Introduction to Domains and Hacking
March 7th, 2018
Get in touch with us
Mailing List - Sign in and check “Add to Mailing List”
Website - csg.utdallas.edu
Slack - #csg on ecsutd.slack.com
Email - utdcsg@gmail.com
Announcements
Lab Hangouts - ECSS 4.619 - Every Thursday at 4 PM
State Farm CTF Sign Up - March 5th - 12th
Introduction to Domains and Hacking
1. Intro to domains (w/ focus on Windows)
   a. The problem: complex network, lots of services, securing credentials on every node
   b. The solution: centralized access control system
   c. AD: LDAP, Kerberos, NTLM
   d. Visualizing architecture
   e. Other handy AD features
      i. OUs, GPOs, other things to make sysadmin lives easier
2. Attacking domains
   a. Methods
      i. Pass the hash/ticket
      ii. Exploits
   b. Tools
      i. Mimikatz
      ii. Kerberoast
3. Defending against these attacks
   a. Harden privileged groups, users, GPOs, etc
   b. Patch those exploits
   c. Future technologies
Why do domains exist?
Because we said so
For most organizations, there are too many services and users accessing those services to manually configure everything
Necessary to have centralized control of all components
● Format user groups and system organization in a way that mimics real-life layout
That’s where domains come in
Domains and their contents
Domain controllers - where admins can control/regulate domain functionality
DNS - used to locate domain controllers and other systems within domain
User authentication - using Kerberos, NTLM
Sometimes includes managing systems like:
● Mail (Outlook through Windows AD)
● File servers (SMB)
● Printers
Active Directory
Windows domain solution
Essential tools/protocols:
● LDAP (Lightweight Directory Access Protocol)
● Kerberos - User/service authentication
● NTLM (NT LAN Manager) - Usually a secondary (fallback) user authentication method
LDAP
● Open application protocol for accessing and maintaining distributed directory information services over a network
○ If you are looking for a particular service or user, quick lookup through LDAP (granted that you have correct permissions)
● Allowed operations:
○ Search — search for and/or retrieve directory entries
○ Compare — test if a named entry contains a given attribute value
○ Add a new entry
○ Delete an entry
○ Modify an entry
LDAP - Add
# LDIF record for an LDAP add operation
dn: uid=johnnyboy,ou=Hackers,dc=example,dc=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: johnnyboy
cn: leetHacker
# sn (surname) is mandatory for objectClass person; value constructed for this example
sn: Hacker
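As an added example (not part of the slides), the following Python parses an LDIF add record like the one above, checks the things a directory server would reject it for (the RDN value must appear as an attribute, and objectClass person requires sn), and builds an RFC 4515 search filter for the Search operation with the value escaped so that input taken from a user cannot change the filter's structure. The DN, attribute values and object classes are the slide's own; the sn value and the function names are assumptions made here.

```python
"""Added example: parse an LDIF add record, validate it, and build an escaped LDAP search filter."""
import re

# Constructed sample mirroring the slide's entry (hypothetical directory, sn added).
SAMPLE_LDIF = """dn: uid=johnnyboy,ou=Hackers,dc=example,dc=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: johnnyboy
cn: leetHacker
sn: Hacker
"""

# Attributes the 'person' object class requires (RFC 4519): cn and sn.
REQUIRED_FOR_PERSON = ("cn", "sn")


def parse_ldif(text):
    """Parse one LDIF record into a dict of lower-cased attribute -> list of values.

    Handles 'attr: value' lines, repeated attributes (objectClass), stray spaces
    before the colon, comment lines and LDIF line folding (a continuation line
    starts with a single space)."""
    entry = {}
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def validate_add(entry):
    """Return the problems a directory server would reject this add for (empty list if none)."""
    problems = []
    if "dn" not in entry:
        return ["record has no dn"]
    if entry.get("changetype", ["add"])[0] != "add":
        problems.append("not an add record")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "person" in classes:
        for attr in REQUIRED_FOR_PERSON:
            if attr not in entry:
                problems.append(f"objectClass person requires attribute '{attr}'")
    rdn = entry["dn"][0].split(",", 1)[0]          # e.g. uid=johnnyboy
    rdn_attr, _, rdn_val = rdn.partition("=")
    if rdn_val not in entry.get(rdn_attr.lower(), []):
        problems.append(f"RDN value '{rdn_val}' is not an attribute value of the entry")
    return problems


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def uid_lookup_filter(uid):
    """Filter that finds one user by uid; the uid cannot add or close filter components."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    print(entry["dn"][0], "problems:", validate_add(entry))
    print(uid_lookup_filter("johnnyboy"))
    print(uid_lookup_filter("*)(uid=*"))   # wildcard and parentheses are escaped, not interpreted
```

Removing the sn line from the sample makes validate_add report the missing attribute, which is the error the slide's original record (with no sn) would have produced on a schema-checking server.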
OU vs Active Directory Groups
● Groups: less restrictive with regards to permissions; especially useful for regulating access to resources
○ Ex) Administrator group could include users with administrative authority from a variety of organizations within the company (Marketing, Finance, IT, etc)
○ Give Administrators the ability to access database A
● Organizational Units are typically used for more intricate permissions
○ Map group policy settings to a subset of users/groups/systems
○ Possible to have an OU that contains only a subset of the users in an Active Directory group
○ Ex) To allow a marketing manager to reset passwords for other marketing employees, delegate administration privs for the Marketing OU to that specific user
Kerberos
Created by MIT in the late 1980s
Kerberos is a network authentication protocol that uses the concept of tickets to authenticate users to services AND services to users
Tickets - special messages encrypted with keys derived from the secrets of the parties involved: client and ticket-granting server, or client and service server
Kerberos (diagram of the ticket exchange; source: Oracle Help Center)
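To make the ticket exchange concrete, here is an added example (not from the slides or from any Kerberos implementation): a toy of the three Kerberos exchanges in pure Python. The KDC holds every principal's long-term key; the AS exchange returns a TGT sealed under the KDC's own krbtgt key, the TGS exchange returns a service ticket sealed under the service's key, and the service validates the ticket with nothing but its own key. That is the structure behind the slides' later point that a stolen service key or krbtgt key lets someone mint tickets the service or KDC will accept. The cipher (HMAC-SHA256 counter mode with a MAC), the key derivation, the principal names and the 600-second lifetime are constructed for illustration, not Kerberos' real enctypes or defaults.

```python
"""Added example: toy Kerberos AS / TGS / AP exchanges with a constructed authenticated cipher."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, length):
    """Keystream from HMAC-SHA256 in counter mode (constructed toy PRF, not a real enctype)."""
    blocks = (length // 32) + 1
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable message under key."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the MAC first; a wrong key (or tampering) raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password):
    """Toy stand-in for Kerberos string-to-key: the KDC stores this, never the password."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Holds every principal's long-term key; issues TGTs (AS) and service tickets (TGS)."""

    def __init__(self, principals):
        self.keys = {name: long_term_key(pw) for name, pw in principals.items()}
        self.krbtgt = os.urandom(32)  # key every TGT is sealed with

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: reply sealed with the client's key, TGT inside it sealed with krbtgt."""
        session = os.urandom(32)
        tgt = seal(self.krbtgt, {"client": client, "session": session.hex(), "expires": now + 600})
        return seal(self.keys[client], {"session": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a ticket sealed with the service key."""
        t = unseal(self.krbtgt, tgt)
        if t["expires"] < now:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if auth["client"] != t["client"] or abs(auth["time"] - now) > 300:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"client": t["client"], "session": svc_session.hex(), "expires": now + 600})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session.hex(), "ticket": ticket.hex()})


def client_login(kdc, name, password, service, now=None):
    """Client side of AS then TGS; returns (service ticket, service session key)."""
    now = time.time() if now is None else now
    rep = unseal(long_term_key(password), kdc.as_exchange(name, now))  # wrong password fails here
    tgt_session = bytes.fromhex(rep["session"])
    authenticator = seal(tgt_session, {"client": name, "time": now})
    tgs = unseal(tgt_session, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), authenticator, service, now))
    return bytes.fromhex(tgs["ticket"]), bytes.fromhex(tgs["session"])


def service_accept(service_key, ticket, authenticator, now=None):
    """AP-REQ: the service validates the caller using only its own long-term key."""
    now = time.time() if now is None else now
    t = unseal(service_key, ticket)
    if t["expires"] < now:
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse", "fileserver$": "svc-long-random-pw"})
    ticket, skey = client_login(kdc, "alice", "correct horse", "fileserver$")
    auth = seal(skey, {"client": "alice", "time": time.time()})
    print("service accepted:", service_accept(kdc.keys["fileserver$"], ticket, auth))
```

Note what each party can and cannot read: the client never sees the krbtgt key or the service key, the service never sees the client's key, and the only secrets whose compromise lets a third party produce acceptable tickets are the service key (tickets for that service) and the krbtgt key (TGTs for anyone).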
NTLM
● Authenticate only with centralized Domain Controller
● Challenge-response
○ Don’t send cleartext credentials over the wire
● You end up with an “NTLM hash”, which is used to authenticate with other objects
in Active Directory
● Provides single sign-on
● But those hashes are stored locally on machines that use them, which leaves you vulnerable to “Pass the Hash” attacks
○ Which is fine! Just don’t let your users have local admin rights, and they won’t be able to look at them!
○ “Stupid users” can’t escalate privileges, right?
Attacking Domains
Domain-Related Exploits
● MS14-068
○ Privilege escalation from domain user to domain admin
○ “Hey Mr. KDC, I’m a domain admin, trust me!”
○ “Hey Mr. Flight Steward, I’m the pilot, trust me!”
○ Patched with KB3011780
Domain-Related Exploits
● Group Policy Preferences & Decrypting Passwords in SYSVOL
○ The problem: updating local administrator passwords en masse
○ Just use that handy dandy group policy stuff, right?
○ Group policy stuff is stored in the “SYSVOL” shared directory
■ Readable by everyone; it’s for deploying GPOs
■ Bad sysadmins may end up putting cleartext local admin credentials there
Domain-Related Exploits
● Well that’s no good. Microsoft’s solution? Group Policy Preferences (GPP)
○ We’ll AES-256 bit encrypt those passwords for you!
○ ...With this private key!
https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
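The defender's check for this slide is to find every preference item in SYSVOL that still carries a stored password. The following is an added example (not from the slides and not a Microsoft tool): it scans Group Policy Preference XML for non-empty cpassword attributes and reports the file and the account each belongs to. The XML documents are constructed samples shaped like the Groups.xml and ScheduledTasks.xml files GPP writes under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences; the GUIDs, account names and ciphertext values are placeholders. It deliberately does not decrypt anything, since the remediation is to delete the preference item and rotate the password, not to recover it.

```python
"""Added example: audit Group Policy Preference XML for stored (cpassword) credentials."""
import xml.etree.ElementTree as ET

# Constructed samples keyed by path relative to the Policies folder in SYSVOL.
SAMPLE_FILES = {
    # A local-admin password deployed through a Groups preference item.
    r"{HYPOTHETICAL-GUID-1}\Machine\Preferences\Groups\Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)"
      cpassword="CONSTRUCTED-CIPHERTEXT-NOT-A-REAL-VALUE" changeLogon="0" noChange="1"/>
  </User>
</Groups>""",
    # Same kind of item, but no password was stored: must not be reported.
    r"{HYPOTHETICAL-GUID-2}\Machine\Preferences\Groups\Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="helpdesk">
    <Properties action="C" userName="helpdesk" cpassword=""/>
  </User>
</Groups>""",
    # A scheduled task configured to run as a domain account with a stored password.
    r"{HYPOTHETICAL-GUID-3}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Backup">
    <Properties action="C" runAs="CORP\\svc_backup" cpassword="CONSTRUCTED-CIPHERTEXT-2"/>
  </Task>
</ScheduledTasks>""",
}


def find_stored_credentials(xml_text):
    """Return (item tag, account) for every Properties element with a non-empty cpassword."""
    hits = []
    root = ET.fromstring(xml_text)
    for item in root.iter():
        for props in item.findall("Properties"):
            if props.get("cpassword"):  # absent or empty attribute means nothing stored
                account = (props.get("userName") or props.get("runAs")
                           or props.get("accountName") or item.get("name", "?"))
                hits.append((item.tag, account))
    return hits


def audit_sysvol(files):
    """files: mapping of relative path -> XML text (in practice read from the SYSVOL share).

    Returns only the files that contain at least one stored credential, or that
    could not be parsed (those need a manual look rather than a silent skip)."""
    report = {}
    for path, text in files.items():
        try:
            hits = find_stored_credentials(text)
        except ET.ParseError as exc:
            hits = [("PARSE-ERROR", str(exc))]
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in audit_sysvol(SAMPLE_FILES).items():
        for tag, account in hits:
            print(f"{path}: {tag} item stores a password for {account}")
```

Run against a real SYSVOL by walking the Policies folder, reading each Preferences\*\*.xml file into the mapping; any hit means the password is recoverable by every domain user who can read SYSVOL and should be treated as already exposed.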
The Harder Stuff
● Go for the low-hanging fruit, when you can.
● Slightly more complicated attacks
○ Pass the Hash (NTLM)
○ Pass the Ticket (Kerberos)
Pass the Hash
● As mentioned before, NTLM hashes are stored locally, and are used to authenticate with other parts of the network
● So if you have local admin privileges, you can grab the NTLM hashes of anyone who has logged onto that machine
● Send it to other machines and you gucci
● Demo
Pass the Ticket
● Similar idea. Grab tickets/hashes stored locally.
○ But knowing Kerberos, that doesn’t get you as far
● Silver Tickets - Forged TGSs
○ Requires target service’s hash; potential for escalation
■ People give services more privileges than they ought to
● Golden Tickets - Forged TGTs
○ Requires the KDC’s hash; really more of a persistence thing
● Kerberoast - cracking tickets to get credentials
○ Decent option if you have a gucci password cracking rig
Defenses
● Patch those exploits
○ Don’t leave the low hanging fruit
● Harden, harden, harden.
○ Users, groups, GPOs, etc
○ Strong passwords!
● Future technologies
○ Windows Advanced Threat Protection
■ Machine learning to detect anomalous behavior
■ Gee, why is my webserver logging into the DC? Hmmm.
■ Restricting tools (cough, powershell) that mimikatz and other tools use
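The "why is my webserver logging into the DC?" question does not need machine learning to get started. As an added example (not from the slides, and not how Windows Advanced Threat Protection works internally), here are three plain rules over Windows 4624 (successful logon) events: a privileged account reaching a domain controller from outside the admin-workstation baseline, a logon whose type 9 / seclogo / Negotiate shape is the one pass-the-hash tooling such as Mimikatz is widely documented to leave behind, and one account fanning out across several hosts inside a short window. The events, baseline, host names and account names are constructed; the field names are those of the real 4624 event, but real events carry more fields than shown.

```python
"""Added example: three simple detections over constructed Windows 4624 logon events."""
from collections import defaultdict

# Constructed baseline (hypothetical names): privileged accounts are expected to reach
# the domain controllers only from the dedicated admin workstations.
PRIVILEGED_ACCOUNTS = {"CORP\\da_alice", "CORP\\da_bob"}
ADMIN_WORKSTATIONS = {"10.10.0.11", "10.10.0.12"}
DOMAIN_CONTROLLERS = {"DC01.corp.local"}

# Constructed sample of 4624 events (only the fields the rules need).
EVENTS = [
    {"ts": 1, "Computer": "DC01.corp.local", "TargetUserName": "CORP\\da_alice", "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.0.11"},
    # the same admin account reaching the DC from the web server's address
    {"ts": 2, "Computer": "DC01.corp.local", "TargetUserName": "CORP\\da_alice", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM", "IpAddress": "10.20.0.80"},
    # on the web server itself: logon type 9 + seclogo + Negotiate, the shape that
    # pass-the-hash tooling is documented to leave in the event log
    {"ts": 3, "Computer": "WEB01.corp.local", "TargetUserName": "CORP\\da_alice", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate", "IpAddress": "::1"},
    # ordinary user from an ordinary workstation: must stay quiet
    {"ts": 4, "Computer": "DC01.corp.local", "TargetUserName": "CORP\\jdoe", "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.30.0.55"},
    # one service account logging on to three different servers within a minute
    {"ts": 10, "Computer": "WEB01.corp.local", "TargetUserName": "CORP\\svc_backup", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM", "IpAddress": "10.20.0.80"},
    {"ts": 11, "Computer": "FS01.corp.local", "TargetUserName": "CORP\\svc_backup", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM", "IpAddress": "10.20.0.80"},
    {"ts": 12, "Computer": "DB01.corp.local", "TargetUserName": "CORP\\svc_backup", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM", "IpAddress": "10.20.0.80"},
]


def detect(events, spread_threshold=3, window=60):
    """Return a list of (rule, account, detail) alerts for the given 4624 events."""
    alerts = []
    history = defaultdict(list)  # account -> [(ts, host)]
    spread_alerted = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        acct, ip, host = e["TargetUserName"], e["IpAddress"], e["Computer"]
        # Rule 1: privileged account on a DC from a source outside the admin baseline.
        if host in DOMAIN_CONTROLLERS and acct in PRIVILEGED_ACCOUNTS and ip not in ADMIN_WORKSTATIONS:
            alerts.append(("priv-logon-to-dc-from-unexpected-source", acct, ip))
        # Rule 2: heuristic for credentials injected into a fresh logon session.
        if (e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo"
                and e["AuthenticationPackageName"] == "Negotiate"):
            alerts.append(("pass-the-hash-logon-shape", acct, host))
        # Rule 3: one account fanning out across many hosts inside the window (fires once).
        history[acct].append((e["ts"], host))
        recent_hosts = {h for t, h in history[acct] if e["ts"] - t <= window}
        if len(recent_hosts) >= spread_threshold and acct not in spread_alerted:
            spread_alerted.add(acct)
            alerts.append(("account-spreading-across-hosts", acct, len(recent_hosts)))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(EVENTS):
        print(f"{rule}: {account} ({detail})")
```

Rule 1 is the one that answers the slide's question, and it only works if a baseline of which accounts should log on from where exists in the first place, which is the "harden users, groups, GPOs" item on this slide expressed as data.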

Weitere Àhnliche Inhalte

Was ist angesagt?

Encode x Tezos: Intro to Blockchain
Encode x Tezos: Intro to BlockchainEncode x Tezos: Intro to Blockchain
Encode x Tezos: Intro to BlockchainTinaBregovi
 
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Svetlin Nakov
 
Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019
Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019
Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019SURFevents
 
On Private Blockchains, Technically
On Private Blockchains, TechnicallyOn Private Blockchains, Technically
On Private Blockchains, TechnicallyAlex Chepurnoy
 
Consensus Algorithms - Nakov @ jProfessionals - Jan 2018
Consensus Algorithms - Nakov @ jProfessionals - Jan 2018Consensus Algorithms - Nakov @ jProfessionals - Jan 2018
Consensus Algorithms - Nakov @ jProfessionals - Jan 2018Svetlin Nakov
 
Design of Secure Hash Algorithm(SHA)
Design of Secure Hash Algorithm(SHA)Design of Secure Hash Algorithm(SHA)
Design of Secure Hash Algorithm(SHA)Saravanan T.M
 
Encode: Intro to Tezos
Encode: Intro to TezosEncode: Intro to Tezos
Encode: Intro to TezosTinaBregovi
 
Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)
Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)
Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)Svetlin Nakov
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
The Ethereum Geth Client
The Ethereum Geth ClientThe Ethereum Geth Client
The Ethereum Geth ClientArnold Pham
 
Meta X Blockchain Bootcamp
Meta X Blockchain BootcampMeta X Blockchain Bootcamp
Meta X Blockchain BootcampMetaX
 
Windows Server2008 Overview
Windows Server2008 OverviewWindows Server2008 Overview
Windows Server2008 OverviewZernike College
 
Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)
Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)
Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)Svetlin Nakov
 
Log Management: AtlSecCon2015
Log Management: AtlSecCon2015Log Management: AtlSecCon2015
Log Management: AtlSecCon2015cameronevans
 
What is tezos
What is tezos What is tezos
What is tezos zaarahary
 
Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)
Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)
Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)Svetlin Nakov
 

Was ist angesagt? (19)

Encode x Tezos: Intro to Blockchain
Encode x Tezos: Intro to BlockchainEncode x Tezos: Intro to Blockchain
Encode x Tezos: Intro to Blockchain
 
Ethereum overview
Ethereum overviewEthereum overview
Ethereum overview
 
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
 
Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019
Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019
Valuable transfer nodes for research - Joseph Hill (UvA) - Netwerkdag 2019
 
On Private Blockchains, Technically
On Private Blockchains, TechnicallyOn Private Blockchains, Technically
On Private Blockchains, Technically
 
Consensus Algorithms - Nakov @ jProfessionals - Jan 2018
Consensus Algorithms - Nakov @ jProfessionals - Jan 2018Consensus Algorithms - Nakov @ jProfessionals - Jan 2018
Consensus Algorithms - Nakov @ jProfessionals - Jan 2018
 
Design of Secure Hash Algorithm(SHA)
Design of Secure Hash Algorithm(SHA)Design of Secure Hash Algorithm(SHA)
Design of Secure Hash Algorithm(SHA)
 
Blockchain
BlockchainBlockchain
Blockchain
 
Encode: Intro to Tezos
Encode: Intro to TezosEncode: Intro to Tezos
Encode: Intro to Tezos
 
Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)
Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)
Client-Side Wallets in DApps - Nakov @ BlockWorld 2018 (San Jose)
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
The Ethereum Geth Client
The Ethereum Geth ClientThe Ethereum Geth Client
The Ethereum Geth Client
 
Meta X Blockchain Bootcamp
Meta X Blockchain BootcampMeta X Blockchain Bootcamp
Meta X Blockchain Bootcamp
 
Windows Server2008 Overview
Windows Server2008 OverviewWindows Server2008 Overview
Windows Server2008 Overview
 
Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)
Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)
Crypto Wallets: A Technical Perspective (Nakov at OpenFest 2018)
 
Log Management: AtlSecCon2015
Log Management: AtlSecCon2015Log Management: AtlSecCon2015
Log Management: AtlSecCon2015
 
What is tezos
What is tezos What is tezos
What is tezos
 
Programming Decentralized Application
Programming Decentralized ApplicationProgramming Decentralized Application
Programming Decentralized Application
 
Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)
Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)
Consensus Algorithms - Nakov at CryptoBlockCon - Las Vegas (2018)
 

Ähnlich wie Introduction to Domains and Hacking

UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloYossi Sassi
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSCody Thomas
 
Cyber security workshop talk.pptx
Cyber security workshop talk.pptxCyber security workshop talk.pptx
Cyber security workshop talk.pptxkamalakantas
 
Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]
Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]
Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]RootedCON
 
Null talk
Null talkNull talk
Null talkAgam Jain
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Lotus Admin Training Part I
Lotus Admin Training Part ILotus Admin Training Part I
Lotus Admin Training Part ISanjaya K Saxena
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...David Timothy Strauss
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 

Ähnlich wie Introduction to Domains and Hacking (20)

Windows Domains Part 2
Windows Domains Part 2Windows Domains Part 2
Windows Domains Part 2
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
Cyber security workshop talk.pptx
Cyber security workshop talk.pptxCyber security workshop talk.pptx
Cyber security workshop talk.pptx
 
Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]
Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]
Carlos GarcĂ­a - Pentesting Active Directory [rooted2018]
 
Null talk
Null talkNull talk
Null talk
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Lotus Admin Training Part I
Lotus Admin Training Part ILotus Admin Training Part I
Lotus Admin Training Part I
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 
Cryptography
CryptographyCryptography
Cryptography
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 

Mehr von UTD Computer Security Group

22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)UTD Computer Security Group
 

Mehr von UTD Computer Security Group (20)

Py jail talk
Py jail talkPy jail talk
Py jail talk
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
Cloud talk
Cloud talkCloud talk
Cloud talk
 
Forensics audio and video
Forensics   audio and videoForensics   audio and video
Forensics audio and video
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network security
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Powershell crash course
Powershell crash coursePowershell crash course
Powershell crash course
 
Intro to cybersecurity
Intro to cybersecurityIntro to cybersecurity
Intro to cybersecurity
 
Intro to Bash
Intro to BashIntro to Bash
Intro to Bash
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network Exploitation
 
Penetration Testing: Celestial
Penetration Testing: CelestialPenetration Testing: Celestial
Penetration Testing: Celestial
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Cryptography Crash Course
Cryptography Crash CourseCryptography Crash Course
Cryptography Crash Course
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
 

KĂŒrzlich hochgeladen

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

KĂŒrzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Introduction to Domains and Hacking

  • 2. Get in touch with us
     Mailing List - Sign in and check “Add to Mailing List”
     Website - csg.utdallas.edu
     Slack - #csg on ecsutd.slack.com
     Email - utdcsg@gmail.com
  • 3. Announcements
     Lab Hangouts - ECSS 4.619 - Every Thursday at 4 PM
     State Farm CTF Sign Up - March 5th - 12th
  • 4. Introduction to Domains and Hacking
     1. Intro to domains (w/ focus on Windows)
        a. The problem: complex network, lots of services, securing credentials on every node
        b. The solution: centralized access control system
        c. AD: LDAP, Kerberos, NTLM
        d. Visualizing architecture
        e. Other handy AD features
           i. OUs, GPOs, other things to make sysadmin lives easier
     2. Attacking domains
        a. Methods
           i. Pass the hash/ticket
           ii. Exploits
        b. Tools
           i. Mimikatz
           ii. Kerberoast
     3. Defending against these attacks
        a. Harden privileged groups, users, GPOs, etc
        b. Patch those exploits
        c. Future technologies
  • 5. Why do domains exist?
     Because we said so
     For most organizations, there are too many services and users accessing those services to manually configure everything
     Necessary to have centralized control of all components
     ● Format user groups and system organization in a way that mimics real-life layout
     That’s where domains come in
  • 6. Domains and their contents
     Domain controllers - where admins can control/regulate domain functionality
     DNS - used to locate domain controllers and other systems within the domain
     User authentication - using Kerberos, NTLM
     Sometimes includes managing systems like:
     ● Mail (Outlook through Windows AD)
     ● File servers (SMB)
     ● Printers
  • 7. Active Directory
     Windows domain solution
     Essential tools/protocols:
     ● LDAP (Lightweight Directory Access Protocol)
     ● Kerberos - User/service authentication
     ● NTLM (NT LAN Manager) - Secondary user authentication, usually
  • 8. LDAP
     ● Open application protocol for accessing and maintaining distributed directory information services over a network
        ○ If you are looking for a particular service or user, quick lookup through LDAP (granted that you have the correct permissions)
     ● Allowed operations:
        ○ Search — search for and/or retrieve directory entries
        ○ Compare — test if a named entry contains a given attribute value
        ○ Add a new entry
        ○ Delete an entry
        ○ Modify an entry
  • 9. LDAP - Add
     dn: uid=johnnyboy,ou=Hackers,dc=example,dc=local
     changetype: add
     objectClass: top
     objectClass: person
     objectClass: organizationalPerson
     objectClass: inetOrgPerson
     uid: johnnyboy
     cn: leetHacker
     # sn is mandatory for the person object class; without it the add is rejected
     sn: leetHacker
  • 10. OU vs Active Directory Groups
     ● Groups: less restrictive with regards to permissions; especially useful for regulating access to resources
        ○ Ex) Administrator group could include users with administrative authority from a variety of organizations within the company (Marketing, Finance, IT, etc)
        ○ Give Administrators the ability to access database A
     ● Organizational Units are typically used for more intricate permissions
        ○ Map group policy settings to a subset of users/groups/systems
        ○ Possible to have an OU that contains only a subset of the users in an Active Directory group
        ○ Ex) To allow a marketing manager to reset passwords for other marketing employees, delegate administration privs for the Marketing OU to that specific user
  • 11. Kerberos
     Created by MIT in the late 1980s
     Kerberos is a network authentication protocol that uses the concept of tickets to authenticate users to services AND services to users
     Tickets - special messages encrypted with keys generated from the keys shared by client/ticket-granting server and by client/service server
  • 13. NTLM
     ● Authenticate only with centralized Domain Controller
     ● Challenge-response
        ○ Don’t send cleartext credentials over the wire
     ● You end up with an “NTLM hash”, which is used to authenticate with other objects in Active Directory
     ● Provides single sign-on
     ● But those hashes are stored locally on machines that use them, which leaves you vulnerable to “Pass the Hash” attacks
        ○ Which is fine! Just don’t let your users have local admin rights, and they won’t be able to look at them!
        ○ “Stupid users” can’t escalate privileges, right?
  • 15. Domain-Related Exploits
     ● MS14-068
        ○ Privilege escalation from domain user to domain admin
        ○ “Hey Mr. KDC, I’m a domain admin, trust me!”
        ○ “Hey Mr. Flight Steward, I’m the pilot, trust me!”
        ○ Patched with KB3011780
  • 16. Domain-Related Exploits
     ● Group Policy Preferences & Decrypting Passwords in SYSVOL
        ○ The problem: updating local administrator passwords en masse
        ○ Just use that handy dandy group policy stuff, right?
        ○ Group policy stuff is stored in the “SYSVOL” shared directory
           ■ Readable by everyone; it’s for deploying GPOs
           ■ Bad sysadmins may end up putting cleartext local admin credentials there
  • 17. Domain-Related Exploits
     ● Well that’s no good. Microsoft’s solution? Group Policy Preferences (GPP)
        ○ We’ll AES-256 bit encrypt those passwords for you!
        ○ ...With this private key! https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
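A defender's check for the SYSVOL problem on the two slides above, added here and not part of the slides: it walks a copy of SYSVOL and reports every Group Policy Preference file that still carries a cpassword attribute, so the stored local-admin credentials can be removed and the accounts rotated. It never decrypts anything. The GPP file names and account attributes are the ones GPP uses; the sample tree, domain name and GPO GUID are constructed.

```python
"""Audit a SYSVOL copy for Group Policy Preference files that carry cpassword values."""
import os
import tempfile
import xml.etree.ElementTree as ET
# GPP item files that can embed credentials (matched case-insensitively); the
# attribute naming the account differs per item type (Users, Services, Scheduled Tasks)
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpasswords(sysvol_root):
    """Return (relative path, element tag, account, has_value) per cpassword found."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # an unparseable preference file deserves a manual look
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)),
                               "<unknown>")
                findings.append((os.path.relpath(path, sysvol_root), elem.tag,
                                 account, bool(elem.get("cpassword"))))
    return findings

# Constructed sample: a Groups.xml with a stored credential and a Drives.xml without one
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="LocalAdmin">
  <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
</User></Groups>"""
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:"><Properties action="U" path="\\\\FS01\\home"/></Drive></Drives>"""

def build_sample_sysvol():
    """Create a throwaway SYSVOL-like tree (constructed GPO GUID) and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    prefs = os.path.join(root, "example.local", "Policies", "{CONSTRUCTED-GPO-GUID}",
                         "Machine", "Preferences")
    for sub, fname, body in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                             ("Drives", "Drives.xml", SAMPLE_DRIVES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point it at a mounted or copied SYSVOL share instead of the constructed tree; any finding with has_value True is a credential to remove and rotate.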
  • 18. The Harder Stuff
     ● Go for the low-hanging fruit, when you can.
     ● Slightly more complicated attacks
        ○ Pass the Hash (NTLM)
        ○ Pass the Ticket (Kerberos)
  • 19. Pass the Hash
     ● As mentioned before, NTLM hashes are stored locally, and are used to authenticate with other parts of the network
     ● So if you have local admin privileges, you can grab the NTLM hashes of anyone who has logged onto that machine
     ● Send it to other machines and you gucci
     ● Demo
  • 20. Pass the Ticket
     ● Similar idea. Grab tickets/hashes stored locally.
        ○ But knowing Kerberos, that doesn’t get you as far
     ● Silver Tickets - Forged TGSs
        ○ Requires target service’s hash; potential for escalation
           ■ People give services more privileges than they ought to
     ● Golden Tickets - Forged TGTs
        ○ Requires the KDC’s hash; really more of a persistence thing
     ● Kerberoast - cracking tickets to get credentials
        ○ Decent option if you have a gucci password cracking rig
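Kerberoast leaves a footprint on the domain controller: the requester has to ask the KDC for a service ticket per target, and the crackable ones are RC4 (TicketEncryptionType 0x17) in Security event 4769. The detector below is an added example, not from the slides; it flags an account that requests RC4 tickets for several distinct services inside a short window. The event records, users, hosts and service names are constructed.

```python
"""Flag Kerberoasting-style bursts of RC4 service-ticket requests in Security event 4769."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType 0x17: RC4 tickets are the ones cracked offline

def detect_kerberoast(events, min_services=3, window=timedelta(minutes=5)):
    """Return {account: sorted service list} for accounts that requested RC4 tickets for
    at least min_services distinct services inside one sliding window. krbtgt requests
    (TGT renewals) are ignored; tune min_services/window to the environment's baseline."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        if ev["ServiceName"].lower().startswith("krbtgt"):
            continue
        by_account[ev["TargetUserName"]].append((ev["TimeCreated"], ev["ServiceName"]))
    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _svc) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                alerts[account] = sorted(in_window)
                break
    return alerts

def _ev(ts, user, service, etype, ip):
    """Build one constructed 4769 record with the fields a 4769 event carries."""
    return {"EventID": 4769, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample log: constructed users, hosts and service names
SAMPLE_EVENTS = [
    # alice: one AES256 (0x12) ticket for a file server, ordinary activity
    _ev("2018-03-07T09:00:00", "alice@EXAMPLE.LOCAL", "FS01$", "0x12", "10.0.0.21"),
    # bob: RC4 tickets for several service accounts within seconds, then a TGT renewal
    _ev("2018-03-07T09:01:00", "bob@EXAMPLE.LOCAL", "svc_sql", "0x17", "10.0.0.55"),
    _ev("2018-03-07T09:01:05", "bob@EXAMPLE.LOCAL", "svc_web", "0x17", "10.0.0.55"),
    _ev("2018-03-07T09:01:09", "bob@EXAMPLE.LOCAL", "svc_backup", "0x17", "10.0.0.55"),
    _ev("2018-03-07T09:01:12", "bob@EXAMPLE.LOCAL", "krbtgt", "0x17", "10.0.0.55"),
    # carol: the same three RC4 tickets spread across a workday, below the burst threshold
    _ev("2018-03-07T08:00:00", "carol@EXAMPLE.LOCAL", "svc_sql", "0x17", "10.0.0.70"),
    _ev("2018-03-07T12:00:00", "carol@EXAMPLE.LOCAL", "svc_web", "0x17", "10.0.0.70"),
    _ev("2018-03-07T16:00:00", "carol@EXAMPLE.LOCAL", "svc_backup", "0x17", "10.0.0.70"),
]
```

The same 4769 stream is also where "AES only" service accounts pay off: once a service account has no RC4 key, any RC4 request for it fails and stands out on its own.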
  • 21. Defenses
     ● Patch those exploits
        ○ Don’t leave the low hanging fruit
     ● Harden, harden, harden.
        ○ Users, groups, GPOs, etc
        ○ Strong passwords!
     ● Future technologies
        ○ Windows Advanced Threat Protection
           ■ Machine learning to detect anomalous behavior
           ■ Gee, why is my webserver logging into the DC? Hmmm.
           ■ Restricting tools (cough, PowerShell) that mimikatz and other tools use