specific SASL mechanism: GSS-SPNEGO
Windows systems also access Active Directory using MSRPC: samr and drsuapi RPC interfaces
Sensitive information is encrypted:
LDAP sessions using TCP port 389, encrypted using GSS-SPNEGO
Encrypted MSRPC operations (packet privacy)
LDAP does not include directory replication standardization: Active Directory replication uses MSRPC or SMTP
Ports 389 (TCP and UDP), 636 (LDAPS), 3268 and 3269 (AD Global Catalog)

Internet protocols: Kerberos V

Kerberos V
Network authentication protocol
Protocol defined at MIT then standardized at the IETF, widely used in Unix environments
Embraced and extended by Microsoft: RC4-HMAC cipher, TCP transport, PAC (Privilege Access Certificate), PKINIT, ...
Standard interfaces are implemented for compatibility but are not used by native Windows clients
Kerberos V has been integrated into Windows services using the SSPI layer
Example: kpasswd service (for password changing)
SPNEGO, for negotiation between different security packages (NTLM, Kerberos V, Schannel, ...)

Internet protocols: SNTP

SNTP
Simple Network Time Protocol, version 3 (RFC 1769)
Simplified version of the NTP protocol (RFC 1305)
same packet format, using UDP port 123
less precise than NTP (but enough for Kerberos V)
Synchronization packets are signed (usually ignored in SNTP): used to authenticate synchronization packets

Proprietary protocols: SMB/CIFS

SMB/CIFS
Windows domains resource sharing protocol (frequently confused with NetBIOS over TCP/IP)
Used for file and printer sharing
Also a possible transport for MSRPC: transport using named pipes (ncacn_np)
Active Directory prefers TCP/IP transport, as opposed to NT 4.0
SMB transport is still used when a machine is joined to a domain:
Group Policy: sysvol share (gpt.ini, registry.pol, *.adm, GptTmpl.inf files)
Connection scripts: netlogon share

Proprietary protocols: MSRPC

MSRPC
MS implementation of the DCE RPC standard
Active Directory domains are based on key RPC interfaces:
lsarpc: LSA access (Local Security Authority)
netlogon: network authentication service
samr: SAM access (NT 4.0 backward compatibility, works with Active Directory)
drsuapi: Active Directory access
Active Directory uses TCP transport for these RPC services:
Portmapper listening on TCP port 135
Default ports range for RPC services listening on TCP: 1025-5000 (default interval), to be modified with rpccfg
Reminder: NT 4.0 was based on RPC services over SMB, over NetBIOS over TCP/IP (TCP port 139)

Network authentication

Kerberos V is the network authentication protocol used in AD
Replaces NTLM
Supports mutual authentication
The aforementioned network protocols have been modified to support Kerberos:
SMB/CIFS sessions authentication
LDAP sessions authentication
MSRPC calls authentication
Dynamic DNS updates authentication
Kerberos V support was added using a negotiation protocol, SPNEGO (Simple Protected Negotiation Mechanism, RFC 2478)
Multiple errors in Microsoft SPNEGO implementation, leading to serious interoperability problems

Network traffic analysis: goals

Possible goals of network traffic analysis
Understanding Active Directory
Validating key mechanisms of Active Directory domains
Ex 1: Kerberos tickets renewal
Ex 2: Group Policy processing
Tracking anomalies

Network traffic analysis: methodology

Requires access to domain controllers network traffic, to capture network traffic
Requires a network analyzer supporting the aforementioned protocols
Recommended network analyzer: ethereal (http://www.ethereal.com/)
Free software, working on Unix and Windows
Support of multiple network protocols, including Windows oriented protocols (SMB/CIFS and MSRPC)
Support of Kerberos tickets decryption: on Unix with Heimdal (http://www.pdc.kth.se/heimdal/)

Network traffic typology

Network traffic typology overview
Examining observed protocols: ethereal Protocol Hierarchy function
Examining traffic typology: ethereal Conversations function
IPv4 conversations: conversations at the IP level
TCP, UDP conversations: (IP addresses, ports) (source and destination)

Protocol Hierarchy function (screenshot)

TCP conversations (screenshot)

UDP conversations (screenshot)

Network traffic filtering

Network traffic filtering
ethereal supports display filters
Most of ethereal dissectors give access to filterable fields, corresponding to data fields decoded in data frames
Displayed frames filtering can be specified using any filterable fields
"Apply as filter" and "Prepare a filter" functions

Display filters examples

Display filters for Active Directory protocols
smb: SMB sessions
ldap && udp: CLDAP traffic
ldap && tcp: LDAP traffic
dcerpc: MSRPC traffic
kerberos && udp: Kerberos exchanges (UDP port 88)
kerberos.msg.type == 10: AS-REQ Kerberos messages
smb && kerberos, ldap && kerberos, dcerpc && kerberos: Kerberos authentication frames inside SMB, LDAP and MSRPC (AP-REQ and AP-REP messages); equivalent to: kerberos && tcp

Kerberos authentication: SMB, MSRPC, LDAP (screenshot)

Typical scenarios

Typical scenarios
System join to an Active Directory domain
Domain member or domain controller startup
Machine account password change (every 30 days by default)
User authentication on a domain
Domain controllers replication
Group Policy applications
...

DNS and CLDAP traffic

DNS traffic
SRV records resolution: _service._protocol.DnsDomainName
Ex: _ldap._tcp.sitename._sites.dc._msdcs.domainname to locate a domain controller inside a given site
Site name is kept in cache (DynamicSiteName registry value)
CLDAP traffic
Obtaining the closest domain controller
DsGetDcName() API, implemented by a pseudo RPC call to Active Directory
ethereal display filter: ldap && udp
Documented in the "Locating Active Directory Servers" section of Windows 2000 Resource Kit documentation
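The SRV-based domain controller location described above, worked through as an added example (not code from the slides): it builds the site-specific and generic query names and orders constructed SRV answers by RFC 2782 priority and weight, which is what a client does before contacting a DC. The domain, site and record values are made up, and trying the site-specific name before the generic one is an assumption about client behaviour.

```python
"""Build the SRV names a Windows client resolves to find a domain controller
(the slide's _ldap._tcp.<site>._sites.dc._msdcs.<domain> form and the generic
_service._protocol.<domain> form) and order SRV answers by RFC 2782 priority and
weight.  Added example, not from the HSC slides; the SRV answers are constructed."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def dc_locator_names(domain, site=None, service="ldap", proto="tcp"):
    """Names to query: the site-specific one first when the cached site name
    (DynamicSiteName) is known, then the generic form.  That order is an
    assumption about the client, not something the slides state."""
    names = []
    if site:
        names.append(f"_{service}._{proto}.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_{service}._{proto}.{domain}")
    return names

def order_by_rfc2782(records, randint=random.randint):
    """Selection order for SRV answers: ascending priority, then weighted random
    choice within a priority.  Weight-0 records are placed first so they are
    chosen only when the random number is 0, as RFC 2782 requires."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def pick_targets(records, randint=random.randint):
    """Convenience: the (target, port) pairs in the order a client should try them."""
    return [(r.target, r.port) for r in order_by_rfc2782(records, randint)]

# Constructed answers for _ldap._tcp.Paris._sites.dc._msdcs.example.local
SAMPLE_ANSWERS = [
    SrvRecord(0, 100, 389, "dc1.example.local."),
    SrvRecord(0, 0, 389, "dc2.example.local."),    # weight 0: last within priority 0
    SrvRecord(10, 50, 389, "dc3.example.local."),  # higher value = lower priority
]
```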

DNS traffic: dynamic updates (1/2)

DNS dynamic updates
Implemented by the dhcp service (even if IP address is static)
"Register this connection's addresses in DNS" (enabled by default)
at machine startup with static IP address (A and PTR)
at each IP address change with dynamic IP address (DHCP): depends on DHCP server configuration (by default, only A record)
each 24 hours by default (DefaultRegistrationRefreshInterval registry value)
Default TTL of 20 minutes for updated records {A, PTR} (DefaultRegistrationTtl registry value)
manual registration: ipconfig /registerdns

DNS traffic: dynamic updates (2/2) (screenshot)

LDAP traffic

LDAP traffic
typically authenticated using the GSS-SPNEGO SASL mechanism
empty dn (distinguished name) in LDAP bind
starts with a request to obtain certain attributes of the RootDSE: SupportedSASLMechanisms, LdapServiceName
LDAP traffic can be encrypted
Examination of search parameters when traffic is unencrypted: BaseDN, scope, filters, attributes, ...
LDAP request errors: ldap.result.errormsg display filter

MSRPC traffic (1/2)

MSRPC traffic
RPC services localization over TCP/IP: endpoint mapper, TCP port 135 (epm)
Returns the TCP port on which a given RPC service is listening
map operation, unauthenticated
Local Security Authority access (lsa)
TCP port (typically 1025, must be set to a static port, as documented in MS KB #224196)
Kerberos authentication
Ex: LsarQueryInformationPolicy(2) operations
Active Directory access, using SAM RPC interface (samr)
Kerberos authentication, using same TCP port as LSA access
Ex: machine account creation on a DC for a new member server is implemented using the SamrCreateUser2InDomain operation

MSRPC traffic (2/2)

MSRPC traffic (cont.)
Authentication on the domain, using netlogon service (rpc_netlogon)
NetrServerReqChallenge and NetrServerAuthenticate3 operations
Same TCP port as LSA and SAM access
Active Directory access, using RPC (instead of LDAP)
drsuapi interface, using the same TCP port
DRSCrackNames operation (DrsBind and DrsUnbind), implementing the DsCrackNames() API
Encrypted traffic, currently not decoded by ethereal

Kerberos traffic

Kerberos traffic
Obtaining a TGT (Ticket Granting Ticket)
Startup of a domain member server
User authentication
AS-REQ (10) and AS-REP (11) messages
Obtaining service tickets
TGS-REQ (12) and TGS-REP (13) messages
Typical service names: host, ldap, cifs, dns, ...
Using service tickets
AP-REQ (14) and AP-REP (15) messages
Typically encapsulated inside SPNEGO

Active Directory Service Principal Names (SPN)

Service Principal Names
Kerberos authentication to Active Directory network services is implemented by requesting a ticket for a given service
A service is designated using an SPN (Service Principal Name)
servicePrincipalName attribute (case insensitive) in the User Active Directory object class
Also, sPNMappings attribute (list of equivalent SPNs to the host SPN)
On the wire
SPNs appear in TGS-REQ, TGS-REP and AS-REQ messages
A TGS-REP message can contain a different SPN from the one requested
Canonicalization option in Windows 2000
Returned SPN is similar to SERVER$
Canonicalization is disabled in Windows Server 2003

Registered SPN on an AD DC (screenshot)

Kerberos tickets of a domain user (Windows 2000) (screenshot)

Kerberos tickets of a domain user (Windows XP) (screenshot)

Kerberos tickets on a domain controller (1/2) (LOCAL SYSTEM logon session) (screenshot)

Kerberos tickets on a domain controller (2/2) (LOCAL SYSTEM logon session) (screenshot)

Kerberos traffic: errors

Kerberos traffic: common errors
KRB-ERROR (30) messages (kerberos.msg.type == 30)
KRB5KRB_AP_ERR_SKEW: time synchronization problem
KRB5KDC_ERR_PREAUTH_FAILED: preauthentication error (typically, incorrect password)
KRB5KRB_AP_ERR_TKT_EXPIRED: expired ticket, to be renewed
LSA keeps user passwords in cache and can request a new TGT, within a maximum limit of 7 days (Max. Lifetime for user ticket renewal)
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: principal not recognized by the KDC
Missing SPN (servicePrincipalName attribute) in an AD account?
Also when an IP address is used in a UNC path
NTLM authentication fallback
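As an added example (not code from the slides), a small Python parser that classifies raw Kerberos PDUs by their outer ASN.1 tag (the message types listed on the Kerberos traffic slide), handles the 4-byte length prefix of the TCP transport, and extracts the error-code from KRB-ERROR messages so the errors above can be triaged from a capture. Tag and error-code values follow RFC 4120; the sample PDUs are constructed by hand, not captured from a domain.

```python
"""Classify raw Kerberos V PDUs from port 88 and extract the error-code of KRB-ERROR
messages.  Added example, not from the HSC slides; the sample PDUs are hand-built."""
import struct
# Every Kerberos message is an ASN.1 [APPLICATION n] value: first byte 0x60 | msg-type
MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
             14: "AP-REQ", 15: "AP-REP", 30: "KRB-ERROR"}
# error-code values (RFC 4120 section 7.5.9) for the errors discussed on the slide
ERROR_CODES = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 24: "KDC_ERR_PREAUTH_FAILED",
               32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW"}

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(pdu, over_tcp=False):
    """Message type name; over TCP a 4-byte big-endian length precedes the DER."""
    if over_tcp:
        pdu = pdu[4:4 + struct.unpack(">I", pdu[:4])[0]]
    tag, _, _ = read_tlv(pdu, 0)
    if tag & 0xC0 != 0x40:                     # not APPLICATION class
        return "not-kerberos"
    return MSG_TYPES.get(tag & 0x1F, "unknown")

def krb_error_code(pdu):
    """(code, name) of a KRB-ERROR; error-code is context tag [6] of its SEQUENCE."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR")
    _, seq, _ = read_tlv(body, 0)              # the inner SEQUENCE (0x30)
    pos = 0
    while pos < len(seq):
        ctag, val, pos = read_tlv(seq, pos)
        if ctag == 0xA6:                       # [6] error-code wraps an INTEGER
            code = int.from_bytes(read_tlv(val, 0)[1], "big", signed=True)
            return code, ERROR_CODES.get(code, "other")
    raise ValueError("error-code field missing")

def der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed samples: only the fields the functions above read are meaningful
AS_REQ = der(0x6A, der(0x30, der(0xA1, der(0x02, b"\x05"))          # pvno 5
                     + der(0xA2, der(0x02, b"\x0A"))                 # msg-type 10
                     + der(0xA4, der(0x30, bytes(200)))))            # req-body padding
TCP_AS_REQ = struct.pack(">I", len(AS_REQ)) + AS_REQ                  # TCP framing
KRB_ERROR_SKEW = der(0x7E, der(0x30, der(0xA0, der(0x02, b"\x05"))   # pvno 5
                     + der(0xA1, der(0x02, b"\x1E"))                  # msg-type 30
                     + der(0xA6, der(0x02, b"\x25"))))                # error-code 37
```

Run over the payload of a frame matching the kerberos && udp or kerberos && tcp filters; AP-REQ messages wrapped in SPNEGO inside SMB, LDAP or MSRPC need the GSS-API token stripped first, which this example does not do.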

Kerberos tickets decryption (screenshot)

Active Directory replication

Active Directory replication
drsuapi MSRPC interface (one TCP port): "Restricting Active Directory Replication Traffic to a Specific Port" (MS KB #224196)
Between domain controllers:
DRSReplicaSync operation (drsuapi): used to notify a replication partner that updates are available for replication
DRSGetNCChanges operation (drsuapi): used to obtain updates for a given AD Naming Context
RPC connections to the drsuapi service are authenticated using a Kerberos ticket obtained for the following principal:
e3514235-4b06-11d1-ab04-00c04fc2dcd2 (drsuapi interface UUID)
Destination domain controller GUID
DNS domain name

FRS replication (File Replication Service)

FRS replication
frsrpc MSRPC interface (1 TCP port): "How to Restrict FRS Replication Traffic to a Specific Static Port" (MS KB #319553)
Between domain controllers:
FrsRpcStartPromotionParent operation at DC startup
FrsRpcSendCommPkt operation for updates replication

NTP traffic

NTP traffic
w32time service, started on domain member servers
NT5DS mode (by default), using AD hierarchy for time synchronization
NTP synchronization at startup, with a domain controller identified using CLDAP at system startup
Each 45 minutes (3 times), then each 8 hours
Synchronization mechanism
Client sends the RID of the machine account in the request, using the Key ID field
This RID was previously obtained in the response of the NetrServerAuthenticate3 operation
Timestamp is signed (message authentication code field)

Other approaches

Limitations of the network analysis approach
With encrypted traffic: LDAP and certain MSRPC operations
Traffic not properly dissected by the network analyzer
Typically with MSRPC, where RPC operations do not contain enough information to identify the DCERPC interface
ethereal "Decode As DCERPC" function
Other approaches
Correlation of network traces and logged events: Security and System event log of Windows systems
Diagnostic tools on servers
Ex: NTDS object statistics using the System Monitor tool (perfmon.msc)
Ex: tools to examine Kerberos tickets cache

Conclusion

A good understanding of the aforementioned protocols is needed to deploy Active Directory
Network analysis is one of the possible ways to obtain this understanding
Looking at these protocols on the wire, in a real environment, is a good complement to reading technical white papers
Network analysis can also be used to diagnose anomalies, when diagnostic tools or log files are not enough...
ethereal is a tool of choice to analyse network traces obtained in Active Directory environments

References: network traffic

Network traffic in Windows environments
Windows 2000 Startup and Logon Traffic Analysis
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx
Network Ports Used by Key Microsoft Server Products
http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/ref_net_ports_ms_prod.mspx
Using Windows {XP SP1, 2000 SP4, Server 2003} in a Managed Environment
http://go.microsoft.com/fwlink/?LinkId={22607,22608,22609}

References: DNS

DNS implementation in Active Directory
Windows 2000 DNS White Paper
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
RFC 3645: Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)

References: Kerberos

Protocol
draft-ietf-krb-wg-kerberos-clarifications-08.txt: RFC 1510 update (original specification of Kerberos V)
http://kerberos.info/
Documents
Troubleshooting Kerberos Errors (Microsoft)
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
Tools
klist, kerbtray (Microsoft)
tktview: http://msdn.microsoft.com/msdnmag/issues/0500/security/
leash32: http://web.mit.edu/kerberos/

References: LDAP

LDAP and CLDAP
Active Directory Domain Controller Location Service (Anthony Liguori, Samba team)
http://oss.software.ibm.com/linux/presentations/samba/cifs2003/Liguorifinal.pdf
Active Directory LDAP schema (Windows 2000, Windows Server 2003 and ADAM)
http://msdn.microsoft.com/library/en-us/adschema/adschema/active_directory_schema.asp
Active Directory LDAP compliance (Microsoft)
http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx
CLDAP description (Connectionless LDAP)

References: SMB/CIFS and MSRPC

Reference book on SMB/CIFS
Implementing CIFS: http://www.ubiqx.org/cifs/
MSRPC
Windows network services internals: http://www.hsc.fr/ressources/articles/win_net_srv/
MSRPC architecture & related security problems: http://www.xfocus.net/projects/Xcon/2003/Xcon2003_kkqq.pdf
Testing MSRPC (Andrew Tridgell, Samba Team): http://samba.org/ftp/samba/slides/tridge_cifs04.pdf
Microsoft Windows RPC Security Vulnerabilities: http://conference.hackinthebox.org/materials/lsd/

References: SNTP

Microsoft references
The Windows Time Service
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/operate/wintime.mspx
Basic Operation of the Windows Time Service (MS KB #224799)
Windows Time Service Tools and Settings (Windows Server 2003 Technical Reference)
Using Windows XP Professional with Service Pack 1 in a Managed Environment (Windows Time Service)
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpmanaged/27_xpwts.mspx
Security aspects of time synchronization infrastructure
http://www.security.nnov.ru/advisories/timesync.asp

Greetings

Emmanuel Le Chevoir and Fabien Dupont
ethereal developers community