Blog

Active Directory: Users in Nested Groups Reconnaissance

By Stuart Morgan on 30 September, 2015

On most penetration tests on Windows networks, there will come a time when it is necessary to gather information from active directory. In its simplest form, this will involve retrieving AD users and groups; users who are members of the Domain Admins or Enterprise Admins groups are particularly desirable targets. However, most active directory structures will include nested groups and will not be completely flat. This post will present a trick to overcome this that is not commonly known, and present new features now available in Metasploit to make use of it.

For an example of the challenges of nested groups, consider the following example:

  • stufus may be a member of Group A
  • Group A may be a member of Group B
  • Group B may be a member of Group C
  • Group C may be a member of the ‘Domain Admins’ group

Therefore, stufus will effectively be a domain administrator, but this fact will not be obvious from a flat list of users and groups. On a large domain, with many nested groups, identifying the users who are effectively members of a target group is not always trivial. There are various ways of working around this, including using some of the excellent powershell scripts out there, or by using native windows commands such as net groups /domain and manually going through them all. This is how PowerView used to do it; it would simply download all of the groups and loop through them.

Solution

When Microsoft introduced the Active Directory Service Interfaces (ADSI), they implemented a particularly useful matching OID; LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941). This can be used to natively perform the above query, whilst taking into account nested groups. The benefit of this method over all other completely manual implementations is that this will perform a single query regardless of the size of the target AD. For example, the following LDAP query will list all members of the Domain Admins group, even if those members are members of intermediate or nested groups:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=demo,DC=mwr))

In order to make this easier, I have added this functionality to Metasploit (http://mwr.to/u4gq) which was landed on 31st August 2015. As ADSI was natively introduced in Windows 2000, it will be an option for most corporate networks. The matching OID, despite being really useful, does not appear to be well known in the industry.

Metasploit

The following new commands have been added (accessible in meterpreter):

CommandDescription
adsi_dc_enum List the domain controllers for the specified domain. The information that is provided
will include the name, DNS hostname, DN, operating system, version, service pack,
host description and any comments.
adsi_group_enum List all groups on the specified domain. The information provided includes the name,
distinguished name (DN) and description.
adsi_nested_group_user_enum Recursively list all users who are effectively members of the specified group DN.

The following POST modules have been added or modified:

ModuleDescription
post/windows/gather/enum_ad_users Lists AD users, with the addition of the GROUP_MEMBER module option.
post/windows/gather/enum_ad_groups Lists AD groups.

Example

adsi_dc_enum:

This example will list the domain controllers for the MWRDEMO domain.

meterpreter > adsi_dc_enum MWRDEMO

MWRDEMO Objects
===============

name dnshostname distinguishedname operatingsystem operatingsystemversion operatingsystemservicepack description comment
---- ----------- ----------------- --------------- ---------------------- -------------------------- ----------- -------
W2K3DC w2k3dc.demo.mwr CN=W2K3DC,OU=Domain Controllers,DC=demo,DC=mwr Windows Server 2003 5.2 (3790) Service Pack 1
W2K8DC W2K8DC.demo.mwr CN=W2K8DC,OU=Domain Controllers,DC=demo,DC=mwr Windows Server 2008 R2 Enterprise 6.1 (7600)

Total objects: 2

adsi_group_enum:

This example will list all of the domain groups on the MWRDEMO domain.

meterpreter > adsi_group_enum MWRDEMO

MWRDEMO Objects
===============

name distinguishedname description
---- ----------------- -----------
Account Operators CN=Account Operators,CN=Builtin,DC=demo,DC=mwr Members can administer domain user and group accounts
Administrators CN=Administrators,CN=Builtin,DC=demo,DC=mwr Administrators have complete and unrestricted access to the computer/domain
Allowed RODC Password Replication Group CN=Allowed RODC Password Replication Group,CN=Users,DC=demo,DC=mwr Members in this group can have
their passwords replicated to all read-only domain controllers in the domain
Backup Operators CN=Backup Operators,CN=Builtin,DC=demo,DC=mwr Backup Operators can override security restrictions for the sole purpose of
backing up or restoring files
Cert Publishers CN=Cert Publishers,CN=Users,DC=demo,DC=mwr Members of this group are permitted to publish certificates to the directory
Certificate Service DCOM Access CN=Certificate Service DCOM Access,CN=Builtin,DC=demo,DC=mwr Members of this group are allowed to connect to
Certification Authorities in the enterprise
Cryptographic Operators CN=Cryptographic Operators,CN=Builtin,DC=demo,DC=mwr Members are authorized to perform cryptographic operations.
Denied RODC Password Replication Group CN=Denied RODC Password Replication Group,CN=Users,DC=demo,DC=mwr Members in this group cannot have
their passwords replicated to any read-only domain controllers in the domain
Distributed COM Users CN=Distributed COM Users,CN=Builtin,DC=demo,DC=mwr Members are allowed to launch, activate and use Distributed COM
objects on this machine.
DnsAdmins CN=DnsAdmins,CN=Users,DC=demo,DC=mwr DNS Administrators Group
DnsUpdateProxy CN=DnsUpdateProxy,CN=Users,DC=demo,DC=mwr DNS clients who are permitted to perform dynamic updates on behalf of some other
clients (such as DHCP servers).
Domain Admins CN=Domain Admins,CN=Users,DC=demo,DC=mwr Designated administrators of the domain
(...snipped...)

adsi_nested_group_user_enum:

This example will list all of the domain groups on the MWRDEMO domain.

meterpreter > adsi_nested_group_user_enum MWRDEMO "CN=Domain Admins,CN=Users,DC=demo,DC=mwr"

MWRDEMO Objects
===============

samaccountname name distinguishedname description comment
-------------- ---- ----------------- ----------- -------
Administrator Administrator CN=Administrator,CN=Users,DC=demo,DC=mwr Built-in account for administering the computer/domain
hidden.admin Hidden Admin CN=Hidden Admin,CN=Users,DC=demo,DC=mwr
stuart.morgan-admin Stuart Morgan CN=Stuart Morgan,CN=Users,DC=demo,DC=mwr

Total objects: 3

In this example, the ‘hidden.admin’ user is not a direct member of the Domain Admins group; it is effectively a member due to the nested groups.

enum_ad_groups:

use post/windows/gather/enum_ad_groups
set SESSION -1
run

Output is essentially the same as adsi_group_enum.

enum_ad_users:

use post/windows/gather/enum_ad_users
set GROUP_MEMBER CN=Domain Admins,CN=Users,DC=demo,DC=mwr
set SESSION -1
run

Output is essentially the same as adsi_nested_group_user_enum.

PowerView

As a result of this work a change was also submitted to PowerView to increase the speed of group queries, details of which can be found at http://mwr.to/l919.