{"id":70193,"date":"2021-02-08T14:19:41","date_gmt":"2021-02-08T13:19:41","guid":{"rendered":"https:\/\/mwtsolutions.eu\/?p=70193"},"modified":"2021-03-31T11:38:07","modified_gmt":"2021-03-31T09:38:07","slug":"utok-na-active-directory-replikace-domenoveho-radice","status":"publish","type":"post","link":"https:\/\/i.mwtsolutions.eu\/cs\/clanky\/utok-na-active-directory-replikace-domenoveho-radice\/","title":{"rendered":"\u00datok na Active Directory: Replikace dom\u00e9nov\u00e9ho \u0159adi\u010de"},"content":{"rendered":"
\n
\n

B\u00fdvaly doby, kdy byly kybernetick\u00e9 \u00fatoky na infrastrukturu identity a autentizace, jako je Active Directory, nesm\u00edrn\u011b n\u00e1ro\u010dn\u00e9. P\u0159i navrhov\u00e1n\u00ed pl\u00e1nu pe\u010dliv\u00e9ho prov\u00e1d\u011bn\u00ed \u00fatok\u016f bylo t\u0159eba v\u011bnovat hodn\u011b p\u0159edv\u00eddavosti a nutnost\u00ed byly pokro\u010dil\u00e9 technick\u00e9 znalosti dom\u00e9n a s\u00edt\u00ed. Postupem \u010dasu se v\u0161ak otev\u0159elo nespo\u010det mo\u017enost\u00ed, kter\u00e9 hacker\u016fm tyto \u00fatoky podstatn\u011b uleh\u010dily.<\/p>\n

 <\/p>\n<\/div>\n<\/div>\n

\n

AD \u00fatoky: Pochopen\u00ed z\u00e1m\u011bru<\/h3>\n<\/div>\n
\n
\n

C\u00edl \u00fatok\u016f na AD nebo \u00fatok\u016f na jakoukoli infrastrukturu pro spr\u00e1vu identit je docela jednoduch\u00fd: z\u00edskat nejvy\u0161\u0161\u00ed p\u0159\u00edstup v co nejkrat\u0161\u00edm \u010dase. Bez ohledu na zdroj \u00fatoku nebo m\u00edsto vniknut\u00ed se \u00fato\u010dn\u00edci v\u017edy sna\u017e\u00ed eskalovat privilegia. A nejvy\u0161\u0161\u00ed \u00farove\u0148 p\u0159\u00edstupu ve slu\u017eb\u011b AD je p\u0159\u00edstup k \u0159adi\u010di dom\u00e9ny (DC), proto\u017ee pot\u00e9 \u00fato\u010dn\u00edci z\u00edskaj\u00ed okam\u017eit\u00fd p\u0159\u00edstup pro spr\u00e1vu ke ka\u017ed\u00e9mu kritick\u00e9mu prost\u0159edku v s\u00edti.<\/p>\n

 <\/p>\n<\/div>\n<\/div>\n

\n

Posloupnost \u00fatoku<\/h3>\n<\/div>\n
\n
\n

AD \u00fatoky jsou prov\u00e1d\u011bny v n\u011bkolika f\u00e1z\u00edch; \u00fato\u010dn\u00edci obvykle infikuj\u00ed pracovn\u00ed stanici koncov\u00e9ho u\u017eivatele (proto\u017ee maj\u00ed m\u00edrn\u011bj\u0161\u00ed kontroly zabezpe\u010den\u00ed), prohled\u00e1vaj\u00ed dom\u00e9nu, zda neobsahuj\u00ed slab\u00e1 m\u00edsta nebo nespr\u00e1vn\u011b nakonfigurovan\u00e1 opr\u00e1vn\u011bn\u00ed, a vyu\u017e\u00edvaj\u00ed je k later\u00e1ln\u00edmu p\u0159esunu a z\u00edsk\u00e1n\u00ed p\u0159\u00edstupu k serveru v\u00fd\u0161e v s\u00ed\u0165ov\u00e9 hierarchii, jako je kritick\u00fd souborov\u00fd server nebo \u0159adi\u010d dom\u00e9ny.<\/p>\n

 <\/p>\n<\/div>\n

\"\"<\/p>\n

 <\/p>\n<\/div>\n

\n
\n

Ale co kdybychom v\u00e1m \u0159ekli, \u017ee \u00fato\u010dn\u00edk by se mohl vyd\u00e1vat za samotn\u00fd dom\u00e9nov\u00fd \u0159adi\u010d a bez pov\u0161imnut\u00ed extrahovat citliv\u00e9 informace?<\/p>\n<\/div>\n<\/div>\n

\n
<\/div>\n

Replikace mezi \u0159adi\u010di dom\u00e9ny ve slu\u017eb\u011b AD<\/h3>\n<\/div>\n
\n
\n

IT infrastruktura organizace \u010dasto pot\u0159ebuje pro svou AD v\u00edce ne\u017e jeden dom\u00e9nov\u00fd \u0159adi\u010d. Aby byly informace mezi \u0159adi\u010di dom\u00e9ny konzistentn\u00ed, mus\u00ed b\u00fdt objekty AD replikov\u00e1ny.<\/p>\n

V\u011bt\u0161ina \u00fakol\u016f souvisej\u00edc\u00edch s replikac\u00ed je uvedena v protokolu Microsoft Directory Replication Service Remote Protocol (MS-DRSR). Rozhran\u00ed Microsoft API, kter\u00e9 implementuje protokol, se naz\u00fdv\u00e1 DRSUAPI.<\/p>\n<\/div>\n<\/div>\n

\n
<\/div>\n

Funkce DSGetNCChanges<\/h3>\n<\/div>\n
\n
\n

Prvn\u00ed dom\u00e9nov\u00fd \u0159adi\u010d ode\u0161le po\u017eadavek DSGetNCChanges, kdy\u017e chce z\u00edskat aktualizace objektu AD z druh\u00e9ho \u0159adi\u010de. Odpov\u011b\u010f obsahuje sadu aktualizac\u00ed, kter\u00e9 m\u00e1 prvn\u00ed \u0159adi\u010d pou\u017e\u00edt pro NC repliku (struktura, kter\u00e1 ukl\u00e1d\u00e1 informace o replikaci).<\/p>\n

 <\/p>\n

Pod\u00edvejme se, jak \u00fato\u010dn\u00edci vyu\u017e\u00edvaj\u00ed funkce replikace v AD, kterou nelze vypnout nebo deaktivovat.<\/p>\n

 <\/p>\n<\/div>\n<\/div>\n

\n

Vyu\u017eit\u00ed opr\u00e1vn\u011bn\u00ed k replikaci pro p\u0159\u00edstup k citliv\u00fdm \u00fadaj\u016fm dom\u00e9ny<\/h3>\n<\/div>\n
\n
\n

V\u00a0dne\u0161n\u00ed dob\u011b existuje spousta open-source n\u00e1stroj\u016f, kter\u00e9 mohou vyu\u017e\u00edvat specifick\u00e9 p\u0159\u00edkazy v r\u00e1mci MS-DRSR k simulaci chov\u00e1n\u00ed \u0159adi\u010de dom\u00e9ny a na\u010d\u00edt\u00e1n\u00ed hash\u016f hesel u\u017eivatel\u016f.<\/p>\n

 <\/p>\n

Takov\u00fdm \u00fatok\u016fm se \u0159\u00edk\u00e1 \u201epost-exploitation attacks\u201c, proto\u017ee \u00fato\u010dn\u00edci pot\u0159ebuj\u00ed p\u0159\u00edstup k u\u017eivatelsk\u00e9mu \u00fa\u010dtu, kter\u00fd m\u00e1 ve slu\u017eb\u011b AD opr\u00e1vn\u011bn\u00ed k replikaci. Administrators, Domain Admins, a Enterprise Admins zpravidla maj\u00ed po\u017eadovan\u00e1 pr\u00e1va. P\u0159esn\u011bji \u0159e\u010deno, jsou vy\u017eadov\u00e1na n\u00e1sleduj\u00edc\u00ed pr\u00e1va:<\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n<\/div>\n<\/div>\n

Jakmile je p\u0159\u00edstup z\u00edsk\u00e1n, jsou kroky k proveden\u00ed \u00fatoku pom\u011brn\u011b jednoduch\u00e9:<\/p>\n

    \n
  1. \u00dato\u010dn\u00edk najde \u0159adi\u010d dom\u00e9ny a po\u017e\u00e1d\u00e1 o replikaci.\n
      \n
    • Pomoc\u00ed p\u0159\u00edkazu NLTEST \/dclist: [Domainname] zsjist\u00ed \u00fato\u010dn\u00edk podrobnosti o na\u0161\u00ed dom\u00e9n\u011b<\/li>\n<\/ul>\n<\/li>\n
    • Zm\u011bny replikace jsou po\u017eadov\u00e1ny pomoc\u00ed funkce GetNCChanges.<\/li>\n
    • \u0158adi\u010d dom\u00e9ny vrac\u00ed replika\u010dn\u00ed data, v\u010detn\u011b hash\u016f hesel, \u017eadateli.<\/li>\n<\/ol>\n

      Pod\u00edvejte se na toto kr\u00e1tk\u00e9 video a pod\u00edvejte se, jak je \u00fatok proveden.<\/p>\n

       <\/p>\n