Domain controller penetration testing requires quality tools and special tactics, reconnaissance, enumeration and vulnerability discovery. Learn the techniques you'll need to perform a thorough test on your customer's DC, and make sure their system is free of vulnerabilities in this tip, courtesy of
It's all in your perspective
Testing for security weaknesses in domain controllers isn't that much different from testing for security weaknesses in other Windows-based systems. The basic ethical hacking methodology of reconnaissance, enumeration, vulnerability discovery and vulnerability exploitation still applies. The big difference is that your servers may be protected by a firewall and thus not accessible from the public Internet. If you have a public IP bound to your systems or are running any publicly accessible services via network address translation or port forwarding, odds are something will crop up.
The best way to get started on domain controller penetration testing is to scan your systems from the outside to see what can be discovered. I've seen domain controllers supposedly protected by a firewall that turn out to be wide open to the outside world. If you confirm that your domain controllers are not publicly accessible, then the next phase is to see what you can do from the inside -- both as an unauthenticated user who is simply attached to the network as well as an authenticated "standard user" who should only have limited rights (if any) to your domain controllers. This latter step (which is often overlooked) will show you what a rogue insider with the right tools can exploit -- often in a matter of minutes.
When pen testing domain controllers, there are certain tools to use and vulnerabilities to look out for that you may not have thought about in other security testing scenarios. The vulnerabilities you'll find may be unique as well because, after all, domain controllers are slightly different beasts given the services they typically run. Depending on your domain controller location and configuration, the possibilities for security flaws are endless.
What to use when
Much of your security testing success depends on the quality of the tools you use. I've outlined some of my favorites in a tip about first-rate security testing tools. Here's a sampling of tools I've used in the past that worked really well for testing Windows domain controllers along with specific vulnerabilities you should test for:
- Ping your systems from the outside, look up DNS and IP address information available via the ARIN and WHOIS databases and perform various email tests to see what you can glean from Exchange or other SMB email servers you're running using the tools at DNSstuff.com.
- If you're running IIS, Apache or another Web server that's publicly accessible, you may be surprised when you find out what you're serving up. So check things out with Google. I've outlined how to get started doing this in my tip How to Google hack Windows servers.
- Determine which TCP ports are open, glean banner and software version information from running applications and establish null session connections using a tool such as SuperScan or LanSpy. Depending on your Windows version, you can download security policy information, user IDs and more. My tip about null session security threats has specific information on the null session weakness.
- Discover vulnerabilities brought on by misconfigurations and missing patches with a tool such as Sunbelt Network Security Inspector or QualysGuard. You can also search for Web server-specific vulnerabilities using tools like N-Stealth Security Scanner and Acunetix Web Vulnerability Scanner.
- With physical network access, you can monitor network conversations to and from the domain controller and capture cleartext traffic that may contain user IDs and passwords or other sensitive information that could lead to account compromise using Cain and Abel (via its built-in ARP spoofing) or EtherPeek (via a mirror/span port on your switch).
- Capture and crack network passwords using a combination of pwdump3 (remote password hash grabber) and Proactive Password Auditor (a password security testing tool) or by using Ophcrack to glean hashes and crack passwords using rainbow tables. Domain controllers, after all, are where the authentication crown jewels are located.
- Exploit DNS zone transfer vulnerabilities on your domain controllers discovered via QualysGuard or another vulnerability scanner using a Sam Spade for Windows network-query tool.
- Exploit vulnerabilities due to missing patches using Metasploit or Core Impact, a penetration testing product for assessing specific security threats. Common domain controller-related issues I see in this area are backup software that hasn't been patched and Exchange, IIS and even SQL Server flaws that haven't been addressed.
- Find file and share permissions once you're able to find a weak account (or directly acting as a malicious user with an authorized account) using DumpSec or LANguard Network Security Scanner.
- Search for sensitive information stored in PDF, XLS, DOC, TXT, RTF, DBF and other file formats on your domain controller shares using a tool such as Effective File Search or FileLocator Pro.
If you don't find any security issues with your Windows domain controllers using these methods and tools, you may feel lucky. The likely truth is you haven't looked hard enough. There's almost always something to exploit either as an external hacker or malicious insider. That said, don't feel like you've got to perform every possible test using every possible tool to start with. Penetration testing can be very complex, so build your skills, techniques and toolbox over time.
About the author:
Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org.
This tip originally appeared on SearchWindowsSecurity.com.
This was first published in February 2007