
Hervé Schauer Consultants

Information security consulting firm since 1989
Specialised in Unix, Windows, TCP/IP and the Internet

Windows Security OSSIR group
13th September 2004

Active Directory network protocols and traffic
Jean-Baptiste Marchand

<[email protected]>

Agenda

- Active Directory network protocols overview
- Network traffic analysis with ethereal
- Network traffic for each protocol
- Active Directory typical scenarios
- Other approaches
- Conclusion
- References

Copyright Hervé Schauer Consultants 2004, reproduction prohibited

Active Directory network protocols

- Active Directory is based on network protocols
  - Standardized: DNS, LDAP, Kerberos V, SNTP
  - Proprietary: SMB/CIFS, MSRPC
- Use of Internet protocols, embraced and extended by Microsoft

Internet protocols: DNS

- DNS
  - Specifications: many RFCs
    http://www.dns.net/dnsrd/rfc/
  - Name resolution service (replaces NetBIOS name resolution used in NT domains)
  - Dynamic DNS entries update
    - GSS-TSIG (RFC 3645)
  - Domain services localization
    - SRV DNS records

Internet protocols: LDAP

- LDAP
  - Specifications: see RFC 3377
  - Ports 389 (TCP and UDP), 636 (LDAPS), 3268 and 3269 (AD Global Catalog)
- Active Directory is a directory that can be queried using LDAP
  - Specific SASL mechanism: GSS-SPNEGO
- Windows systems also access Active Directory using MSRPC
  - samr and drsuapi RPC interfaces
- Sensitive information is encrypted
  - LDAP sessions using TCP port 389, encrypted using GSS-SPNEGO
  - Encrypted MSRPC operations (packet privacy)
- LDAP does not include directory replication standardization
  - Active Directory replication uses MSRPC or SMTP

Internet protocols: Kerberos V

- Kerberos V
  - Network authentication protocol
  - Protocol defined at MIT, then standardized at the IETF; widely used in Unix environments
  - Embraced and extended by Microsoft
    - RC4-HMAC cipher, TCP transport, PAC (Privilege Access Certificate), PKINIT, ...
    - Standard interfaces are implemented for compatibility but are not used by native Windows clients
  - Kerberos V has been integrated into Windows services using the SSPI layer
    - Example: kpasswd service (for password changing)
    - SPNEGO, for negotiation between different security packages (NTLM, Kerberos V, Schannel, ...)

Internet protocols: SNTP

- SNTP
  - Simple Network Time Protocol, version 3 (RFC 1769)
  - Simplified version of the NTP protocol (RFC 1305)
    - same packet format, using UDP port 123
    - less precise than NTP (but enough for Kerberos V)
  - Synchronization packets are signed
    - usually ignored in SNTP
    - used to authenticate synchronization packets

Proprietary protocols: SMB/CIFS

- SMB/CIFS
  - Windows domains resource sharing protocol
  - Frequently confused with NetBIOS over TCP/IP
  - Used for file and printer sharing
  - Also a possible transport for MSRPC
    - Transport using named pipes (ncacn_np)
    - Active Directory prefers TCP/IP transport, as opposed to NT 4.0
  - SMB transport is still used when a machine is joined to a domain
    - Group Policy: sysvol share
      - gpt.ini, registry.pol, *.adm, GptTmpl.inf files
    - Logon scripts: netlogon share

Proprietary protocols: MSRPC

- MSRPC
  - MS implementation of the DCE RPC standard
  - Active Directory domains are based on key RPC interfaces:
    - lsarpc: LSA access (Local Security Authority)
    - netlogon: network authentication service
    - samr: SAM access (NT 4.0 backward compatibility, works with Active Directory)
    - drsuapi: Active Directory access
  - Active Directory uses TCP transport for these RPC services
    - Portmapper listening on TCP port 135
    - Default ports range for RPC services listening on TCP: 1025-5000 (default interval), to be modified with rpccfg
  - Reminder: NT 4.0 was based on RPC services over SMB, over NetBIOS over TCP/IP (TCP port 139)

Network authentication

- Kerberos V is the network authentication protocol used in AD
  - Replaces NTLM
  - Supports mutual authentication
- The aforementioned network protocols have been modified to support Kerberos
  - SMB/CIFS sessions authentication
  - LDAP sessions authentication
  - MSRPC calls authentication
  - Dynamic DNS updates authentication
- Kerberos V support was added using a negotiation protocol, SPNEGO (Simple Protected Negotiation Mechanism, RFC 2478)
  - Multiple errors in the Microsoft SPNEGO implementation, leading to serious interoperability problems

Network traffic analysis: goals

- Possible goals of network traffic analysis
  - Understanding Active Directory
  - Validating key mechanisms of Active Directory domains
    - Ex 1: Kerberos tickets renewal
    - Ex 2: Group Policy processing
  - Tracking anomalies

Network traffic analysis: methodology

- Requires access to domain controllers network traffic
  - To capture network traffic
- Requires a network analyzer supporting the aforementioned protocols
- Recommended network analyzer: ethereal
  http://www.ethereal.com/
  - Free software, working on Unix and Windows
  - Support of multiple network protocols, including Windows-oriented protocols (SMB/CIFS and MSRPC)
  - Support of Kerberos tickets decryption
    - On Unix with Heimdal (http://www.pdc.kth.se/heimdal/)

Network traffic typology

- Network traffic typology overview
  - Examining observed protocols
    - ethereal Protocol Hierarchy function
  - Examining traffic typology
    - ethereal Conversations function
      - IPv4 conversations: conversations at the IP level
      - TCP, UDP conversations: (IP addresses, ports) (source and destination)

Protocol Hierarchy function
(screenshot)

TCP conversations
(screenshot)

UDP conversations
(screenshot)

Network traffic filtering

- ethereal supports display filters
  - Most ethereal dissectors give access to filterable fields, corresponding to data fields decoded in data frames
- Displayed frames filtering can be specified using any filterable fields
  - Apply as filter and Prepare a filter functions

Display filters examples

- Display filters for Active Directory protocols
  - smb: SMB sessions
  - ldap && udp: CLDAP traffic
  - ldap && tcp: LDAP traffic
  - dcerpc: MSRPC traffic
  - kerberos && udp: Kerberos exchanges (UDP port 88)
  - kerberos.msg.type == 10: AS-REQ Kerberos messages
  - smb && kerberos, ldap && kerberos, dcerpc && kerberos: Kerberos authentication frames inside SMB, LDAP and MSRPC (AP-REQ and AP-REP messages)
    - Equivalent to: kerberos && tcp

Kerberos authentication: SMB, MSRPC, LDAP
(screenshot)

Typical scenarios

- Typical scenarios
  - System join to an Active Directory domain
  - Domain member or domain controller startup
  - Machine account password change
    - Every 30 days by default
  - User authentication on a domain
  - Domain controllers replication
  - Group Policy application
  - ...

DNS and CLDAP traffic

- DNS traffic
  - SRV records resolution
    - _service._protocol.DnsDomainName
    - Ex: _ldap._tcp.sitename._sites.dc._msdcs.domainname to locate a domain controller inside a given site
      - Site name is kept in cache (DynamicSiteName registry value)
- CLDAP traffic
  - Obtaining the closest domain controller
    - DsGetDcName() API, implemented by a pseudo RPC call to Active Directory
    - ethereal display filter: ldap && udp
  - Documented in the Locating Active Directory Servers section of the Windows 2000 Resource Kit documentation

DNS traffic: dynamic updates (1/2)

- DNS dynamic updates
  - Implemented by the dhcp service (even if the IP address is static)
  - "Register this connection's addresses in DNS" (enabled by default)
  - At machine startup with a static IP address (A and PTR)
  - At each IP address change with a dynamic IP address (DHCP)
    - Depends on DHCP server configuration (by default, only the A record)
  - Every 24 hours by default
    - DefaultRegistrationRefreshInterval registry value
  - Default TTL of 20 minutes for updated records {A, PTR} (DefaultRegistrationTtl registry value)
  - Manual registration: ipconfig /registerdns

DNS traffic: dynamic updates (2/2)
(screenshot)

LDAP traffic

- LDAP traffic
  - Typically authenticated using the GSS-SPNEGO SASL mechanism
    - Empty dn (distinguished name) in the LDAP bind
  - Starts with a request to obtain certain attributes of the RootDSE
    - supportedSASLMechanisms
    - ldapServiceName
  - LDAP traffic can be encrypted
  - Examination of search parameters when traffic is unencrypted
    - Base DN, scope, filters, attributes, ...
  - LDAP request errors
    - ldap.result.errormsg display filter

MSRPC traffic (1/2)

- MSRPC traffic
  - RPC services localization over TCP/IP
    - endpoint mapper, TCP port 135 (epm)
    - Returns the TCP port on which a given RPC service is listening
      - map operation, unauthenticated
  - Local Security Authority access (lsa)
    - TCP port (typically 1025, must be set to a static port, as documented in MS KB #224196)
    - Kerberos authentication
    - Ex: LsarQueryInformationPolicy(2) operations
  - Active Directory access, using the SAM RPC interface (samr)
    - Kerberos authentication, using the same TCP port as LSA access
    - Ex: machine account creation on a DC for a new member server is implemented using the SamrCreateUser2InDomain operation

MSRPC traffic (2/2)

- MSRPC traffic (cont.)
  - Authentication on the domain, using the netlogon service (rpc_netlogon)
    - NetrServerReqChallenge and NetrServerAuthenticate3 operations
    - Same TCP port as LSA and SAM access
  - Active Directory access, using RPC (instead of LDAP)
    - drsuapi interface, using the same TCP port
    - DRSCrackNames operation (DrsBind and DrsUnbind), implementing the DsCrackNames() API
    - Encrypted traffic, currently not decoded by ethereal

Kerberos traffic

- Kerberos traffic
  - Obtaining a TGT (Ticket Granting Ticket)
    - Startup of a domain member server
    - User authentication
    - AS-REQ (10) and AS-REP (11) messages
  - Obtaining service tickets
    - TGS-REQ (12) and TGS-REP (13) messages
    - Typical service names: host, ldap, cifs, dns, ...
  - Using service tickets
    - AP-REQ (14) and AP-REP (15) messages
    - Typically encapsulated inside SPNEGO

Active Directory Service Principal Names (SPN)

- Service Principal Names
  - Kerberos authentication to Active Directory network services is implemented by requesting a ticket for a given service
  - A service is designated using a SPN (Service Principal Name)
    - servicePrincipalName attribute (case insensitive) in the User Active Directory object class
    - Also, sPNMappings attribute (list of SPNs equivalent to the host SPN)
- On the wire
  - SPNs appear in TGS-REQ, TGS-REP and AS-REQ messages
  - A TGS-REP message can contain a different SPN from the one requested
    - Canonicalization option in Windows 2000
    - Returned SPN is similar to SERVER$
    - Canonicalization is disabled in Windows Server 2003

Registered SPN on an AD DC
(screenshot)

Kerberos tickets of a domain user (Windows 2000)
(screenshot)

Kerberos tickets of a domain user (Windows XP)
(screenshot)

Kerberos tickets on a domain controller (1/2) (LOCAL SYSTEM logon session)
(screenshot)

Kerberos tickets on a domain controller (2/2) (LOCAL SYSTEM logon session)
(screenshot)

Kerberos traffic: errors

- Kerberos traffic: common errors
  - KRB-ERROR (30) messages (kerberos.msg.type == 30)
  - KRB5KRB_AP_ERR_SKEW
    - Time synchronization problem
  - KRB5KDC_ERR_PREAUTH_FAILED
    - Preauthentication error (typically, incorrect password)
  - KRB5KRB_AP_ERR_TKT_EXPIRED
    - Expired ticket, to be renewed
    - LSA keeps user passwords in cache and can request a new TGT, within a maximum limit of 7 days (Max. Lifetime for user ticket renewal)
  - KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
    - Principal not recognized by the KDC
    - Missing SPN (servicePrincipalName attribute) in an AD account?
    - Also when an IP address is used in a UNC path
      - NTLM authentication fallback
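The kerberos.msg.type display filter used on the display filters slide and the KRB-ERROR names above both come from fields of the Kerberos PDU. As an added example (not part of the original slides), the following Python decodes the message type from the outer DER tag of a Kerberos frame, handles the 4-byte length prefix used over TCP port 88, and extracts the error-code from a KRB-ERROR. The sample KRB-ERROR is constructed inside the block, the realm EXAMPLE.COM and the function names are this example's own, and the numeric error codes come from the Kerberos V specification, not from the slides.

```python
import struct

# Kerberos V message types, as exposed by the kerberos.msg.type filter field.
MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
             14: "AP-REQ", 15: "AP-REP", 30: "KRB-ERROR"}
# KRB-ERROR error-code values from the Kerberos V specification (RFC 1510/4120).
ERROR_CODES = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 24: "KDC_ERR_PREAUTH_FAILED",
               32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW"}

def der_tlv(tag, body):
    # Encode one DER element (short- or long-form length).
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def der_read(buf, pos):
    # Read one DER element at pos; return (tag, value, position after it).
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length

def decode_kerberos(frame, over_tcp=False):
    # Classify one Kerberos PDU; for KRB-ERROR also extract error-code [6].
    if over_tcp:  # on TCP port 88 each PDU is prefixed with a 4-byte big-endian length
        (length,) = struct.unpack(">I", frame[:4])
        frame = frame[4:4 + length]
    tag, body, _ = der_read(frame, 0)
    # A Kerberos PDU is [APPLICATION n] constructed: class bits 01, P/C bit set;
    # the tag number n is the msg-type that ethereal shows as kerberos.msg.type.
    if tag & 0xC0 != 0x40 or not tag & 0x20:
        raise ValueError("not a Kerberos [APPLICATION n] message")
    msg_type = tag & 0x1F
    info = {"msg_type": msg_type, "name": MSG_TYPES.get(msg_type, "unknown"),
            "error_code": None, "error_name": None}
    if msg_type == 30:
        _, seq, _ = der_read(body, 0)  # KRB-ERROR ::= SEQUENCE { ... }
        pos = 0
        while pos < len(seq):
            ctx, inner, pos = der_read(seq, pos)
            if ctx == 0xA6:  # error-code [6] Int32
                _, raw, _ = der_read(inner, 0)
                info["error_code"] = int.from_bytes(raw, "big", signed=True)
                info["error_name"] = ERROR_CODES.get(info["error_code"], "unknown")
    return info

def build_krb_error(code, realm=b"EXAMPLE.COM"):
    # Construct a minimal KRB-ERROR for testing (sample data, not a capture).
    ctx = lambda n, body: der_tlv(0xA0 | n, body)
    integer = lambda v: der_tlv(0x02, v.to_bytes(1, "big", signed=True))
    fields = (ctx(0, integer(5)) + ctx(1, integer(30))          # pvno, msg-type
              + ctx(4, der_tlv(0x18, b"20040913120000Z"))       # stime (GeneralizedTime)
              + ctx(5, integer(0)) + ctx(6, integer(code))       # susec, error-code
              + ctx(9, der_tlv(0x1B, realm)))                    # realm (GeneralString)
    return der_tlv(0x7E, der_tlv(0x30, fields))  # [APPLICATION 30] SEQUENCE

SAMPLE_UDP = build_krb_error(37)  # constructed KRB_AP_ERR_SKEW as seen on UDP port 88
SAMPLE_TCP = struct.pack(">I", len(SAMPLE_UDP)) + SAMPLE_UDP  # same PDU with TCP framing
```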

Kerberos tickets decryption
(screenshot)

Active Directory replication

- Active Directory replication
  - drsuapi MSRPC interface (one TCP port)
    - Restricting Active Directory Replication Traffic to a Specific Port (MS KB #224196)
  - Between domain controllers
    - DRSReplicaSync operation (drsuapi)
      - Used to notify a replication partner that updates are available for replication
    - DRSGetNCChanges operation (drsuapi)
      - Used to obtain updates for a given AD Naming Context
  - RPC connections to the drsuapi service are authenticated using a Kerberos ticket obtained for the following principal:
    - e3514235-4b06-11d1-ab04-00c04fc2dcd2 (drsuapi interface UUID)
    - Destination domain controller GUID
    - DNS domain name

FRS replication (File Replication Service)

- FRS replication
  - frsrpc MSRPC interface (1 TCP port)
    - How to Restrict FRS Replication Traffic to a Specific Static Port (MS KB #319553)
  - Between domain controllers
    - FrsRpcStartPromotionParent operation at DC startup
    - FrsRpcSendCommPkt operation for updates replication

NTP traffic

- NTP traffic
  - w32time service, started on domain member servers
    - NT5DS mode (by default), using the AD hierarchy for time synchronization
  - NTP synchronization at startup, with a domain controller
    - Identified using CLDAP at system startup
    - Every 45 minutes (3 times), then every 8 hours
  - Synchronization mechanism
    - Client sends the RID of the machine account in the request, using the Key ID field
      - This RID was previously obtained in the response of the NetrServerAuthenticate3 operation
    - Timestamp is signed (message authentication code field)
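The Key ID and message authentication code fields mentioned above follow the 48-byte NTP header. This added Python example (not from the original slides) parses that layout and reports whether a packet carries an authenticator at all, which is the first check when looking for unsigned time synchronization from domain members; the RID 1103, the timestamp and the MAC bytes are constructed sample values, not captured traffic.

```python
import struct

NTP_HEADER_LEN = 48  # LI/VN/Mode, stratum, poll, precision, 3 x 32-bit words, 4 x 64-bit timestamps
NTP_EPOCH_OFFSET = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)

def parse_ntp(packet):
    # Decode what an analyst needs to recognise w32time traffic: version and
    # mode from the first byte, the transmit timestamp, and the optional
    # authenticator (Key ID + message authentication code) after the header.
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    first = packet[0]
    (tx_seconds,) = struct.unpack(">I", packet[40:44])  # integer part of Transmit Timestamp
    info = {
        "version": (first >> 3) & 0x07,
        "mode": first & 0x07,  # 3 = client request, 4 = server reply
        "stratum": packet[1],
        "transmit_time": tx_seconds - NTP_EPOCH_OFFSET,  # Unix time, seconds
        "key_id": None,
        "mac": None,
        "has_mac": False,
    }
    trailer = packet[NTP_HEADER_LEN:]
    if len(trailer) >= 4:
        (info["key_id"],) = struct.unpack(">I", trailer[:4])
        info["mac"] = trailer[4:]
        # Key ID followed by a MAC: the sender authenticated the packet. In the
        # NT5DS mode described on the slide the Key ID carries the machine
        # account RID. A Key ID with no MAC (52-byte packet) is not authenticated.
        info["has_mac"] = len(info["mac"]) > 0
    return info

def build_sample_request(rid, mac):
    # Construct an NTPv3 client request (mode 3) carrying a Key ID and MAC.
    # Sample data only: the MAC bytes are arbitrary, not a valid signature.
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (3 << 3) | 3          # LI=0, VN=3, Mode=3 (client)
    header[2], header[3] = 10, 0xEC   # poll 2^10 s, precision 2^-20 s
    header[40:44] = struct.pack(">I", 1095033600 + NTP_EPOCH_OFFSET)  # 2004-09-13 00:00 UTC
    return bytes(header) + struct.pack(">I", rid) + mac

SAMPLE_SIGNED = build_sample_request(1103, bytes(range(16)))  # RID 1103 is a constructed value
SAMPLE_UNSIGNED = SAMPLE_SIGNED[:NTP_HEADER_LEN]             # same packet without authenticator
```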

Other approaches

- Limitations of the network analysis approach
  - With encrypted traffic: LDAP and certain MSRPC operations
  - Traffic not properly dissected by the network analyzer
    - Typically with MSRPC, where RPC operations do not contain enough information to identify the DCERPC interface
    - ethereal Decode As DCERPC function
- Other approaches
  - Correlation of network traces and logged events
    - Security and System event logs of Windows systems
  - Diagnostic tools on servers
    - Ex: NTDS object statistics using the System Monitor tool (perfmon.msc)
    - Ex: tools to examine the Kerberos tickets cache

Conclusion

- A good understanding of the aforementioned protocols is needed to deploy Active Directory
  - Looking at these protocols on the wire, in a real environment, is a good complement to reading technical white papers
- Network analysis is one of the possible ways to obtain this understanding
- Network analysis can also be used to diagnose anomalies
  - When diagnostic tools or log files are not enough...
- ethereal is a tool of choice to analyse network traces obtained in Active Directory environments

References: network traffic

- Network traffic in Windows environments
  - Windows 2000 Startup and Logon Traffic Analysis
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx
  - Network Ports Used by Key Microsoft Server Products
    http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/ref_net_ports_ms_prod.mspx
  - Using Windows {XP SP1, 2000 SP4, Server 2003} in a Managed Environment
    http://go.microsoft.com/fwlink/?LinkId={22607,22608,22609}

References: DNS

- DNS implementation in Active Directory
  - Windows 2000 DNS White Paper
    http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
  - RFC 3645: Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)

References: Kerberos

- Protocol
  - draft-ietf-krb-wg-kerberos-clarifications-08.txt
    - RFC 1510 update (original specification of Kerberos V)
  - http://kerberos.info/
- Documents
  - Troubleshooting Kerberos Errors (Microsoft)
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
- Tools
  - klist, kerbtray (Microsoft)
  - tktview: http://msdn.microsoft.com/msdnmag/issues/0500/security/
  - leash32: http://web.mit.edu/kerberos/

References: LDAP

- LDAP and CLDAP
  - Active Directory Domain Controller Location Service (Anthony Liguori, Samba team)
    http://oss.software.ibm.com/linux/presentations/samba/cifs2003/Liguorifinal.pdf
  - Active Directory LDAP compliance (Microsoft)
    http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx
  - Active Directory LDAP schema (Windows 2000, Windows Server 2003 and ADAM)
    http://msdn.microsoft.com/library/en-us/adschema/adschema/active_directory_schema.asp
  - CLDAP description (Connectionless LDAP)

References: SMB/CIFS and MSRPC

- Reference book on SMB/CIFS
  - Implementing CIFS
    http://www.ubiqx.org/cifs/
- MSRPC
  - Windows network services internals
    http://www.hsc.fr/ressources/articles/win_net_srv/
  - MSRPC architecture & related security problems
    http://www.xfocus.net/projects/Xcon/2003/Xcon2003_kkqq.pdf
  - Testing MSRPC (Andrew Tridgell, Samba Team)
    http://samba.org/ftp/samba/slides/tridge_cifs04.pdf
  - Microsoft Windows RPC Security Vulnerabilities
    http://conference.hackinthebox.org/materials/lsd/

References: SNTP

- Microsoft references
  - The Windows Time Service
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/operate/wintime.mspx
  - Basic Operation of the Windows Time Service (MS KB #224799)
  - Windows Time Service Tools and Settings (Windows Server 2003 Technical Reference)
  - Using Windows XP Professional with Service Pack 1 in a Managed Environment (Windows Time Service)
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpmanaged/27_xpwts.mspx
- Security aspects of time synchronization infrastructure
  http://www.security.nnov.ru/advisories/timesync.asp

Greetings

- Emmanuel Le Chevoir and Fabien Dupont
- ethereal developers community
