DC-Sonar - Analyzing AD Domains For Security Risks Related To User Accounts

Repositories

The project consists of repositories:

dc-sonar-frontend dc-sonar-user-layer dc-sonar-workers-layer ntlm-scrutinizer

Disclaimer

It's only for education purposes.

Avoid using it on the production Active Directory (AD) domain.

Neither contributor incur any responsibility for any using it.

Social media

Check out our Red Team community Telegram channel

Description

Architecture

For the visual descriptions, open the diagram files using the diagrams.net tool.

The app consists of:

The dc-sonar-frontend is the fronted part of the user web interface bases on: Angular Angular Material The dc-sonar-user-layer is the backend part of the web app bases on: Python 3.10 Django Django ORM Django REST framework Celery RabbitMQ PostgreSQL The dc-sonar-workers-layer is the logic layer that performs and runs analyzing processes which base on: Python 3.10 SQLAlchemy Alembic APScheduler RabbitMQ PostgreSQL The ntlm-scrutinizer is the NTLM hashes performer with REST API based on: Python 3.10 FastAPI hashcat impacket

Functionallity

The DC Sonar Community provides functionality for analyzing AD domains for security risks related to accounts:

Register analyzing AD domain in the app

See the statuses of domain analyzing processes

Dump and brute NTLM hashes from set AD domains to list accounts with weak and vulnerable passwords

Analyze AD domain accounts to list ones with never expire passwords

Analyze AD domain accounts by their NTLM password hashes to determine accounts and domains where passwords repeat

Installation

Docker

In progress ...

Manually using dpkg

It is assumed that you have a clean Ubuntu Server 22.04 and account with the username "user".

The app will install to /home/user/dc-sonar.

The next releases maybe will have a more flexible installation.

Download dc_sonar_NNNN.N.NN-N_amd64.tar.gz from the last distributive to the server.

Create a folder for extracting files:

Extract the downloaded archive:

Go to the folder with the extracted files:

Install PostgreSQL:

Install RabbitMQ:

Install dependencies:

It will ask for confirmation of adding the ppa:deadsnakes/ppa repository. Press Enter.

Install dc-sonar itself:

It will ask for information for creating a Django admin user. Provide username, mail and password.

It will ask for information for creating a self-signed SSL certificate twice. Provide required information.

Open: https://localhost

Enter Django admin user credentials set during the installation process before.

Style guide

See the information in STYLE_GUIDE.md

Deployment for development

Docker

In progress ...

Manually using Windows host and Ubuntu Server guest

In this case, we will set up the environment for editing code on the Windows host while running Python code on the Ubuntu guest.

Set up the virtual machine

Create a virtual machine with 2 CPU, 2048 MB RAM, 10GB SSD using Ubuntu Server 22.04 iso in VirtualBox.

If Ubuntu installer asks for updating ubuntu installer before VM's installation - agree.

Choose to install OpenSSH Server.

VirtualBox Port Forwarding Rules:

Name Protocol Host IP Host Port Guest IP Guest Port

SSH	TCP	127.0.0.1	2222	10.0.2.15	22
RabbitMQ management console	TCP	127.0.0.1	15672	10.0.2.15	15672
Django Server	TCP	127.0.0.1	8000	10.0.2.15	8000
NTLM Scrutinizer	TCP	127.0.0.1	5000	10.0.2.15	5000
PostgreSQL	TCP	127.0.0.1	25432	10.0.2.15	5432

Config Window

Download and install Python 3.10.5.

Create a folder for the DC Sonar project.

Go to the project folder using Git for Windows:

Make Windows installation steps for dc-sonar-user-layer.

Make Windows installation steps for dc-sonar-workers-layer.

Make Windows installation steps for ntlm-scrutinizer.

Make Windows installation steps for dc-sonar-frontend.

Set shared folders

Make steps from "Open VirtualBox" to "Reboot VM", but add shared folders to VM VirtualBox with "Auto-mount", like in the picture below:

After reboot, run command:

Perform logout and login for the using user account.

In /home/user directory, you can use mounted folders:

Config Ubuntu Server

Config PostgreSQL

Install PostgreSQL on Ubuntu 20.04:

Create the admin database account:

Create the dc_sonar_workers_layer database account:

Create the dc_sonar_user_layer database account:

Create the back_workers_db database:

Create the web_app_db database:

Run the psql:

Set a password for the admin account:

Set a password for the dc_sonar_workers_layer account:

Set a password for the dc_sonar_user_layer account:

Grant CRUD permissions for the dc_sonar_workers_layer account on the back_workers_db database:

Grant CRUD permissions for the dc_sonar_user_layer account on the web_app_db database:

Exit of the psql:

Open the pg_hba.conf file:

Add the line for the connection to allow the connection from the host machine to PostgreSQL, save changes and close the file:

Open the postgresql.conf file:

Change specified below params, save changes and close the file:

Restart the PostgreSQL service:

Check the PostgreSQL service status:

Check the log file if it is needed:

Now you can connect to created databases using admin account and client such as DBeaver from Windows.

Config RabbitMQ

Install RabbitMQ using the script.

Enable the management plugin:

Create the RabbitMQ admin account:

Tag the created user for full management UI and HTTP API access:

Open management UI on http://localhost:15672/.

Install Python3.10

Ensure that your system is updated and the required packages installed:

Install the required dependency for adding custom PPAs:

Then proceed and add the deadsnakes PPA to the APT package manager sources list as below:

Download Python 3.10:

Install the dependencies:

Install the venv module:

Check the version of installed python:

Hosts

Add IP addresses of Domain Controllers to /etc/hosts

Layers

Set venv

We have to create venv on a level above as VM VirtualBox doesn't allow us to make it in shared folders.

Go to the home directory where shared folders located:

Make deploy steps for dc-sonar-user-layer on Ubuntu.

Make deploy steps for dc-sonar-workers-layer on Ubuntu.

Make deploy steps for ntlm-scrutinizer on Ubuntu.

Config modules

Make config steps for dc-sonar-user-layer on Ubuntu.

Make config steps for dc-sonar-workers-layer on Ubuntu.

Make config steps for ntlm-scrutinizer on Ubuntu.

Run

Make run steps for ntlm-scrutinizer on Ubuntu.

Make run steps for dc-sonar-user-layer on Ubuntu.

Make run steps for dc-sonar-workers-layer on Ubuntu.

Make run steps for dc-sonar-frontend on Windows.

Open https://localhost:8000/admin/ in a browser on the Windows host and agree with the self-signed certificate.

Open https://localhost:4200/ in the browser on the Windows host and login as created Django user.