Dec 10, 2012
We will see in this post some steps of a pentest against an ADDS domain. This pentest focuses only on the Microsoft System and does not take into account Antivirus, Firewall, IDS and IPS protections. The parts we describe in detail are scanning, exploitation and maintaining access. The pentest is performed with BackTrack 5 R3, which you can download here. The tools we use are Nmap, Nessus, Metasploit (the hacker’s framework, whose exploits are written in Ruby), John the Ripper and PowerShell. The pentest’s goal is to retrieve domain administrator credentials and maintain access on the ADDS domain discreetly.
Mar 20, 2010
We will describe in this post how to identify an application that causes CPU time overconsumption on your Domain Controllers. We will use two tools for this: Server Performance Advisor and Wireshark. The first is used if you have a Windows 2003 DC; if the OS is Windows 2008, the tool is already included and you access it with the MMC snap-in perfmon.msc, where its new name is Windows Reliability and Performance Monitor. Both versions have performance counters dedicated to Active Directory. In this post we will use SPA, because the DC having trouble is running Windows 2003. If you want more details on using Windows RPM for AD, you can read this article.
Mar 07, 2010
If the lsass process consumes too much CPU time on your domain controller, the cause might be clients infected by Conficker. The linked KB article discusses how to prevent its propagation and how to remove the worm. The purpose of this post is to easily identify the infected clients that cause this lsass.exe overconsumption.
This topic was already discussed in an AskDS post; I’ll add a few comments and scripts which will help you to eradicate the virus on your workstations.