Welcome back.
Today I will continue my analysis of the workstation logon process. Please take a read through Part 1 if you haven’t already. We left off with the workstation obtaining a Kerberos service ticket in order to authenticate to the domain controller to access the SMB share.
Ready? Let’s go!
-
Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation requests a new authenticated SMB session with the domain controller and provides its Kerberos service ticket as proof of authentication.
Links: -
Source: Domain-joined machine
Destination: Primary DNS Server
Connection: UDP
Port: 53
Protocol: DNS
Purpose: The DsGetDcName API issues a DNS SRV query to the domain-joined machine’s primary DNS server for a domain controller offering the Kerberos service within its site, using the SRV record _ldap._tcp.FAKESITE._sites.dc._msdcs.contoso.local. The primary DNS server returns the results of the SRV query.
Source: Domain-joined machine
Destination: Domain Controller resolved from IP returned from previous step
Connection: UDP
Port: 389
Protocol: LDAP
Purpose: The DsGetDcName API on the domain-joined machine issues a specially crafted LDAP query (referred to by Microsoft as an LDAP Ping) to the domain controller it received back from the DNS query, querying the RootDSE for the NetLogon attribute. The detailed query is as follows:
- Filter: (&(DnsDomain=)(Host=HOSTNAME)(DomainGUID=)(NtVer=)(DnsHostName=))
- Attributes: NetLogon
The domain controller passes the query to the NetLogon service running on the domain controller, which evaluates the query to determine which site the server belongs in. The domain controller returns information about its state and provides the information detailed below (https://msdn.microsoft.com/en-us/library/cc223807.aspx):
- Flags:
  - DSPDCFLAG – DC is the PDC of the domain
  - DSGCFLAG – DC is a GC of the forest
  - DSLDAPFLAG – Server supports an LDAP server
  - DSDSFlag – DC supports a DS and is a domain controller
  - DSKDCFlag – DC is running the KDC service
  - DSTimeServFlag – DC is running the time service
  - DSClosestFlag – DC is in the closest site to the client
  - DSWritableFlag – DC has a writable DS
  - DSGoodTimeServFlag (0) – DC is running the time service
  - DSNDNCFlag – DomainName is a non-domain NC serviced by the LDAP server
  - DSSelectSecretDomain6Flag – The server is not an RODC
  - DSFullSecretDomain6Flag – The server is a writable DC
  - DSWSFlag – The Active Directory Web Service is present on the server
  - DSDNSControllerFlag – DomainControllerName is not a DNS name
  - DSDNSDomainFlag – DomainName is not a DNS name
  - DSDNSForestFlag – DnsForestName is not a DNS name
- DomainGuid:
- DnsForestName: contoso.local
- DnsDomainName: contoso.local
- DnsHostName: dc2.contoso.local
- NetbiosDomainName: CONTOSO
- NetbiosComputerName: DC2
- Username:
- DcSiteName: FAKESITE
- ClientSiteName: FAKESITE
- NextClosestSiteName: Default-First-Site-Name
-
Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB TREE CONNECT Request to the domain controller for the IPC$ share, accessed by \IPC$. The IPC$ share is used to set up a named pipe for further RPC calls, such as allowing the workstation to enumerate the shares available on the server. The domain controller responds with an SMB TREE CONNECT Response providing information about the capabilities of the IPC$ share.
Links: -
Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204). This control is used to verify that the domain controller hasn’t changed the authentication mechanism originally negotiated. The domain controller responds with an SMB IOCTL Response confirming that the authentication mechanism has not changed. This helps to prevent man-in-the-middle attacks.
Links: -
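As an added example (not code from the post), this Python fragment performs the comparison the client makes on the FSCTL_VALIDATE_NEGOTIATE_INFO reply: the 24-byte response body (Capabilities, ServerGuid, SecurityMode, Dialect, per MS-SMB2) must match what the unsigned NEGOTIATE exchange told the client. The sample reply and the two client views are constructed here, not captured.

```python
import struct

def parse_validate_negotiate_info(body):
    """Decode a VALIDATE_NEGOTIATE_INFO response body (MS-SMB2 2.2.32.6)."""
    if len(body) != 24:
        raise ValueError("VALIDATE_NEGOTIATE_INFO response body must be exactly 24 bytes")
    caps, guid, secmode, dialect = struct.unpack("<I16sHH", body)
    return {"Capabilities": caps, "ServerGuid": guid, "SecurityMode": secmode, "Dialect": dialect}

def negotiate_unchanged(client_view, ioctl_body):
    """The client's check: every field in the signed reply must equal what NEGOTIATE told it."""
    server_says = parse_validate_negotiate_info(ioctl_body)
    return all(server_says[k] == client_view[k] for k in server_says)

def encode_validate_negotiate_info(caps, guid, secmode, dialect):
    """Inverse of the parser; used here only to build the constructed sample reply."""
    return struct.pack("<I16sHH", caps, guid, secmode, dialect)

# Constructed sample, not a capture. Capabilities 0x6F includes SMB2_GLOBAL_CAP_ENCRYPTION (0x40);
# SecurityMode 0x0003 = signing enabled and required; Dialect 0x0302 = SMB 3.0.2. Because the
# IOCTL response is signed, it reports the server's real state regardless of what happened to the
# unsigned NEGOTIATE packets on the wire.
SERVER_GUID = bytes(range(16))
SERVER_REPLY = encode_validate_negotiate_info(0x6F, SERVER_GUID, 0x0003, 0x0302)
# View 1: NEGOTIATE arrived intact, so the recorded values agree with the signed reply.
CLIENT_VIEW_OK = {"Capabilities": 0x6F, "ServerGuid": SERVER_GUID, "SecurityMode": 0x0003, "Dialect": 0x0302}
# View 2: the client's NEGOTIATE result lost the encryption capability and was talked down to 3.0;
# the mismatch with the signed reply is what makes the client tear the connection down.
CLIENT_VIEW_TAMPERED = dict(CLIENT_VIEW_OK, Capabilities=0x2F, Dialect=0x0300)
```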
Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control FSCTL_QUERY_NETWORK_INTERFACE_INFO (0x001401FC). This control is used to determine whether the server has multiple IP addresses and whether a new channel should be established. The domain controller responds with an SMB IOCTL Response providing the answer.
Links: -
Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control FSCTL_DFS_GET_REFERRALS (0x00060194). This control requests the DFS referral for the domain-based DFS root. The domain controller responds with an SMB IOCTL Response providing an answer with entries for both the FQDN and the NetBIOS name.
Links: -
Source: Domain-joined machine
Destination: Primary DNS Server
Connection: UDP
Port: 389
Protocol: LDAP
Purpose: The domain-joined workstation sends a DNS query for the A record of the second domain controller record it received back in the initial queries for the various SRV records. The domain controller responds with the answer to the DNS query.
Source: Domain-joined machine
Destination: Domain Controller resolved from IP returned from previous step
Connection: UDP
Port: 389
Protocol: LDAP
Purpose: The DsGetDcName API on the domain-joined machine issues a specially crafted LDAP query (referred to by Microsoft as an LDAP Ping) to the domain controller it received back from the DNS query, querying the RootDSE for the NetLogon attribute. The detailed query is as follows:
- Filter: (&(DnsDomain=)(Host=HOSTNAME)(DomainGUID=)(NtVer=)(DnsHostName=))
- Attributes: NetLogon
The domain controller passes the query to the NetLogon service running on the domain controller, which evaluates the query to determine which site the server belongs in. The domain controller returns information about its state and provides the information detailed below (https://msdn.microsoft.com/en-us/library/cc223807.aspx):
- Flags:
  - DSPDCFLAG – DC is the PDC of the domain
  - DSGCFLAG – DC is a GC of the forest
  - DSLDAPFLAG – Server supports an LDAP server
  - DSDSFlag – DC supports a DS and is a domain controller
  - DSKDCFlag – DC is running the KDC service
  - DSTimeServFlag – DC is running the time service
  - DSClosestFlag – DC is in the closest site to the client
  - DSWritableFlag – DC has a writable DS
  - DSGoodTimeServFlag (0) – DC is running the time service
  - DSNDNCFlag – DomainName is a non-domain NC serviced by the LDAP server
  - DSSelectSecretDomain6Flag – The server is not an RODC
  - DSFullSecretDomain6Flag – The server is a writable DC
  - DSWSFlag – The Active Directory Web Service is present on the server
  - DSDNSControllerFlag – DomainControllerName is not a DNS name
  - DSDNSDomainFlag – DomainName is not a DNS name
  - DSDNSForestFlag – DnsForestName is not a DNS name
- DomainGuid:
- DnsForestName: contoso.local
- DnsDomainName: contoso.local
- DnsHostName: DCSERVER.contoso.local
- NetbiosDomainName: CONTOSO
- NetbiosComputerName: DCSERVER
- Username:
- DcSiteName: Default-First-Site-Name
- ClientSiteName: FAKESITE
- NextClosestSiteName: Default-First-Site-Name
The client caches this information to its DCLocator cache.
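The NetLogon attribute value that both LDAP pings above return is a NETLOGON_SAM_LOGON_RESPONSE_EX structure, in which the DNS and site names are stored with RFC 1035 label compression. The parser below is an added example (not code from the post) that decodes such a blob into the fields listed above; the flag and NtVersion bit values are taken from MS-ADTS, while the sample blob and its DomainGuid are constructed here to mirror the DC2 response and are not a real capture.

```python
import struct
import uuid
FLAGS = {0x1: "DS_PDC_FLAG", 0x4: "DS_GC_FLAG", 0x8: "DS_LDAP_FLAG", 0x10: "DS_DS_FLAG",  # MS-ADTS 6.3.1.2
         0x20: "DS_KDC_FLAG", 0x40: "DS_TIMESERV_FLAG", 0x80: "DS_CLOSEST_FLAG", 0x100: "DS_WRITABLE_FLAG",
         0x200: "DS_GOOD_TIMESERV_FLAG", 0x400: "DS_NDNC_FLAG", 0x800: "DS_SELECT_SECRET_DOMAIN_6_FLAG",
         0x1000: "DS_FULL_SECRET_DOMAIN_6_FLAG", 0x2000: "DS_WS_FLAG", 0x20000000: "DS_DNS_CONTROLLER_FLAG",
         0x40000000: "DS_DNS_DOMAIN_FLAG", 0x80000000: "DS_DNS_FOREST_FLAG"}
NAMES = ["DnsForestName", "DnsDomainName", "DnsHostName", "NetbiosDomainName",
         "NetbiosComputerName", "UserName", "DcSiteName", "ClientSiteName"]
def read_name(buf, pos):  # one RFC 1035 compressed name at buf[pos] -> (name, position after it)
    labels, end, limit = [], None, len(buf)  # end: byte after the first pointer; limit: loop guard
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:  # 2-byte pointer back to an earlier label sequence
            target = struct.unpack(">H", buf[pos:pos + 2])[0] & 0x3FFF
            if target >= limit:  # pointers must go strictly backwards, or a crafted blob loops forever
                raise ValueError("bad compression pointer")
            end = pos + 2 if end is None else end
            pos = limit = target
            continue
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode())
        pos += 1 + buf[pos]
    return ".".join(labels), pos + 1 if end is None else end
def parse_netlogon_ex(buf):  # decode a LOGON_SAM_LOGON_RESPONSE_EX blob (the NetLogon attribute value)
    opcode, _sbz, flags = struct.unpack("<HHI", buf[:8])
    if opcode != 0x17:
        raise ValueError("not a LOGON_SAM_LOGON_RESPONSE_EX (opcode 0x17)")
    nt_version, lmnt, lm20 = struct.unpack("<IHH", buf[-8:])  # fixed trailer, so read it first
    out = {"Flags": [n for b, n in FLAGS.items() if flags & b], "NtVersion": nt_version,
           "DomainGuid": str(uuid.UUID(bytes_le=buf[8:24]))}
    pos = 24
    for field in NAMES:
        out[field], pos = read_name(buf, pos)
    if nt_version & 0x8:   # NETLOGON_NT_VERSION_5EX_WITH_IP: skip DcSockAddrSize + DcSockAddr
        pos += 1 + 16
    if nt_version & 0x10:  # NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
        out["NextClosestSiteName"], pos = read_name(buf, pos)
    if pos != len(buf) - 8 or (lmnt, lm20) != (0xFFFF, 0xFFFF):
        raise ValueError("fields do not line up with the trailer; malformed response")
    return out
def _name(*labels):  # encoder used only to build the constructed sample below (not a real capture)
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
SAMPLE = (struct.pack("<HHI", 0x17, 0, 0xE00039FD)  # Flags mirror the DC2 response listed in the post
          + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le  # made-up DomainGuid
          + _name("contoso", "local") + b"\xc0\x18"  # DnsForestName at offset 24; DnsDomainName -> 24
          + _name("dc2")[:-1] + b"\xc0\x18"          # DnsHostName = "dc2" + pointer -> contoso.local
          + _name("CONTOSO") + _name("DC2") + _name()  # NetBIOS domain/computer names, empty UserName
          + _name("FAKESITE") + b"\xc0\x3e"          # DcSiteName at offset 62; ClientSiteName -> 62
          + _name("Default-First-Site-Name")         # NextClosestSiteName (WITH_CLOSEST_SITE was set)
          + struct.pack("<IHH", 0x15, 0xFFFF, 0xFFFF))  # NtVersion = V1|5EX|WITH_CLOSEST_SITE, tokens
```

Feeding a real Netlogon attribute value (for example one exported from a packet capture) to parse_netlogon_ex yields the same field names the post lists, which makes it easy to compare DcSiteName and ClientSiteName across the DCs a client talks to.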
All right folks, we’re going to break here. My next post will continue with the NetLogon process.
Thanks and see you then!