
So You Think Your Domain Controller is Secure


Formal Metadata

Title: So You Think Your Domain Controller is Secure
Number of Parts: 112
Author: Justin Hendricks
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: Domain Controllers are the crown jewels of an organization. Once they fall, everything in the domain falls. Organizations go to great lengths to secure their domain controllers; however, they often fail to properly secure the software used to manage these servers. This presentation will cover unconventional methods for gaining domain admin by abusing commonly used management software that organizations deploy and use. Justin Hendricks works on the Office 365 security team, where he is involved in red teaming, penetration testing, security research, code review and tool development.
Transcript: English (auto-generated)
I'm Justin, and I'm going to be going over AD and how you can own it using management software. So, introduction: it's pretty much going to go over isolation, how you need to isolate AD from everything else, and the management environment of AD and how it's handled.

And so I'm specifically going to be looking at SCOM, HP iLO and Hyper-V and how they can be used to own AD, essentially. And there are no vulnerabilities; we're just going to look at how they're abused if they're not managed right and not configured properly.

So the software used to manage the domain controllers is often overlooked, and as you'll see, it handles all the Windows auth and it handles all the hashes, which, if you're after an environment, you want to get all the hashes, because once you get all the hashes you can own any box in the domain. And so, yeah, it's the crown jewels of the environment, and recommendations usually look at AD sec, and so they only look at Active Directory and the OS-level AD sec, and they don't look at everything that interacts with Active Directory.

And so, background: I'm going to go over SCOM, which is used for monitoring, and of course if it's a high-valued asset you want to monitor it, right? And so you're going to use some sort of monitoring, and in this instance we're going to look at SCOM. There's a SCOM security guide that is available on the Internet. It's really long; nobody probably read it, they probably just hit next, next, next. And there are also out-of-band management devices, which are network-level devices that allow out-of-band management, so if the machine is off then you can restart it; it's used for imaging, et cetera. And so we're going to look at HP iLO in this instance, and then Hyper-V as well. Hyper-V is virtualization, and so if you host AD on a Hyper-V host then you also need to look at the Hyper-V host. There are warnings online about it, but it's often overlooked, and everybody ignores the host and only looks at the OS level, you know, AD sec, right?

And so first we'll look at SCOM. It's used for monitoring and alerting of health, and the SCOM SDK service is what it uses to interact with the agents and everything, and it's opened up on 5723, and 5724 is what it uses, and these need to be open if you want to access the SCOM management, like if you actually want to look at the alerts and everything. And so oftentimes organizations have these open in the firewall in order to look at alerts and everything out of the environment, because they want to act upon them, right? And then Nmap, for instance, won't scan for these, so if you use Nmap then you'll need to add these to the list, and you'll see why in a minute. And the SCOM agent as well, which runs on every monitored machine, runs as Local System, and so it's great because, you know, it's admin access. You'll see in a minute.

So, abusing the functionality of SCOM. SCOM has this beautiful feature called tasks, and they let you run arbitrary VBScript on every monitored machine, and so obviously if you can own the SCOM app or the machine, then you can run arbitrary script as Local System on every managed machine. And then you have to be a member of the SCOM Administrators or Authors role, which are application-level roles within SCOM, and you're able to then run these, obviously. And so if you have a SCOM instance, then you need to have another instance that only monitors AD and then one instance that monitors everything else, so obviously they need to be isolated. That's the whole goal here.

So here's an overview of the architecture, which was on MSDN. Anyway, it uses the SDK, which then executes on the root management server, and then that runs the script on the agent-managed machines, and it usually runs as whatever the agent is running as, and by default it runs as Local System, which I already mentioned. And so they have an Operations Manager console as well, and that uses the SDK as well, but you can also use the libraries that they have as well. And so here's just a screenshot of the installation, and as you can see, by default it runs as Local System. And there are many warnings out there on the Internet that it can be very dangerous and it's bad, but nobody reads them, of course, so we're going to abuse it. So, demo time. Hopefully this is showing here.
So we've got a few demos. Okay, not demo time; the demo gods are not with me today. All right, there we go, we have something. It's only on that screen, so I've got to look down. All right. Okay, cool.

All right, so pretty much here's the SCOM Operations Manager, so we're going to use it to auth using a low-privileged account, and that's in the SCOM Administrators role because that's the way it was added, and that's usually how it's added. And so the SCOM console lists all monitored machines. In this example, one machine is a domain controller. What we're going to execute is going to execute a reverse HTTPS shell, and the VBScript is written out to hard disk and then executed in the SCOM task. So as you can see there, we're just running arbitrary PowerShell and then running the script that's going to start our reverse shell. So we'll copy that, create a new SCOM task under Authoring, and next we'll just call it "meterpreter", and you can hide the name if you're, you know, going to be sneaky. And then we want to run it on all Windows computers, and so increase the timeout value to half an hour; that way we have plenty of time to migrate into another process. And then, so we ran this as the SCOM SDK user, so the actual user who's executing that only has access on the SCOM machine, and so obviously it's not an admin on AD.

And so we're going to run the task. So we ran it against each of the machines. One's a domain controller, and you see we got the shells back. And so it runs as Local System, and so we're just going to open a session on the domain controller. We migrate. Yeah, we're not migrating yet. So yeah, it runs as Local System by default, and then we're just going to list the processes and migrate into spooler, because after half an hour it will end, because that's what we have our execution set as. So you want to hurry up and migrate, and then, once we've migrated processes, dump the hashes, end of story. There we go. There you go, there are the hashes, and now we've owned that domain.

And then you can also write arbitrary EXEs. You can also write a reverse shell in VBScript as well, which works. And so I'll skip ahead. Well, I also mentioned, here are the SCOM Administrators, and as you see there's the SCOM SDK user that is an admin in the SCOM app and not in AD, obviously. And so if you're an admin in the SCOM app, then you're essentially an admin on the DC. So we just create another one here, and it's pretty much the same thing; I'll skip through it, except it's writing out an arbitrary EXE and then executing it, and it runs it. And you can run this across however many machines there are, so it will spin up an instance on every agent. And then it just runs and dumps the hashes out.

And one last example here that I had: so port 5724 is used by the SCOM SDK and the Operations Manager uses 5723, and so if that's not open but 5724 is open, then you can still use the SDK libraries that they have, and you can execute everything using that as well. You just have to implement it on your own. And so in this example we're going to import a new management pack, and it's just going to run arbitrary commands, and this is just a little app that I wrote that uses the SDK. Really shitty app, but it works. And so it imports the management pack, and then you'll just see you kind of have an interactive, you know, you can execute whatever you want against it. And so, just another example.
So, recommendations. Let me switch this back. Okay, I'll just move on. So the recommendation is that the SCOM servers used to monitor AD need to be isolated, and not to allow the SCOM SDK ports to be open. So if they are, they need to be closed off. SCOM Administrators and Authors should be limited to only the admins, obviously. So you'll need another instance that only monitors AD. Move engineers and everybody else into the Read-Only or Operator roles, and that won't allow them to execute new agent tasks. And also reduce the agent as well, so it doesn't need to run as Local System. And there's an official security guide too that you can read. My bad.

All right. So, for evasion: SCOM tasks all need to be audited, obviously. That way, if there's any hidden task in there, they need to be audited. It also has the execution logs in SCOM, and by default it's one week, but you can edit that, which is really good if you want to increase it, or if you're the bad guy and you want to remove the execution logs, you can also edit it. And then it also logs every auth in the Operations Manager event log. And so here's just a screenshot of the history, and so you can obviously edit it to be zero days and then nobody will know what ran, or you can edit it to one month if you want to.
All right. So next we're going to go over out-of-band management devices. Every machine usually has out-of-band management hardware used for monitoring and maintenance, and so it's used for imaging, for restarting if you run out of hard disk space, et cetera, et cetera. It's for emergencies, essentially. And so the admin interface is usually accessed over SSH or IPMI, HTTPS as well, and it's equivalent to actually having the actual box, like in your office in your hands, right? And many of them, all except for HP, have really shitty default passwords, and so most of the time organizations might not update those, and so you can use that as access. And also, about a month ago, Rapid7 released some really nice remote root exploits that allow admin access without auth, and so that's really useful now as well. And they're often hard to update because it's usually very manual, and so organizations might not update. And here's an example of HP iLO: they have an override switch that is actually on the actual machine, and if it's enabled, then you don't have to auth at all. So it's, you know, awesome if you're after that machine. So here's a list of common usernames, and iLO is the only one that's actually updated, and all the rest of.

So, one more demo. The mouse isn't coming over; give me one second. It's HP iLO here, and what's going to happen is we're going to mount an ISO, and we're going to boot into Knoppix, and then do sticky keys, and that's pretty much it. So you mount the ISO in the HP iLO integrated remote. Oops, let me skip back here. All right, so we mount the ISO here within the admin interface. We start the machine up, and rather than making you watch it start up, I'll skip ahead here. So it boots into Knoppix, and we sticky-key the box; that way we can get access. So we're just going to replace sethc.exe with cmd.exe, and that's just one easy way to get access if you actually have access to the box. So we'll rename it cmd.exe, then overwrite it. Restart the box. So we unmount the ISO, restart it back up, hit the Shift key five times, and there you go. So obviously you guys know how it works: we hit the Shift key five times and then we got a shell as SYSTEM. Sorry, it's nothing new. And then here you can just add another user or whatever you want, right? Dump the hashes, et cetera, et cetera. So we just add a user, and then we get access to the box. Sticky keys. All right, we'll move on here; we're running out of time.

Okay. So, recommendations: update the default password. It should always be updated, obviously. Have regular patching for the out-of-band devices. Monitor audit logs for unauthorized access. Configure two-factor auth if you're able to. And you should also have another management environment for all these out-of-band devices. And there's an article online as well that you can read that helps with that.
And so next we'll go over Hyper-V. It's just virtualization software that hosts virtual machines. An administrator on the host has admin rights on all the VMs that it hosts, obviously. So here's another example where you can also boot into a live disk and steal the VHD file, either-or, I guess. And so here's just how you mount an ISO, and then once you're in it you can steal the NTDS, and then you have all of Active Directory and you can extract the hashes offline, essentially. And so all you'll know is that the machine unexpectedly restarted, obviously, unless they look at the host audit logs. So, recommendations: the Hyper-V hosts need to be isolated with AD exactly like everything else, and the admins on it should only be admins. So it's an easy principle. And also you need to protect the VHD files as well, and so, yeah, only admins should have access to those. And it should also be on another management network if available, and there's another article.

And then lastly, vulnerability scanners as well. Organizations usually do authenticated scanning, and those usually have admin rights on every box, and so if you're scanning your domain controller with domain admin creds, the Nessus box or the Qualys box or whatever you're using should be treated as a domain controller. And so, yeah, obviously if you own one of those, then you own AD as well if there isn't isolation.

So the conclusion is everything that interacts with AD needs to be looked at, so management stuff also has to be properly secured. And so that's about it, and here's my information, and I'll have everything up online next week.
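The iLO demo above boots a DC from a mounted ISO and swaps sethc.exe for cmd.exe, and the Hyper-V section points out that anyone who can read a DC's VHD can pull NTDS.dit offline. The following PowerShell script is an added example written for this page; it is not the speaker's tooling and is not from the talk. It audits a Windows host for the accessibility-binary backdoor in three forms (the helper's contents replaced by a shell, a helper whose Authenticode status is no longer Valid, and the Image File Execution Options "Debugger" hijack that needs no file change), and, if the host runs Hyper-V, lists every identity that holds an ACE on each VM's virtual disk. The function names, the list of accessibility helpers and the list of shells to compare against are this example's own choices; the signature check assumes Windows 8 / Server 2012 or later, where Get-AuthenticodeSignature validates catalog-signed system binaries (on older systems it reports NotSigned for untouched files, so treat that check as informational there). Run it from an elevated prompt on the host being checked.

```powershell
# Added example for this page (not the speaker's code): detect the sticky-keys
# style backdoor demonstrated over HP iLO, and show who can read Hyper-V VHDs.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Helpers that can be launched from the logon screen before anyone authenticates.
# Replacing any of them with a shell yields a SYSTEM shell at the console.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

# Build a table of SHA256 -> name for the shells an attacker typically copies in.
$shellHashes = @{}
foreach ($shell in @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')) {
    $p = Join-Path $sys32 $shell
    if (Test-Path $p) {
        $shellHashes[(Get-FileHash -Path $p -Algorithm SHA256).Hash] = $shell
    }
}

function Test-AccessibilityBackdoor {
    $findings = @()
    foreach ($name in $accessibilityBinaries) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) { continue }

        # Check 1: the helper's bytes are identical to a shell (the demo's rename trick).
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($shellHashes.ContainsKey($hash)) {
            $findings += [pscustomobject]@{
                Binary = $name; Technique = 'FileReplaced'
                Detail = "$name has the same SHA256 as $($shellHashes[$hash])"
            }
        }

        # Check 2: the helper was modified or replaced with something unsigned.
        # Assumes Windows 8 / Server 2012+, where catalog signatures are validated.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{
                Binary = $name; Technique = 'InvalidSignature'
                Detail = "Authenticode status: $($sig.Status)"
            }
        }

        # Check 3: IFEO "Debugger" hijack. The file is untouched; the registry
        # makes Windows start the debugger (a shell) instead of the helper.
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
        if (Test-Path $ifeo) {
            $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                $findings += [pscustomobject]@{
                    Binary = $name; Technique = 'IFEODebugger'; Detail = "Debugger = $dbg"
                }
            }
        }
    }
    return $findings
}

function Get-VhdAccess {
    # Only meaningful on a Hyper-V host. Every identity listed here can copy the
    # disk and extract NTDS.dit offline, so for a DC it should be admins only.
    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) { return @() }
    foreach ($vm in Get-VM) {
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            $acl = Get-Acl -Path $disk.Path
            foreach ($ace in $acl.Access) {
                [pscustomobject]@{
                    VM       = $vm.Name
                    Path     = $disk.Path
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

$backdoors = Test-AccessibilityBackdoor
if ($backdoors) {
    $backdoors | Format-Table -AutoSize
} else {
    'No accessibility-binary tampering found.'
}
Get-VhdAccess | Format-Table -AutoSize
```

The hash comparison is deliberately exact rather than heuristic: a helper that matches cmd.exe byte for byte is the demo's attack, while the signature and IFEO checks catch the variants that a simple file-size or hash allow-list would miss. Because the iLO demo leaves only an unexpected reboot behind, running this after any unplanned restart of a DC or its Hyper-V host is a cheap way to turn that weak signal into a definite answer.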