Shulou(Shulou.com)05/31 Report--

This article analyzes "how to use the hunting intranet information reconnaissance tool Goddi". The content is detailed and easy to understand. Friends who are interested in "how to use the hunting intranet information reconnaissance tool Goddi" can follow the editor's train of thought to read it slowly and deeply. I hope it will be helpful to everyone after reading. Let's follow the editor to learn more about "how to use Goddi, a hunting intranet information reconnaissance tool."

Goddi

Goddi is a tool written by NetSPI in the Go language that helps collect Active Directory domain information and is considered an alternative to several other common tools such as BloodHound, ADInfo, PowerSploit, and windapsearch.

Goddi relies on a series of custom LDAP queries for domain controls to obtain information. In addition, encrypted communication with domain control is supported through StartTLS on TCP/389. Goodi can retrieve the following types of information:

Domain user

Users of privileged user groups

Users whose password is not set to expire

Users who are locked or disabled

Users with passwords longer than 45 days

Domain computer

Domain control

Trusted domain relationship

SPN

Domain group

Domain organizational unit

Domain account policy

Domain delegated user

Domain Group Policy object (GPO)

Technical analysis

By default, Windows domain controls support basic LDAP operations. As long as you have a valid domain account, you can execute a LDAP query through TCP/389 to enumerate.

Goddi is very easy to use. The following figure shows how to make an enumeration attempt:

What about the situation in network traffic? Capturing network traffic, you can see that Goddi is using LDAP queries. In general, we see a lot of LDAP searchRequest messages, including specific protocol data units (PDU) based on the type of data to be queried.

For example, enumerate the list of computers in the domain and extract some properties for each computer, as follows:

Parsing the traffic in Wireshark shows the filter and attributes of LDAP:

It is also convenient to use tshark. For example, use tshark to extract LDAP searchRequest requests sent to domain control queries.

Detection model

Parse the LDAP query in the traffic and provide an abstraction layer to obtain the record type. When such reconnaissance behavior (MITRE ATT&CK ID:T1087, T1018, T1082, T1016, T1033) is found in AWAKE, it is as follows:

The visualization clearly shows that the source Windows device is trying to query the list of operating systems and workstations of the target computer.

Suggestion

Because of the universality of reconnaissance behavior, it is very difficult to detect reconnaissance behavior. Teams can take the time to classify reconnaissance activities and normal domain activities, such as based on frequency, time range, requesting entity, and other suspicious behavior from that entity.

From a defense point of view, it is recommended to tighten the ACL and permissions of domain control. Unfortunately, many legitimate tools and services also depend on this.

About the hunting intranet information reconnaissance tool Goddi how to share here, I hope the above content can make you improve. If you want to learn more knowledge, please pay more attention to the editor's updates. Thank you for following the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.