Secure the domain controller with a penetration test


Kevin Beaver
02.21.2007


Domain controller penetration testing requires quality tools and special tactics, reconnaissance, enumeration and vulnerability discovery. Learn the techniques you'll need to perform a thorough test on your customer's DC, and make sure their system is free of vulnerabilities in this tip, courtesy of SearchWindowsSecurity.com.

It's all in your perspective

Testing for security weaknesses in domain controllers isn't that much different from testing for security weaknesses in other Windows-based systems. The basic ethical hacking methodology of reconnaissance, enumeration, vulnerability discovery and vulnerability exploitation still applies. The big difference is that your servers may be protected by a firewall and thus not accessible from the public Internet. If you have a public IP bound to your systems or are running any publicly accessible services via network address translation or port forwarding, odds are something will crop up.

The best way to get started on domain controller penetration testing is to scan your systems from the outside to see what can be discovered. I've seen domain controllers supposedly protected by a firewall that turn out to be wide open to the outside world. If you confirm that your domain controllers are not publicly accessible, then the next phase is to see what you can do from the inside -- both as an unauthenticated user who is simply attached to the network as well as an authenticated "standard user" who should only have limited rights (if any) to your domain controllers. This latter step (which is often overlooked) will show you what a rogue insider with the right tools can exploit -- often in a matter of minutes.

When pen testing domain controllers, there are certain tools to use and vulnerabilities to look out for that you may not have thought about in other security testing scenarios. The vulnerabilities you'll find may be unique as well because, after all, domain controllers are slightly different beasts given the services they typically run. Depending on your domain controller location and configuration, the possibilities for security flaws are endless.

What to use when

Much of your security testing success depends on the quality of the tools you use. I've outlined some of my favorites in a tip about first-rate security testing tools. Here's a sampling of tools I've used in the past that worked really well for testing Windows domain controllers along with specific vulnerabilities you should test for:

Reconnaissance

  • Ping your systems from the outside, look up DNS and IP address information available via the ARIN and WHOIS databases and perform various email tests to see what you can glean from Exchange or other SMB email servers you're running using the tools at DNSstuff.com.

  • If you're running IIS, Apache or another Web server that's publicly accessible, you may be surprised when you find out what you're serving up. So check things out with Google. I've outlined how to get started doing this in my tip How to Google hack Windows servers.

Enumeration

  • Determine which TCP ports are open, glean banner and software version information from running applications and establish null session connections using a tool such as SuperScan or LanSpy. Depending on your Windows version, you can download security policy information, user IDs and more. My tip about null session security threats has specific information on the null session weakness.
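As an added defender-side example (not part of Kevin Beaver's tip), the following Python script shows how the null session activity described above turns up in a domain controller's Security log: it scans a constructed, simplified export of logon events and counts successful network logons by ANONYMOUS LOGON per source address. The one-line-per-event format and field names are an assumption made for the example, not a real Windows export format; event ID 4624 with logon type 3 is the real successful-network-logon event on Windows Server 2008 and later.

```python
import re
from collections import Counter

# Constructed sample: a simplified text export of Windows Security log
# events (4624 = successful logon, 4625 = failed logon) as a DC might
# record them. Real exports carry many more fields; only those the check
# needs are kept here.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AccountName=ANONYMOUS LOGON Domain=NT AUTHORITY SourceIP=10.0.5.23
EventID=4624 LogonType=3 AccountName=jsmith Domain=CORP SourceIP=10.0.5.40
EventID=4624 LogonType=3 AccountName=ANONYMOUS LOGON Domain=NT AUTHORITY SourceIP=10.0.5.23
EventID=4624 LogonType=3 AccountName=ANONYMOUS LOGON Domain=NT AUTHORITY SourceIP=10.0.9.7
EventID=4624 LogonType=2 AccountName=admin Domain=CORP SourceIP=-
EventID=4625 LogonType=3 AccountName=ANONYMOUS LOGON Domain=NT AUTHORITY SourceIP=10.0.5.23
"""

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) LogonType=(?P<type>\d+) AccountName=(?P<acct>.+?) "
    r"Domain=(?P<domain>.+?) SourceIP=(?P<ip>\S+)"
)


def parse_events(text):
    """Yield one dict per well-formed event line; skip anything unparsable."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield m.groupdict()


def anonymous_network_logons(text):
    """Return {source_ip: count} of successful network logons (4624, type 3)
    by ANONYMOUS LOGON, which is how a null session shows up in the log."""
    hits = Counter()
    for ev in parse_events(text):
        if ev["id"] == "4624" and ev["type"] == "3" and ev["acct"].upper() == "ANONYMOUS LOGON":
            hits[ev["ip"]] += 1
    return dict(hits)


def report(text, threshold=1):
    """Sources with at least `threshold` anonymous logons, most active first."""
    hits = anonymous_network_logons(text)
    return sorted(((ip, n) for ip, n in hits.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in report(SAMPLE_EVENTS):
        print(f"{ip}: {n} anonymous network logon(s) to the DC")
```

Some anonymous network logons are normal (for example from hosts browsing the network), so baseline your environment and raise the threshold before treating a source as suspicious.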

Vulnerability discovery

  • Discover vulnerabilities brought on by misconfigurations and missing patches with a tool such as Sunbelt Network Security Inspector or QualysGuard. You can also search for Web server-specific vulnerabilities using tools like N-Stealth Security Scanner and Acunetix Web Vulnerability Scanner.

  • With physical network access, you can use Cain and Abel (via its built-in ARP spoofing) or EtherPeek (via a mirror/span port on your switch) to monitor network conversations to and from the domain controller and capture cleartext traffic that may contain user IDs, passwords or other sensitive information that could lead to account compromise.

Vulnerability exploitation

  • Capture and crack network passwords, either with a combination of pwdump3 (a remote password hash grabber) and Proactive Password Auditor (a password security testing tool) or with Ophcrack, which gleans hashes and cracks passwords using rainbow tables. Domain controllers, after all, are where the authentication crown jewels are located.

  • Exploit DNS zone transfer vulnerabilities on your domain controllers, discovered via QualysGuard or another vulnerability scanner, using a network-query tool such as Sam Spade for Windows.

  • Exploit vulnerabilities due to missing patches using Metasploit or Core Impact, a penetration testing product for assessing specific security threats. Common domain controller-related issues I see in this area are backup software that hasn't been patched and Exchange, IIS and even SQL Server flaws that haven't been addressed.

  • Enumerate file and share permissions once you've found a weak account (or while acting directly as a malicious insider with an authorized account) using DumpSec or LANguard Network Security Scanner.

  • Search for sensitive information stored in PDF, XLS, DOC, TXT, RTF, DBF and other file formats on your domain controller shares using a tool such as Effective File Search or FileLocator Pro.

If you don't find any security issues with your Windows domain controllers using these methods and tools, you may feel lucky. The likely truth is you haven't looked hard enough. There's almost always something to exploit either as an external hacker or malicious insider. That said, don't feel like you've got to perform every possible test using every possible tool to start with. Penetration testing can be very complex, so build your skills, techniques and toolbox over time.

About the author:
Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

This tip originally appeared on SearchWindowsSecurity.com.

All Rights Reserved, Copyright 2006 - 2009, TechTarget