2. Get in touch with us
Mailing List - Sign in and check "Add to Mailing List"
Website - csg.utdallas.edu
Slack - #csg on ecsutd.slack.com
Email - utdcsg@gmail.com
4. Introduction to Domains and Hacking
1. Intro to domains (w/ focus on Windows)
   a. The problem: complex network, lots of services, securing credentials on every node
   b. The solution: centralized access control system
   c. AD: LDAP, Kerberos, NTLM
   d. Visualizing architecture
   e. Other handy AD features
      i. OUs, GPOs, other things to make sysadmin lives easier
2. Attacking domains
   a. Methods
      i. Pass the hash/ticket
      ii. Exploits
   b. Tools
      i. Mimikatz
      ii. Kerberoast
3. Defending against these attacks
   a. Harden privileged groups, users, GPOs, etc
   b. Patch those exploits
   c. Future technologies
5. Why do domains exist?
Because we said so
For most organizations, there are too many services and users accessing those services to manually configure everything
Necessary to have centralized control of all components
• Format user groups and system organization in a way that mimics real-life layout
That's where domains come in
6. Domains and their contents
Domain controllers - where admins can control/regulate domain functionality
DNS - used to locate domain controllers and other systems within domain
User authentication - using Kerberos, NTLM
Sometimes includes managing systems like:
• Mail (Outlook through Windows AD)
• File servers (SMB)
• Printers
7. Active Directory
Windows domain solution
Essential tools/protocols:
• LDAP (Lightweight Directory Access Protocol)
• Kerberos - User/service authentication
• NTLM (NT LAN Manager) - Secondary user authentication, usually
8. LDAP
• Open application protocol for accessing and maintaining distributed directory information services over a network
• If you are looking for a particular service or user, quick lookup through LDAP (granted that you have correct permissions)
• Allowed operations:
  • Search - search for and/or retrieve directory entries
  • Compare - test if a named entry contains a given attribute value
  • Add a new entry
  • Delete an entry
  • Modify an entry
10. OU vs Active Directory Groups
• Groups: less restrictive with regards to permissions; especially useful for regulating access to resources
  • Ex) Administrator group could include users with administrative authority from a variety of organizations within the company (Marketing, Finance, IT, etc)
  • Give Administrators the ability to access database A
• Organizational Units are typically used for more intricate permissions
  • Map group policy settings to a subset of users/groups/systems
  • Possible to have an OU that contains only a subset of users in an Active Directory group
  Ex) To allow a marketing manager to reset passwords for other marketing employees, delegate administration privs for the Marketing OU to that specific user
11. Kerberos
Created by MIT in the late 1980s
Kerberos is a network authentication protocol that uses the concept of tickets to authenticate users to services AND services to users
Tickets - special messages encrypted with keys generated from the client/ticket-granting server and client/service server keys
13. NTLM
• Authenticate only with centralized Domain Controller
• Challenge-response
  • Don't send cleartext credentials over the wire
  • You end up with an "NTLM hash", which is used to authenticate with other objects in Active Directory
• Provides single sign-on
• But… those hashes are stored locally on machines that use them, which leaves you vulnerable to "Pass the Hash" attacks
  • Which is fine! Just don't let your users have local admin rights, and they won't be able to look at them!
  • "Stupid users" can't escalate privileges, right?
15. Domain-Related Exploits
• MS14-068
  • Privilege escalation from domain user to domain admin
  • "Hey Mr. KDC, I'm a domain admin, trust me!"
  • "Hey Mr. Flight Steward, I'm the pilot, trust me!"
  • Patched with KB3011780
16. Domain-Related Exploits
• Group Policy Preferences & Decrypting Passwords in SYSVOL
  • The problem: updating local administrator passwords en masse
  • Just use that handy dandy group policy stuff, right?
  • Group policy stuff is stored in the "SYSVOL" shared directory
  • Readable by everyone; it's for deploying GPOs
  • Bad sysadmins may end up putting cleartext local admin credentials there
17. Domain-Related Exploits
• Well that's no good. Microsoft's solution? Group Policy Preferences (GPP)
  • We'll AES-256 bit encrypt those passwords for you!
  • ...With this private key!
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
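A defender's first step for the SYSVOL problem above is simply to find out whether any GPP file in the share still carries a cpassword attribute at all. This is an added example (not part of the deck or UTD CSG's code): it walks a SYSVOL-style tree and reports every GPP element that sets a password. The sample files are constructed inline, the cpassword value is a placeholder, and the set of file names checked is an assumption based on the GPP extensions that can embed credentials.

```python
"""Audit a SYSVOL-style tree for Group Policy Preference files with cpassword."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP extensions that can embed an account password (assumed list)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(sysvol_root):
    """Return (relative path, account) for every element with a non-empty cpassword."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue  # malformed XML is a different problem, not a finding here
            for elem in root.iter():
                if elem.get("cpassword"):  # empty string means the password was cleared
                    account = elem.get("userName") or elem.get("accountName") or "?"
                    hits.append((os.path.relpath(full, sysvol_root), account))
    return hits

# Constructed sample SYSVOL: GPO-1 sets a local admin password, GPO-2 is clean
SAMPLE = {
    "Policies/{GPO-1}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User clsid="{X}" name="Administrator (built-in)"><Properties '
        'action="U" userName="Administrator" cpassword="PLACEHOLDER_CONSTRUCTED"/>'
        '</User></Groups>',
    "Policies/{GPO-2}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User clsid="{X}" name="helpdesk"><Properties action="U" '
        'userName="helpdesk" cpassword=""/></User></Groups>',
}

def build_sample_sysvol():
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for rel, body in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, account in find_cpasswords(build_sample_sysvol()):
        print(f"FINDING: {rel} sets a password for '{account}' via cpassword")
```

Pointing `find_cpasswords` at a real `\\domain\SYSVOL\domain\Policies` copy gives the list of GPOs whose password-setting preferences need to be removed and the affected accounts rotated.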
18. The Harder Stuff
• Go for the low-hanging fruit, when you can.
• Slightly more complicated attacks…
  • Pass the Hash (NTLM)
  • Pass the Ticket (Kerberos)
19. Pass the Hash
• As mentioned before, NTLM hashes are stored locally, and are used to authenticate with other parts of the network
• So if you have local admin privileges, you can grab the NTLM hashes of anyone who has logged onto that machine
• Send it to other machines and you gucci
• Demo
20. Pass the Ticket
• Similar idea. Grab tickets/hashes stored locally.
• But knowing Kerberos, that doesn't get you as far
• Silver Tickets - Forged TGSs
  • Requires target service's hash; potential for escalation
  • People give services more privileges than they ought to
• Golden Tickets - Forged TGTs
  • Requires the KDC's hash; really more of a persistence thing
• Kerberoast - cracking tickets to get credentials
  • Decent option if you have a gucci password cracking rig
21. Defenses
• Patch those exploits
  • Don't leave the low hanging fruit
• Harden, harden, harden.
  • Users, groups, GPOs, etc
  • Strong passwords!
• Future technologies
  • Windows Advanced Threat Protection
  • Machine learning to detect anomalous behavior
    • Gee, why is my webserver logging into the DC? Hmmm….
  • Restricting tools (cough, PowerShell) that mimikatz and other tools use
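The "why is my webserver logging into the DC?" question is the simplest form of the anomaly detection mentioned above: learn which (account, source host, target host) combinations are normal, then flag logons outside that baseline, rating hits on domain controllers highest. This is an added example, not the deck's or UTD CSG's code; the event lines are constructed, their comma-separated layout is an assumption rather than a Windows event format, and the host names are placeholders.

```python
"""Baseline-and-flag detection for logon events that fall outside normal patterns."""
from collections import defaultdict

# Constructed events: "day,account,source_host,target_host,logon_type"
BASELINE_WINDOW = [
    "1,alice,WS-01,DC-01,3",
    "1,svc_web,WEB-01,SQL-01,3",
    "2,alice,WS-01,DC-01,3",
    "2,bob,WS-02,FILE-01,3",
    "3,svc_web,WEB-01,SQL-01,3",
]
NEW_WINDOW = [
    "4,alice,WS-01,DC-01,3",
    "4,svc_web,WEB-01,DC-01,3",   # the web server's account reaching the DC
    "4,bob,WS-02,FILE-01,3",
    "4,bob,WEB-01,FILE-01,10",    # bob now coming from the web server over RDP
]

def parse(lines):
    """Turn constructed CSV lines into event dicts."""
    for line in lines:
        day, account, src, dst, ltype = line.split(",")
        yield {"day": int(day), "account": account, "src": src,
               "dst": dst, "type": int(ltype)}

def build_baseline(lines):
    """Record which (source, target) host pairs each account normally uses."""
    seen = defaultdict(set)
    for ev in parse(lines):
        seen[ev["account"]].add((ev["src"], ev["dst"]))
    return seen

def find_anomalies(baseline, lines, crown_jewels=("DC-01",)):
    """Flag logons whose (src, dst) pair was never seen for that account.
    Pairs landing on a crown-jewel host are rated 'high', all others 'medium'."""
    findings = []
    for ev in parse(lines):
        pair = (ev["src"], ev["dst"])
        if pair in baseline.get(ev["account"], set()):
            continue
        severity = "high" if ev["dst"] in crown_jewels else "medium"
        findings.append((severity, ev["account"], ev["src"], ev["dst"]))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_WINDOW), NEW_WINDOW):
        print("%-6s %s from %s -> %s" % finding)
```

A real deployment would feed it logon events (for example 4624 with source address and target host) and refresh the baseline on a rolling window so that legitimate new pairs age in.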