[Attack]tive Directory: Compromising a Network in 20 Minutes Through Active Directory

Captions
Thank you, everybody, for coming out to my talk, Attacktive Directory. My name is Ryan Hausknecht, and we'll get into introductions and stuff in just a moment. I'd like to start everybody off with just a really brief story. Prior to my current role I did vulnerability management and penetration testing, and one of my customers that I did vulnerability management for, for well over a year, called me one day and said, "Hey Ryan, we're ready to do a penetration test." I said, "Okay, well, I tried to get you guys to do this last year. What's changed?" They were also a vulnerability management customer, so I know I worked with them over the past year doing vulnerability management, and they were in a really good spot in their vulnerability scans. So they said, "We're ready for a pen test because our vulnerability scan shows no criticals." Okay, well, their network got owned in like 20 minutes, just because I compromised things via Active Directory.

Really brief about me: my name is Ryan Hausknecht, that's how you pronounce my last name. I'm a security consultant at SpecterOps, where we primarily focus on adversary simulation, red teaming. So that's primarily what I do, red teaming; occasionally I'll do some threat hunting stuff, or purple team. But I'm also the instructor at UNC Charlotte for cyber security; for the past five years now I've been the instructor and organizer at the FBI InfraGard cyber camp in Charlotte; I was an instructor at Black Hat this year for our red team operations course. I have a couple certifications, if that matters to you, and you can follow me on Twitter at @haus3c. This is a real picture of me, not photoshopped at all, popping my first root shell circa 1995.
So what is this whole thing about? Well, the whole purpose of red team's existence is to help blue team, and what I realized over the course of doing penetration testing, and now red teaming for a couple years, is that there is a massive difference in maturity between small/medium businesses and enterprises. When I would look at a company's vulnerability management and vulnerability scans, even if they were pretty clean, vulnerability scans miss a lot of the big details in Active Directory. And Active Directory is super common: 95 percent of the engagements that we're on are in some way dealing with Active Directory. So with vulnerability scans missing all these exploits in AD, you can't just rely on your vulnerability scan to say "I am secure." Also in this presentation: super high quality Microsoft Paint edits. I am too cheap for Photoshop, so you get amazing quality Photoshop, or Microsoft Paint, edits.

A little disclosure first: I am not dropping any zero-days here. These attacks have been well documented; they are not new. But with that being said, they are still applicable today. I basically took the most common attacks that I still use against enterprises, against small/medium businesses, and I kind of put them all together in this presentation. So the takeaway from this is to recognize what these are, because these can all be fixed via group policy or within Active Directory. At no point am I ever going to pitch a sales product or anything like that; everything that I do here is with open source tools, 100% free, or you can get them off GitHub.

Brief history of Active Directory: it's a directory service for Windows, introduced in Server 2000, and it's used to manage the domain. So if you've ever had a Windows laptop given to you by an employer, most likely that is connected to Active Directory. It utilizes things called objects, and the best way to know what an object is in Active Directory is: everything is an object, from the domain itself to users, computers,
policies. So whenever I say object, it can be any one of those things. The way it administrates things is through these objects called group policies. Group policies are things that control your password length, they control password complexity, they control what you can and can't access; it controls a lot of things, and we're going to get into that more in detail. You can group objects into things called organizational units, OUs. Think of it this way: if you're in an enterprise and you have your finance department, you want your finance users to be in the finance organizational unit, where you want HR users to be in the HR organizational unit. It's a way of organizing people, and you can apply policies to these organizational units, so you don't have, you know, finance being able to access HR's data and vice versa.

So, default group policy favors convenience over security. Whenever you install Windows Server and you install Active Directory and get everything going, the default group policy is not secure by any means, and as we all know, security is the complete opposite of convenience. If your password is super hard and long to remember, it's going to be a lot more secure, but it's also a lot less convenient. Frankly, the default group policy that comes in Windows is crap. It's full of holes that I'm going to get into in all these attacks, so if you're still using default group policy in your domain, hopefully this is a bit of a fresh eye-opener.

So, going back to my original story. On this penetration test I knew, again, I did vulnerability management for this customer for a while, so I knew I wasn't going to be able to exploit any missing Microsoft patches or anything like that. So I was on site; I found a little side room with an IP phone, went in there, closed the door, unplugged the IP phone and plugged it into my computer, and I was on the network. Vulnerability one: anybody can get on their network by just plugging in. The next one, the next attack
that I did was, I had to gather credentials, because I was on their network but I wasn't an authenticated user. I just had access to some of the IPs and devices on that network, so I had to get credentials. The first attack that I looked at, and usually the first thing I try, is something called LLMNR and NBT-NS spoofing. Has anybody here heard of LLMNR before? Okay, a couple of people, good. LLMNR stands for Link-Local Multicast Name Resolution; it's a mouthful. NetBIOS, or NBT-NS, stands for NetBIOS Name Service. It is a protocol and an API, with NetBIOS being the API. These are quote-unquote backups to DNS, not alternatives but backups, so if DNS were to fail it could resolve names via NetBIOS or LLMNR. It is natively an insecure protocol because it trusts any response as authentic, and I'm going to show you what that looks like.

For example, if you have a workstation and you go to Windows Explorer and you type in \\fileshray01, where you're really trying to get to \\fileshare01 but you made a typo, it goes to the DNS server and asks, "Do you know where fileshray01 is?" The DNS server says no. So what it does next is it shouts to the entire domain via broadcast with the LLMNR protocol, saying, "Does anybody know where fileshray01 is?" What an attacker would do is they would listen for this, and they would accept the request and respond with, "Yes, I know where this is; however, in order for me to tell you this, you have to encode this challenge with your password hash." Then they get the password hash back and they can decrypt it that way.

So a common question is, okay, how many times are people actually mistyping file share names in Windows Explorer? The answer is: not often. However, what we do see more often than not is, if there is a logon script that executes when you log into your machine that tries to mount a file share on the network, and that file share was decommissioned at one point, it's trying to mount that and it's trying to reach that,
therefore it's not there, and it reaches out via LLMNR. Once the attacker gets that hash, the attacker just responds with, you know, an error, and the victim knows no different; they just cannot access it. So like I said, this isn't very common, so there's another way to do this, and it's with WPAD. WPAD stands for Web Proxy Auto-Discovery protocol, and there's a little misconception if you Google, like, lists on the internet of what it really is. WPAD is the way a computer is going to search for something called the proxy auto connection file, the PAC file, and the PAC file is just the settings, the configuration file for your proxy settings. So if you're using a proxy in your network, you would set up a PAC file, and that way browsers can go through the proxy to get to the internet. WPAD specifies how to find this PAC file for your browser, for your computer. The first thing it does is it goes to the DHCP server and it says, "Do you know where the PAC file is?" The DHCP server says no. Then it goes to the DNS server; the DNS server goes, "No, I don't know where it is." Finally it falls back to old LLMNR and asks the entire network, "Does anybody know where the PAC file is?" The attacker can do two things. They can do the same thing as with the previous method, which is just give a challenge and have them encode that challenge with their password hash, or they can actually just prompt for credentials. You can actually have a pop-up box show in the browser asking them to input their credentials in order to access the internet. A little less stealthy; however, you do get cleartext credentials in that case.

So what does this actually look like? I apologize for the font size; I thought it was bigger. In this environment, this isn't a client's network or anything; I'm using virtual machines for this. So I have my Kali Linux machine here, and I am attacking a Windows 7 machine in this case. The first thing I do is I start up a tool called Responder. So Responder
is just looking for these protocols, LLMNR, to come across the network. You can see it stands up a couple different servers: HTTP, WPAD. So I go to my lab Windows 7 machine and I fire up Internet Explorer, and as I explained, it now is looking for that WPAD file, for the PAC file, via LLMNR. So then I get a poisoned answer and I get the password hash for the actual machine account. The reason why I get a machine account (I do later on get a user account, but you get a machine account sometimes with this) is because Windows Update is constantly trying to reach out to the internet, and it's doing that with the machine account. So again, even though it's not opening Internet Explorer or anything like that, your machine is still trying to get to the internet constantly.

So what do I do with this? As I said before, you can just crack the hash. With user accounts, if they have a poor password policy, you can crack that pretty quickly. We'll get into hash relaying in just a moment.

So what are the mitigations for this? Well, you can turn it off via group policy, because the whole thing about this attack is that both of these methods, LLMNR and WPAD, are enabled by default in group policy. To turn off LLMNR, here's the path there. NBT-NS is the fallback from LLMNR, so you can disable that as well. People ask me, "Okay, what happens if I turn LLMNR off in my network? Isn't it going to break anything?" If your devices are relying on LLMNR to communicate, they're already broken. So this is kind of a test to see what is actually broken on your network. The thing about disabling NBT-NS is, if you are using fully qualified domain names for accessing something, that will break it. Turning off WPAD: you can just turn it off, again via group policy. You can create a DNS entry for WPAD as well, so when it searches for that file it just goes to DNS, and you can just redirect it to localhost or whatever. Alternatively, Microsoft did patch this eventually; it's called MS16-077, and it states that the
location of the WPAD file is no longer requested via broadcast protocols, but only via DNS. So no more LLMNR or NBT-NS for trying to find the PAC file. And in Windows 10, if you just type in "proxy", you can see it opens this box, and that is how you turn it off in Windows 10.

So that goes to the next attack, which is IPv6 spoofing. IPv6 is the quote-unquote replacement for IPv4; however, it's not widely used for internal networks. These are examples of IPv4 and IPv6 addresses. IPv4 has a limited number; we've already used all the IPv4 addresses on the internet, so IPv6 is the replacement, where we will never run out of IP addresses on the internet. There's a problem with this though in Windows, and it's a protocol: DHCP version 6. And there's a bigger problem, which is that Windows prefers IPv6 by default, and DHCPv6 is constantly broadcast to the entire network. So this happens all the time; I forget what the interval is, five minutes or something like that. Your computer broadcasts, "Does anybody have an IPv6 address for me?" via DHCPv6 to the entire network, and what an attacker can do is listen for this request to come across and respond with, "Yes, here's your IPv6 address, and by the way, I am also a DNS server for IPv6." The attacker can register themselves as an actual DNS server.

So that's what this looks like. I'm on a Windows 10 machine right now; IPv6 is disabled at the moment, and I'll show you what happens when I enable it. So in PowerShell, if I just do ipconfig, there is no IPv6 address, and there is one DNS server, and it's an IPv4 address. In Wireshark I'm listening for DHCPv6 requests. Back on my Kali machine I use a tool called mitm6, man-in-the-middle 6. I just tell it to listen on my current network adapter, and it's listening now for DHCPv6 requests. So what I do is I turn IPv6 on in Windows, and you immediately see this protocol be broadcast to the
entire network, and my attacking machine responds to those requests, and I, the attacker, assign an IPv6 address to that Windows machine as well as register myself as a DNS server. So if I do ipconfig again, you'll see that there is now a DNS server with an IPv6 address, which is me, the attacker. So if we go back and we see that this patch, MS16-077, says the WPAD file is no longer searched for via broadcast protocols but only via DNS, and we now control DNS, well, we just bypassed this whole patch. So we control DNS; what do we do now?

How many people here have heard of pass the hash? Okay. If you haven't heard of pass the hash: with NTLM hashes in Windows, you can take that actual hash and pass it over via SMB and actually log into machines. You never have to crack the hash. When you do capturing of credentials via LLMNR spoofing, WPAD spoofing, you get them in a different format, called Net-NTLMv2, and these hashes cannot be passed. We can do something else with these hashes, though, which is called relaying. So if we look at regular NTLM authentication, it's a challenge-response protocol. The server sends a challenge back to the user, the user authenticates with that signed challenge, and if the domain controller SAM can decrypt that challenge successfully, it logs you in and you are who you say you are. Well, with hash relaying, what the attacker does is they sit in the middle of this whole exchange and they watch it go back and forth until the very last part, where the attacker, instead of relaying the authentication success back to the actual user, takes that for themselves. That way the server thinks the attacker is the one who is actually authenticated, so then the attacker can send commands as the authenticated user.

So I'll show you what that looks like. Back in my Windows 10 machine, again, the attacker computer is registered as a DNS server; remember IPv6 is preferred in Windows, so it's going to search for that first over IPv4. So what
I do now is I set up my relay on my attacker machine. So ntlmrelay: I'm telling it to work over IPv6, and we immediately see stuff come across. So again, what's happening now is, if you remember, Windows machines are constantly trying to reach the internet, Windows Update, and when it does this I do WPAD spoofing, I take those credentials that I find and I relay them to the actual domain controller. When I relay them to the domain controller, assuming that user has access, it then immediately dumps the local password hashes on that domain controller. You can see I authenticated as the computer account, and there's the administrator password for that domain controller.

So back to my story: this is how I actually got in. I didn't have to do IPv6 spoofing; I actually just did regular WPAD spoofing. They had a couple Windows machines that weren't patched and I was able to actually get credentials, so I was authenticated to the domain. Oh, sorry, mitigations first. These are the mitigations for it: you can add a registry key to disable IPv6; alternatively, you can just turn it off in the adapter settings. DNSSEC as well, to make sure that you're not just getting anybody registered as a DNS server. And then SMB signing is what's used to prevent hash relaying.

So anyway, I have credentials to the network now. I was able to crack them after I did WPAD spoofing, and I started enumerating some file shares and stuff like that. I didn't find anything too interesting, so I needed to escalate my privileges on the network somehow. So I then resorted to looking at Kerberos. How many people here know what Kerberos is? A lot of people. How many people here actually understand Kerberos? You're lying. Kerberos is one of these things that is extremely difficult to understand. If you're not familiar with Kerberos and you just Google "what is Kerberos", you start to get these images that are like, what the hell? There's no way you can decipher these just looking at them. So if you follow
SwiftOnSecurity: "One time I tried to explain Kerberos to someone, then we both didn't understand it." So if you haven't gotten it, Kerberos is difficult to understand. This is my shot at explaining it to you within 20 minutes; you all will be Kerberos experts at the end of this, and there will be a quiz.

Kerberos overview: it is the protocol that is preferred in a Windows domain for authentication; NTLM is the alternative to this in a domain. It is very complex. The easiest way to think of this is, think of it as like single sign-on, but for Windows. Kerberos isn't new; it's actually pretty old. I think it was made in the 70s by MIT, and now we're on Kerberos version 5, I believe. But before I get into how Kerberos works and all that, there's a few key terms that I want to cover first, and if you don't memorize these, that's fine; I cover them again.

First thing is KDC, Key Distribution Center. I've never not seen the KDC on a domain controller, so if I say domain controller, DC, and KDC interchangeably, that's why. The Key Distribution Center is just the thing that does the authentication in Kerberos, and I'll explain what that actually looks like in a second. A service principal name, SPN, is a unique name for a service account. So if you have multiple, let's say, MySQL services across your network, you need to be able to identify those services uniquely; therefore SPNs are set for that. As an example, for a domain controller, if you want to access the file sharing on a domain controller, you'll use CIFS. This is done through a program called setspn.exe; this is an actual executable on the domain controller, and I'm going to walk you through what that actually looks like. Ticket granting ticket, TGT: this is used to authenticate to the KDC. I'm going to show you how you get a TGT; this is just something that proves you are who you say you are. Think of it as almost like your driver's license. And then finally, ticket granting server: we're just
going to call this a service ticket, and service tickets are used to access services such as file shares, SQL, and I'm going to show you what that is too.

So first things first: we need to get a ticket granting ticket. How does that work? Let's say you have your Windows machine, it's connected to the domain, and you input your credentials to log in. What is actually happening? You are contacting the KDC, which again, in my case, is always the domain controller. It sends a request to the domain controller saying, "I am trying to get a ticket granting ticket; here is a timestamp encrypted with my password hash." If the domain controller, which has your password hash, is able to decrypt that timestamp, it then knows that your password is correct, and then it issues you your ticket granting ticket. Again, think of this as almost like your driver's license; it is a proof of authentication, you are who you say you are. Now you may think, okay, well, why can't I just, like, take my TGT and just change the name in it or anything like that? Well, it's actually encrypted with a very complex password for an account called krbtgt. This is a default account installed on the domain controllers, or KDCs, and it has a super long password that you are not cracking in the next century. So that's what it's encrypted with, so you can't just crack it open and do whatever you want.

So you have your TGT now; you are who you say you are, great, you're logged into Windows. Well, next, let's say you want to access an email, you want to access a file share. In order to access a service on a remote host, the user needs a service ticket. You can't just access any service you want to; that'd be pretty insecure, right? So in order to access something you need your service ticket, your TGS. Services are identified based on SPNs, as I explained before. The authentication actually occurs, or authorization occurs, on the target host and service, not the domain controller or the KDC. So what are examples of service principal
names, SPNs? If I want to access a file share on a computer, the service is going to be CIFS. If I want to query the domain for info, I'm going to do that via LDAP. If I want to authenticate to a web server, it's going to be HTTP. MySQL, it's going to be the MySQL service. What does that actually look like, though? Just as a really small proof of concept: if you go to Windows Explorer and you type in any file share and you're able to access it like that, you actually just requested a service ticket in the background, and it looks like this. You, the user, actually first contact the KDC saying, "I need to access, in this case, a file server; I need to access CIFS on this file server. Can I get a service ticket? Here's my ticket granting ticket to prove it's me." You always have to show your ticket granting ticket before you ask for a service ticket; you have to prove you're authenticated to the domain. The KDC then goes, "You got it, one service ticket coming right up." It never checks if you actually have access to that service or not. It doesn't care; that's not its job. It will always issue you a service ticket for any service you request it for. Then it does something interesting: it issues you that service ticket, but it encrypts the service ticket with the target service's password hash. Why does it do that? Well, it does that because the only thing in common between the target service and the domain controller is that password hash, so it needs to prove that it can decrypt it some way. That's why it's there.

So this leads to an interesting attack called Kerberoasting, where you request a service ticket, which has the password hash of that target service, and then you crack it offline. You don't have to forward it, or if you do, you aren't necessarily going to have access to it, but you still have that account's password hash, so you can crack that offline. And remember, these can be requested by any user; any privileges on the domain can request a service ticket by default. So that's what
this looks like. I'm on a domain controller right now. I'm going to do setspn.exe; I'm going to set a service principal name for an account, and it's just going to be CIFS, so file share, on the MSSQL server. "MSSQL service" is just the name of the principal, and then the actual machine name, which is MSSQL service. So there's an SPN set for that. I'm going to use a tool called Rubeus to do Kerberoasting; it's just "Rubeus kerberoast", and just like that I have the password hash of that targeted service. So what I do now is take this offline and crack it offline, and as I'm sure we all know, service accounts are never over-permissioned, right?

So what are the mitigations for this? This is Kerberos working as it is supposed to; it's working as intended. There are no quote-unquote fixes for Kerberoasting. The mitigations for this are to, A, have a very long password set for your service principal names; you honestly should probably not even know them. I always suggest a password manager, something super long. And then make sure no users have SPNs. If you're having users actually have SPNs to access services and stuff like that, that's bad news; you're making shortcuts somewhere.

So, back to my story. I was able to successfully Kerberoast a service account on the network. Again, low-privilege credentials now escalated to a service account; I had more access, a lot more access actually. I still didn't have access to the domain controllers or anything like that, which is where my golden objective was, so I needed to still escalate privileges somehow to be able to access a domain controller. So the next part I'm talking about is delegation attacks. There are three types of delegation in Windows, or Active Directory: unconstrained, constrained, and resource-based constrained. There's an attack for each of these; however, I'm only going to focus on unconstrained, for time purposes. So, unconstrained delegation: a user authenticates to a service or server via a service ticket; the service then extracts that TGT
from the service ticket to use it for other TGS requests. Very, very old method of delegation. If you're unfamiliar with delegation: let's say you authenticate to a web server, right? The web server is going to impersonate its privileges as you. You don't want it running as just, you know, administrative privileges constantly, so it's actually delegating privileges to act on your behalf with your privileges, so you can control permissions that way. With unconstrained delegation, it's actually keeping a copy of the user's ticket granting ticket in memory, which is really bad, right? Because if we are able to then compromise a system that supports unconstrained delegation, we can then just pull TGTs straight out of memory, and remember, TGTs are the authentication in Kerberos. So I don't ever have to crack passwords; I don't have to do any of that. If I pull a TGT for somebody, I am them. And not in group policy, but if you look at the properties on a computer object and you click on the delegation tab down here, it says "Trust this computer for delegation to any service." This is Windows' way of saying unconstrained delegation. So if you have this enabled in any of your domains, bad news. When I say this is old, I mean this is, like, the first implementation of delegation in Active Directory, so it's like Windows Server 2000.

So what does this actually look like? A user says, "Hey, I need to access the MSSQL database on you, web server; here's a service ticket," and the web server goes, "Okay, you're allowed to authenticate. I'm just going to take your TGT and hold on to it for future use. That way, if you need to authenticate later, or to any other services, I have that TGT and we can just do it that way." And if, for example, it does try to authenticate to something else, the unconstrained delegation server is just going to say, "Hey, user one is delegating me to request a service ticket, but I am a SQL service; here's their TGT," and it is the KDC that
issues that service ticket back, and it looks like the original user actually requested it. The thing about this is you need to be on an unconstrained delegation server and have somebody actually authenticated to it or on it already. So if we find unconstrained delegation and people remote desktop into it, easy win. However, that's not always the case. Unconstrained delegation, whenever we see this in a network, is usually on old legacy systems, and people aren't consistently on that machine. So we need to be able to somehow coerce authentication to an unconstrained delegation server, and there's a very interesting attack that came out a couple of years ago, by a co-worker of mine, called the printer bug. The printer bug takes advantage of the print spooler service on modern Windows hosts; when triggered, it will actually authenticate back to whoever triggered it. If you're interested in the full write-up, my co-worker's handle is there on Twitter, Lee Christensen, or tifkin_. He wrote a tool for this, and if you trigger this protocol, it's going to authenticate back to you. So if we can execute printerbug while we're on an unconstrained delegation host and trigger, say, the print spooler on a domain controller and have it authenticate back to us, we then have its ticket granting ticket in memory and we can extract that straight up. The tool name that he chose for this was SpoolSample. I had a co-worker who had issues with his dog, and he took it to the vet, and the vet asked for stool samples, and he kept calling it SpoolSample because we use this so much. Anyway, again, the whole purpose of this is to coerce a domain controller to authenticate to a host that has unconstrained delegation, and this is how printerbug works. Again, if we are the attacker host on the top left, we trigger SpoolSample on the domain controller, and the domain controller will authenticate to whatever host we choose; we can specify that in the actual tool. What are the
mitigations for printerbug? Well, one, you can ensure sensitive accounts cannot be delegated. This is definitely recommended for computer accounts on domain controllers, etc., domain admins, enterprise admins. You can also just disable the print spooler service; domain controllers probably should not be printing much. But this also leads to another attack, and again, I'm going to group these all up into one so I'm not skipping over demos or anything. Historically, when we were penetration testing, you know, five, six years ago, we would get onto a domain controller, we would make a copy, a shadow copy, of the C drive or whatever the primary drive is, and extract the ntds.dit file out, and extract all the password hashes out of that. That was problematic because, A, it was extremely noisy; you had to be on a domain controller. And B, when you're making shadow copies of stuff and, say, the drive runs out of space, whatever, you're messing with domain controllers, and you're going to be caught eventually. It's big red flags, and from a red teaming perspective it's terrible. So luckily there's an attack that came out a couple years ago called DCSync. DCSync actually takes advantage of a feature of domain controllers, which is replication. If you have multiple domain controllers in your network, they're consistently replicating with each other for redundancy purposes; when domain controller A fails, users can then just authenticate to domain controller B. So of course, in this replication, password hashes and accounts and all that are all synchronized back and forth. There's a tool called Mimikatz that historically has always tampered with passwords and password storage in Windows, and it actually implemented this functionality. So what an attacker would do now, in modern day, is they would do DCSync from whatever host they're on to a domain controller and have it just sync back the password hashes and accounts. And if you need a diagram for this, it's just, consistently,
again, domain controllers always replicating back and forth. If you compromise any server and they have replication rights, you can then DCSync the domain controller. So who has replication rights? Domain controllers, so the actual computer accounts on domain controllers; domain admins also have this; enterprise admins. Which goes into the mitigation stuff, which I'll talk about in a second. But let's see all of these attacks strung together now. So again, the whole thing here is: via Kerberos I had access to a service account; the service account had access to a computer with unconstrained delegation; with unconstrained delegation I'm going to use printerbug to coerce a domain controller's computer account to authenticate to me, where I can then pull its ticket granting ticket out of memory, impersonate that account, and then do DCSync.

So on the left I'm doing Mimikatz; I'm just going to do DCSync, just as a proof of concept to show you that I cannot do it right now with my current privileges, and we get an error back; I just don't have the privileges. And if we do whoami, I'm a low-privileged user, lab\alice, and I am on the unconstrained delegation server. With Rubeus I'm just monitoring now for incoming ticket granting tickets; I'm just listening to see if there's anything authenticating to this current computer I'm on. So I use SpoolSample and I tell it to trigger authentication from the domain controller, lab2012dc01, and connect back to my current host that I'm on, lab110.
You can see, immediately once I trigger this, I get the ticket granting ticket back for the machine account on the domain controller. I then copy its TGT, I use Rubeus to import that TGT into my current session on this computer, so I then am essentially that machine account; I am the domain controller at this point. I then check my tickets, and I have proof right here that that ticket is now in my current logon session, so I am lab 2012 dc01. I do mimikatz again, DCSync, and there's everybody's credentials. This is extremely common to find. If we ever find a machine in a network with unconstrained delegation, that is our number one target every single time, because we know we can easily do printerbug and we can eventually do DCSync onto a domain controller. Mitigations for printerbug as well: it was, quote unquote, patched by Microsoft. It still works; we don't know what the patch did; it still works. So this is still a current attack. So what we end up doing is something called the credential shuffle: we compromise a machine, we escalate our privileges on that machine, we dump the passwords on that machine, whether it's local, Kerberos, whatever, and then with the new credentials that we find we see what we can log into, eventually hunting for, you know, an unconstrained delegation server. There's other delegation attacks, again, that I'm not going to go into, but we can escalate that way as well, eventually, you know, being able to DCSync, get the access that we need to whatever our objective is. The objective's not always domain admin, or, you know, compromising the domain controller usually isn't an objective, but oftentimes our objectives will be like try to find PII or PHI or something like that. So with privileges, you know, to the entire network, we can easily do that. So now we're going to introduce a tool that we've developed; my two brilliant co-workers developed it. They actually presented at hip conference in New York last year on this tool. It's called
BloodHound, and this isn't just a defensive tool, it's also definitely an attacking tool. BloodHound graphs the entire domain to reveal relationships between objects within Active Directory. So again, what is an object in Active Directory? Policies, users, computers, etc. It is extremely useful for an attacker because it's actually going to map out attack paths for you, which in turn is also useful for a defender, right? If you know the attack paths an attacker can take, you can set up your defenses accordingly. So what does this look like? So in order to gather data via BloodHound, you run the data collector, which can be an executable, it can be a PowerShell script, on the domain, and it uses LDAP to gather all the data for relationships and objects. So it's going to touch objects to gather info like when was the password last set, who's logged onto this computer, etc. Permissions are irrelevant for the most part; if you're trying to see who's logged into what, you do need administrator permissions, otherwise you can run this as a low-privileged user and get a ton of information back. So this is the BloodHound interface, and let's say I compromised an account called backup ldap. I'm going to set this as my starting point, and I want to see how do I get to the Domain Admins group, and it maps out my path for me. So the account that I compromised, backup ldap, if I click on it you can see when the password was last changed, we can see, you know, if it can be delegated, all that stuff. We can see it can log into a machine called diamond, and we see that it supports unconstrained delegation, where a domain administrator is logged into, and as we just learned, that ticket granting ticket is stored in memory in clear text on that machine that we have access to because of unconstrained delegation. So if I log into that machine, dump the TGTs, I then can just straight up impersonate the domain administrator, and I'm part of, of course, the Domain Admins group. So very, very useful
from an attacker perspective as well as the defensive perspective. Yeah, okay. So what this ends up being most of the time is like a wild goose hunt for either unconstrained delegation servers, seeing where the domain admins are logged into, all that stuff. It can get pretty crazy, and this is actually, like, if this looks complicated, it can get absolutely crazy. That's it. So credits: one of my co-workers, so Will Schroeder, Andy, and Rohan; Sean Metcalf for answering a lot of questions on Kerberos; Lee for printerbug; Tim Medin, who discovered Kerberoasting a couple years ago; SpiderLabs from packet, they did all the Responder stuff and stuff like that. Can I just get the too-long-didn't-read version, please? Default group policy is bad; disable LLMNR; disable WPAD; disable IPv6; stop setting SPNs for users; don't use unconstrained delegation; BloodHound is great; patch. Anybody have questions? Any questions at all? Yeah. "Weren't they using your printer?" Yeah, we, so historically Exchange servers are always over-permissioned, so if you don't want to trigger authentication from a domain controller because you think they might have, like, a defense set up on the domain controller, you can do it via an Exchange server, and that's usually a good way in as well. There was another attack called PrivExchange that came out last year, very similar, triggering authentication via API with the Exchange servers and having it authenticate back and getting its credentials. But yeah, any other questions? Yeah. "So you focused a lot on the Windows side. Have you looked at the non-Windows, like the mix? Are there some more vulnerabilities?" Yeah, so my co-workers are definitely way better at that than I am. There's a couple blog posts that we actually just released, one two days ago, on doing it in macOS environments, and then there is an actual implementation of Active Directory in Linux called FreeIPA, and it actually solves a couple of these vulnerabilities; it's an implementation of Kerberos. So yeah, it's
out there. If you just, you know, look on our blog, there's numerous articles on that. Any other questions? Okay, cool. Well, thank you.
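As an added example that is not part of the talk or SpecterOps' tooling: a PowerShell audit for the controls the speaker lists, run from a domain-joined host with Windows PowerShell 5.1 and the RSAT ActiveDirectory module (both assumptions). It reports non-DC hosts with unconstrained delegation, privileged users that can still be delegated, domain controllers with the Print Spooler running, and who holds the replication rights DCSync relies on.

```powershell
# Added example, not from the talk. Assumes the RSAT ActiveDirectory module and
# Windows PowerShell 5.1 on a domain-joined host with read access to the domain.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).Name

# 1. Hosts trusted for unconstrained delegation (the printerbug + TGT theft target).
#    Domain controllers are skipped because they carry this flag by design.
Write-Host "== Non-DC computers with unconstrained delegation =="
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
    Where-Object { $dcs -notcontains $_.Name } |
    ForEach-Object { Write-Host $_.DNSHostName }

# 2. Privileged users missing "Account is sensitive and cannot be delegated".
Write-Host "== Privileged accounts that CAN be delegated =="
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$privUsers = $privGroups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName -Unique
foreach ($dn in $privUsers) {
    $u = Get-ADUser -Identity $dn -Properties AccountNotDelegated
    if (-not $u.AccountNotDelegated) {
        Write-Host $u.SamAccountName
        # The mitigation from the talk; remove -WhatIf to actually apply it.
        Set-ADUser -Identity $dn -AccountNotDelegated $true -WhatIf
    }
}

# 3. Print Spooler running on domain controllers (the service printerbug coerces).
Write-Host "== Domain controllers with Print Spooler running =="
foreach ($dc in $dcs) {
    $svc = Get-Service -ComputerName $dc -Name Spooler -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { Write-Host $dc }
}

# 4. Principals granted the replication extended rights on the domain object.
#    These GUIDs are Microsoft's documented values for the two control access rights.
#    Note: holders of GenericAll or WriteDacl on the domain can grant themselves these
#    rights too; this check only lists explicit extended-right ACEs.
Write-Host "== Principals with replication rights (DCSync) =="
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$domainDN = (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'ExtendedRight' -and
                   $replRights.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object { "{0}`t{1}" -f $_.IdentityReference, $replRights[$_.ObjectType.ToString()] }
```

Anything in the last list beyond the domain controllers' own accounts, Domain Admins, Enterprise Admins and the built-in Administrators group is a DCSync path worth explaining or removing.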
Info
Channel: SpecterOps
Id: MIt-tIjMr08
Length: 46min 0sec (2760 seconds)
Published: Tue Nov 10 2020