joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

4/23/2023

Live HIP is coming to you in NYC in August AND IT IS FREEEEEE!

by @ 12:39 pm. Filed under general, tech

Be there or be square, sign up fast!!!

https://www.accelevents.com/e/hip-global-2023?aff=MC

For those of you who remember the glorious days of DEC and TEC, HIP is that but v2. Many of the same old faces and some fun new ones to boot.

I would love to be there myself but I was already booked from last year to be somewhere else the week of August 23rd/24th so I had to bail, HOWEVER, one of my engineers will be there presenting some cool stuff on Security Descriptors that you may find very interesting (I would love to hear back the feedback after the fact so I can tweak my mentoring/training as needed).

HIP is put together by Semperis which I have mentioned before is one of the ONLY vendors out there that I will evangelize/stump for because I know much/most of the high level folks in that company and likely so do you if you spent time back in the day going to DEC/TEC conferences. Extremely bright and helpful people, all of them. They also have a FREE bad ass powerful AD Indicator of Exposure tool called Purple Knight that is great. I have been using it for a couple of years now for testing things and for telling people to download and use to tighten up their security or after someone has been breached to see if they can sort out the AD specific persistence methods. I keep meaning to write up an extensive post on it because it is so good and cool but I keep getting tied up with other stuff. But trust me, it is damn cool and anyone running AD nowadays DEFINITELY needs it to look over their environment. When I first ran it I was surprised by how detailed it was, and then I did my joe thing and I spent a good amount of time going through the report line by line writing up input for Semperis to make it even better. Running this tool is like having some of the best people in the industry looking your Active Directory over for problems. Download it, run it. https://www.purple-knight.com/

And again, if you can get to NYC in August, go to HIP. You will not regret that time at all and if I ever have helped you with my tools or information I have freely shared for the last couple of decades, please go just to cheer on my engineer. Smile 

   joe

P.S. I am polishing up some final updates on AdFind and AdMod so should be releasing within a month or maybe two. That engineer I mentioned found a record 3 bugs in AdMod in one day that I had to deal with and 4 that one week. That is the level of intelligence in play.


4/5/2023

joeware isn’t malware. Google says so.

by @ 11:30 pm. Filed under general

[image: 2023-04-05-joeware-not-malware-google]


3/17/2023

Hey Microsoft… Is the AD Delegation for Computer Objects Broken?

by @ 11:09 pm. Filed under tech

Is https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8 an admission that AD Delegation for computer objects is broken?

The whole fix and the previous versions of the fixes were to override who can re-use an existing computer account. Theoretically, if your AD security is properly delegated and you turned off that silly "anyone can join a computer if they have joined less than X machines" quota business (ms-DS-MachineAccountQuota), then the only people who should be able to re-use a machine account are the people you have delegated rights to create/delete/join the machine account. This is usually something you do at an OU level, or possibly, if you are a little quirky and like to do things different, at a container level. So you set up that delegation to the people who "own" the support of the machines in that OU and you move on with your life.

Along comes this change where MSFT starts blowing people up by changing how the delegation works outside of the delegation model. It was quite irritating I will say. WTF do we have the delegation model for then?

So now the latest fix has you specifying people you trust to reuse computer objects in AD which again, is probably the same people you delegated the access to in the first place. So you think, well this is just stupid, I have previously delegated access to X number of different OUs to X number of different groups in each domain. Now I have to also add them to a GPO??? Why wasn’t the first delegation to show I trusted them good enough?

And then they even go further and write in the KB…

[image]

So if authenticated users, everyone, and other large groups already didn’t have rights to touch the machine accounts via your properly built delegation model, why is this suddenly important? And why does this apparently override the delegation model? Since I have this properly delegated already I should be able to put in Everyone just fine because, again, the delegation model works correctly right? Or maybe it doesn’t???

Hey Microsoft… Are you admitting in this KB and Security Fix that the AD delegation model for computer objects is broken?
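One way to see the delegation you actually built, so you can compare it with whatever the KB now wants you to allow-list, is to read the ACL of the OU holding the computer objects and pull out the ACEs that grant create/delete (or full control) over the computer class, alongside the ms-DS-MachineAccountQuota value. The script below is an added example, not something from the post or from joeware; it assumes the RSAT ActiveDirectory module, and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the post): list who holds create/delete/full-control rights over
# computer objects in an OU, and show ms-DS-MachineAccountQuota, so the delegation you
# built can be compared against the groups the KB expects you to allow-list.
# Assumes the RSAT ActiveDirectory module; the OU DN at the bottom is a placeholder.
Import-Module ActiveDirectory

# Schema GUID of the 'computer' object class (well-known value)
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Principals that should never hold computer-object rights in a delegated model
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

function Get-ComputerObjectDelegation {
    param([Parameter(Mandatory)][string]$OuDn)

    $acl = Get-Acl -Path ("AD:\" + $OuDn)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = [int]$ace.ActiveDirectoryRights
        $createDelete = (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -or
                        (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild) -ne 0)
        $full = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
                [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        if (-not ($createDelete -or $full)) { continue }

        # ObjectType narrows CreateChild/DeleteChild to one class; an empty GUID means any class
        if ($createDelete -and $ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ComputerClassGuid) { continue }

        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            OU        = $OuDn
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $ComputerClassGuid) { 'computer objects' } else { 'any child class' }
            Inherited = $ace.IsInherited
            # Broad = a large group that a proper delegation model would never grant this to
            Broad     = ($BroadPrincipals -contains $who) -or ($who -like '*\Domain Users')
        }
    }
}

# ms-DS-MachineAccountQuota lives on the domain NC head; 0 means only delegated principals can join
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# Placeholder OU; run it against each OU/container where you delegated machine support
Get-ComputerObjectDelegation -OuDn 'OU=Workstations,DC=example,DC=test' | Format-Table -AutoSize
```

Any row with Broad set to True is a delegation problem in its own right, independent of the KB; rows with it False are the principals you already trusted, which is the point the post is making.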


2/22/2023

Once Again, Joeware Doesn’t Have Viruses if Downloaded From the Joeware.net site.

by @ 12:07 am. Filed under general

I am getting masses of emails about people having issues downloading from the site. Primarily AdFind is the one people are having issues with but Chrome has been blocking ALL downloads from the site.

I have been trying to work with Google to get Chrome sorted out but they seem to be really confused over there in Googleland. They mark my site dangerous with no evidence of anything specific being wrong, I will then raise a request for review, they will then clear it and say it is fine but then I still can’t download. The next time I go look, they are saying the site is dangerous again, so I request review and they clear it again, over and over again. In the meanwhile you can turn off Safe Browsing in the settings to download the tools. I don’t really recommend running that way normally, but you can easily turn it on and off when you go to download the tools.

Brave is allowing downloads of everything but AdFind by default. AdFind can be downloaded if you go into the settings and select No Protection under Safe Browsing. Again, I do not recommend running that way normally but if you need to use it to download AdFind, this is the way. Just turn safe browsing back on afterwards.

FireFox, like Chrome, is alerting on all downloads, however you can easily bypass that while downloading by selecting Allow Download under download details.

Opera has zero issues downloading things.

Microsoft Edge will also download it but Defender may pop up and say it is killing it, you can tell Defender to go stand in the corner and ignore it. In fact you will need to do this regardless of which browser you use to download it because Defender will try to kill it.

Obviously, besides the browsers if you have antivirus or anti-malware software that could be attacking AdFind as well. You will need to tell that software to back off as well, likely if you are using this at work you will have to have your End Point Security people call off the dogs.

For any End Point Security people reading this, the Anti-virus/malware software vendors suck[1]. Instead of looking for specific questionable actions, they just slap labels on binaries and say "bad". The reason AdFind is being labeled as "bad" is because hacker collectives have been using it to do recon work against AD because it is one of the fastest, most powerful tools for doing so, which means it is also exceptionally powerful and useful for good Active Directory Admins that do their work from the command line. It does the same things that tools like dsquery, LDP, PowerShell, and vbscript/jscript with ADSI can do, but it does it so much faster and easier.

I have literally had people come to me with things they were doing in PowerShell that took days to run that AdFind could do in hours. There are ways to speed up PowerShell but most of the AD folks out there aren't good enough to figure out what those are because they are not the most basic way of doing things. I have worked with hundreds of companies and in no case have I run into admins who were more efficient working with AD with PowerShell than people who know what they are doing using AdFind/AdMod. I have had several people over the years say that they would convert me but in the end, with no pushing from me, they convert to using AdFind/AdMod. And let's face it, if PowerShell was so good, the Hacker Collectives wouldn't be using AdFind.

But to be perfectly clear, AdFind is not a threat to any Active Directory, it is ENTIRELY READ ONLY. The danger is that it can be used to query AD quickly and efficiently and possibly arm someone with data about your environment. The worst rating it should ever have is PUP (Possibly Unwanted Program) or PUA (Possibly Unwanted Application) or LOLBIN (Live Off the Land BINary). The End Point people should be more scared of PowerShell scripts than AdFind, and if they want to get picky about AdFind they should be looking at the actual queries, not that it is being run at all. The Hacker Collectives are using specific queries that are very widely cast nets that normally aren't needed unless someone is specifically scanning the Active Directory.
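The post's point that endpoint teams should look at the queries rather than the binary can be turned into a concrete check: classify each LDAP search by how wide a net it casts (an unconstrained filter, subtree scope, from the domain or configuration head) and count how many distinct wide-net kinds each client ran. The script below is an added example, not from the post or from joeware; the search records in it are constructed, and in practice they would come from DC-side LDAP search logging or an LDAP-aware network sensor.

```powershell
# Added example (not from the post): flag LDAP searches that cast a wide net over the directory,
# the kind of check the post argues endpoint teams should do instead of flagging adfind.exe on
# sight. The search records below are constructed; real ones would come from DC-side LDAP
# search logging or an LDAP-aware network sensor.

# Filters that select every object, or every object of a whole class, with no narrowing term
$WideFilters = @(
    '(objectClass=*)',
    '(objectCategory=*)',
    '(objectCategory=person)',
    '(objectCategory=computer)',
    '(objectCategory=group)',
    '(objectClass=trustedDomain)'
)

function Test-WideNetQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string]$Scope,    # base | onelevel | subtree
        [Parameter(Mandatory)][string]$BaseDn
    )
    $f = $Filter -replace '\s', ''
    $isWide = $WideFilters -contains $f
    # Subtree from the domain head or the configuration NC reaches the whole forest/domain
    $fromRoot = ($BaseDn -match '^DC=') -or ($BaseDn -match '^CN=Configuration,')
    return ($isWide -and ($Scope -eq 'subtree') -and $fromRoot)
}

# Constructed sample of search requests: client, filter, scope, base DN
$Searches = @(
    [pscustomobject]@{ Client='10.1.2.3'; Filter='(objectCategory=person)';     Scope='subtree';  BaseDn='DC=example,DC=test' },
    [pscustomobject]@{ Client='10.1.2.3'; Filter='(objectCategory=computer)';   Scope='subtree';  BaseDn='DC=example,DC=test' },
    [pscustomobject]@{ Client='10.1.2.3'; Filter='(objectClass=trustedDomain)'; Scope='subtree';  BaseDn='DC=example,DC=test' },
    [pscustomobject]@{ Client='10.1.2.3'; Filter='(objectCategory=group)';      Scope='subtree';  BaseDn='DC=example,DC=test' },
    [pscustomobject]@{ Client='10.9.9.9'; Filter='(sAMAccountName=jsmith)';     Scope='subtree';  BaseDn='DC=example,DC=test' },
    [pscustomobject]@{ Client='10.9.9.9'; Filter='(objectCategory=computer)';   Scope='onelevel'; BaseDn='OU=Workstations,DC=example,DC=test' }
)

function Get-WideNetSummary {
    param([object[]]$Records, [int]$Threshold = 3)
    $Records |
        Where-Object { Test-WideNetQuery -Filter $_.Filter -Scope $_.Scope -BaseDn $_.BaseDn } |
        Group-Object Client |
        ForEach-Object {
            $kinds = ($_.Group.Filter | Sort-Object -Unique).Count
            [pscustomobject]@{
                Client        = $_.Name
                WideQueries   = $_.Count
                DistinctKinds = $kinds
                # Several different whole-class sweeps from one client is the pattern worth a look
                Review        = ($kinds -ge $Threshold)
            }
        }
}

Get-WideNetSummary -Records $Searches | Format-Table -AutoSize
```

With the constructed records, 10.1.2.3 comes out with four distinct wide-net kinds and Review set to True, while 10.9.9.9 is never listed: its one whole-class filter is scoped to a single OU, which is ordinary admin work. The threshold and the filter list are the tunable parts; the point is that the decision is made on the query, not on the name of the executable that sent it.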

There have additionally been some questions on whether or not AdFind is still being developed. It is, in fact I just fixed a bug earlier today. Release times are slower because I work a lot in my real job and I have also been trying to do more non-computer things in my off time but part of the process of keeping my sanity is writing code and I still do a lot with AD at work so I will keep updating AdFind/AdMod until that changes.

//* V01.59.00  2022.0605      o 06/05  Fixed -nirs* sort ordering           *
//*                                    Added hacked -[q]list for -nirs for  *
//*                                      listing attributes only            *
//*                                    BUGFIX: -gco port change message     *
//*                                    BUGFIX: Error usage for metafilterattr*
//*                           o 06/06  Added GT IPA handling (Z vs .0Z)     *
//*                                    Added LOCALGTIPA for binenc          *
//*                                    Added CURRENTGTIPA for binenc        *
//*                           o 07/11  Updated expiration and header        *
//*                           o 07/12  Added regex to _OBJECT_OWNER         *
//*                           o 08/05  Added -vmeta+ alias for -vmetaplus   *
//*                           o 08/07  Added check for preceding space on att*
//*                                    Added check for admod params         *
//*                           o 08/20  Added -c2                            *
//*            2023.0118      o 01/18  Updated expiration and header        *
//*                           o 02/02  Updating usage                       *
//*                           o 02/04  Updated some decodes                 *
//*                           o 02/21  BUGFIX: / in arbitrary CSV insert fix*

Finally, possibly unexpectedly, I do not intend to fight with the AV/AM/Browser companies on this. I tried this in the past with tools like NETSESS which is another tool that the hackers really liked along with Windows Admins who knew what they were doing. It just isn’t worth my time to fight with the companies as they don’t understand. I have always shared my tools freely to try and help out admins as they can and I know it has saved companies a ton of money and time but it isn’t a money making thing for me and quite frankly to get me to care enough to fight with those companies it would have to be bringing in millions of $$$ a year and then I would hire someone to deal with it.

Finally, dear browser companies. If I want to download something, warn me if you think something isn’t right, but I should be able to easily override your warning without turning off your security measures completely which is quite stupid and makes things even less secure. You don’t own my machines and what I put on them. Firefox and Opera are the only browsers that have properly figured that out. 

    joe

[1] In my 30 years in the industry there was one AV tool worth using, it was called ThunderBytes and it used intelligent heuristics to determine if apps were doing bad things and didn't rely on signatures for specific binaries.


1/27/2023

So now Chrome/Brave is being stupid…

by @ 10:59 pm. Filed under general

So I was alerted that Chrome is blocking downloads of AdFind but then also heard it is other tools as well. I am digging into it to see what can be done, I registered the site with google and told it to give me a security report and it showed me:

[image]

I responded with

[image]

Note you can work around the restriction on Chrome by turning off some of the security but I hate to recommend doing that because a lot of people really need that help. I have not spent any real time trying to sort out how to bypass Brave.

Of course Windows Defender is also having a shit fit because of AdFind because again, the AV companies, including Microsoft, are stupid about actual security in the real world. If they want to point out some shit that is dangerous to companies they should be pointing at PowerShell. There is a hell of a lot more damage being done with PowerShell than AdFind since the amount of damage caused by AdFind is ZERO because it can't change anything in Active Directory. If AdFind is suitable for banning, so is every other LDAP client.

Anyway, we will see if this gets sorted out. If not I will see if there is anything else I care to do to work around all of this stupid in the world of Cyber Security. This stuff makes me embarrassed for the whole Security industry and its inability to do security properly.


11/10/2022

WARNING: November patches and domain controllers

by @ 2:44 pm. Filed under tech

[image]


7/9/2022

TLS 1.3 for LDAPS on Windows Server 2022

by @ 8:57 pm. Filed under general

You may recall I previously ranted on twitter (https://twitter.com/joewaredotnet/status/1432548671527264258?s=20&t=LMw3UZ9dddXhxVPs8dKa7A) that MSFT added TLS 1.3 for HTTPS for Windows Server 2022 but neglected to add it for AD.

Well someone listened.

You are welcome. Winking smile 

[Sat 07/09/2022 20:54:17.43]
C:\temp>adfind -h k22-ese.k22-ese-dom.test.loc -sslinfo

AdFind V01.59.00cppBETA Joe Richards (support@joeware.net) June 2022

dn:CN=Certificate Info,CN=k22-ese.k22-ese-dom.test.loc
> ciEncodingType: X509_ASN_ENCODING (0x01)
> ciVersion: CERT_V3 (0x02)
> ciNotBefore: 2022/04/16-20:37:48 Eastern Daylight Time
> ciNotAfter: 2023/04/16-20:57:48 Eastern Daylight Time
> ciSignatureAlgorithm: 1.2.840.113549.1.1.11
> ciIssuer: CN=K22-ESE.k22-ese-dom.test.loc
> ciSubject: CN=K22-ESE.k22-ese-dom.test.loc
> ciAltNameDNSName: K22-ESE.k22-ese-dom.test.loc

dn:CN=SSL Connection Information,CN=k22-ese.k22-ese-dom.test.loc
> ciProtocol: Transport Layer Security 1.3 client-side (SP_PROT_TLS1_3_CLIENT)
> ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
> ciCipherStrength: 256 bits
> ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
> ciHashStrength: 0 bits
> ciKeyExchAlgorithm: Unknown(0x00)
> ciKeyExchStrength: 0 bits

The command completed successfully

[Sat 07/09/2022 20:55:16.00]
E:\>openssl s_client -connect k22-ese.k22-ese-dom.test.loc:636 < nul | grep -i tls
depth=0 CN = K22-ESE.k22-ese-dom.test.loc
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = K22-ESE.k22-ese-dom.test.loc
verify return:1
File STDIN:
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
DONE
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    TLS session ticket lifetime hint: 36000 (seconds)
    TLS session ticket:
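The same check the adfind -sslinfo and openssl s_client runs above perform, done from PowerShell against the LDAPS port: open a TCP connection to 636, hand it to SslStream with only TLS 1.3 offered, and report what was negotiated. This is an added example, not part of the post or of AdFind; it assumes PowerShell 7 (the NegotiatedCipherSuite property and the Tls13 enum value need .NET Core 3.0 or later), and the host name is the lab DC from the output above.

```powershell
# Added example (not from the post): probe an LDAPS endpoint and report the negotiated TLS
# version and cipher suite. Assumes PowerShell 7 (.NET Core 3.0+ for NegotiatedCipherSuite
# and SslProtocols.Tls13). Host name is the lab DC from the post's own output.
function Get-LdapsTlsInfo {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 636,
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls13'
    )
    # Certificate problems (e.g. the self-signed lab cert above) are recorded and reported
    # rather than aborting the handshake, so the protocol negotiation can still be inspected.
    # This is a probe of the transport, not a substitute for proper chain validation.
    $state = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true
    }

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        # Offer only the protocols requested; a TLS 1.3-only offer fails if the server lacks it
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $true)
        [pscustomobject]@{
            Host        = $HostName
            Port        = $Port
            Protocol    = $ssl.SslProtocol
            CipherSuite = $ssl.NegotiatedCipherSuite
            CipherBits  = $ssl.CipherStrength
            CertSubject = $ssl.RemoteCertificate.Subject
            CertErrors  = $state.Errors
        }
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
}

# Try TLS 1.3 only first; if the server refuses, see what it will offer with 1.2 allowed too
$target = 'k22-ese.k22-ese-dom.test.loc'
try {
    Get-LdapsTlsInfo -HostName $target -Protocols 'Tls13'
} catch {
    Write-Warning "TLS 1.3-only handshake failed: $($_.Exception.Message)"
    Get-LdapsTlsInfo -HostName $target -Protocols 'Tls12, Tls13'
}
```

On the Windows Server 2022 DC above the first call should come back with Protocol Tls13 and CipherSuite TLS_AES_256_GCM_SHA384, matching the openssl line; on a server without TLS 1.3 for LDAPS the first call throws and the fallback shows the 1.2 suite it settles for. CertErrors will read RemoteCertificateChainErrors for a self-signed certificate like the one in the post.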


11/21/2021

New Releases of AdFind/AdMod Available For Download

by @ 7:57 pm. Filed under general

I have uploaded the new versions of AdFind and AdMod to www.joeware.net for download.

Note that I know that a lot of anti-malware has been reporting AdFind.exe as malware now, usually some form of LOLBIN or PUA. The reason for this is because the hacker collectives are using the tool for scanning Active Directory environments as part of ransomware attacks. There is nothing inherently dangerous with AdFind, it is just fast and useful so hackers are like we should use this because it is so good.

I have seen an article that said AdFind is deploying malware. That is absolutely incorrect, AdFind has no capability to deploy or change anything. It is purely an LDAP query tool. It submits LDAP queries and outputs the responses from LDAP Servers.

    joe

EDIT: Updated malware to be anti-malware. I had a Freudian slip because I consider AV and anti-malware software to be some of the most evil malware. Smile


10/23/2021

Binary Format Security Descriptor Export/Import

by @ 10:30 am. Filed under general

I was about to add some code to AdFind to export Security Descriptors in binary export/import format and found out I already had written that code.

I apparently used a bad switch name for it though because I didn’t intuitively know what it was and find it by accident. That or my brain was in a much more computer sciencey mode when I named the switch before versus now.

So instead of adding the code to make AdFind be able to do that functionality, I added a new switch -sdbinout which is an alias for -sdblob.

Oh I also set it up so that if you are outputting CSV format it will automatically remove the [BLOB] label on the hex export string.

And AdMod can already import that format just fine btw with BIN##ntsecuritydescriptor::<blob hex string> or if using CSV input you can do BIN##ntsecuritydescriptor::{{SD fieldname}} so probably something like BIN##ntsecuritydescriptor::{{ntsecuritydescriptor}} or in shortcut form… BIN##ntsecuritydescriptor::{{.}}
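A blob exported this way can be sanity-checked before it goes back in through AdMod: strip the label, parse the hex as a self-relative security descriptor with .NET's RawSecurityDescriptor, render it as SDDL to eyeball the owner and ACEs, and round-trip it back to hex to confirm nothing was lost. The script below is an added example and not joeware code; the SDDL in it is constructed, and it assumes the [BLOB] label is a plain prefix on the hex string.

```powershell
# Added example (not from the post): parse a binary security descriptor blob of the kind
# AdFind -sdbinout / -sdblob exports, show it as SDDL, and round-trip it back to hex.
# Assumes the "[BLOB]" label is a plain prefix on the hex; the SDDL below is constructed.
function ConvertFrom-SdHex {
    param([Parameter(Mandatory)][string]$Hex)
    $clean = ($Hex -replace '^\[BLOB\]', '') -replace '\s', ''
    if ($clean.Length % 2 -ne 0) { throw "hex string has odd length" }
    $bytes = [byte[]]::new($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    # RawSecurityDescriptor parses the self-relative binary form AD stores in nTSecurityDescriptor
    return [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
}

function ConvertTo-SdHex {
    param([Parameter(Mandatory)][System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    $buf = [byte[]]::new($Sd.BinaryLength)
    $Sd.GetBinaryForm($buf, 0)
    return ([System.BitConverter]::ToString($buf) -replace '-', '')
}

# Constructed SDDL: owner/group Builtin Administrators, full control for BA, read for Authenticated Users
$sddl = 'O:BAG:BAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;BA)(A;;RPLCLORC;;;AU)'
$sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
$hex  = ConvertTo-SdHex -Sd $sd

# Parse it back the way it would arrive from an AdFind export, label included
$parsed = ConvertFrom-SdHex -Hex ("[BLOB]" + $hex)
"Owner : $($parsed.Owner)"
"DACL  : $($parsed.DiscretionaryAcl.Count) ACEs"
"SDDL  : $($parsed.GetSddlForm('All'))"
"Round-trip hex matches: $((ConvertTo-SdHex -Sd $parsed) -eq $hex)"
```

The SDDL line is the part worth reading before an import: an unexpected owner or an extra ACE in a blob that is about to be written over a real object's nTSecurityDescriptor is exactly what a quick check like this is for.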


7/4/2021

LOL

by @ 6:40 pm. Filed under general

[image]

