An overview of advanced domain attacks, focusing on what an attacker would do after gaining an initial foothold. Includes internal enumeration, attack routing, and process injection.
2. Get in touch with us
Mailing List - Sign in and check “Add to Mailing List”
Website - csg.utdallas.edu
Slack - #csg on ecsutd.slack.com
Email - utdcsg@gmail.com
3. Announcements
Lab Hangouts - ECSS 4.619 - Every Thursday at 4 PM
State Farm CTF - Join competition and create team
4. Advanced Techniques
1. Recon
a. Looking for information
b. What information to look for
2. Enumerating the Network
a. Finding other Computers
b. Enumerating Users and Groups
c. Enumerating Services
3. Attack Routing
a. Routing attacks
b. Pivoting to different segments
4. Process Injection
a. Migrating
b. Privilege Escalation
5. Token Impersonation
6. Defense
6. Looking for Information
● Look for as much data on the computer as possible
○ Find plain-text passwords
○ Maintenance schedules
○ Browser activity
○ Cached browser passwords
7. Persistence
● If you can't find something now, that doesn't mean you won't find it later
○ Drop a keylogger and wait
○ Wait for an admin to log in to capture data
○ Intercept traffic for more information
9. Routing Attack
● After breaking into a box, you should route most attacks through that computer
○ Scan internally to find other computers
○ Find exploits to try to get access to other computers if no direct path to the domain controller is visible
○ Attempt PsExec to log in to other boxes (they may have vulnerabilities)
● Route all future attacks through this computer
12. Enumerating the Network
● After routing attacks, scan for other computers and other services
● Find the domain controller and the services running on it
● Try to connect to the controller with found passwords
13. Enumerating Domain Information
● Find the list of domain users to password guess against
● Enumerate the password and security policy
● Enumerate user groups (try to get into those groups)
● Enumerate services that may have user accounts to exploit
○ Service accounts may have admin access with cached and stored passwords
15. Process Injection
● If the user has an unprotected administrative process running, migrate to it
● Migrating to an administrative process might cause a crash, so make sure you have persistence (session passing)
16. Token Impersonation
● If an administrative token has been active on, or placed on, the computer you are on, and you have local admin, you may be able to impersonate tokens
● Impersonating a token allows you to create a session as that user using the cached token
● You can forge the token by looking at the past token and past session token authentication
18. General Defense
● Obvious defenses
○ Don't leave passwords in plain text
○ Clear cached admin passwords
○ Don't leave administrative sessions open
○ Lock down each service so it can only be used by the service itself
○ Encrypt traffic so data interception is useless
● Less obvious
○ Segment different groups onto different IP ranges so people don't have access to what they don't need
○ Disable CMD and PowerShell for users that don't need them (hard to exploit with no command line or PowerShell)
○ Disable RDP for users that don't need to RDP outbound
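A detection-side complement to the defenses above, added here as an example and not part of the original slides: the "route attacks through one box" and PsExec steps described earlier leave a recognizable trail in Windows logs, namely a network logon (Security Event ID 4624, logon type 3) on the target followed within seconds by a service install (System Event ID 7045) for PSEXESVC. The event records, field names and the `KNOWN_ADMIN_HOSTS` allow-list below are constructed for the demo.

```python
"""Flag PsExec-style lateral movement in Windows event records.

Event IDs 4624 (logon) and 7045 (service installed) are real Windows IDs;
the record layout and sample data are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a compromised workstation (10.1.5.23) logs on to FS01
# over the network and drops the PsExec service; a sanctioned jump host
# (10.1.1.10) also opens a network logon and should not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.1.5.23"},
    {"ts": "2024-03-01T10:00:04", "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-01T11:30:00", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\backup_svc", "src_ip": "10.1.1.10"},
]
KNOWN_ADMIN_HOSTS = {"10.1.1.10"}  # hypothetical allow-list of jump hosts


def flag_lateral_movement(events, window=timedelta(minutes=5)):
    """Return (host, user, src_ip, reason) tuples worth an analyst's time."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for e in evs:
            if e["id"] == 7045:
                blob = (e.get("service", "") + e.get("image", "")).lower()
                if "psexesvc" not in blob:
                    continue
                t = datetime.fromisoformat(e["ts"])
                # Correlate the service install with a network logon just before it.
                for prior in evs:
                    if prior["id"] != 4624 or prior.get("logon_type") != 3:
                        continue
                    delta = t - datetime.fromisoformat(prior["ts"])
                    if timedelta(0) <= delta <= window:
                        findings.append((host, prior["user"], prior["src_ip"],
                                         "PsExec service installed after network logon"))
            elif e["id"] == 4624 and e.get("logon_type") == 3 \
                    and e["src_ip"] not in KNOWN_ADMIN_HOSTS:
                findings.append((host, e["user"], e["src_ip"],
                                 "network logon from non-admin host"))
    return findings
```

Segmenting admin hosts onto their own IP range, as the slide suggests, is what makes the allow-list check meaningful; without it every workstation is a plausible logon source.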