SlideShare ist ein Scribd-Unternehmen logo

Understanding Active Directory Enumeration

Als PPTX, PDF herunterladen
D
Daniel López Jiménez

Yep

Technologie
1 von 89
Understanding Active Directory Enumeration ATTL4S & WINT3R
www.crummie5.club
 The purpose of this talk:  Where is the information  How to access that information  Why is valuable that information  If you want details on any attack/technique, go to the corresponding links  I might not have enough time to tell the entire talk  Anyways, hope you enjoy it and learn something new (we’ve learnt tons of things doing it )
AGENDA 1. Introduction 2. Offensive Enumeration  Local Privileges  Logons and Sessions  LDAP
INTRODUCTION
CAPSULE.CORP Domain Internal Network
We will focus on having domain creds However, a lot of information can be enumerated without them (exposed services, open shares, network traffic, unauth information…) Platinum Sponsor
Credentials  By default, authenticated accounts can access a lot of information
But Domain Credentials are not only USER accounts  NTSystem in domain-joined systems corresponds to the domain computer account in the network  Domain Service Accounts are essentially user accounts, so can also be used to enumerate e.g. Kerberoasting or BloodHound
Enumeration Approach
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP
Simplifying it in the following topics  MS-RPC  Local Privileges  who is a local admin and where?  Logons and Sessions  where are authenticated those juicy users?  LDAP  objects and relationships
 As long as we have visibility and credentials, we can access tons of GOODIES REMEMBER
OFFENSIVE AD ENUMERATION
LOCAL PRIVILEGES (MS-RPC)
 Who is a local admin and where?  Who can access with RDP and where?  Who can access with WinRM and where? Who…. and where?
 Privileged local groups  Administrators  Remote Desktop Users  Distributed COM Users  Remote Management Users  We want to know which users are members of those local groups in each system
We mostly care about two things 1. Local privileged accounts that may share the same password on different systems (watchout UAC degrading the access token) 2. Domain users or groups being members of local privileged groups
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP Domain ? ? ? ? ? ? ? ? GPO Enum SAM SAM SAM SAM SAM SAM SAM SAM1 2
Remote SAM Enumeration  Win32 API Functions (PowerView)  NetLocalGroupGetMembers  NetLocalGroupEnum  NetUserEnum  …  ADSI WinNT Provider (PowerView)  MS-RPC (Impacket, Rpcclient)
Restrictions – SAM Enumeration  Controlled by the following policy:  Network access: Restrict clients allowed to make remote calls to SAM  An administrator can edit the policy to enforce or relax restrictions  Manually or with SAMRi10 https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b  By default newer systems allow only Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  Older systems allow any Domain User by default
Restricted Groups (and the old GPP)*
LOGONS AND SESSIONS (MS-RPC)
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP Domain ? ? ? ? ? ? ? ?
Logons  Querying for users logged on in a system is useful for hunting purposes (where are the Domain Admins?)  However these techniques require your user to be administrator on the target (not very practical)  Can be done using Win32 API calls or enumerating the registry remotely
Get-NetLoggedon from PowerView uses NetWkstaUserEnum
PsLoggedOn from Sysinternals uses the Registry Remotely
Is there a way to identify logons as a low priv user? YES *
Sessions  Although commonly called “sessions”, they mean to be network sessions  A network session is created – on the target – when a resource is accessed through the network (i.e a shared folder)  The Win32 API has the NetSessionEnum function which allows to query a system for network sessions
 By checking network sessions, we can correlate which users are connected and from where  Thus, the system that originated the network session should have an interactive user logon  Best locations to check sessions are servers (DCs, fileservers…) as they are highly accessed through the network e.g. querying WS04 for network sessions
Another example with Goku and Yamcha
 Controlled by the following registry key  HKLM:SYSTEMCurrentControlSetServicesLanmanServerDefaultSecuritySrvsvcSessionInfo  By default newer systems only allow Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  An administrator can edit the registry key to enforce or relax restrictions  Manually or using Net Cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b  Older systems allow any Authenticated User!
Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  Multiple choices  Impacket, Rpcclient, enum4linux, nmap…
Objects and Relationships (LDAP)
LDAP  By default, any low privileged domain account can query information about almost anything through LDAP  You just need something to interact with LDAP!
General Offensive Approaches  Builtin or developed tools that leverage Win32 API (net.exe)  LDAP tools (dsquery, dsget…)  .NET (PowerView, SharpView, AD module)  .NET DirectorySearcher class [adsisearcher]  .NET DirectoryEntry class [adsi]  .NET RPC classes
Pentest approach – my recommendation  Install RSAT and feel at home  If we are already joined to the domain, we are ready to go
What if we are not part of the domain?
CAPSULE.CORP Domain LDAP Internal Network
1. take care of DNS! (hosts file also works)
2. Impersonate!
3. Enumerate!
https://serverfault.com/questions/349262/using-administrative-tools-on-non-domain-computer-to-manage-domain-servers/349266
Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  As always make sure of DNS and point your actions to the targeted domain / domain controller  Multiple choices  Ldapsearch, JXExplorer, Pywerview, Bloodhound.py…
Interesting Things  Domain Users  Domain Computers  Domain Groups  OUs / GPOs  Forest / Domain Trusts  Relationships (ACLs)
Domain Users
User Account Control  Password never expires  same password for years  Account is sensitive  does not delegate credentials  Do not require Kerberos Preauthentication  can be As-Reproasted  Store password using reversible encryption  plaintext password stored in NTDS  Kerberos Delegation  TRUSTED_FOR_DELEGATION = Unconstrained  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition  …
Attributes  servicePrincipalName not null  can be Kerberoasted  adminCount = 1  member of one of the administrative groups  lastLogon / logonCount …  logon information  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-AllowedToDelegateTo  Kerberos Delegation related  userPassword / unixUserPassword / unicodePwd  sometimes plaintext passwords  …
Checks  Check out group memberships  Domain Admin? Local admin somewhere? …  Check out User Account Control settings  Kerberos Delegation? As-Reproastable? …  Check out those attributes  Passwords? Kerberoastable? …
Domain Computers
User Account Control  Trust this computer for delegation to any service  TRUSTED_FOR_DELEGATION = Unconstrained  Trust this computer for delegation to specific services only – use any authentication  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition
Attributes  servicePrincipalName  enumerate Kerberos services on the machine! (a.k.a SPN scanning)  adminCount = 1  member of one of the administrative groups  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS- AllowedToDelegateTo  Kerberos Delegation related  ms-Mcs-AdmPwd  LAPS password  operatingSystem  …
Checks (same as users)  Check out group memberships  Domain Admin? Any interesting group? …  Check out User Account Control settings  Kerberos Delegation? …  Check out those attributes  Operating system? SPN Scanning? …
 Sean Metcalf - SPN Scanning – Service Discovery without Network Port Scanning  https://adsecurity.org/?p=1508  Sean Metcalf - Cracking Kerberos TGS Tickets Using Kerberoast  https://adsecurity.org/?p=2293  Will Schroeder - Kerberoasting Revisited  https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/  Will Schroeder - Roasting AS-REPs  https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/  Sean Metcalf - Active Directory Security Risk #101: Kerberos Unconstrained Delegation  https://adsecurity.org/?p=1667  Elad Shamir - Wagging the Dog: Abusing Resource-Based Constrained Delegation  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Will Schroeder – Another Word on Delegation  https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
Domain Groups
 Domain Admins: full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory  Enterprise Admins: full AD rights to every domain in the AD forest  Administrators: default admin rights to Active Directory and Domain Controllers  Schema Admins: modify the Active Directory forest schema  Backup Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Print Operators: manage printers and load/unload device drivers on Domain Controllers  Server Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Account Operators: modify accounts and groups in the domain (Default GPO)  DNSAdmins: administrative access to Microsoft Active Directory DNS and is often granted the ability to logon to Domain Controllers  Group Policy Creator Owners: create, modify, and delete Group Policies in the domain https://adsecurity.org/?p=3700
Nested Groups
1. Group1 is a member of Domain Admins 2. Group2 is a member of Group1 3. Puar is a member of Group2 4. Puar is a Domain Admin
Checks  Find explicit privileged groups and their members  DA’s, EA’s, Schema Admins, DNSAdmins…  Find those nested groups  Group1 is member of Group2 and blablablaDOMAINADMIN!
 Will Schroeder - A Pentester’s Guide to Group Scoping  https://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/  SS64 - Understand the different types of Active Directory group  https://ss64.com/nt/syntax-groups.html
OUs & GPOs  By default any domain user can read all the GPO settings stored in the SYSVOL share  Lot of information can be enumerated  Local group memberships (Restricted Groups, GPP)  User rights assignment (SeDebugPrivilege, SeEnableDelegation…)  Local admin passwords (GPP!!)  LAPS settings  Registry entries  Scheduled tasks  Scripts  …
Checks  Check out all the GPOs and their settings  Firewall, local admin configurations…  Find where they are applied!!  Computers, users, OUs, sites…
 Andrew Robbins - A Red Teamer’s Guide to GPOs and OUs  https://wald0.com/?p=179  Rastamouse - GPO Abuse  https://rastamouse.me/2019/01/gpo-abuse-part-1/  https://rastamouse.me/2019/01/gpo-abuse-part-2/  Will Schroeder - Where My Admins At? (GPO Edition)  https://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
Forest/Domain Trusts  Compromising one domain is just the start of the journey  One forest can have multiple domains  One root domain (Ent. Admins here)  Probably multiple child domains  One forest may have trust relationships with other forests
Map all the trust relationships between your current domain and all the trusted domains External Child/Parent Forest
Child/Parent Trusts  Domains inside a forest trust each other  Once a single domain is compromised, any domain in the forest is vulnerable to the SIDHistory technique by creating Golden Tickets  If you compromise BADABING.SOPRANO.SL, you can compromise SOPRANO.SL through that technique
Forest/External Trusts  When a domain from other forest trusts you, you can query information about it  A Forest/External trust does not imply any kind of privilege against the targeted domain (by default)  Privileges across trusts must be configured by administrators  e.g.  This user from DomainA can access this resource in DomainB  This user from DomainA is a member of this group in DomainB
 TWINDCooper from TWIN.PKS is a member of the Satriales group in SOPRANO.SL  TWINDcooper is a Foreign Security Principal  We want to identify this kind of objects that could allow us to hop between forests
Checks  Find relationships between your domain and other domains  I’m in a child domain? Root domain?  Find if there are external relationships and  Forest trusts? external trusts?  Look for accounts who can potentially jump from your forest to another  ForestAPaco has sysdb privileges on ForestBSqlserver01
 Sean Metcalf - Security Considerations for Active Directory (AD) Trusts  https://adsecurity.org/?p=282  Sean Metcalf - Kerberos Golden Tickets are Now More Golden  https://adsecurity.org/?p=1640  Will Schroeder - A Guide to Attacking Domain Trusts  http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/  Will Schroeder - The Trustpocalypse  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Dirk-jan Mollema - Active Directory forest trusts part 1 - How does SID filtering work?  https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/  Will Schroeder – Not a Security Boundary: Breaking Forest Trusts  https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/  Carlos García – Pentesting Active Directory Forests  https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20- %20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0
ACLs  Access controls in Active Directory are mostly managed through the use of ACLs (Access Control Lists)  Each object has its own ACLs (Users, Groups, Computers, OUs, GPOs, Domains…)  An ACL consists in a list of rules that grant or deny rights to a user/group over the object that holds the ACL
e.g. If you check the Domain Admins’ ACL, you will see which objects have rights over the Domain Admins group
Depending on the privileges… Over Users Reset password Set ServicePrincipalName then Kerberoast Set No-Kerb Preauth then As-Reproast Over Groups Adding new members Over GPOs Link them Edit them Over Computers Set Kerberos RBCD Read/modify LAPS password Over Domains DCSync
Checks  Check the ACL’s of interesting objects  Has anyone DCSync privs on the domain? Reset password on user OU’s?
 Andrew Robbins / Will Schroeder – An ACE Up the Sleeve  https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve- Designing-Active-Directory-DACL-Backdoors-wp.pdf  Will Schroeder - Abusing Active Directory Permissions with PowerView  http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with- powerview/  Will Schroeder – The Unintended Risks of Trusting Active Directory  https://www.slideshare.net/harmj0y/the-unintended-risks-of-trusting-active-directory
MANY THANKS Any question?

Empfohlen

The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdfn00py1
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
 

Empfohlen

The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdfn00py1
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using sshmorisson
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration TestingCheah Eng Soon
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorPaolo Dolci
 
Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind mapdasdwwe1
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hackingnayakslideshare
 

Weitere ähnliche Inhalte

Was ist angesagt?

ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using sshmorisson
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration TestingCheah Eng Soon
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorPaolo Dolci
 

Was ist angesagt? (20)

ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editor
 

Ähnlich wie Understanding Active Directory Enumeration

Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind mapdasdwwe1
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsLDAPCon
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
Content Navigation
Content NavigationContent Navigation
Content Navigationsanjoysanyal
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 

Ähnlich wie Understanding Active Directory Enumeration (20)

Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind map
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
 
Mimikatz
MimikatzMimikatz
Mimikatz
 
Resume (6)
Resume (6)Resume (6)
Resume (6)
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 

Kürzlich hochgeladen

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Understanding Active Directory Enumeration

  • 2.
  • 3.
  • 5.  The purpose of this talk:  Where is the information  How to access that information  Why is valuable that information  If you want details on any attack/technique, go to the corresponding links  I might not have enough time to tell the entire talk  Anyways, hope you enjoy it and learn something new (we’ve learnt tons of things doing it )
  • 6. AGENDA 1. Introduction 2. Offensive Enumeration  Local Privileges  Logons and Sessions  LDAP
  • 9. We will focus on having domain creds However, a lot of information can be enumerated without them (exposed services, open shares, network traffic, unauth information…) Platinum Sponsor
  • 10. Credentials  By default, authenticated accounts can access a lot of information
  • 11. But Domain Credentials are not only USER accounts  NTSystem in domain-joined systems corresponds to the domain computer account in the network  Domain Service Accounts are essentially user accounts, so can also be used to enumerate e.g. Kerberoasting or BloodHound
  • 15. Simplifying it in the following topics  MS-RPC  Local Privileges  who is a local admin and where?  Logons and Sessions  where are authenticated those juicy users?  LDAP  objects and relationships
  • 16.  As long as we have visibility and credentials, we can access tons of GOODIES REMEMBER
  • 19.  Who is a local admin and where?  Who can access with RDP and where?  Who can access with WinRM and where? Who…. and where?
  • 20.  Privileged local groups  Administrators  Remote Desktop Users  Distributed COM Users  Remote Management Users  We want to know which users are members of those local groups in each system
  • 21. We mostly care about two things 1. Local privileged accounts that may share the same password on different systems (watchout UAC degrading the access token) 2. Domain users or groups being members of local privileged groups
  • 22. NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP Domain ? ? ? ? ? ? ? ? GPO Enum SAM SAM SAM SAM SAM SAM SAM SAM1 2
  • 23. Remote SAM Enumeration  Win32 API Functions (PowerView)  NetLocalGroupGetMembers  NetLocalGroupEnum  NetUserEnum  …  ADSI WinNT Provider (PowerView)  MS-RPC (Impacket, Rpcclient)
  • 24. Restrictions – SAM Enumeration  Controlled by the following policy:  Network access: Restrict clients allowed to make remote calls to SAM  An administrator can edit the policy to enforce or relax restrictions  Manually or with SAMRi10 https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b  By default newer systems allow only Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  Older systems allow any Domain User by default
  • 25.
  • 26. Restricted Groups (and the old GPP)*
  • 29. Logons  Querying for users logged on in a system is useful for hunting purposes (where are the Domain Admins?)  However these techniques require your user to be administrator on the target (not very practical)  Can be done using Win32 API calls or enumerating the registry remotely
  • 30. Get-NetLoggedon from PowerView uses NetWkstaUserEnum
  • 31. PsLoggedOn from Sysinternals uses the Registry Remotely
  • 32. Is there a way to identify logons as a low priv user? YES *
  • 33. Sessions  Although commonly called “sessions”, they mean to be network sessions  A network session is created – on the target – when a resource is accessed through the network (i.e a shared folder)  The Win32 API has the NetSessionEnum function which allows to query a system for network sessions
  • 34.  By checking network sessions, we can correlate which users are connected and from where  Thus, the system that originated the network session should have an interactive user logon  Best locations to check sessions are servers (DCs, fileservers…) as they are highly accessed through the network e.g. querying WS04 for network sessions
  • 35. Another example with Goku and Yamcha
  • 36.  Controlled by the following registry key  HKLM:SYSTEMCurrentControlSetServicesLanmanServerDefaultSecuritySrvsvcSessionInfo  By default newer systems only allow Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  An administrator can edit the registry key to enforce or relax restrictions  Manually or using Net Cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b  Older systems allow any Authenticated User!
  • 37. Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  Multiple choices  Impacket, Rpcclient, enum4linux, nmap…
  • 39. LDAP  By default, any low privileged domain account can query information about almost anything through LDAP  You just need something to interact with LDAP!
  • 40. General Offensive Approaches  Builtin or developed tools that leverage Win32 API (net.exe)  LDAP tools (dsquery, dsget…)  .NET (PowerView, SharpView, AD module)  .NET DirectorySearcher class [adsisearcher]  .NET DirectoryEntry class [adsi]  .NET RPC classes
  • 41. Pentest approach – my recommendation  Install RSAT and feel at home  If we are already joined to the domain, we are ready to go
  • 42. What if we are not part of the domain?
  • 44. 1. take care of DNS! (hosts file also works)
  • 46.
  • 47.
  • 50. Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  As always make sure of DNS and point your actions to the targeted domain / domain controller  Multiple choices  Ldapsearch, JXExplorer, Pywerview, Bloodhound.py…
  • 51. Interesting Things  Domain Users  Domain Computers  Domain Groups  OUs / GPOs  Forest / Domain Trusts  Relationships (ACLs)
  • 53. User Account Control  Password never expires  same password for years  Account is sensitive  does not delegate credentials  Do not require Kerberos Preauthentication  can be As-Reproasted  Store password using reversible encryption  plaintext password stored in NTDS  Kerberos Delegation  TRUSTED_FOR_DELEGATION = Unconstrained  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition  …
  • 54. Attributes  servicePrincipalName not null  can be Kerberoasted  adminCount = 1  member of one of the administrative groups  lastLogon / logonCount …  logon information  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-AllowedToDelegateTo  Kerberos Delegation related  userPassword / unixUserPassword / unicodePwd  sometimes plaintext passwords  …
  • 55. Checks  Check out group memberships  Domain Admin? Local admin somewhere? …  Check out User Account Control settings  Kerberos Delegation? As-Reproastable? …  Check out those attributes  Passwords? Kerberoastable? …
  • 57. User Account Control  Trust this computer for delegation to any service  TRUSTED_FOR_DELEGATION = Unconstrained  Trust this computer for delegation to specific services only – use any authentication  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition
  • 58. Attributes  servicePrincipalName  enumerate Kerberos services on the machine! (a.k.a SPN scanning)  adminCount = 1  member of one of the administrative groups  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS- AllowedToDelegateTo  Kerberos Delegation related  ms-Mcs-AdmPwd  LAPS password  operatingSystem  …
  • 59.
  • 60. Checks (same as users)  Check out group memberships  Domain Admin? Any interesting group? …  Check out User Account Control settings  Kerberos Delegation? …  Check out those attributes  Operating system? SPN Scanning? …
  • 61.  Sean Metcalf - SPN Scanning – Service Discovery without Network Port Scanning  https://adsecurity.org/?p=1508  Sean Metcalf - Cracking Kerberos TGS Tickets Using Kerberoast  https://adsecurity.org/?p=2293  Will Schroeder - Kerberoasting Revisited  https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/  Will Schroeder - Roasting AS-REPs  https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/  Sean Metcalf - Active Directory Security Risk #101: Kerberos Unconstrained Delegation  https://adsecurity.org/?p=1667  Elad Shamir - Wagging the Dog: Abusing Resource-Based Constrained Delegation  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Will Schroeder – Another Word on Delegation  https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
  • 63.  Domain Admins: full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory  Enterprise Admins: full AD rights to every domain in the AD forest  Administrators: default admin rights to Active Directory and Domain Controllers  Schema Admins: modify the Active Directory forest schema  Backup Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Print Operators: manage printers and load/unload device drivers on Domain Controllers  Server Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Account Operators: modify accounts and groups in the domain (Default GPO)  DNSAdmins: administrative access to Microsoft Active Directory DNS and is often granted the ability to logon to Domain Controllers  Group Policy Creator Owners: create, modify, and delete Group Policies in the domain https://adsecurity.org/?p=3700
  • 65. 1. Group1 is a member of Domain Admins 2. Group2 is a member of Group1 3. Puar is a member of Group2 4. Puar is a Domain Admin
  • 66. Checks  Find explicit privileged groups and their members  DA’s, EA’s, Schema Admins, DNSAdmins…  Find those nested groups  Group1 is member of Group2 and blablablaDOMAINADMIN!
  • 67.  Will Schroeder - A Pentester’s Guide to Group Scoping  https://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/  SS64 - Understand the different types of Active Directory group  https://ss64.com/nt/syntax-groups.html
  • 68. OUs & GPOs  By default any domain user can read all the GPO settings stored in the SYSVOL share  Lot of information can be enumerated  Local group memberships (Restricted Groups, GPP)  User rights assignment (SeDebugPrivilege, SeEnableDelegation…)  Local admin passwords (GPP!!)  LAPS settings  Registry entries  Scheduled tasks  Scripts  …
  • 69.
  • 70. Checks  Check out all the GPOs and their settings  Firewall, local admin configurations…  Find where they are applied!!  Computers, users, OUs, sites…
  • 71.  Andrew Robbins - A Red Teamer’s Guide to GPOs and OUs  https://wald0.com/?p=179  Rastamouse - GPO Abuse  https://rastamouse.me/2019/01/gpo-abuse-part-1/  https://rastamouse.me/2019/01/gpo-abuse-part-2/  Will Schroeder - Where My Admins At? (GPO Edition)  https://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
  • 72. Forest/Domain Trusts  Compromising one domain is just the start of the journey  One forest can have multiple domains  One root domain (Ent. Admins here)  Probably multiple child domains  One forest may have trust relationships with other forests
  • 73. Map all the trust relationships between your current domain and all the trusted domains External Child/Parent Forest
  • 74.
  • 75.
  • 76. Child/Parent Trusts  Domains inside a forest trust each other  Once a single domain is compromised, any domain in the forest is vulnerable to the SIDHistory technique by creating Golden Tickets  If you compromise BADABING.SOPRANO.SL, you can compromise SOPRANO.SL through that technique
  • 77.
  • 78.
  • 79. Forest/External Trusts  When a domain from other forest trusts you, you can query information about it  A Forest/External trust does not imply any kind of privilege against the targeted domain (by default)  Privileges across trusts must be configured by administrators  e.g.  This user from DomainA can access this resource in DomainB  This user from DomainA is a member of this group in DomainB
  • 80.  TWINDCooper from TWIN.PKS is a member of the Satriales group in SOPRANO.SL  TWINDcooper is a Foreign Security Principal  We want to identify this kind of objects that could allow us to hop between forests
  • 81. Checks  Find relationships between your domain and other domains  I’m in a child domain? Root domain?  Find if there are external relationships and  Forest trusts? external trusts?  Look for accounts who can potentially jump from your forest to another  ForestAPaco has sysdb privileges on ForestBSqlserver01
  • 82.  Sean Metcalf - Security Considerations for Active Directory (AD) Trusts  https://adsecurity.org/?p=282  Sean Metcalf - Kerberos Golden Tickets are Now More Golden  https://adsecurity.org/?p=1640  Will Schroeder - A Guide to Attacking Domain Trusts  http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/  Will Schroeder - The Trustpocalypse  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Dirk-jan Mollema - Active Directory forest trusts part 1 - How does SID filtering work?  https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/  Will Schroeder – Not a Security Boundary: Breaking Forest Trusts  https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/  Carlos García – Pentesting Active Directory Forests  https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20- %20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0
  • 83. ACLs  Access controls in Active Directory are mostly managed through the use of ACLs (Access Control Lists)  Each object has its own ACLs (Users, Groups, Computers, OUs, GPOs, Domains…)  An ACL consists in a list of rules that grant or deny rights to a user/group over the object that holds the ACL
  • 84. e.g. If you check the Domain Admins’ ACL, you will see which objects have rights over the Domain Admins group
  • 85. Depending on the privileges… Over Users Reset password Set ServicePrincipalName then Kerberoast Set No-Kerb Preauth then As-Reproast Over Groups Adding new members Over GPOs Link them Edit them Over Computers Set Kerberos RBCD Read/modify LAPS password Over Domains DCSync
  • 86.
  • 87. Checks  Check the ACL’s of interesting objects  Has anyone DCSync privs on the domain? Reset password on user OU’s?
  • 88.  Andrew Robbins / Will Schroeder – An ACE Up the Sleeve  https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve- Designing-Active-Directory-DACL-Backdoors-wp.pdf  Will Schroeder - Abusing Active Directory Permissions with PowerView  http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with- powerview/  Will Schroeder – The Unintended Risks of Trusting Active Directory  https://www.slideshare.net/harmj0y/the-unintended-risks-of-trusting-active-directory