
Domain computers have accounts, too!

Formal Metadata

Title
Domain computers have accounts, too!
Subtitle
Owning machines through relaying and delegation
Series Title
Number of Parts
102
Author
License
CC Attribution 4.0 International:
You may use, modify, and reproduce, distribute and make publicly available the work or content, in unchanged or modified form, for any legal purpose, provided that you name the author/rights holder in the manner they specify.
Identifiers
Publisher
Year of Publication
Language

Content Metadata

Subject Area
Genre
Abstract
In Microsoft Active Directory, computers also have their accounts. We used to consider them useless when they turned up during pentests, but recent research showed that successfully relaying a machine account can actually lead to completely owning the machine. This talk will explain the foundation of such attacks and end with a demonstration of how a non-privileged domain user can get SYSTEM privileges on remote machines.

Active Directory is notorious for using long-broken protocols and preserving them for ages because of backwards compatibility. In recent years, pentesters have been realizing more and more how terrible these protocols can be, and security experts are finding more and more abuse scenarios. Take for example the NTLMv2 challenge-response protocol: it was first introduced back in Windows NT 4.0 SP4 and is still readily available on modern Windows. Apart from not being very resistant to cracking (using just a few MD5s), it turned out it's not resistant to MITM attacks at all. An attacker in a MITM position can relay any authentication attempts to almost any target. There were some mitigations for this over the years, but we are just now starting to see people actually starting to use them.

So when relaying came into existence, security researchers focused on "what can we do with this?" Obviously, if you manage to successfully relay a Domain Administrator account, you have won; but that's not always possible. Another protocol used extensively in Active Directory is Kerberos. The Microsoft implementation has several delegation/impersonation techniques available. And now, we know how to combine all these to be able to impersonate any user to a computer, given we were able to relay that computer's authentication at least once.

The talk will cover these main areas: NTLM relaying, Kerberos delegation, and getting machines to authenticate to us. All tools necessary to perform this attack will be released as impacket modules.
This talk is mainly based on research by @tifkin_ (Lee Christensen), @harmj0y (Will Schroeder), @enigma0x3 (Matt Nelson), @elad_shamir (Elad Shamir), @_dirkjan (Dirk-jan).