How to enumerate active directories using ADSI interface and reflective DLL

2025-04-09 Update, from SLTechnology News&Howtos (Development)


Shulou(Shulou.com)06/02 Report--

This article shows how to use the ADSI interface and a reflective DLL to enumerate Active Directory. The content is meant to be easy to follow; the editor walks through the technique step by step.

C/C++

If you use traditional PowerShell or C# tooling, you may need to drop the script or assembly onto the disk of the target device, where a security product can detect it. With C#, Assembly.Load lets us load a tool directly into memory, and C/C++ can achieve something similar: a compiled C/C++ program can be loaded reflectively into the memory of the target process without ever touching disk. Here are some popular methods:

1. DonutPE loader (Resources)

2. Reflective DLL injection (original version) (improved version)

3. Shellcode reflective DLL injection

Active Directory Service Interface (ADSI)

All right, let's get back to the point: how to enumerate Active Directory. We want to enumerate AD information without triggering AMSI and without leaving obvious event log entries on the host (short of falsifying the event log contents afterwards, which is not what we want). To interface with Active Directory and enumerate its object properties, we use the Active Directory Service Interfaces (ADSI). Note that the LDAP queries themselves still reach the domain controller, so they remain visible there if LDAP query logging (Directory Service event 1644) or network monitoring is enabled; what this approach avoids is the PowerShell script block logging and AMSI scanning on the client.

Active Directory Service Interfaces (ADSI) introduction

ADSI, the Active Directory Service Interfaces, is a Microsoft technology that unifies the programming interfaces of several underlying directory services (for example the LDAP and WinNT providers), so that programmers can use one consistent object model to access them. ADSI abstracts the parts these services have in common and isolates the provider-specific parts: programs access the common parts through a uniform interface and can still reach the proprietary parts of a given provider. Because ADSI is a set of COM interfaces that can be used to access directory service functionality from different network providers, independent software vendors and developers can use it to directory-enable their products and applications.

Very good. So we will focus on building our own Active Directory enumeration tool in C/C++. We don't need to reinvent the wheel here, because Microsoft's GitHub samples repository already provides a good reference example, QueryUsers, which we can use as the base for our own client.

QueryUsers

QueryUsers: [GitHub Portal]

QueryUsers queries a domain partition of Active Directory for user objects that match a caller-supplied filter. The tool uses the IDirectorySearch interface to perform the search.

With the help of QueryUsers, we can search for a specific user or all users and return all attributes that identify the user. How QueryUsers works is as follows:

1. ADSI is built on COM, so the program first initializes COM with CoInitialize().

2. It binds to LDAP://rootDSE with ADsOpenObject() to collect information about the directory, and uses the returned IADs COM object to read the defaultNamingContext attribute.

3. With the defaultNamingContext in hand, it calls ADsOpenObject() again to bind to the domain container, this time requesting the IDirectorySearch COM interface, which is used to query and search the directory.

4. When FindUsers() is called, it builds an LDAP filter from its parameter and the template "(&(objectClass=user)(objectCategory=person)%s)". If we pass the search filter "(sAMAccountName=Administrator)" to the program, the resulting LDAP filter is "(&(objectClass=user)(objectCategory=person)(sAMAccountName=Administrator))".

5. An ADS_SEARCHPREF_INFO structure sets the search preferences (for example the search scope).

6. ExecuteSearch() is called on the IDirectorySearch object and returns all results matching the LDAP filter.

7. Finally, GetFirstRow(), GetNextColumnName(), GetColumn() and GetNextRow() iterate over the result set and the selected user attributes are printed.
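The seven steps above, carried through as one program. This is an added example written for this page, not code from the article, from QueryUsers or from Recon-AD. It also adds something the template on its own does not have: because FindUsers() splices the caller's text into the filter with a plain "%s", a value containing "*", "(", ")" or "\" changes the meaning of the filter instead of being matched literally, so the example escapes the account name per RFC 4515 before building the clause. The ADSI part compiles only on Windows (link against activeds.lib and adsiid.lib); on other platforms only the filter-building functions are compiled. It assumes the current logon token can read the directory, which is what ADsOpenObject uses when no credentials are supplied.

```cpp
// Added example (not from the article, QueryUsers or Recon-AD): the IDirectorySearch
// procedure from the text plus RFC 4515 escaping for the value spliced into the
// "(&(objectClass=user)(objectCategory=person)%s)" template.
#include <string>
#include <cstdio>

// Escape one attribute value for use inside an LDAP search filter (RFC 4515, section 3).
// '*', '(', ')', '\' and NUL would otherwise alter the filter; non-printable and
// non-ASCII bytes are hex-escaped too, so the result is always plain ASCII.
std::string ldapEscape(const std::string& value) {
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : value) {
        bool special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (special || c < 0x20 || c > 0x7e) {
            out += '\\';
            out += hex[c >> 4];
            out += hex[c & 0x0f];
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Same template QueryUsers uses in FindUsers(): an extra clause AND-ed onto the
// "user object" base filter. An empty clause matches every user object.
std::string buildUserFilter(const std::string& extraClause) {
    return "(&(objectClass=user)(objectCategory=person)" + extraClause + ")";
}

// Clause for a single account, with the name escaped rather than pasted in raw.
std::string samAccountClause(const std::string& samAccountName) {
    return "(sAMAccountName=" + ldapEscape(samAccountName) + ")";
}

#ifdef _WIN32
#include <windows.h>
#include <activeds.h>
#pragma comment(lib, "activeds.lib")
#pragma comment(lib, "adsiid.lib")

// Steps 1-7: init COM, bind rootDSE, read defaultNamingContext, bind the domain as
// IDirectorySearch, run a subtree search, print string attributes of each row.
// Returns the number of rows returned, or -1 on failure.
long enumerateUsers(const std::string& filter) {           // filter must be ASCII (see ldapEscape)
    if (FAILED(CoInitialize(NULL))) return -1;             // step 1
    long rows = -1;
    IADs* rootDse = NULL;
    IDirectorySearch* search = NULL;
    VARIANT dnc; VariantInit(&dnc);
    BSTR attr = SysAllocString(L"defaultNamingContext");
    if (SUCCEEDED(ADsOpenObject(L"LDAP://rootDSE", NULL, NULL, ADS_SECURE_AUTHENTICATION,
                                IID_IADs, (void**)&rootDse)) &&
        SUCCEEDED(rootDse->Get(attr, &dnc))) {            // step 2
        std::wstring path = std::wstring(L"LDAP://") + dnc.bstrVal;
        if (SUCCEEDED(ADsOpenObject(path.c_str(), NULL, NULL, ADS_SECURE_AUTHENTICATION,
                                    IID_IDirectorySearch, (void**)&search))) {   // step 3
            ADS_SEARCHPREF_INFO pref;                      // step 5: whole subtree
            pref.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
            pref.vValue.dwType = ADSTYPE_INTEGER;
            pref.vValue.Integer = ADS_SCOPE_SUBTREE;
            search->SetSearchPreference(&pref, 1);
            std::wstring wfilter(filter.begin(), filter.end());
            ADS_SEARCH_HANDLE h = NULL;                    // NULL/-1 = return all attributes
            if (SUCCEEDED(search->ExecuteSearch(&wfilter[0], NULL, (DWORD)-1, &h))) {  // step 6
                rows = 0;                                  // step 7: rows, then columns per row
                for (HRESULT hr = search->GetFirstRow(h); hr == S_OK; hr = search->GetNextRow(h)) {
                    ++rows;
                    LPWSTR col = NULL;
                    while (search->GetNextColumnName(h, &col) == S_OK) {
                        ADS_SEARCH_COLUMN c;
                        if (SUCCEEDED(search->GetColumn(h, col, &c))) {
                            for (DWORD i = 0; i < c.dwNumValues; ++i)  // string types only here
                                if (c.dwADsType == ADSTYPE_CASE_IGNORE_STRING || c.dwADsType == ADSTYPE_DN_STRING)
                                    wprintf(L"%ls: %ls\n", col, c.pADsValues[i].CaseIgnoreString);
                            search->FreeColumn(&c);
                        }
                        FreeADsMem(col);
                    }
                    wprintf(L"----\n");
                }
                search->CloseSearchHandle(h);
            }
        }
    }
    SysFreeString(attr);
    VariantClear(&dnc);
    if (search) search->Release();
    if (rootDse) rootDse->Release();
    CoUninitialize();
    return rows;
}

int main(int argc, char** argv) {
    // Usage: querydemo [sAMAccountName]; with no argument every user object is listed.
    std::string f = buildUserFilter(argc > 1 ? samAccountClause(argv[1]) : "");
    printf("filter: %s\n", f.c_str());
    return enumerateUsers(f) < 0 ? 1 : 0;
}
#endif
```

Only string-typed attributes are printed; integers, large integers (pwdLastSet, lastLogon) and octet strings (objectSid, objectGUID) live in other members of the ADSVALUE union and need per-type handling, which is exactly the work a tool such as Recon-AD adds on top of this skeleton.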

Integrated into the commonly used C2 framework & PoC

Cobalt Strike offers a variety of options for code and DLL injection and embeds a powerful scripting language (Aggressor Script), so developers can extend Cobalt Strike's functionality according to their own needs.

To verify the feasibility of this technique, we developed an Active Directory enumeration tool based on ADSI and a reflective DLL that can be used directly from Cobalt Strike. Our PoC tool is called Recon-AD; it currently consists of a reflective DLL and a corresponding Aggressor Script.

Its main functions are as follows:

1. Recon-AD-Domain: query domain information (including domain name, GUID, site name, password policy, domain control list, etc.)

2. Recon-AD-Users: query user objects and corresponding attributes

3. Recon-AD-Groups: query group objects and corresponding attributes

4. Recon-AD-Computers: query computer objects and corresponding properties

5. Recon-AD-SPNs: query user objects that have a service principal name (SPN) configured and display their useful attributes

6. Recon-AD-AllLocalGroups: query all local groups and group members on the computer

7. Recon-AD-LocalGroups: query specific local groups and group members on the computer (default Administrators group)

Researchers can download Recon-AD from the project's GitHub repository and load the corresponding script in Cobalt Strike to use it.

Screenshot of tool running

Use Recon-AD-Domain to display domain information for the domain the local machine belongs to:

Use the Recon-AD-Groups Domain Admins command to enumerate the attribute information for the domain administrators group:

Use the Recon-AD-Users username command to output the attribute information for the specified user:
