So You Think Your Domain Controller is Secure
Formal Metadata
Title: So You Think Your Domain Controller is Secure
Number of Parts: 112
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/38942 (DOI)
Transcript: English(auto-generated)
00:00
I'm Justin and I'm going to be going over AD and how you can own it using management software. So introduction, it's going to ‑‑ pretty much it's going to go over isolation and how you need to isolate AD from everything else and the management that ‑‑ the management environment of AD and how it's handled.
00:23
And so I'm specifically going to be looking at SCOM, HP iLO and Hyper-V and how they can be used to own AD, essentially. And there are no vulnerabilities, we're just going to look at how it's abused if they're not managed right and not configured properly.
00:42
So the software used to manage the domain controllers is often overlooked and as you go, it handles all the Windows auth and it handles all the hashes, which if you're after an environment, you want to get all the hashes because once you get all the hashes, you can own any box in the domain and so, yeah.
01:02
It's the crown jewels of the environments and recommendations usually look at ID seg and so they only look at Active Directory and the OS level ID seg and they don't look at everything that interacts with Active Directory. And so background, I'm going to go over SCOM, which is used for monitoring and of course
01:25
if it's a high‑valued asset, you want to monitor it, right, and so you're going to use some sort of monitoring and in this instance, we're going to look at SCOM. There's a SCOM security guide that is available on the Internet, it's really long, nobody probably read it, they probably just hit next, next, next and there's also out of band
01:43
management devices, so which is network level network devices that allow out of band management, so if the machine is off, then you can restart it up, it's used for imaging, et cetera and so we're going to look at HP iLO in this instance and then Hyper‑V as well,
02:04
so if you host which Hyper‑V is a virtualization and so if you host AD on a Hyper‑V host, then you also need to look at the Hyper‑V host and there's warnings online about it, but it's often overlooked and everybody ignores the host and only looks at the OS
02:22
level, you know, ID seg, right? And so first we'll look at SCOM and it's used for monitoring and alerting of health and the SCOM SDK service is what it uses to interact with the agents and everything and it's opened up on 5723 and 5724 is what it uses and these are required ‑‑ these need to be open if you want to access the
02:46
SCOM management, like if you actually want to look at the alerts and everything, these have to be open and so oftentimes organizations have these open in the firewall in order to look at alerts and everything out of the environment because they want to act upon them, right? And then Nmap, for instance, won't scan for these, so if
03:03
you use Nmap, then you'll need to add these to the list and you'll see why in a minute. And the SCOM agent as well, which runs on every managed ‑‑ every monitored machine, it runs as local system and so it's great because, you know, it's admin access.
03:21
So if you ‑‑ you'll see in a minute. So abusing the functionality of SCOM. So SCOM has this beautiful feature called tasks and they let you run arbitrary VBScript on every monitored machine and so obviously if you can own the SCOM app or the machine, then you can run arbitrary script as local system on every managed machine.
03:46
And see ‑‑ and then you have to be a member of the SCOM Administrators or Authors role, which are application level roles within SCOM, and you're able to then run these, obviously. And so if you have a SCOM instance, then you
04:02
need to have another instance that only monitors AD and then one instance that monitors everything else, so obviously they need to be isolated. That's the whole goal here. So here's an overview of the architecture, which was on MSDN or one ‑‑ but anyway, so it uses the SDK, which then executes on the root management server and then that
04:24
runs the script on the agent‑managed machines and it usually runs as whatever the agent is running as and by default it runs as local system, which I already mentioned. And so they have an operations manager console as well and that uses the SDK as well.
04:41
But you can also use their libraries that they have as well. And so here's just a screenshot of the installation and as you can see, by default it runs as local system. And there's many warnings out there on the Internet that it can be very dangerous and it's bad, but nobody reads them, of course, so we're going to abuse it. So demo time. Hopefully this is showing here.
05:12
So we've got a few demos ‑‑ okay, not demo time. The demo gods are not with
06:10
me today. All right. There we go. We have something. It's only on that screen, so I've got to look down. All right. Well ‑‑ okay. Cool.
06:27
All right. So pretty much here's the SCOM Operations Manager, so we're going to use it to auth using a low privileged account and that's in the SCOM Administrators role because that's the way it was added and that's usually how it's added.
06:40
And so the SCOM console lists all monitored machines. In this example, one machine is a domain controller. Our new SCOM ‑‑ what we're going to execute is going to execute a reverse HTTPS shell and the VBScript is written out to hard disk and then executed in the SCOM task. So as you can see there, we're just running arbitrary PowerShell and
07:04
then running the script that's going to start our reverse shell. So we'll copy that, create a new SCOM task under the authoring. And so next we'll just call it Meterpreter and you can hide the name if you're, you know, going to be sneaky. And then we want
07:22
to run it on all Windows computers and so increase the timeout value to half an hour, that way we have plenty to migrate into another process and then ‑‑ so we ran this SCOM SD, so the actual user who's executing that has access into this, it only
07:45
has access on the SCOM machine and so obviously it's not an admin on an AD. And then so we're going to run the task. So we ran them against each of the machines. One's a domain controller and you see we got the shells back. And so it runs as local system and
08:07
so we're just going to open a session on the domain controller. We get the ‑‑ yeah, we migrate, yeah. We're not migrating yet. So yeah, it runs as local system by default
08:27
and then we're just going to list the processes, migrate it into spooler because after half an hour it will end because that's what we have our execution as. So you want to hurry up and migrate and then ‑‑ and migrate processes, empty the hashes,
08:51
end of story. There we go. There you go. There's the hashes and now we've owned that
09:01
domain. And then you can also do it ‑‑ you can also write arbitrary EXEs. You can also write a reverse shell in VBScript as well which works. There's ‑‑ and
09:24
so I'll skip ahead to ‑‑ well, I also mentioned here so here's the SCOM administrators and as you see there's the SCOM SDK users that is admins in the SCOM app and not in AD obviously. And so if you're an admin in the SCOM app then you're essentially an
09:46
admin on the DC. So we just create another one here and it's pretty much the same thing. I'll skip through it. Except it's writing out an arbitrary EXE and then executing
10:05
it and it runs it. And you can run this across however many machines there are. So it will spin up an instance on every agent or in every agent. And then it just runs
10:29
and empties the hashes out. And one last example here that I had was the SCOM ‑‑ so port 5724 is used by the SCOM SDK and the Operations Manager uses
10:54
5723 and so if that's not open but 5724 is open then you can still use the SDK
11:01
libraries that they have and you can execute everything using that as well. You just have to implement it on your own. And so in this example we're going to import a new management pack and it's just going to run arbitrary commands and this is just a little app that I wrote that uses the SDK. Really shitty app but it works. And so it imports the management
11:27
and then you'll just see you kind of have an interactive ‑‑ you know, you can execute whatever you want against it. And so just another example.
11:46
So recommendations ‑‑ let me switch this back. Okay. I'll just move on. So recommendations
12:02
is that the SCOM servers used to monitor AD need to be isolated and not to allow SCOM SDK ports open. So if they are, they need to be closed off. SCOM administrators and authors should be limited to only the admins obviously. So you'll need another instance that only monitors AD. Move engineers and everybody else into the read‑only or operator
12:24
roles and that won't allow them to execute new agent ‑‑ and also to reduce the agent as well. So it doesn't need to run as local system. And there's an official security guide too that you can read. My bad. All right. So for evasion, so SCOM tasks
13:04
all need to be audited obviously. That way if there's any hidden task in there, they need to be audited. So it also has the execution logs in SCOM and by default it's one week, but you can edit that, which is really good if you want to increase it
13:22
or if you're the bad guy and you want to remove the execution logs, you can also edit it. And then it also logs every auth in the Operations Manager event log. And so here's just a screenshot of the history. And so you can obviously edit it to be zero days and then nobody will know what ran or you can edit it for one month if you want
13:43
to. All right. So next we're going to go over out‑of‑band management devices. And every machine usually has out‑of‑band management hardware used for monitoring and maintenance and so it's used for imaging, for restarting, if you run out of hard disk space, et cetera, et cetera. It's for emergencies essentially.
14:02
And so the admin interface is usually accessed over ‑‑ or it's over SSH or IPMI, HTTPS as well and it's equivalent to actually having the actual box like in your office in your hands, right? So ‑‑ and many of them that will all except for HP have really
14:23
shitty default passwords and so most of the time organizations might not update those and so you can use that as access. And there's also about a month ago Rapid7 released some really nice remote root exploits that allow ‑‑ that allow admin access
14:40
without auth and so that's really useful now as well. So ‑‑ and they're often hard to update because you have to ‑‑ it's usually very manual and so organizations might not update. And there's ‑‑ here's an example of HP iLO, they have an override switch that is actually on the actual machine and if
15:04
it's ‑‑ if it's enabled, then it ‑‑ then you don't have to auth at all. So it's, you know, it's awesome if you're after that machine. So here's a list of common user names and iLO is the only one that's actually updated and all the rest of.
15:27
So one more demo of ‑‑ the mouse isn't coming over. Give me one second. It's
16:46
HP iLO here and what's going to happen is we're going to mount an ISO and we're going to start into Knoppix and then do sticky keys and that's pretty much it. So you mount
17:03
the ISO in the HP iLO integrated remote. Oops. Let me skip back here. All right. So we mount the ISO here within the admin interface. We start the machine up and rather
17:26
than making you watch it start up, I'll skip ahead here. So it starts into Knoppix and we sticky key the box, that way we can get access. So we're just going to replace the
17:45
sethc.exe with cmd.exe and that's just one way of ‑‑ easy way to get access if you actually have access to the box. So we'll rename it cmd.exe. Then override it.
18:34
Restart the box. So we unmount the ISO, restart it back up, hit the shift key five
18:44
times and there you go. So obviously you guys know how it works. So we hit the shift key five times and then we got a shell as SYSTEM. Sorry. It's nothing new. And
19:02
then here you can just add another user or whatever you want, right? Empty the hashes, et cetera, et cetera. So we just add a user and then we get access to the box. Sticky keys all ‑‑ no. All right. We'll move on here and run out of time.
19:33
Okay. So recommendations, update the default password. It should always be updated obviously. Have regular patching for the out‑of‑band devices. Monitor audit logs for unauthorized
19:44
access. Configure two‑factor auth if you're able to. And you should also have another management environment for all these out‑of‑band devices. And there's an article online as
20:01
well that you can read that helps with that. And so next we'll go over Hyper‑V and it's just virtualization software that hosts virtual machines. Administrator on the host has admin rights on all the VMs that it hosts obviously. So here's another example where you can also start into a live disk and steal the VHD file or either‑or, I guess.
20:24
And so here's just how you mount an ISO and then once you're in it, you can steal the NTDS and so ‑‑ and then you have all of Active Directory and you can extract the hashes offline essentially. And so all they'll know is that the machine unexpectedly
20:43
restarted obviously unless they look at the host audit logs, but ‑‑ so recommendations, the Hyper‑V host, they need to be isolated with AD exactly like everything else and the admins on it should only be admins. So it's easy principle. And also you need
21:04
to protect the ‑‑ protect the VHD files as well. And so ‑‑ so, yeah, only admin should have access to those. And it should also be another management network if available and there's another article. And then lastly vulnerability scanners
21:23
as well. Organizations usually do auth scanning and so those are ‑‑ and those usually have admin rights on every box and so if you're scanning your domain controller with domain admin creds, the Nessus box or the Qualys box or whatever you're using should be treated as a domain controller. I mean, it's ‑‑ and so, yeah, you can obviously
21:48
if you own one of those, then you own AD as well if there isn't isolation. So conclusion is everything that interacts with AD needs to be looked at. So management
22:02
stuff also has to be properly secured. And so that's about it. And here's my ‑‑ here's my information and I'll have everything up online next week.