DC-Sonar – Analyzing AD Domains For Security Risks Related To User Accounts

[![](https://blogger.googleusercontent.com/img/a/AVvXsEh4T_TaJ_WITYbBqoWyvHgSUq1IW13NIF2MOl8t3_g3AYj44B1G_tS0PsJ6EHo9flgZui2dSIwMo4neB9Yw-CYFF4tjSyIiM_QMS8CNUqMqEKZFYSJmFevxnYASeRjNI4XGVJNjRxe6xR7LQnWXBqCwJFmlYKW0wS3wcbSALpKIRivwH4bRmRj5_I2fVA=w640-h314)]()

# DC Sonar Community

## Repositories

The project consists of repositories:

* [dc-sonar-frontend]( “dc-sonar-frontend” )
* [dc-sonar-user-layer]( “dc-sonar-user-layer” )
* [dc-sonar-workers-layer]( “dc-sonar-workers-layer” )
* [ntlm-scrutinizer]( “ntlm-scrutinizer” )

## Disclaimer

It is for educational purposes only.

Avoid using it on a production [Active Directory]( “Active Directory” ) (AD) domain.

No contributor accepts any responsibility for its use.

## Social media

Check out our Red Team community [Telegram channel]( “Telegram channel” )

## Description

### Architecture

For a visual description, open the [diagram files]( “diagram files” ) with the [diagrams.net]( “diagrams.net” ) tool.

The app consists of:

* The [dc-sonar-frontend]( “dc-sonar-frontend” ) is the frontend of the web interface, based on:
  * [Angular]( “Angular” )
  * [Angular Material]( “Angular Material” )
* The [dc-sonar-user-layer]( “dc-sonar-user-layer” ) is the backend of the web app, based on:
  * [Python 3.10]( “Python 3.10” )
  * [Django]( “Django” )
  * [Django ORM]( “Django ORM” )
  * [Django REST framework]( “Django REST framework” )
  * [Celery]( “Celery” )
  * [RabbitMQ]( “RabbitMQ” )
  * [PostgreSQL]( “PostgreSQL” )
* The [dc-sonar-workers-layer]( “dc-sonar-workers-layer” ) is the logic layer that runs the analysis processes, based on:
  * [Python 3.10]( “Python 3.10” )
  * [SQLAlchemy]( “SQLAlchemy” )
  * [Alembic]( “Alembic” )
  * [APScheduler]( “APScheduler” )
  * [RabbitMQ]( “RabbitMQ” )
  * [PostgreSQL]( “PostgreSQL” )
* The [ntlm-scrutinizer]( “ntlm-scrutinizer” ) is the NTLM hash dumping and cracking service with a REST API, based on:
  * [Python 3.10]( “Python 3.10” )
  * [FastAPI]( “FastAPI” )
  * [hashcat]( “hashcat” )
  * [impacket]( “impacket” )

### Functionality

The DC Sonar Community provides functionality for analyzing AD domains for security risks related to accounts:

* Register an AD domain for analysis in the app

![](https://blogger.googleusercontent.com/img/a/AVvXsEhXzvzknvxOkjETMZb5CVQKjcW4rRvucd6rZuyZFWprOZdSJ_avODLB6cUrzJuz09rEkjSyPnMvvR6Ou4LGGHfoGfrFFnJL_naOZdvxQOff5-JauGFhJW7G1SEA7QX8pFGfPWNUcVKI-MXYto7ZXGiIoXRSXdy4fP-KGqotD5L7cS0TodpFdDF-OyLhiA=w640-h312)

* See the status of each domain analysis process

![](https://blogger.googleusercontent.com/img/a/AVvXsEgP4NXGAyhO8DpjhUUZUlnk6j0gNt6TWWY-gmzHEFN7PNS8ODXNyY4z8fQAlcHqxPq8Gflbhp8VJ2jDfKHr9Fv3NAqLBIUsHNTC_Xu11245GCZRj7i9U5Uy6ysbWwgpK-sSv_ebv5KMP4bfTzbgJORVsdWPpggIM5LK9Rw5K2XrWGP1IxykswZa6E4HBw=w640-h314)

* Dump NTLM hashes from the registered AD domains and brute-force them to list accounts with weak or vulnerable passwords

![](https://blogger.googleusercontent.com/img/a/AVvXsEjRcvrxN-Vi3hTAI4YMwnhvgR9Rvewfdn0xMERYM06l6pCA8lBWE4R_yRxnGETx4ArwjKiJNn-U9w4HXxRhYCda2ole6tzkJG5eYnxuqpOcgLpU9dCsAHpIkmhrILe2ZwN2MaCEI0vCwbwXoOblxahJ8o35uo7s9NUydA0iB1EJueJ-bSACts8Q5c8exw=w640-h312)

* Analyze AD domain accounts to list those whose passwords never expire

![](https://blogger.googleusercontent.com/img/a/AVvXsEi6Ko0k4HFPyBSElT6uuhTAWDxAweR-xGQUyK_IZwvNVeDVihweI_ypx-e7mTktyhD255M9w6LIIVk2EoZU8dByL8Sg9j9KJTNvbnywxajA-ri0NWYxHdaUN8iJum-xzUb3fSGqiolM8ueHZtm5ko-DBGfcbZpvXjZiNDgnnzCpFHOnDstQA9ru-VPaPA=w640-h314)

* Analyze AD domain accounts by their NTLM password hashes to find accounts, and domains, where the same password is reused

![](https://blogger.googleusercontent.com/img/a/AVvXsEh4T_TaJ_WITYbBqoWyvHgSUq1IW13NIF2MOl8t3_g3AYj44B1G_tS0PsJ6EHo9flgZui2dSIwMo4neB9Yw-CYFF4tjSyIiM_QMS8CNUqMqEKZFYSJmFevxnYASeRjNI4XGVJNjRxe6xR7LQnWXBqCwJFmlYKW0wS3wcbSALpKIRivwH4bRmRj5_I2fVA=w640-h314)

## Installation

### Docker

In progress …

### Manually using dpkg

It is assumed that you have a clean [Ubuntu Server 22.04]( “Ubuntu Server 22.04” ) and an account with the username “user”.

The app will be installed to `/home/user/dc-sonar`.

Later releases may offer a more flexible installation.

Download dc_sonar_NNNN.N.NN-N_amd64.tar.gz from the [latest release]( “last distributive” ) to the server.

Create a folder for extracting files:

mkdir dc_sonar_NNNN.N.NN-N_amd64

Extract the downloaded archive:

tar -xvf dc_sonar_NNNN.N.NN-N_amd64.tar.gz -C dc_sonar_NNNN.N.NN-N_amd64

Go to the folder with the extracted files:

cd dc_sonar_NNNN.N.NN-N_amd64/

Install PostgreSQL:

sudo bash install_postgresql.sh

Install RabbitMQ:

sudo bash install_rabbitmq.sh

Install dependencies:

sudo bash install_dependencies.sh

It will ask for confirmation of adding the ppa:deadsnakes/ppa repository. Press `Enter`.

Install dc-sonar itself:

sudo dpkg -i dc_sonar_NNNN.N.NN-N_amd64.deb

It will ask for information to create a Django admin user. Provide a username, e-mail address and password.

It will ask twice for information to create a self-signed SSL certificate. Provide the required information.

Open:

Enter the Django admin user [credentials]( “credentials” ) set during the installation.

## Style guide

See the information in [STYLE_GUIDE.md]( “STYLE_GUIDE.md” )

## Deployment for development

### Docker

In progress …

### Manually using Windows host and Ubuntu Server guest

In this case, we will set up the environment to edit code on the Windows host while running the Python code on the Ubuntu guest.

#### Set up the virtual machine

[Create]( “Create” ) a [virtual machine]( “virtual machine” ) with 2 CPUs, 2048 MB RAM and a 10 GB disk from the [Ubuntu Server 22.04]( “Ubuntu Server 22.04” ) ISO in [VirtualBox]( “VirtualBox” ).

If the Ubuntu installer offers to update itself before installation, agree.

Choose to install OpenSSH Server.

VirtualBox [Port Forwarding]( “Port Forwarding” ) Rules:

Name | Protocol | Host IP | Host Port | Guest IP | Guest Port
---|---|---|---|---|---
SSH | TCP | 127.0.0.1 | 2222 | 10.0.2.15 | 22
RabbitMQ management console | TCP | 127.0.0.1 | 15672 | 10.0.2.15 | 15672
Django Server | TCP | 127.0.0.1 | 8000 | 10.0.2.15 | 8000
NTLM Scrutinizer | TCP | 127.0.0.1 | 5000 | 10.0.2.15 | 5000
PostgreSQL | TCP | 127.0.0.1 | 25432 | 10.0.2.15 | 5432

#### Config Windows

[Download]( “Download” ) and install Python 3.10.5.

Create a folder for the DC Sonar project.

Go to the project folder using [Git for Windows]( “Git for Windows” ):

cd '{PATH_TO_FOLDER}'

Follow the Windows installation steps for [dc-sonar-user-layer]( “dc-sonar-user-layer” ).

Follow the Windows installation steps for [dc-sonar-workers-layer]( “dc-sonar-workers-layer” ).

Follow the Windows installation steps for [ntlm-scrutinizer]( “ntlm-scrutinizer” ).

Follow the Windows installation steps for [dc-sonar-frontend]( “dc-sonar-frontend” ).

#### Set shared folders

Follow the [steps]( “steps” ) from “Open VirtualBox” to “Reboot VM”, but add the shared folders to the VM in VirtualBox with “Auto-mount” enabled, as in the picture below:

![](https://blogger.googleusercontent.com/img/a/AVvXsEirblFtnaHjt5ZXZjcs9oCFlhEwlH7Z9JSLgHKZ45ET_6jTaJ2wryiWWzuU5doP7fUQV5Gkv2WM_lvuZFEhpYZdtclk2sk6RDzursbllMlH-8ljsGL5akhzku4CIRddFhO4CaTnnsMTOq3WxkYW0oHJfYrIef7uGal0BKU4I1YJ85XkEskgGnThLXPyGw=w640-h256)

After reboot, run command:

sudo adduser $USER vboxsf

Log out and log back in with that user account.

In the `/home/user` directory, the mounted folders are now available:

ls -l

Output:
total 12
drwxrwx--- 1 root vboxsf 4096 Jul 19 13:53 dc-sonar-user-layer
drwxrwx--- 1 root vboxsf 4096 Jul 19 10:11 dc-sonar-workers-layer
drwxrwx--- 1 root vboxsf 4096 Jul 19 14:25 ntlm-scrutinizer

#### Config Ubuntu Server

##### Config PostgreSQL

[Install]( “Install” ) PostgreSQL on Ubuntu 20.04:

sudo apt update
sudo apt install postgresql postgresql-contrib
sudo systemctl start postgresql.service

Create the admin database account:

sudo -u postgres createuser --interactive

Output:
Enter name of role to add: admin
Shall the new role be a superuser? (y/n) y

Create the dc_sonar_workers_layer database account:

sudo -u postgres createuser --interactive

Output:
Enter name of role to add: dc_sonar_workers_layer
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

Create the dc_sonar_user_layer database account:

sudo -u postgres createuser --interactive

Output:
Enter name of role to add: dc_sonar_user_layer
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

Create the back_workers_db database:

sudo -u postgres createdb back_workers_db

Create the web_app_db database:

sudo -u postgres createdb web_app_db

Run the psql:

sudo -u postgres psql

Set a password for the admin account:

ALTER USER admin WITH PASSWORD '{YOUR_PASSWORD}';

Set a password for the dc_sonar_workers_layer account:

ALTER USER dc_sonar_workers_layer WITH PASSWORD '{YOUR_PASSWORD}';

Set a password for the dc_sonar_user_layer account:

ALTER USER dc_sonar_user_layer WITH PASSWORD '{YOUR_PASSWORD}';

Grant CRUD permissions for the dc_sonar_workers_layer account on the back_workers_db database:

\c back_workers_db
GRANT CONNECT ON DATABASE back_workers_db to dc_sonar_workers_layer;
GRANT USAGE ON SCHEMA public to dc_sonar_workers_layer;
GRANT ALL ON ALL TABLES IN SCHEMA public TO dc_sonar_workers_layer;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO dc_sonar_workers_layer;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO dc_sonar_workers_layer;

Grant CRUD permissions for the dc_sonar_user_layer account on the web_app_db database:

\c web_app_db
GRANT CONNECT ON DATABASE web_app_db to dc_sonar_user_layer;
GRANT USAGE ON SCHEMA public to dc_sonar_user_layer;
GRANT ALL ON ALL TABLES IN SCHEMA public TO dc_sonar_user_layer;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO dc_sonar_user_layer;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO dc_sonar_user_layer;

Note that `GRANT ... ON ALL TABLES IN SCHEMA` covers only objects that exist when it runs. Tables the role creates itself (for example through its own migrations) are owned by it and need no grant, but objects created later by another role (such as admin) require `ALTER DEFAULT PRIVILEGES` or a re-run of the grants.

Exit psql:

\q

Open the pg_hba.conf file:

sudo nano /etc/postgresql/12/main/pg_hba.conf

Add the following lines to allow connections from the host machine to PostgreSQL, then save and close the file:

# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all admin 0.0.0.0/0 md5

The last line lets the superuser role authenticate from any address PostgreSQL listens on. In this setup the exposure is limited, because `listen_addresses` is restricted below and the VirtualBox forwarding rule binds to 127.0.0.1 on the host, but do not reuse this line outside a throwaway development VM.
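A tighter form of the same two entries, added here as an example and not part of the project's own instructions. It assumes the VirtualBox NAT layout used in this guide, where connections forwarded from the Windows host reach the guest from the NAT gateway address 10.0.2.2 (VirtualBox's default), and that `password_encryption = 'scram-sha-256'` is set in postgresql.conf before the `ALTER USER ... WITH PASSWORD` statements run (otherwise re-run them, since a password stored as an md5 verifier cannot authenticate through a scram-sha-256 entry):

```conf
# IPv4 local connections:
host    all     all     127.0.0.1/32    scram-sha-256
# Only the admin role, only from the VirtualBox NAT gateway (the host side),
# and SCRAM instead of md5; replaces 'host all admin 0.0.0.0/0 md5'.
host    all     admin   10.0.2.2/32     scram-sha-256
```

The application roles (dc_sonar_workers_layer, dc_sonar_user_layer) still connect locally over 127.0.0.1 from the guest, so they need no remote entry at all.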

Open the postgresql.conf file:

sudo nano /etc/postgresql/12/main/postgresql.conf

Change the parameters below, then save and close the file:

listen_addresses = 'localhost,10.0.2.15'
shared_buffers = 512MB
work_mem = 5MB
maintenance_work_mem = 100MB
effective_cache_size = 1GB

Restart the PostgreSQL service:

sudo service postgresql restart

Check the PostgreSQL service status:

service postgresql status

Check the log file if it is needed:

tail -f /var/log/postgresql/postgresql-12-main.log

Now you can connect to the created databases with the admin account from a client such as [DBeaver]( “DBeaver” ) on Windows.

##### Config RabbitMQ

Install RabbitMQ using the [script]( “script” ).

Enable the management plugin:

sudo rabbitmq-plugins enable rabbitmq_management

Create the RabbitMQ admin account:

sudo rabbitmqctl add_user admin {YOUR_PASSWORD}

Tag the created user for full management UI and HTTP API access:

sudo rabbitmqctl set_user_tags admin administrator

Open the management UI on .

##### Install Python 3.10

Make sure the system is up to date:

sudo apt update && sudo apt upgrade -y

Install the required dependency for adding custom PPAs:

sudo apt install software-properties-common -y

Then add the deadsnakes PPA to the APT sources list:

sudo add-apt-repository ppa:deadsnakes/ppa

Install Python 3.10:

sudo apt install python3.10=3.10.5-1+focal1

Install the dependencies:

sudo apt install python3.10-dev=3.10.5-1+focal1 libpq-dev=12.11-0ubuntu0.20.04.1 libsasl2-dev libldap2-dev libssl-dev

Install the venv module:

sudo apt-get install python3.10-venv

Check the version of installed python:

python3.10 --version

Output:
Python 3.10.5

##### Hosts

Add the IP addresses of the Domain Controllers to `/etc/hosts`:

sudo nano /etc/hosts

#### Layers

##### Set venv

We have to create the venv one level up, because VirtualBox shared folders do not allow it (venv creates symlinks, which vboxsf shared folders do not permit by default).

Go to the home directory where the shared folders are located:

cd /home/user

Follow the deployment [steps]( “steps” ) for dc-sonar-user-layer on Ubuntu.

Follow the deployment [steps]( “steps” ) for dc-sonar-workers-layer on Ubuntu.

Follow the deployment [steps]( “steps” ) for ntlm-scrutinizer on Ubuntu.

##### Config modules

Follow the configuration [steps]( “steps” ) for dc-sonar-user-layer on Ubuntu.

Follow the configuration [steps]( “steps” ) for dc-sonar-workers-layer on Ubuntu.

Follow the configuration [steps]( “steps” ) for ntlm-scrutinizer on Ubuntu.

##### Run

Follow the run [steps]( “steps” ) for ntlm-scrutinizer on Ubuntu.

Follow the run [steps]( “steps” ) for dc-sonar-user-layer on Ubuntu.

Follow the run [steps]( “steps” ) for dc-sonar-workers-layer on Ubuntu.

Follow the run [steps]( “steps” ) for dc-sonar-frontend on Windows.

Open in a browser on the Windows host and accept the self-signed certificate.

Open in the browser on the Windows host and log in as the created Django user.

**[Download Dc-Sonar]( “Download Dc-Sonar” )**
