Exploiting Active Directory: Administrator Insecurities

Video thumbnail (Frame 0) Video thumbnail (Frame 1260) Video thumbnail (Frame 3765) Video thumbnail (Frame 5487) Video thumbnail (Frame 7611) Video thumbnail (Frame 8777) Video thumbnail (Frame 9831) Video thumbnail (Frame 12187) Video thumbnail (Frame 15154) Video thumbnail (Frame 16642) Video thumbnail (Frame 17692) Video thumbnail (Frame 18532) Video thumbnail (Frame 19424) Video thumbnail (Frame 20842) Video thumbnail (Frame 21726) Video thumbnail (Frame 23362) Video thumbnail (Frame 24504) Video thumbnail (Frame 25637) Video thumbnail (Frame 28292) Video thumbnail (Frame 30867) Video thumbnail (Frame 31787) Video thumbnail (Frame 33772) Video thumbnail (Frame 34822) Video thumbnail (Frame 37265) Video thumbnail (Frame 38242) Video thumbnail (Frame 39377) Video thumbnail (Frame 41269) Video thumbnail (Frame 42392) Video thumbnail (Frame 43729) Video thumbnail (Frame 46081) Video thumbnail (Frame 51184) Video thumbnail (Frame 54483) Video thumbnail (Frame 56967) Video thumbnail (Frame 58403) Video thumbnail (Frame 59297) Video thumbnail (Frame 61633) Video thumbnail (Frame 62522)
Video in TIB AV-Portal: Exploiting Active Directory: Administrator Insecurities

Formal Metadata

Exploiting Active Directory: Administrator Insecurities
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer? Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process. This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement. Some of the areas explored in this talk: Current methods organizations use to administer Active Directory and the weaknesses around them. Using RODCs in the environment in ways the organization didn't plan for (including persistence). Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose. Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest. If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked.
Slide rule Message passing System administrator Active Directory System programming Directory service Arc (geometry)
Group action Mobile app Game controller Multiplication sign View (database) Authentication Password Maxima and minima Directory service Public domain Information technology consulting Power (physics) Time domain Local Group Thermodynamisches System Forest Software testing Information Information security Computing platform Surjective function Point cloud Service (economics) Execution unit System administrator Active Directory Directory service Evolute Element (mathematics) Forest Integrated development environment Time evolution Password Computing platform Right angle Information security Resultant
Group action Public domain Graph (mathematics) Vector potential Attribute grammar Time domain Thermodynamisches System Bit rate Steady state (chemistry) Object (grammar) Forest Source code Flag Text editor Information security Addition Service (economics) Multiplication System administrator Active Directory Counting Public domain Directory service Inclusion map Process (computing) Information security
Group action Game controller Server (computing) View (database) Multiplication sign Workstation <Musikinstrument> 1 (number) Set (mathematics) Public domain Power (physics) Element (mathematics) Time domain Thermodynamisches System Forest System programming Software testing Recursion Multiplication Default (computer science) Game controller Default (computer science) Service (economics) Multiplication System administrator Computer Public domain Port scanner Right angle Object (grammar)
Slide rule Multitier architecture Game controller Enterprise architecture Structural load Workstation <Musikinstrument> Public domain Login Time domain Radio-frequency identification Source code Electronic visual display Backup Local ring Sanitary sewer Default (computer science) Supremum Service (economics) Building Server (computing) Keyboard shortcut System administrator Operator (mathematics) Usability Letterpress printing Group action Mathematics Personal digital assistant Website Force
Server (computing) Game controller Variety (linguistics) Physicalism Public domain Open set Connected space Product (business) Emulator Software Backup Right angle Video game console
Multitier architecture Game controller Multiplication sign Set (mathematics) Public domain Time domain Computer hardware Vulnerability (computing) Authentication Area Game controller Vulnerability (computing) Service (economics) Patch (Unix) Server (computing) System administrator Operator (mathematics) Physicalism Public domain Bit Letterpress printing Term (mathematics) Inclusion map Revision control Configuration space Hill differential equation Right angle Video game console Local ring Recursive descent parser
Multitier architecture Server (computing) Game controller Group action Service (economics) Multiplication sign Public domain Regular graph Login Event horizon Tracing (software) Neuroinformatik Local Group Time domain Kerberos <Kryptologie> Information security Relief Library (computing) LTI system theory Server (computing) Physical law System administrator Computer Computer network Virtual machine Graph (mathematics) Data management Integrated development environment Software Blog Configuration space Right angle Authorization Information security Recursive descent parser
Default (computer science) Group action Game controller Token ring Multiplication sign Workstation <Musikinstrument> File format System administrator Directory service Graph (mathematics) Frame problem Attribute grammar Neuroinformatik Time domain Integrated development environment Thermodynamisches System Time evolution Software testing Right angle Reading (process)
Standard deviation Game controller Trail Workstation <Musikinstrument> Server (computing) Server (computing) Workstation <Musikinstrument> System administrator Password Active Directory Public domain Time domain God Mathematics Thermodynamisches System Integrated development environment Right angle Quicksort Computer-assisted translation Local ring Local ring Recursive descent parser
Workstation <Musikinstrument> System programming Right angle Software testing Gamma function Information security
Scripting language Server (computing) Game controller Computer file Computer file Workstation <Musikinstrument> Computer program Computer Computer network Public domain Data storage device Login Graphical user interface Process (computing) Computer configuration Blog Password System programming MiniDisc Videoconferencing Window Vacuum
Scripting language Functional (mathematics) Computer file View (database) Multiplication sign Computer file Keyboard shortcut File format Computer program Menu (computing) Shift operator Repeating decimal Kontraktion <Mathematik> Information security Maß <Mathematik> Window Window
Trail System call Information Mountain pass Authentication Workstation <Musikinstrument> Keyboard shortcut Computer Code Computer configuration System programming Right angle Wahrscheinlichkeitsfunktion Recursive descent parser Row (database)
Boss Corporation Service (economics) Email Code Multiplication sign Mobile Web Attribute grammar IP address System call Attribute grammar Number Proof theory Type theory Uniform resource locator Message passing Thermodynamisches System Different (Kate Ryan album) Configuration space Condition number Address space
Email Closed set Multiplication sign Principle of maximum entropy Process (computing) System identification Information security Software bug Email Instance (computer science) Connected space Message passing Process (computing) Computer configuration Telecommunication System programming Configuration space Website Figurate number Row (database) Windows Registry Slide rule Server (computing) Link (knot theory) Authentication Password Hidden Markov model Vector potential Rule of inference Attribute grammar Product (business) Number Thermodynamisches System Internet forum Divisor Configuration space Traffic reporting Proxy server Condition number Default (computer science) Addition Server (computing) Vector potential Computer hardware Blog Password Backup Video game Local ring
Workstation <Musikinstrument> Server (computing) Context awareness Enterprise architecture Server (computing) Workstation <Musikinstrument> Exploit (computer security) Password Public domain Directory service Web browser Control flow Mereology Rule of inference Component-based software engineering Data management Computer configuration Synchronization Password Core dump Information security Window Recursive descent parser Window
Touchscreen Functional (mathematics) Randomization Server (computing) Enterprise architecture Computer file Multiplication sign File format Password Web browser 2 (number) Time domain Malware Regular graph Computer configuration MiniDisc Logic gate Formal grammar Information View (database) Computer file Keyboard shortcut Content (media) Parameter (computer programming) Control flow Integrated development environment Function (mathematics) Password Self-organization Quicksort Window
Game controller Server (computing) Enterprise architecture Service (economics) Direction (geometry) Programmable read-only memory Workstation <Musikinstrument> Password Web browser Web 2.0 System programming Extension (kinesiology) Proxy server Workstation <Musikinstrument> Server (computing) Physical law Computer network Deep Web Flow separation Web browser Connected space Computer configuration Software Password System programming Quicksort Recursive descent parser
Cybersex Group action Server (computing) Multiplication sign Electronic program guide Range (statistics) System administrator Password Exploit (computer security) Local Group Time domain Sign (mathematics) Internetworking Internetworking Password System programming
Email Game controller Server (computing) Weight Multiplication sign Authentication Password Public domain Mereology Graph (mathematics) Total S.A. Food energy Web 2.0 Revision control Data management Internetworking Object (grammar) Authorization Energy level System programming Software testing Vulnerability (computing) Data integrity Proof theory Context awareness Vulnerability (computing) Service (economics) Email Information Server (computing) Weight Token ring Active Directory Code Computer network Attribute grammar Directory service Connected space String (computer science) Password System programming Self-organization Authorization Object (grammar)
Group action Firewall (computing) Forcing (mathematics) Directory service Product (business) Forest Emulator Thermodynamisches System Software Forest Telecommunication System programming Configuration space Information security Information security
Group action Server (computing) Service (economics) Multiplication sign Data recovery Public domain Bookmark (World Wide Web) Neuroinformatik Attribute grammar Product (business) Local Group Time domain Thermodynamisches System Different (Kate Ryan album) Forest Operator (mathematics) Backup Information security Hydraulic jump Game controller Addition Server (computing) Forcing (mathematics) System administrator Operator (mathematics) Counting Directory service Line (geometry) Forest Numeral (linguistics) Integrated development environment Chief information officer Backup Hill differential equation Right angle
Group action Scripting language Code Multiplication sign 1 (number) Public domain Replication (computing) Computer configuration Forest Single-precision floating-point format Office suite System identification Local ring Scripting language Workstation <Musikinstrument> Point (geometry) System administrator Electronic mailing list Computer Attribute grammar Replication (computing) Forest Data mining Arithmetic mean Digital rights management P-group System programming Self-organization Configuration space Right angle Information security Reading (process) Server (computing) Game controller Service (economics) Password Branch (computer science) Electronic mailing list Law of large numbers Product (business) Attribute grammar Element (mathematics) Time domain Local Group Revision control Inclusion map Flow separation Thermodynamisches System Energy level System programming Integrated development environment Software testing Computer-assisted translation Metropolitan area network Default (computer science) Authentication Game controller Default (computer science) Information Key (cryptography) Server (computing) Forcing (mathematics) Lemma (mathematics) Principal ideal Active Directory Counting Public domain Directory service Integrated development environment Contrast (vision) Password Revision control Recursive descent parser
Game controller Game controller Information Quantum state System administrator Password Active Directory Operator (mathematics) Attribute grammar Public domain Group action Predictability Replication (computing) Attribute grammar Element (mathematics) Local Group Right angle Configuration space Information security Reading (process)
Meta element Group action Game controller Multiplication sign 1 (number) Password Public domain Mereology Distance Login Perspective (visual) Attribute grammar Power (physics) Time domain Revision control Cache (computing) Computer worm Surjective function Authentication Information Computer Public domain Bit Directory service Instance (computer science) Control flow Replication (computing) Cache (computing) Integrated development environment Hash function Password Right angle Figurate number Musical ensemble Reading (process)
Group action Game controller Functional (mathematics) Server (computing) Greatest element Inheritance (object-oriented programming) Service (economics) View (database) Port scanner Public domain Power (physics) Local Group Object (grammar) Data type Support vector machine Server (computing) System administrator Counting Directory service Hash function Password Right angle Information security Abelian category Flag
Point (geometry) Digital filter Group action Server (computing) Multiplication sign Graph (mathematics) Neuroinformatik Local Group Time domain Data management Uniqueness quantification Local ring Game controller Default (computer science) Server (computing) System administrator Cache (computing) Hash function Password Self-organization Configuration space Right angle Information security Abelian category Local ring
Server (computing) System call Mountain pass Kerberos <Kryptologie> Password Neuroinformatik Time domain Cache (computing) Kerberos <Kryptologie> Source code System programming Configuration space Local ring Data type Service (economics) Server (computing) State of matter Computer Public domain Client (computing) Group action Hash function Password Encryption Information security Flag
Windows Registry Game controller Group action Enterprise architecture Multiplication sign Password Control flow Public domain Graph (mathematics) Neuroinformatik Element (mathematics) Local Group Thermodynamisches System Software testing Process (computing) Default (computer science) Workstation <Musikinstrument> Slide rule Weight System administrator Public domain Directory service Type theory Digital rights management Hash function Integrated development environment Software Personal digital assistant Enumerated type Password POKE System programming Video game console Information security Asynchronous Transfer Mode
all right we're gonna start off with Sean he's got a little special message he's got to do so here he's trying morning DEFCON are we doing so happy back I got a friend here this is bunny my daughter asked me to bring bunny so can everyone say hi bunny awesome thank you all right so Bunny's gonna sit over here and get a front seat so this is exploiting it Active Directory administrator insecurities I'm Sean Metcalfe I'm really excited about this slide deck because one of the things that I've talked about before problems with Active Directory the way it's configured the way that people manage it configurations within it but rarely have I gotten to talk about the problems with how its administered and the challenges with the systems that are often connected that are secure so I'm Sean
Metcalfe founder Trimark we help companies better secure their Microsoft platform which is our the reason why I do all this fun Active Directory security stuff I'm a Microsoft Certified Master in Active Directory there's about 100 for the in the world most of whom work at Microsoft I don't so I can talk about whatever I want very happy to be back on stage at Def Con I'm security consultant researcher and I run 80 security orgs show hands have you used 80 security at org okay everyone's not raising your hand talk to one of the people that raise their hand and ask them what they think about it so so we're going to talk about the evolution of admin discovery how do we find admins in the environment the challenges with that and some of the issues with correctly discovering admins around in Active Directory how to exploit typical administration at least how I often see ad administered challenges and problems with multi-factor password vault see maybe more popular so we're going to talk about bypassing and subverting past results and then the vaulted admin forced aka the red forest and then I'm going to talk about how you can actually attack read only domain controllers to compromise ad which should be fine so the evolution of app discovery we look for domain admins we love domain admins right that's so we run a command like this getnet group member thank you will harm joy for giving us power view so we can do this easily and quickly and enumerate the members of domain admins but a lot of times pen testers and red teamers and security folks forget about administrators so if we're just looking at the main admins we're going to miss a ton of Active Directory administrators how does this look what most environments we end up with
what six domain admins but once we enumerate the administrators group we might have as many as twenty or more and so if we don't pay attention to the administrators group they have full eighty admin rights as well as full domain controller admin rights so it's very important to make sure we're capturing both of those and
if we see something like this what do you do there are no domain admins there doesn't need to be any domain admins in order to correctly manage and administer Active Directory domain admins really are not dat admins the administrators are so the other way that we've talked
about or I've talked about discovering admins is by using admin count equals one right rate we look for any account in that domain that has admin count the attribute set to one Active Directory is a process that goes through and enumerates the most privileged accounts groups in the in the domain and then Flags them put some security additional security permissions on them and Flags it without McCown equals one the issue here is that if you're just looking for this that's only in that own that's that single domain so in a multi domain forest you're gonna miss all of the others in multi forest environments you're gonna miss the others as well and if we have a tool that isn't multi
domain or multi for is capable which by the way this is microsoft's powershell commandlets it is not correctly multi forest capable because when i add a group from another forest into the administrators group in this domain it breaks at least in half of the environments i've seen and when i
run it against the administrators group recursive it doesn't give me everything so definitely use the tool wills power view works really well for correctly and numerating the membership but test your tool a lab tested to make sure that you're getting what you're suppose otherwise you might miss something so there's also what I call hidden admits many people forget about group policy the default domain controller is group policy or policy GPO contains something called user rights assignments these are the user rights assignments that you would find on workstations and servers who can log on locally who can do certain things on the system but the ones that are configured for domain controllers actually has domain rights also very privileged rights and this is often missed this is what I call hidden gold if you're a pen tester a red teamer which is my target audience today and you're not looking at group policy settings that are applied to domain controllers please start doing that because user rights assignments is going to help you find an easy even easier way in and be able to get you to meet your eject objective more quickly a lot of times why is this well it looks like
this I know you can't read that it's okay but this is the display this is what you look at so let's stick into a
couple of these allow log on locally it is what you think it is this gives you the ability to log on locally but when you apply this setting to a domain controller guess what you can log on locally to that domain controller so if you can walk up to that domain controller and physically get on that keyboard you can log on to that domain controller like it was a workstation and you might have noticed something weird on this slide that is not a typo I have actually found this in customer sites so anybody can log on to a domain controller I don't know just in case the admin left early that Friday and they need to reboot it or something who knows but the thing about log on locally it's not always local there are remote ways
to do local right when we have a VM we can use the remote console to connect into that VMs console and log on locally over the network there's also this little thing called Eylau which is a
variety year's physical servers physical domain controllers have Eylau it gives you the ability to out-of-band off another network connect into that server as if you could RDP into or connect to it and get that console access and the recommendation is to often have that Eylau connection be on a separate network an out-of-band or a backup Network not on the production network but guess what everyone does they put it on the production network guess what can happen
HP I love vulnerability from last year about a year ago some very clever researchers fuzz reverse engineered the ILO configuration and what you can do with it and they discovered that you want to see the POC yeah okay here it is
you run curl you send 29 A's and you completely bypass authentication so this vulnerability is brought to you by the letter A so this is not mine they did a great job on and I was chatting with one of the members of the team over at Mandalay that a couple of days ago and he was talking about some really cool stuff that they figured off of this because I lo is connected into the hardware so not only can you bypass the I low off and just get local console access over I lo but there's some other interesting things we'll be talking about so he he told me a little bit about it but I'll let him you know talk about that later so that's one way that you can do it so you definitely want to check this out especially when you have physical DC's by the way the physical TV theses usually don't have VM in the name just a hand but there is a way through the Microsoft settings and user rights assignments to have the ability to log on over RDP to a domain controller if there's allow log on locally and the ability to log on to Terminal Services well guess what server tr3 can do this only domain admins only administrator should ever be able to log on to the domain controllers via RDP but a lot of times we find this when we do assessments for customers and who's a
member of server two or three well it's Eddie and that's just a regular user account so whoever can control a TS account or manage Eddie's get account or compromise Eddie I don't know then they can get onto the dabangg controller if you can log on interactively on a domain controller you can do a lot of fun stuff from there
the other interesting thing is managed auditing and security logs so when you're doing an assessment for a customer you're on an engagement definitely check this out you'll typically see exchange that's can this way but this gives you the rights to actually clear the event law not advocating depending on your scope to clear event logs on DC's but certainly bring it up to your customer and say hey by the way this group lab admins can clear your event logs on your DC's you probably don't want that and we compromised one of the members of this group and we could have cleared the event logs on all your domain controllers as we were doing our engagement so you want to take care of this trusted 4ab allegation this is a really interesting thing will harm joy did a great blog article about this I talked about the dangers of unconstrained Kerberos delegation Hermosilla Gatien is impersonation so when you configure a computer or an account with the ability to delegate to impersonate a user that means they can impersonate that user for Kerberos services on the network this right that's configured and user rights assignments for domain controllers enables these accounts actually set up and configure and can set the delegation Kerberos delegation on those accounts on those computer accounts now they do need one extra right for it to actually follow up and finish but most of the time these groups will have those rights they'll have full control over those those accounts because they have controls on those OU's so it's dangerous and a lot of times if you if you enumerate the Kerberos delegation in the environment to see what accounts have Kerberos delegation configured if there's more than like 30 or 40 you definitely want to check this out because it was probably a big group that has this ability that aren't that aren't the administrators and then as we have
environments that are getting better some of you have probably seen some environments that have gotten stronger they set up better restrictions they have more controls over their admin environment things that have been around forever that people have forgotten about or log on hours so you can restrict when someone can log on Active Directory and what they can do in that time frame you can also configure what workstations or computers are actually allowed to log on interactively to so most of the tools that I've looked at that are used in pen tests and read teams don't look for this so if you find an account you're like I popped this account but I can't do anything with it why check this out you want to check these two attributes logon hours and logon restrict workstation the other thing you want to check is a of times you'll have deceptive accounts or honeypot accounts in the environment that will look like they're great they're honey tokens in the environment they're a member of the right groups you can't do anything with them check these attributes it's probably why they're locked down why you can't do anything with them so when we talk about
administration where it's been where it's going who he remembers BNC just applause yeah right some environments still have BNC right and VNC by default is not secured so that's probably a bad idea we moved on it RTP we had run as people would use MMC on their on their computer in order to perform administration so we moved forward from
that but in the beginning there are admins everywhere user accounts were domain admins every local administrator account was the same probably same now in some places please change that but some environments have as many domain admins as users this is bad so like as many admins as ostriches in this picture I like ostriches and so this was
target-rich there were a lot of opportunities any account you found has some sort of admin rights which is probably not too much different some of the environments you walk into and the
methods that were used then we're bad log on to a workstation as an admin credentials in alsace run as credentials and else ass even the RDP so this is the thing that people forget they stop doing the things on their local workstation they then already pee into a server like an admin server and then don't track how that admin server is protected how its controlled so maybe cats obviously newer
admins security methods so no more run as no more MMC on a local system should be great right we're gonna use RDP we're
going to connect to another system I'm not going to log in with my admin credentials on this workstation because someone could use bloodhound and know that I'm on this system and they could potentially get access to that and then compromised my account so I'm going to use RDP and maybe I'll use MFA maybe I'll use something like duo I pick on duo they were in the news for something I don't remember but I pick on duo duo is good but there's some interesting things that happen when you use a regular workstation to administration and it's a pen tester red teamer you
want to be aware of some of those interesting things that happen some people are using password vaults we're going to talk about those
so we have the typical administrator logs onto their workstation as a regular user then they open up the RDP window and they connect to their server their domain controller and they connect as a domain admin but something interesting happens in the background when this occurs there's a new file that shows up
on the C Drive the temp file that's kind of weird okay but Windows drops temp files everywhere because it's a crazy or less like that so who cares well we the problem is that in this situation there's actually a WMI implant that's been dropped on the system so there's a W my implant that is looking for the process MST SCO exe and one that executes it's going to run this script that I'm very helpfully named SCCM health check which is probably benign it's it's for the good of the system let's make the windows greet again yes
and so what actually happens is this is that FC CM health check PowerShell script and it actually has a function called get keystrokes well that's a little weird what is that so let's look at that file
when we open up that file it's a text file and it's a key logger so as soon as someone opens up that RDP window it's key logging whatever is typed in on that keyboard and logging into a file and it keeps doing that for a preset amount of time 20 minutes 30 minutes whatever we set and then we can use PowerShell to go
through and parse that and actually extract the information that would be useful for us so while the admin thinks they're secure because they're not using their admin credentials on that workstation they're typing them in on the keyboard so we use MFA right that'll
solve the problem we're gonna MFA the RDP so we got our already PMF a problem saw right okay so let's look at that we use RDP we MFA it we click on the button
send me a push I get the little pop-up
on my phone I go yeah that looks fine approve but a second later I get a second one I just approve the first one I'll prove this one it's probably a hiccup right sure it's okay I tell anyone about it do I deny the first one do I approve like what's a situation how do I make that decision or with a DFS same thing I get two of these or maybe I'm the admin and I log in in the morning and I log in to three different systems and I get these prompts in a row I don't keep track Mike yeah yeah yeah yeah I gotta get my coffee right what happens when I get
this popup on my phone which says log on request and there's no none that additional detail like the IP address the location the time the date here I just it just says log on request okay yeah proof oh wait a proof wait a proof oh I'm pretty sure I only logged in twice I'm sure it was just like the phone it's been acting up recently it's probably okay so if we can set up a situation where there's a race condition between the admin clicking the push and the attacker clicking the push we might be able to have a situation where the admin MFA's for us and we we've seen this before with other things like scams and and different situations where they get an email to get a text message they're like oh by the way if you see this just send that code to me it's it's okay please do that but there's actually
a way that you can serve vert and the MFA in certain environments based on what I've seen and so it has to do with a certain type of configuration which is fairly common this is the self-service portal this is the configuration where users are able to update their own attributes and there's very benign attributes like their work phone number their mobile number or their oryx pacific attributes maybe sometimes the title department whatever it looks like this so we have a user has their mobile number set that way their boss can call them or they can be called when when they're on call but the problem is that if the attacker knows that they can change this and then they do to their number 8 6 7-5 309 that works well so they change it to theirs what they can
actually do is instead of clicking the push button within duo or the MFA product they can force a text message to be sent to their phone this number that they just updated because in some environments where they have this this attribute the admin user has the attribute their mobile phone number associated with their account and that's associated with their admin account for MFA so if we can modify that phone number we can say give me a text message and the admin gets nothing no notification nothing at all and we can comply pass at MFA configuration there's other MFA's that have this as a backup duo has it as a backup method that I've seen in many environments there's a quick summary for the people who are looking at slides later about how this actually works there's another interesting thing about duo is that duo fails open so for duo to work it connects to an API a record duo security comm and that's configured with that company in that instance of duo within that company and what happens is when you connect to it and you have that prompt it's got a check obviously to figure out how to push to you how to know that you can access it who you are etc what if we block that we block that communication if we can interfere or influence that connection guess what happens no MFA at all so thanks to noopy for this because he did a blog post earlier this month and Jared Haight pointed this out to me there's another thing that's interesting here if we change this default so if we have access to the registry or something we can actually turn off MFA for local accounts so if we compromised the local account on the server we can connect into that using user and password all day long without any MFA when we're going through the RDP connection the
other interesting thing about MFA is there's an onboarding process what is this or onboarding process well a lot of times you go to a website you click on something you click your request and you get an email hmm that's interesting the email comes in they click on the link to approve it and the MFA get set up for whatever they put in that forum all right but we've if we've compromised that account that admin account we have influence over that email so we can set up a rule to filter it out or we can just delete it so they never see it so we could potentially add additional devices for MFA or even switch it over entirely because what happens when they lose their phone they're at DEFCON they're hanging out at a party and they're like I don't know where my phone is they've got to get MFA set up again a lot of times text SMS is the backup to that okay I have a new phone I got a email this person saying I have to get a temporary phone because I lost mine here's the number can you just update the MFA because you know the executive mr. Kawasaki says I need this right now so I got to do this okay fine so there's some recommendations around this put the slide up you can look at them later but yes MFA is good but there are situations and conditions where MFA could be subverted or bypass depending on how its configured you want to let your customers know about this you want to let them know you have mem FA that's great that's gonna make my life a little harder but let me take a look at what that actually is doing and we want customers to better try to think through what are the potential bypass methods because they know it better than we do we talk to customers all the time we're like let's talk about your MFA and how that works in the setup and what if this happens they're like oh yeah we know that this could be an issue okay well I'm gonna write that in my report thank you here you go but what's interesting
about this is attackers don't need to bother with MFA at all because nowadays MFA is typically something that's at its heart RTP so if we can pull and extract that ad admin account name and password we just can use that to DC sync we don't have to bother with RTP at all and that way we can pull any credential we want from Active Directory so customers are going to think well our admins have to use MFA to do things as they are DPN make sure they understand that the attackers are not bound by the same rules and there's something about
password walls so I'm seeing pasture vaults more and more I'm probably sure you are as well typically cyber our core secret server and oftentimes there's a reconciliation account which is a domain admin account which is used to ensure that certain accounts that the password vault is managing stay in compliance have the correct current password so if someone has changed the password for that account outside of that vault then it goes through and sets it back to what it should be but that means that this password vault is running under the context of domain admins or 80 administration so if we can compromise or takeover the password vault we would have access to that account and passed over all it's more and more on managing these 80 admin account and have something called a session manager which is often used password vaults are being pushed more and more into being part of the administrative workflow so let's look at one of these workflows scenario the admin logs onto their workstation as a user they connect to the password vault via HTTP using their web browser they then check out the password they copy it out of the web browser into their clipboard they paste it into RDP the RDP window and then connect to their admin server and they have a great day I'm sure you see a problem here there's a password on that workstation in the clipboard but we can use another
powersploit function called gate clipboard contents so we can do kind of the same thing as before malware has been doing this for years where they're monitoring the title windows and web browsers so if they see certain bank names they see financial they see password they see log on a screenshot they keep a log you can also do keyboard clipboard strict scraping and then from that they have the information that's going into that web browser so we can gather that the same thing sort of happens we have a second temp file here that has text file that has passwords I made up these passwords these are not from a password vault hopefully a password vault would have a much better randomizer than my Star Wars knowledge
but the issue is that we can also on top of this do get time screenshot because if we just have the password or like I'm not really sure what that's for or what server they're connecting to but we can combine these two we can say all right it was this account at this time on this server and here's the password and correlate that so we want to make sure that organizations and companies know that just because they're using a password vault they are not secure just because they have dropped it into the environment second option this hardens
it up so we use the password vault as an RDP proxy so the admin connects to the password vault via HTTPS or some sort of RDP pass passed through connection or RDP direct connection and they use the web browser just like before and then the password vault then does the RDP connection to the server on the user's behalf and the user never actually sees that account or credential which is interesting because everything's handled by the password law but there's a few issues with this approach first of all who's logging on on the workstation it's usually the admin user so it's a user account and then what account is used to connect to that password vault again an admin user who is ability to or I'm sorry that that connectivity and connection and logon is that using MFA sometimes it is sometimes it's not and then of course who has control of that password vault who's the who's the administrators of that password vault system and then ultimately can just anybody on the network connect to that password vault over h CPS or any other connection what else is running on that system so I started thinking about this
I'm like there's a lot of dependencies on this web browser right so what if we just compromised the web browser we don't to do anything else what if we installed I don't know an extension and what if we didn't put it in the toolbar and what if when all it did was it looked for the connection of the password vault system and when that happened it just set up a secondary connection to another service system that we own and that way we could interact with the password vault in a separate hidden web web tab so as the admin is doing what they're doing we can go through and copy out credentials for admin accounts but
then the other problem is a lot of times the administrators of the password vault are regular users find this too often it's very simple you just look for a secret server or cyber-ark and then you look for groups with those names and you're probably going to find something like cyber-ark admins with a space or without or some other things that are in there these are user accounts we just have to compromise this user and then I can potentially own the cyber work system that sounds bad to me and sometimes there's past revolts in
the Internet I guess against the recommendations of the the vendors people are putting their password vaults on the Internet so depending on your scoping you definitely want to do some showdown to see what other things pop up in their range and sometimes they're using a
really old version of that password and it's on the Internet I don't know what credentials they're storing but they shouldn't be on the internet so here's a summary of what I've talked about again making sure that what accounts are accessing the password vault that their admin accounts where they're protected with MFA making sure that the system is administrated ministered correctly because in a pen tester red teamer we want to make sure that we're testing out all these defenses and password vaults often times are not protected at the same level as say a domain controller I can tell you right now that they're not very rarely do I see an organization protecting their password vault and putting a lot of extra time and energy into it a lot of times they just stand it up and then the vulnerability or the problem with that could result in complete and total Active Directory compromised so while I'm talking about vulnerabilities there happened to be one a few months ago for cyber-ark this is an RC e so that's what about as bad as you can get right and this happened to have to do with serialize net object to the authorization HTTP header they were realized this pen test team realized that they could modify the information that was sent to the this API that's built in part of the web server and connect into it and what they
could do is they could use Y so serial in order to modify it and they could run ping on that system they can do something else on it it's pretty interesting so what about the admin
forest or the red forest what do we do with that this is meant to be the most
secure method of administering Active Directory and managing the system while it's high security configuration it's isolated from the production network with firewalls encrypted communication has a one-way trust where the production forest trusts this admin forest and ideally correctly all of the admin groups and the production forest are emptied except for the one group that's in this admin force well as attack emulators it's easy to discover this we
just needed enumerate the trust look for an outbound trust for something that looks kind of weird like that Prive or or in addition to that we enumerate the administrators group and what we see in this group is a group from this other domain and if we find that there's no other members of administrators this is very likely an admin for us which means that we're probably not going to find anyone that has really good privileges in this environment in this Active Directory forest as far as counts go but the other thing to look at is for this account we notice that it's in foreign security principles that means that it's in a different forest so that I'll tell you right away that that account or that group or as security principle is not something that you can find in that forest you'd have to try to connect to the other one and if you can't connect to the other one I do encounter numeration it's possible that it's an admin force so what do we go after we
look at agents we look at service counts one of my favorites in the situation is backups everyone overlooks backups it's the thing that we need so we're gonna make it work we're gonna make sure that it's configured we're gonna make sure it has the rights it needs backup operators gives that backup service count everything it needs so here we have a backup computer account and backup operators which doesn't make sense than me but there's also a backup 80 service account which is pretty interesting and sometimes these backup accounts are members of the administrators group for the domain because they do a lot of interesting things like per attribute recovery and so if we look at this backup server account at the top it's computer account it's in the servers oh you and a sub oh you of that called backup very likely in this environment first thing I think of is who manages the server oh you and nine times out of 10 is a group called server admins or something along those lines we can compromise one of those accounts we can compromise this computer and this service account which will enable us to jump up and potentially compromise the domain without ever touching the admin forest so if you run into an environment where you see it's locked down like this don't worry about it just kind of ignore it for now focus on the production 80 forest because nine times out of ten they have not fixed the issues that were inherent in that production eighty forest someone sold the CIO a lot of the times here's an admin for us we need this now there are some environments where an admin for us makes sense but that's outside the scope of this top
did you know this is interesting to me the Splunk Universal for adore it's often installed on their main controller it's effectively a mini version of lankan can run scripts that's pretty fascinating so I was trying to look up some more information about this and I found that there was this talk at one conference a couple years ago where someone's talking about how you can leverage the deployment server leverage Splunk to potentially run scripts run arbitrary commands so that means if Splunk is in the environment and it's installed on the main controllers depending on the configuration if we can compromise a Splunk account or an admin account we can potentially jump to our domain controllers pretty interesting so again this is a summary of the things that I just talked about but the key here is identifying the systems and agents that connect to the domain controllers what agents what services what serves counts have ability to install and run code on domain controllers and then answer isn't always obvious but we can do a lot of that discovery from Active Directory because most of this is in the directory and the problem stems from cross force administration a lot of organizations have multiple forests I'm out of time but a bunch of them do and so they have their production forests for stay and they have their production forests for speed because I'm really creative in my naming and there's a trust from force B to forest a this untrusted lower level of trust forest force B trusts all of the accounts enforced a to connect to it and connect to resources so what this how this is set up so the users enforce a connect and that means that we can have a domain admin enforced a actually administer and control and manage force be the problem here is that force B is an untrusted environment oftentimes it's in a DMZ it's a dev test environment it's for some external configurations of external system but since the domain admin account enforced a is connecting in via RDP to that force B environment the credentials are there so a forest B gets compromised or if your have that in scope and you can go after that forest to jump back to a you can compromise for us B to compromise the domain admin account to compromise the forest the problem is a lot of organizations are going by Microsoft guy it's Microsoft guidance from 10 years ago says it's this is okay they don't realize and they have an update at the documentation a lot of times to our new world of how many cats works how credentials are stored and managed in most organizations and that the compromise of this could lead to the other so the recommendations you can give your customer is to please just use a an external force account to manage that forest or use an unprivileged account in our production force to then manage that other forest this it's not necessary so let's talk about read-only to make controllers we don't need to make shows are very interesting you probably won't see them in a lot of environment some of the larger ones you will there's a very specific circumstance where a read-only will actually be deployed oftentimes at a branch office where it can't be trusted maybe it's just put next to the the reception desk or in a closet they can't trust that it's going to be well protected some environments put them in our TMZ's but ROTC's connect back into production that's not a good idea either so discovering read-only to make sure there's not that complicated we look for is read-only is true or or there's another option to do it we this one's a
little easier we can just use look for the primary group ID 521 or enumerate the membership of read only domain controllers and that will give us a list of our demands are read-only to make strollers so what's interesting about read-only is that oftentimes I find these three things set up maybe not all the time but I'd say half the time I find a configuration like this in an environment they catch more passwords that are actually required they're typically administered by our ODC admins which may include user accounts and the passwords for the DRM account which is the built-in administrator account for that single domain controller is often the same across all the DC's and the read-only two main shoulders and that's text for later so there's four key attributes on read only domain controllers that we want to enumerate one is the reveal on demand group which tells a tells the RDC and the domain controllers what can actually be replicated what accounts security principles can have their password data replicated to that our OD C and then never reveal means that these can never be replicated the revealed list is the list of the accounts that have ever had their passwords copied to that read-only - main controller read-only to make sure is it a man controller it has an N tedious that date just like the writable x' and you can extract the information from it just like a writer the authenticated - is a little interesting because this tells you the accounts that have ever authenticated to the read-only and if the read-only doesn't have the password data for that user it's going to chain up that authentication request so a nearby writable well you still know which which accounts are actually connecting to it and then based on password replication policy those are the ones that are allowed on they're allowed to have their passwords there or not so this allowed already C password policy is defined at the domain level a lot of times that's how its configured domain level all of these groups for all read only domain controllers the denied RDC passive replication group is very often default and then it's interesting because you can delegate rights of the read-only a regular server effectively so Microsoft's recommendation of mine is not to use domain admins to manage manage read-only but their full administrators on the rotc this is easy
they can do it during install or interesting layoffs we can use the manage by attribute to update who has admin rights of this server and so we
can enumerate that managed by once we get that information about who the admins are we can then enumerate the membership and we see there's ray and Poe here it's interesting because these have admin in the name but these are in the regular account so you so we can compromise one of these accounts once we do we're an admin on the read only domain controller so then we start poking around and figuring out what we
can find in this environment and we can use the GUI to see what the password caching is but I mean we can get all this information from the attribute itself are the attributes on the read-only but there's an interesting part of the GUI here and this is something that I haven't seen anyone write about before if you have admin rights in the Act directory environment you can interact with and control read-only capability and one of the things that read-only can do that most people aren't aware of is that you can pre-populate passwords on a read-only so let's think of this from a distance perspective let's say we have 80 admin rights for like five minutes what we can do is we can remove the curb teach account from the denied replicate we can remove the administrators group from the denied replicate and then we can click pre-populate and we can pre-populate and say these accounts I want you to put on this already see like now potentially we can replicate the curb TGT account password hash to our read-only that we control and if we can stay on the read-only even if they take care of everything else we have no one's going to notice this so how do we figure
out what password hashes are on a read-only well there's an attribute called MSDS revealed users it looks like this which what's very difficult to read so let's make it simpler basically here's Han Solo he's logged in a bunch of times every time he logs in the read only domain controller tries to authenticate him with the password that it has and if it can then it's good if it's not certain what's going on it will track each instance of that authentication so we can see that there is a password hash version and so the read-only will update the password that it has every time that user logs on if it needs to to make sure it has the current password for that user so we can use power show and break this down and identify all of the unique unique accounts that are on this read only two main controller and one of them is pretty interesting because it's account provisioning well that's what it sounds like an account that could have some rights so let's let's take a look at that so we look at it a little bit close more closely and it has an SSR vn8 or SVC name to it so we're going to use a
Power View function called invoke ACL scanner to look for anything in this domain that has permissions for this accounts SVC account to see what it can do and the first thing we find is that it has generic all rights to this group so view well generic all in Active Directory lingo just means full control okay so we have password hash to the service count that is full control on the group so you okay well what's in that group so you it's the RTC admins which okay I don't really care about that but there's a server admins group
at the bottom here server admins probably has rights to a bunch of things like maybe the password so we dig in a server admins and we find
that there's a group policy that's actually adding this server admins group to the local administrators group on all of the computers in the Soyo so at this point just because we compromised one user that had already see admin rights we were able to compromise all of these servers that are in this server oh you
but what else can we get what else can we find often RDC depending on the configuration and if you're thinking well already sees they don't cache passwords by default you're right they don't but pretty much 99% of the time in order to effectively use our OD sees you have to turn on password cache because it cannot authenticate users without their password data and computer accounts as well so in order for an RTC to authenticate a user they need that users password hash and the computer capacitor hash that the user is authenticated from so our DC's can be a goldmine because organizations ignore them a lot of time so let's look at this again what else can we find in here that's really interesting there's a computer account it says admin in the name let's look that let's look at that what is that well we do some discovery do some more digging in and we discover that this admin server or admin in the name is the admin server all of the admins use this server somehow this computer account password for the admin server ended up on this read-only and so
we just go ahead and dump the password hash for this account this computer account and then we can create a silver
ticket create a couple of silver tickets
and then we can do PowerShell remoting
once we have those Kerberos tickets on this on our system just because we were able to compromise that already see it get that password ash so once we get
onto that we can implant whatever we want we can start dumping credentials from Alsace because all of our admins are going to be logging on that admin server and then there's one other thing
that's pretty interesting is I mentioned the DRM account and I talked about this before the DRM account is that built-in default admin account on domain controllers when a domain admin is standing up a new domain controller they type in the credential or a password for this DM account and it's a it's account it's a break glass account in case you need to get on the domain chore typically you need to restart the domain controller in 2d SRM mode directory services restore mode in order to use this account and do anything with it but there's a registry key as of 2008 where you can login with this not not on by default but you can configure this registry key as of 2008 where you can log on to the domain controller without restarting it into this special mode you can log on from the console depending on the registry key if it's a it's set to 1 you can log on when the Active Directory services are stopped it's set to 2 you can log on anytime you want it set to 2 you can actually pass the hash using this password hash on the network and there are environments that have that configured so it is entirely possible that you could compromise the environment from just taking over a single rotc so some key recommendations here for you to give to your customers and and for red teamers and pen testers make sure that you're you're actively looking for all the 80 admins you can find see what you can discover correlate these user to admin accounts because if you're using a net session enumeration or group membership to see where users are or what computer they're logged on to you might not be seeing the full picture and there's a lot more that could be there look at MF a look at password vaults see what how they're configured poke the edges around them and then look at the already sees if there's any in the environment because they're rarely configured in a very secure manner that's been my time thank you so much for yours I think I've some time [Applause]