2025-03-31 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article explains how to use Goddi, an intranet information reconnaissance tool, and how its activity can be hunted in network traffic. The content is detailed and easy to follow; readers interested in Goddi can work through it step by step.
Goddi
Goddi is a tool written by NetSPI in Go that collects Active Directory domain information. It is considered an alternative to several other common tools such as BloodHound, ADInfo, PowerSploit, and windapsearch.
Goddi relies on a series of custom LDAP queries against domain controllers to obtain its information. Encrypted communication with the domain controller is also supported via StartTLS on TCP/389. Goddi can retrieve the following types of information:
Domain users
Members of privileged user groups
Users whose passwords are set never to expire
Users who are locked out or disabled
Users whose passwords are more than 45 days old
Domain computers
Domain controllers
Trusted domain relationships
Service principal names (SPNs)
Domain groups
Domain organizational units
Domain account policy
Domain delegated users
Domain Group Policy objects (GPOs)
Technical analysis
By default, Windows domain controllers support basic LDAP operations. Any valid domain account can issue LDAP queries over TCP/389 and enumerate the domain.
Goddi is very easy to use. The following figure shows an enumeration attempt:
What does this look like in network traffic? Capturing the traffic shows that Goddi is using LDAP queries. In general, we see many LDAP searchRequest messages, each carrying a protocol data unit (PDU) specific to the type of data being queried.
For example, enumerate the list of computers in the domain and extract some properties for each computer, as follows:
Parsing the traffic in Wireshark shows the LDAP filter and the requested attributes:
tshark is also convenient; for example, it can be used to extract the LDAP searchRequest messages sent to the domain controller.
Detection model
The detection model parses the LDAP queries in the traffic and adds an abstraction layer that maps each query to the type of record it requests. When such reconnaissance behavior (MITRE ATT&CK IDs T1087, T1018, T1082, T1016, T1033) is detected in AWAKE, it appears as follows:
The visualization clearly shows that the source Windows device is querying the operating system and workstation attributes of the target computers.
Suggestion
Because reconnaissance queries look like ordinary domain activity, they are very difficult to detect. Teams can take the time to separate reconnaissance from normal domain activity, for example by frequency, time window, requesting entity, and other suspicious behavior from that entity.
From a defensive point of view, it is recommended to tighten the ACLs and permissions on domain controllers. Unfortunately, many legitimate tools and services also depend on the default permissions.
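The following is an added example, not code from the article, NetSPI or AWAKE, of the detection model described above: it parses LDAP searchRequest records, abstracts each one into the record type it requests (the categories Goddi collects), tags the record with the ATT&CK technique IDs the article cites where the mapping is unambiguous, and then scores each requesting host by how many distinct reconnaissance categories it issues inside a time window, which is the frequency/time-range/requesting-entity triage the suggestion section recommends. The input shape (tab-separated tshark field output) and the field names are assumptions, the sample lines are constructed, and the LDAP filters are generic Active Directory patterns rather than Goddi's exact queries.

```python
"""LDAP reconnaissance detection sketch (added example, not the article's code).

Assumed input: one line per LDAP searchRequest, tab-separated, in the shape of
(assumption) the following tshark invocation:
    tshark -r capture.pcap -Y 'ldap.protocolOp == 3' -T fields \
        -e frame.time_epoch -e ip.src -e ip.dst -e ldap.baseObject \
        -e ldap.filter -e ldap.AttributeDescription
"""
import re
from collections import defaultdict

# CONSTRUCTED sample records: 10.0.0.25 sweeps six record types in six seconds,
# 10.0.0.40 performs a single targeted lookup. Filters are generic AD patterns.
SAMPLE_LINES = """\
1700000000.10\t10.0.0.25\t10.0.0.5\tDC=corp,DC=local\t(objectClass=computer)\toperatingSystem,dNSHostName
1700000001.20\t10.0.0.25\t10.0.0.5\tDC=corp,DC=local\t(&(objectClass=user)(objectCategory=person))\tsAMAccountName,userAccountControl
1700000002.30\t10.0.0.25\t10.0.0.5\tDC=corp,DC=local\t(userAccountControl:1.2.840.113556.1.4.803:=8192)\tdNSHostName
1700000003.40\t10.0.0.25\t10.0.0.5\tCN=System,DC=corp,DC=local\t(objectClass=trustedDomain)\tname,trustDirection
1700000004.50\t10.0.0.25\t10.0.0.5\tDC=corp,DC=local\t(servicePrincipalName=*)\tservicePrincipalName
1700000005.60\t10.0.0.25\t10.0.0.5\tCN=Policies,CN=System,DC=corp,DC=local\t(objectClass=groupPolicyContainer)\tdisplayName,gPCFileSysPath
1700000100.00\t10.0.0.40\t10.0.0.5\tDC=corp,DC=local\t(sAMAccountName=jsmith)\tmail
"""

# Abstraction layer: regex over the lower-cased filter -> (record type, ATT&CK id).
# Only the technique IDs the article cites are used; types whose mapping is not
# obvious from the article keep None. Order matters: the domain-controller rule
# (SERVER_TRUST_ACCOUNT bit) must precede the generic computer rule.
RULES = [
    (re.compile(r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=8192"), "domain_controllers", "T1018"),
    (re.compile(r"objectclass=computer"), "domain_computers", "T1018"),
    (re.compile(r"objectclass=user|samaccounttype=805306368"), "domain_users", "T1087"),
    (re.compile(r"objectclass=group\)"), "domain_groups", "T1087"),
    (re.compile(r"objectclass=trusteddomain"), "trusts", None),
    (re.compile(r"serviceprincipalname=\*"), "spns", None),
    (re.compile(r"objectclass=grouppolicycontainer"), "gpos", None),
    (re.compile(r"objectclass=organizationalunit"), "ous", None),
]


def classify(filter_str, attributes):
    """Map one searchRequest to a record type and the technique IDs it suggests."""
    f = filter_str.lower()
    for rx, rtype, technique in RULES:
        if rx.search(f):
            techniques = {technique} if technique else set()
            # Asking for operatingSystem is the system-information signal the
            # article's visualization highlights.
            if "operatingsystem" in attributes.lower():
                techniques.add("T1082")
            return rtype, techniques
    # A filter naming a single object is ordinary directory use, not a sweep.
    return "targeted_lookup", set()


def parse_records(text):
    """Turn tab-separated tshark field lines into classified record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, base, flt, attrs = (line.split("\t") + [""] * 6)[:6]
        rtype, techs = classify(flt, attrs)
        records.append({"ts": float(ts), "src": src, "dst": dst, "base": base,
                        "filter": flt, "type": rtype, "techniques": techs})
    return records


def score_sources(records, window_s=60.0, min_categories=3):
    """Per requesting host, slide a window over its queries and report the largest
    set of distinct reconnaissance record types seen inside any one window."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, best_techs = set(), set()
        for i, start in enumerate(recs):
            types, techs = set(), set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window_s:
                    break
                if r["type"] != "targeted_lookup":
                    types.add(r["type"])
                    techs |= r["techniques"]
            if len(types) > len(best):
                best, best_techs = types, techs
        findings[src] = {"categories": sorted(best), "techniques": sorted(best_techs),
                         "flagged": len(best) >= min_categories}
    return findings


if __name__ == "__main__":
    for src, f in score_sources(parse_records(SAMPLE_LINES)).items():
        print(src, "FLAGGED" if f["flagged"] else "ok", f["categories"], f["techniques"])
```

The threshold of three distinct categories inside sixty seconds is a starting point, not a tuned value; in a real environment the per-host baseline (which hosts normally issue which record types, and how often) is what separates a management server's scheduled enumeration from a workstation that suddenly sweeps computers, users, controllers, trusts, SPNs and GPOs in one go.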
That concludes this look at Goddi, the intranet information reconnaissance tool, and how to hunt for it. I hope the content above is useful; follow the editor's updates to learn more.