Security Basics mailing list archives
Re: Microsoft Active Directory security concerns
From: s.p.ariyapperuma () anglia ac uk
Date: 7 Jul 2006 04:13:05 -0000
Hi All,

This might be off topic. I have been doing a bit of research into Man in the Middle (MITM) attacks in AD, and am certainly no expert.

As http://support.microsoft.com/kb/q237675/ states:

"The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon."

I assume this definition would extend to Windows 2003 as well (?).

At the protocol level, this whole saga is about:

1. Client querying a DNS server
2. Client receiving the reply from DNS [AD_server_for_site.net.com, IP = 192.168.0.1]
3. Client finding an LDAP server using the SRV records returned in step 2 above by the DNS server.

Capturing the traffic between the client, DNS server and the AD server:

Client queries the DNS to locate an AD server

    Client                                                      DNS
    ======                                                      ===
    Query = [_ldap._tcp.pdc._msdcs.subdom.net.com]
    --------------------------------------------->
                                 Answer = [AD_server_for_site.net.com]
    <--------------------------------------
                                 [AD_server IP = 192.168.0.1]

    Connect to AD and set up a session using Kerberos
    ------------------------------------------------>

For this query (_ldap._tcp.pdc._msdcs.subdom.net.com) the client expects a reply (AD_server_for_site.net.com) from the DNS.

At this point, using a MITM attack tool, you can inject a false reply, e.g. in the additional answers section of the DNS reply a different IP can be used (AD_server IP = 192.168.0.100). This would redirect the client to the attacker's host on 192.168.0.100.

The whole problem is that there is no pre-existing trust between the Client, DNS and AD, as in a shared secret key mechanism. Kerberos is used between the AD server and the client, but this is only after the client has received the answer from DNS (as in the figure). During this initial period the traffic is not protected by Kerberos, therefore it is susceptible to MITM attacks.

I have tested this by using 3 hosts and a modified dnshijacker.c [to answer SRV queries]

    -----------                        -------------------
    | Client  |  ------------------>   |    DNS & AD     |
    -----------                        -------------------
        /\
        |
        |
    --------------
    |  Attacker  |
    --------------

Questions..

In a real world implementation of AD, would this still be possible?
Has anyone come across this during a pentest?

Best regards,
Suranjith
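The detection side of the exchange described above, as an added example that is not part of the original post or of any tool it names: a sensor on the client segment sees both the legitimate locator reply and an injected one racing it, so it can flag two responses to the same transaction that point the SRV target at different addresses. The record layout, the sample replies and the two-second window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvReply:
    """One decoded DNS response, reduced to the fields the AD locator exchange uses (constructed schema)."""
    ts: float          # capture time, seconds
    txid: int          # DNS transaction id echoed from the query
    qname: str         # SRV question, e.g. _ldap._tcp.pdc._msdcs.subdom.net.com
    srv_target: str    # SRV answer target, e.g. AD_server_for_site.net.com
    additional: dict   # additional section: owner name -> A record address

def locator_address(reply):
    """Address the client will connect to: additional-section A record for the SRV target."""
    glue = {name.lower(): ip for name, ip in reply.additional.items()}
    return glue.get(reply.srv_target.lower())

def find_conflicting_replies(replies, window=2.0):
    """Report (qname, txid, {addresses}) for every transaction that received more
    than one response within `window` seconds with disagreeing locator addresses.
    Retransmits that agree on the address are not reported."""
    by_txn = defaultdict(list)
    for r in replies:
        by_txn[(r.txid, r.qname.lower())].append(r)
    alerts = []
    for (txid, qname), group in by_txn.items():
        group.sort(key=lambda r: r.ts)
        first_ts = group[0].ts
        addresses = {locator_address(r) for r in group if r.ts - first_ts <= window}
        if len(addresses) > 1:
            alerts.append((qname, txid, addresses))
    return alerts

# Constructed sample: a legitimate reply and a spoofed one racing it on the same
# transaction, plus a later transaction with a harmless, agreeing retransmit.
QNAME = "_ldap._tcp.pdc._msdcs.subdom.net.com"
TARGET = "AD_server_for_site.net.com"
SAMPLE_REPLIES = [
    SrvReply(10.000, 0x1A2B, QNAME, TARGET, {TARGET: "192.168.0.1"}),
    SrvReply(10.004, 0x1A2B, QNAME, TARGET, {TARGET.lower(): "192.168.0.100"}),  # injected
    SrvReply(42.000, 0x3C4D, QNAME, TARGET, {TARGET: "192.168.0.1"}),
    SrvReply(42.900, 0x3C4D, QNAME, TARGET, {TARGET: "192.168.0.1"}),  # retransmit
]

def demo():
    """Run the detector over the constructed capture."""
    return find_conflicting_replies(SAMPLE_REPLIES)
```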
Current thread:
- RE: Microsoft Active Directory security concerns NicS (Jul 06)
- RE: Microsoft Active Directory security concerns Jason Dinsdale (Jul 21)
- <Possible follow-ups>
- Re: Microsoft Active Directory security concerns s . p . ariyapperuma (Jul 07)