Domain controller penetration testing

It's all in your perspective
Testing for security weaknesses in domain controllers isn't that much different from testing for security weaknesses in other Windows-based systems. The basic ethical hacking methodology of reconnaissance, enumeration, vulnerability discovery and vulnerability exploitation still applies. The big difference is that your servers may be protected by a firewall and thus not accessible from the public Internet. If you have a public IP bound to your systems or are running any publicly accessible services via network address translation or port forwarding, odds are something will crop up.

The best way to get started on domain controller penetration testing is to scan your systems from the outside to see what can be discovered. I've seen domain controllers supposedly protected by a firewall that turn out to be wide open to the outside world. If you confirm that your domain controllers are not publicly accessible, then the next phase is to see what you can do from the inside -- both as an unauthenticated user who is simply attached to the network as well as an authenticated "standard user" who should only have limited rights (if any) to your domain controllers. This latter step (which is often overlooked) will show you what a rogue insider with the right tools can exploit -- often in a matter of minutes.

When pen testing domain controllers, there are certain tools to use and vulnerabilities to look out for that you may not have thought about in other security testing scenarios. The vulnerabilities you'll find may be unique as well because, after all, domain controllers are slightly different beasts given the services they typically run. Depending on your domain controller location and configuration, the possibilities for security flaws are endless.

What to use when
Much of your security testing success depends on the quality of the tools you use. I've outlined some of my favorites in a tip about first-rate security testing tools. Here's a sampling of tools I've used in the past that worked really well for testing Windows domain controllers along with specific vulnerabilities you should test for:

Reconnaissance

• Ping your systems from the outside, look up DNS and IP address information available via the ARIN and WHOIS databases and perform various email tests to see what you can glean from Exchange or other SMB email servers you're running using the tools at DNSstuff.com.
• If you're running IIS, Apache or another Web server that's publicly accessible, you may be surprised when you find out what you're serving up. So check things out with Google. I've outlined how to get started doing this in my tip How to Google hack Windows servers.

Enumeration

• Determine which TCP ports are open, glean banner and software version information from running applications and establish null session connections using a tool such as SuperScan or LanSpy. Depending on your Windows version, you can download security policy information, user IDs and more. My tip about null session security threats has specific information on the null session weakness.

Vulnerability discovery

• Discover vulnerabilities brought on by misconfigurations and missing patches with a tool such as Sunbelt Network Security Inspector or QualysGuard. You can also search for Web server-specific vulnerabilities using tools like N-Stealth Security Scanner and Acunetix Web Vulnerability Scanner.
• With physical network access, you can monitor network conversations to and from the domain controller and capture cleartext traffic that may contain user IDs and passwords or other sensitive information that could lead to account compromise using Cain and Abel (via its built-in ARP spoofing) or EtherPeek (via a mirror/span port on your switch).

Vulnerability exploitation

• Capture and crack network passwords using a combination of pwdump3 (remote password hash grabber) and Proactive Password Auditor (a password security testing tool) or by using Ophcrack to glean hashes and crack passwords using rainbow tables. Domain controllers, after all, are where the authentication crown jewels are located.
• Exploit DNS zone transfer vulnerabilities on your domain controllers discovered via QualysGuard or another vulnerability scanner using a Sam Spade for Windows network-query tool.
• Exploit vulnerabilities due to missing patches using Metasploit or Core Impact, a penetration testing product for assessing specific security threats. Common domain controller-related issues I see in this area are backup software that hasn't been patched and Exchange, IIS and even SQL Server flaws that haven't been addressed.
• Find file and share permissions once you're able to find a weak account (or directly acting as a malicious user with an authorized account) using DumpSec or LANguard Network Security Scanner.
• Search for sensitive information stored in PDF, XLS, DOC, TXT, RTF, DBF and other file formats on your domain controller shares using a tool such as Effective File Search or FileLocator Pro.

If you don't find any security issues with your Windows domain controllers using these methods and tools, you may feel lucky. The likely truth is you haven't looked hard enough. There's almost always something to exploit either as an external hacker or malicious insider. That said, don't feel like you've got to perform every possible test using every possible tool to start with. Penetration testing can be very complex, so build your skills, techniques and toolbox over time. Keep your skills sharp and by this time next year you'll be ready to hack and relax at your favorite summer getaway -- if that's your idea of summer fun.

About the author: Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchWindowsSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Protocols and Services Group Policy Object security in Windows Limit Windows Remote Desktop users' server rights Can I prevent network users from installing 3rd party software? Microsoft Rights Management Services: An introduction Locking down SMTP in Win2K and Server 2003 Windows security update may cause shell extensions to fail Multiple Connections - Management Active Directory Federation Services Finding extra security in R2 Step 6: Distribute the profile to remote users Configuration and Deployment Minasi talks Vista security, Windows Server 2008 features Is a Group Policy setting changing my user rights? How to use a GPO to improve Windows folder security Remote management for Windows system upgrades How to recover from lost BitLocker PINs and startup keys Deny access to Windows system properties with GPOs Rights management in Windows: Security expert roundup How to manage network access for single users in AD Windows server access management in Active Directory Securely manage Windows file sharing and folder permissions Configuration and Deployment Research Windows network testing Network security assessment for network infrastructure Critical systems to focus on during security testing Scan IP ports without Windows Firewall restrictions Pen testing your VPN BIOS password hacking Testing Group Policy security RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.