We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Domain computers have accounts, too!

1
 Cite
 Share
 Related Material
 Download
 Purchase
Logo of Chaos Computer Club e.V.Chaos Computer Club e.V.
 Gocník, Jan (JaGoTu) Christensen, Lee Schroeder, Will Nelson, Matt Shamir, Elad Dirk-Jan

Formal Metadata

Title
Domain computers have accounts, too!
Subtitle
Owning machines through relaying and delegation
Title of Series
Number of Parts
102
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
In Microsoft Active Directory, computers also have their accounts. We used to consider them useless when they turned up during pentests, but recent research showed that successfully relaying a machine account can actually lead to completely owning the machine. This talk will explain the foundation of such attacks and end with a demonstration of how a non-privileged domain user can get SYSTEM privileges on remote machines. Active Directory is notorious for using long-broken protocols and preserving them for ages because backwards compatibility. In recent years, pentesters are realizing more and more how terrible these protocols can be, and security experts are finding more and more abuse scenarios. Take for example the NTLMv2 challenge-response protocol: It was first introduced back in Windows NT 4.0 SP4 and is still readily available on modern windows. Apart from not being very resistant to cracking (using just a few MD5s), it turned out it's not resistant to MITM attacks at all. An attacker in a MITM position can relay any authentication attempts to almost any target. There were some mitigitations for this over the years, but we are just now starting to see people actually starting to use them. So when relaying came to existence, security researches focused on "what can we do with this"? Obviously, if you manage to succesfully relay a Domain Administrator account, you have won; but that's not always possible. Another protocol used extensively in Active Directory is Kerberos. The Microsoft implementation has several delegation/impersonation techniques available. And now, we know how to combine all these to be able to impersonate any user to a computer, given we were able to relay that computer's authentication at least once. The talk will cover these main areas: NTLM Relaying Kerberos delegation Getting machines to authenticate to us All tools necessary to perform this attack will be released as impacket modules. This talk is mainly based on research by @tifkin_ (Lee Christensen), @harmj0y (Will Schroeder), @enigma0x3 (Matt Nelson), @elad_shamir (Elad Shamir), @_dirkjan (Dirk-jan).