Active Directory Hacks - PowerPoint PPT Presentation

1
Active Directory Hacks
  • Robbie Allen
  • Cisco Systems
  • rallen@cisco.com
  • www.rallenhome.com

2
What is a hack?
  • Using the O'Reilly definition
  • O'Reilly reclaims the term "hacking" for the good
    guys--innovators who explore and experiment,
    unearth shortcuts, create useful tools, and come
    up with fun things to try on their own.
  • http://hacks.oreilly.com/

3
The Active Directory Investigator
  • Stats control
  • Great for debugging and optimizing queries
  • The explain plan for LDAP
  • Query logging
  • Good for spying on queries
  • Trace Logs
  • Useful for digging under the covers

4
Active Directory Command Line Shell
  • MSH aka Monad
  • Navigate AD via command-line like you do the
    filesystem
  • Supports basic AD modifications
  • Demo

5
Why am I authenticating against the Bangalore DC?
  • Because you are missing subnets in the AD site
    topology
  • Or maybe you haven't enabled DNS scavenging
  • Authentication Topology whitepaper
    http://www.netpro.com/forum/files/authentication_topology.pdf

6
Event 5778
  • Event Type: Information
  • Event Source: NETLOGON
  • Event Category: None
  • Event ID: 5778
  • Date: 9/25/2004
  • Time: 11:57:59 AM
  • User: N/A
  • Computer: DC-BANGALORE1
  • Description:
  • 'RALLEN-W2K' tried to determine its site by
    looking up its IP address ('10.77.140.215') in
    the Configuration\Sites\Subnets container in the
    DS. No subnet matched the IP address. Consider
    adding a subnet object for this IP address.

7
One of the longest command-lines you've ever seen
  • D:\> for /f "usebackq tokens=8 delims=," %i in
    (`eventquery.vbs /l system /s dc-sj1 /fi "id eq
    5778" /fi "Datetime eq 09/20/04,03:15:00AM-09/25/04,03:15:00AM"
    /u "AD-VM1\administrator" /v /fo csv /p AD1sGr8`)
    do for /f "tokens=1,3 delims='" %j in ("%i")
    do echo %k,%j >> miss_subs.txt
  • Token 8 of the CSV row is the event description;
    splitting it on the single quote makes %j the
    client name and %k the IP address
  • Produces a list of IPs that don't have a matching
    AD subnet
  • Could be made even longer by dynamically querying
    all DCs using netdom query dc
  • You'd be better off creating a batch file with
    input params
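The same extraction as the one-liner above, done as a script with input parameters. This is an added example, not code from the presentation: it parses constructed Event 5778 descriptions (not real log data), skips IPs that are now covered by a list of known subnets, and groups what is left into candidate /24 subnet objects to add to the site topology.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Event 5778 descriptions (not real log data), as they
# would appear in the description column of the eventquery.vbs CSV output.
SAMPLE_EVENTS = [
    r"'RALLEN-W2K' tried to determine its site by looking up its IP address ('10.77.140.215') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.",
    r"'SJ-LAPTOP7' tried to determine its site by looking up its IP address ('10.77.140.88') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.",
    r"'BLR-WS12' tried to determine its site by looking up its IP address ('10.99.3.4') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.",
    r"'RALLEN-W2K' tried to determine its site by looking up its IP address ('10.77.140.215') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.",
]

# Mirrors the slide's tokens=1,3 delims=' trick: the first quoted field is the
# client name, the quoted field inside the parentheses is its IP address.
EVENT_5778_RE = re.compile(r"^'(?P<host>[^']+)' tried to determine its site by looking up its IP address \('(?P<ip>[^']+)'\)")

def parse_5778(description):
    """Return (host, ip) for an Event 5778 description, or None if it doesn't match."""
    m = EVENT_5778_RE.match(description)
    if not m:
        return None
    try:
        return m.group("host"), ipaddress.ip_address(m.group("ip"))
    except ValueError:  # malformed address in the event text
        return None

def missing_subnets(descriptions, known_subnets=()):
    """Map each unmatched IP to the hosts that reported it; IPs already covered
    by known_subnets (subnet objects added since the events fired) are skipped."""
    nets = [ipaddress.ip_network(s) for s in known_subnets]
    result = {}
    for d in descriptions:
        parsed = parse_5778(d)
        if parsed is None:
            continue
        host, ip = parsed
        if not any(ip in n for n in nets):
            result.setdefault(str(ip), set()).add(host)
    return result

def candidate_subnets(missing, prefixlen=24):
    """Group unmatched IPs into candidate subnet objects (/24 by default) with hit counts."""
    counts = Counter()
    for ip in missing:
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(counts)

# Example: missing_subnets(SAMPLE_EVENTS, known_subnets=["10.99.0.0/16"]) leaves the
# two 10.77.140.x clients; candidate_subnets() on that -> {"10.77.140.0/24": 2}
```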

8
The Active Directory Undead
  • Active Directory object deletion model
  • cn=Deleted Objects
  • Tombstones
  • Tombstone expiration period

9
Back from the Dead
  • Searching for deleted objects
  • Enable the Return deleted objects control
  • Browse cn=Deleted Objects
  • Or search using isDeleted=TRUE

10
Life beyond Death
  • Restoring deleted objects
  • adrestore from Sysinternals
  • Or the old fashioned way with LDP

11
The Un-delegation of Control Wizard
  • Dsrevoke
  • Microsoft download http://tinyurl.com/vdyp
  • /report
  • /remove

12
Having fun with Joeware
  • Joe Richards - http://www.joeware.net/
  • Variety of Windows, Active Directory, and
    Exchange tools
  • adfind - Query Active Directory
  • admod - Generic Active Directory modification
    tool
  • oldcmp - Locate old (inactive) computer accounts
  • Others: GetUserInfo, ExchMbx, CPAU, Unlock

13
adfind
  • Supports all the standard LDAP query options
    (even bit-wise queries)
  • View Stats control
  • Find deleted objects

14
admod
  • Supports all the standard LDAP modification
    operations (not to mention undelete)
  • modify
  • -move
  • -rename
  • -del and -treedelete
  • Combining adfind and admod with -dsq

15
oldcmp
  • -report
  • -disable
  • -delete
  • oldcmp -report -file inactive.html -disable -b
    "cn=computers,dc=rallencorp,dc=com"
  • blat inactive.html -to rallen@cisco.com -html

16
Want more hacks?
17
Q/A
  • Thank you for your time!
  • Email rallen@cisco.com
  • Preso http://www.rallenhome.com/