3. What is my canonical username?
What local groups am I a member of?
What domain groups am I a member of?
4. User and Group Names Used Instead of SIDs
Used Net* Functions to Enumerate Local Groups
Tried to Use LDAP to Enumerate Domain Groups
Failed to Support Nested Groups
Failed to Resolve Domain Trusts
… and much more that few people know about AD
8. // a user handle (JNA Platform: com.sun.jna.platform.win32.* and com.sun.jna.ptr.IntByReference)
HANDLEByReference phUser = new HANDLEByReference();
if (!Advapi32.INSTANCE.LogonUser(
        "Administrator", "ENTERPRISE", "password",
        WinBase.LOGON32_LOGON_NETWORK,
        WinBase.LOGON32_PROVIDER_DEFAULT,
        phUser)) {
    throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
9. // user group memberships
// first call with no buffer fails with ERROR_INSUFFICIENT_BUFFER and reports the size needed
IntByReference tokenInformationLength = new IntByReference();
Advapi32.INSTANCE.GetTokenInformation(phUser.getValue(),
        WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, null, 0, tokenInformationLength);
WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(tokenInformationLength.getValue());
if (!Advapi32.INSTANCE.GetTokenInformation(
        phUser.getValue(),            // the HANDLE itself, not the HANDLEByReference
        WinNT.TOKEN_INFORMATION_CLASS.TokenGroups,
        groups,
        tokenInformationLength.getValue(),
        tokenInformationLength)) {
    throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
for (WinNT.SID_AND_ATTRIBUTES sid : groups.getGroups()) {
    System.out.println(Advapi32Util.convertSidToStringSid(sid.Sid));
}
10. // current user name (NameSamCompatible = DOMAIN\user; pick the EXTENDED_NAME_FORMAT you need)
char[] name = new char[256];
IntByReference nameLength = new IntByReference(name.length);
Secur32.INSTANCE.GetUserNameEx(Secur32.EXTENDED_NAME_FORMAT.NameSamCompatible, name, nameLength);
System.out.println(new String(name, 0, nameLength.getValue()));
if (!Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser.getValue())) {
    throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
try {
    // impersonated user: this thread now runs under phUser's token
    nameLength.setValue(name.length);
    Secur32.INSTANCE.GetUserNameEx(Secur32.EXTENDED_NAME_FORMAT.NameSamCompatible, name, nameLength);
    System.out.println(new String(name, 0, nameLength.getValue()));
} finally {
    Advapi32.INSTANCE.RevertToSelf();   // always drop the impersonation, even on error
    Kernel32.INSTANCE.CloseHandle(phUser.getValue());
}
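The slides above log a user on, read the token's group list and impersonate. The following is an added example, not code from the talk or from Waffle, that turns those calls into the SID-based membership check slide 4 argues for. Because the LSA builds the token at logon, its group list already contains nested groups and groups from trusted domains, which Net* enumeration and ad-hoc LDAP queries miss. It also honours the SID_AND_ATTRIBUTES flags: a group that is disabled, or marked deny-only in a filtered or restricted token, must not grant access. Assumptions: the JNA Platform classes under com.sun.jna.platform.win32; the credentials in main() are placeholders; the class and method names are mine.

```java
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinError;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
import com.sun.jna.ptr.IntByReference;

import java.util.LinkedHashSet;
import java.util.Set;

/**
 * SID-based group membership over a logon token. Added example, not Waffle's code;
 * the class name, method names and the credentials in main() are assumptions.
 */
public final class TokenGroupCheck {

    // Attribute bits of SID_AND_ATTRIBUTES.Attributes, values from winnt.h
    private static final int SE_GROUP_ENABLED = 0x00000004;
    private static final int SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010;

    // BUILTIN\Administrators: the same SID on every Windows, whatever the group is called
    public static final String ADMINISTRATORS_SID = "S-1-5-32-544";

    private TokenGroupCheck() {}

    /** Groups the token actually grants: enabled, and not marked deny-only. */
    public static Set<String> grantedGroupSids(HANDLE token) {
        IntByReference needed = new IntByReference();
        // Size query: a null buffer fails with ERROR_INSUFFICIENT_BUFFER and reports the size
        if (!Advapi32.INSTANCE.GetTokenInformation(token,
                WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, null, 0, needed)) {
            int rc = Kernel32.INSTANCE.GetLastError();
            if (rc != WinError.ERROR_INSUFFICIENT_BUFFER) {
                throw new Win32Exception(rc);
            }
        }
        WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(needed.getValue());
        if (!Advapi32.INSTANCE.GetTokenInformation(token,
                WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, groups, needed.getValue(), needed)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        Set<String> sids = new LinkedHashSet<>();
        for (WinNT.SID_AND_ATTRIBUTES g : groups.getGroups()) {
            boolean enabled = (g.Attributes & SE_GROUP_ENABLED) != 0;
            // A filtered (UAC) or restricted token lists e.g. Administrators as deny-only:
            // that SID can only deny access, so it must not count as membership.
            boolean denyOnly = (g.Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0;
            if (enabled && !denyOnly) {
                sids.add(Advapi32Util.convertSidToStringSid(g.Sid));
            }
        }
        return sids;
    }

    /** Authorization decision keyed on the SID, never on a display name. */
    public static boolean isMember(HANDLE token, String groupSid) {
        return grantedGroupSids(token).contains(groupSid);
    }

    public static void main(String[] args) {
        // Placeholder credentials; a network logon does not need the interactive logon right
        HANDLEByReference phUser = new HANDLEByReference();
        if (!Advapi32.INSTANCE.LogonUser("alice", "ENTERPRISE", "password",
                WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_PROVIDER_DEFAULT, phUser)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        HANDLE token = phUser.getValue();
        try {
            System.out.println("Administrators member: " + isMember(token, ADMINISTRATORS_SID));
            for (String sid : grantedGroupSids(token)) {
                String display;
                try {
                    // Resolve for display only: logon-session SIDs (S-1-5-5-X-Y) have no account name
                    display = Advapi32Util.getAccountBySid(sid).fqn;
                } catch (Win32Exception e) {
                    display = "(unresolvable)";
                }
                System.out.println(sid + "  " + display);
            }
        } finally {
            Kernel32.INSTANCE.CloseHandle(token);
        }
    }
}
```

Names are resolved only for printing; the decision in isMember() never depends on a lookup succeeding, so a renamed group, a localized BUILTIN name or a trusted domain that is temporarily unreachable cannot flip the result.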
11. Access Token: Current User Security Identifier, Group Memberships (a list of SIDs), Privileges
Held by the Current Process; the Current Thread Carries Its Own Token Only While Impersonating
13. Active Directory: Since Windows 2000
Multi-Master Directory Service w/ Trusts
Storage for Domain Data, User Data, User Group Data, Security Data, Etc.
Active Directory Service Interface (ADSI)
14. SSP = Security Support Provider
Kerberos, Microsoft Windows NT LAN Manager (NTLM), Negotiate (picks Kerberos when it can, falls back to NTLM)
SSPI: Microsoft's Proprietary Counterpart to GSSAPI (IETF Standard); the Kerberos SSP Interoperates with GSSAPI Kerberos on the Wire
Integrated Distributed Security Services
15. 1. Insert a Smart Card into a Reader
2. Logon to a Server Joined to an AD Domain
3. Navigate to a Website, No Prompts (the Browser Answers the Negotiate Challenge with a Kerberos Ticket)
4. Check Permissions w/ Application
5. Logged on as a Domain User on the Server
6. $$$
19. Waffle Provides Windows Authentication and Authorization Functions
Filters and Providers for Application Servers: Tomcat, Jetty, WebSphere, etc.
Open-Source
http://waffle.codeplex.com
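Slide 19 says Waffle ships servlet filters; this added example, not Waffle's or the talk's code, shows the application side of slide 15's step 4, "check permissions w/ application", for a servlet deployed behind waffle.servlet.NegotiateSecurityFilter. Assumptions: the filter is mapped in front of the servlet in web.xml, it populates request.getUserPrincipal() and request.isUserInRole() from the Windows token, and its roleFormat init-param is set to sid or both so a role can be tested by SID; the servlet name is mine.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet deployed behind waffle.servlet.NegotiateSecurityFilter.
 * Added example, not Waffle's code; AdminOnlyServlet is an assumed name.
 */
public class AdminOnlyServlet extends HttpServlet {

    // BUILTIN\Administrators. Compare by SID: the name is localized ("Administratoren",
    // "Administrateurs") and can be renamed; the SID cannot.
    static final String ADMINISTRATORS_SID = "S-1-5-32-544";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No principal: the filter did not complete Negotiate, so this request is not authenticated
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated but not authorized: 403, and log the SID the decision was made on
        if (!req.isUserInRole(ADMINISTRATORS_SID)) {
            log("denied " + req.getUserPrincipal().getName() + " (not in " + ADMINISTRATORS_SID + ")");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + req.getUserPrincipal().getName());
    }
}
```

Register the filter with filter-class waffle.servlet.NegotiateSecurityFilter on the url-pattern /* ahead of this servlet. The 401 with a WWW-Authenticate: Negotiate challenge for an unauthenticated browser then comes from the filter itself, which is what makes step 3 of slide 15 prompt-free on a domain-joined client; the servlet only ever sees the resulting principal and roles.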