Security Basics mailing list archives

Re: Microsoft Active Directory security concerns


From: s.p.ariyapperuma () anglia ac uk
Date: 7 Jul 2006 04:13:05 -0000

Hi All,

This might be off topic…
I have been doing a bit of research into Man in the Middle (MITM) Attacks in AD, and certainly no expert …
As http://support.microsoft.com/kb/q237675/ states, "The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon." I assume this definition would extend to Windows 2003 as well (?).

At the protocol level, this whole saga is about:
1. Client querying a DNS server
2. Client receiving the reply from DNS [AD_server_for_site.net.com, IP = 192.168.0.1]
3. Client finding an LDAP server using the SRV records returned by the DNS server in step 2 above.
 
Capturing the traffic between the client, DNS server and the AD server…
Client queries the DNS to locate an AD server:
Client                                          DNS
======                                          ===
Query = [_ldap._tcp.pdc._msdcs.subdom.net.com]
--------------------------------------------->

Answer = [AD_server_for_site.net.com]
<--------------------------------------
  [AD_server IP =192.168.0.1]

Connect to AD and setup a session using Kerberos
------------------------------------------------>

For the query (_ldap._tcp.pdc._msdcs.subdom.net.com) the client expects a reply (AD_server_for_site.net.com) from the DNS.

At this point, using a MITM attack tool you can inject a false reply, e.g. in the additional answers section of the DNS reply a different IP can be used (AD_server IP = 192.168.0.100). This would redirect the client to the attacker's host on 192.168.0.100.


The whole problem is that there is no pre-existing trust between the Client, DNS and AD, as in a shared secret key mechanism.

Kerberos is used between the AD server and the client, but this is only after the client has received the answer from DNS (as in the figure). During this initial period the traffic is not protected by Kerberos, therefore it is susceptible to MITM attacks.

I have tested this by using 3 hosts and a modified dnshijacker.c [to answer SRV queries]

-----------                     -------------------   
| Client  |  -----------------> |    DNS & AD     |
-----------                     -------------------
                   /\
                    |
                    |
              --------------    
              |   Attacker |
              --------------    

Questions:
In a real-world implementation of AD, would this still be possible?
Has anyone come across this during a pentest?


Best regards,
Suranjith
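The message above describes an SRV reply whose additional-section glue record points the client somewhere other than the real domain controller. As an added example (my own code, not from Suranjith's post, his dnshijacker modification, or Microsoft), the following Python builds a constructed DC-locator reply in DNS wire format (RFC 1035 message layout, RFC 2782 SRV rdata), parses it back, and checks the SRV target and its glue A record against an assumed inventory of known domain controllers. The `KNOWN_DCS` inventory, the transaction ID and the TTLs are hypothetical values chosen for the example.

```python
"""Consistency check for a DC-locator DNS reply (added example, not from the post).

Builds a constructed SRV reply for _ldap._tcp.pdc._msdcs.subdom.net.com, parses it
back out of wire format, and compares the records against a known-DC inventory.
"""
import struct
from typing import Dict, List, Tuple

SRV, A = 33, 1  # RR type codes (RFC 2782, RFC 1035)

# Assumed DC inventory: hostname -> expected IP (hypothetical, taken from the post).
KNOWN_DCS: Dict[str, str] = {"ad_server_for_site.net.com": "192.168.0.1"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_srv_reply(qname: str, target: str, port: int, glue_ip: str,
                    txid: int = 0x1234) -> bytes:
    """Constructed reply: one SRV answer plus one A record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)  # QR+RD+RA, 1 Q, 1 AN, 0 NS, 1 AR
    question = encode_name(qname) + struct.pack("!HH", SRV, 1)
    srv_rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)  # prio, weight, port, target
    answer = encode_name(qname) + struct.pack("!HHIH", SRV, 1, 600, len(srv_rdata)) + srv_rdata
    a_rdata = bytes(int(o) for o in glue_ip.split("."))
    additional = encode_name(target) + struct.pack("!HHIH", A, 1, 600, 4) + a_rdata
    return header + question + answer + additional


def parse_reply(msg: bytes) -> Dict[str, List[Tuple[str, int, dict]]]:
    """Parse header, skip the question, and collect (name, type, value) per section."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    sections: Dict[str, List[Tuple[str, int, dict]]] = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == SRV:
                _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
                target, _ = decode_name(msg, off + 6)  # target may use compression, so decode in-place
                value = {"target": target, "port": port}
            elif rtype == A:
                value = {"ip": ".".join(str(b) for b in rdata)}
            else:
                value = {"raw": rdata}
            sections[section].append((name, rtype, value))
            off += rdlen
    return sections


def check_dc_locator_reply(msg: bytes, known_dcs: Dict[str, str]) -> List[str]:
    """Return findings for any SRV target or glue A record that disagrees with the inventory.
    An empty list means the reply is consistent with what we already know about the DCs."""
    findings: List[str] = []
    recs = parse_reply(msg)
    for _name, rtype, v in recs["answer"]:
        if rtype == SRV and v["target"].lower() not in known_dcs:
            findings.append(f"SRV target {v['target']} is not a known DC")
    for name, rtype, v in recs["additional"]:
        if rtype != A:
            continue
        expected = known_dcs.get(name.lower())
        if expected is None:
            findings.append(f"glue A record for unknown host {name}")
        elif v["ip"] != expected:
            findings.append(f"glue A record for {name} is {v['ip']}, expected {expected}")
    return findings


if __name__ == "__main__":
    q = "_ldap._tcp.pdc._msdcs.subdom.net.com"
    for ip in ("192.168.0.1", "192.168.0.100"):
        print(ip, check_dc_locator_reply(build_srv_reply(q, "AD_server_for_site.net.com", 389, ip), KNOWN_DCS))
```

The check is the kind of thing a resolver-side log filter or a passive DNS sensor can apply to locator replies: a glue record whose address disagrees with the inventory is exactly the symptom of the injected additional-section answer the post describes. It is a detection aid, not the fix; the unauthenticated step is closed by protecting the DNS answer itself (DNSSEC, or a resolver the client reaches over an authenticated channel), and a host that merely receives the redirected client still cannot complete Kerberos as the domain's KDC without the domain's keys.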
