Active Directory Control Paths auditing and graphing tools

Active Directory Control Paths

Control paths in Active Directory are an aggregation of “control relations” between entities of the domain (users, computers, groups, GPO, containers, etc.) which can be visualized as graphs (such as above) and whose purpose is to answer questions like “Who can get ‘Domain Admins’ privileges ?” or “What resources can a user control ?” and even “Who can read the CEO’s emails ?”.

Download

USAGE 

Note: None of these tools need to run on a domain controller.

Generating control paths graphs for your domain takes the 4 following steps:

0. Dump data from LDAP directory, SYSVOL, and EWS and run analyzers to form control relationships.
1. Import these relations into a graph-oriented database (Neo4j).
2. Query that database to export various nodes lists, control paths, or create JSON files representing control paths graphs.
3. Visualize graphs created from those JSON files.

The 3 last steps are always performed in the same way, but the first step (data dumping) can be carried out in different contexts:

0. Live access to the domain, using a simple domain user account.
1. Live access to the domain, using a domain administrator account.
2. Offline, using a copy of a ntds.dit file and a robocopy of the SYSVOL preserving security attributes.

A simple domain user account is enough to dump a large majority of the control relations, but access to a few LDAP containers and GPO folders on the SYSVOL can be denied. If one is available, an administrator account can thus be used to ensure that no element is inaccessible.

If no access to the domain is given, control graphs can be realized from offline copies of the ntds.dit and SYSVOL:

0. A copied ntds.dit file can be re-mounted to expose its directory through LDAP with the dsamain utility (available on a Windows server machine having the AD-DS or AD-LDS role, or with the “Active Directory Domain Services Tools” installed): dsamain.exe -allowNonAdminAccess -dbpath <ntds.dit path> -ldapPort 1234
1. A robocopy of the SYSVOL share preserving security attributes can be done with the robocopy utility (the destination folder must be on an NTFS volume): robocopy.exe \\<DC ip or host>\sysvol\<domain dns name>\Policies <destination path> /W:1 /R:1 /COPY:DATSO /E /TEE /LOG:<logfile.log>

   Note: to preserve security attributes on the copied files you need the SeRestorePrivilege on the local computer you’re running the robocopy on (that is, you need to run these commands as local administrator). You then need to use the SeBackupPrivilege to process this local robocopy (dumping tools have a use backup privilege option that you must use).

Tutorial

Copyright (C) gdedrouas