
SBA Live Academy - Attacks on Windows Domains and Delegation by Reinhard Kugler

Target audience: Admins, CIO
Focus: technical
Language: German

Abstract
**********
In enterprises, trust relationships are set up between Active Directory forests. Does that put your own domain at risk? The talk shows some of the more exotic attacks within Active Directory and across forest boundaries. And why printers are going to be our downfall.

About the Speaker:
*********************
Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.


  1. Classification: Public. Welcome to the SBA Live Academy #bleibdaheim #remotelearning. Today: The Forest has Eyes by Reinhard Kugler. This talk will be recorded as soon as the presentation starts! Please be sure to turn off your video in your control panel.
  2. The Forest has Eyes by Bev Doolittle
  3. (Net-)NTLM-Relay (diagram: PC, Kali, Domain Controller, NTLM-SSP, Metasploit :445, Metasploit :4444, SAMBAExplorer, Meterpreter) SBA Research gGmbH, 2020
  4. Mitigation: SMB Signing
     • the protocol feature SMB signing would mitigate man-in-the-middle attacks on SMB
     • SMB signing is only enabled on Domain Controllers (by default)
     • also back-ported to NT 4.0 and 98 ;-)
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
       RequireSecuritySignature = 1 (Required)
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
       RequireSecuritySignature = 1 (Required)
     https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/
  5. The Life of a Penetration Tester https://www.bishopfox.com/blog/2014/06/week-life-pen-tester/
  6. (no slide text extracted)
  7. How the Windows Time Service works: https://docs.microsoft.com/de-de/windows-server/networking/windows-time-service/how-the-windows-time-service-works
  8. Virtual Environment (diagram: Production, Headquarter, Tschibutti, Uganda)
  9. BloodHound: https://github.com/BloodHoundAD/BloodHound
  10. Replication (diagram: Domain Controller, dcsync, Mimikatz)
  11. Pass-the-Hash (diagram: Administrator:8846F7EAEE8FB117AD06BDD830B7586C; Administrator:8846F7EAEE8FB117AD06BDD830B7586C = Net-NTLMv2; Mimikatz https://github.com/gentilkiwi/mimikatz)
  12. Forging of Log Events
  13. Tier Model https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
  14. Kerberos tickets (diagram: Ticket Granting Ticket (TGT), Service Ticket (TGS) for HTTP/www.example.org:80) http://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more
  15. S4U (con-/unconstrained Delegation)
  16. Why Delegation (Impersonation)? (diagram: Web Application, File Shares, Database; act as logged-on (Active Directory) user; TGS, TGS)
  17. Unconstrained Delegation (diagram: impersonation as user donald@, access service as user donald@, e.g. WebDAV service runs under a service user; Service Ticket, TGT, Domain Controller (Kerberos AS/KDC)) https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
  18. Constrained Delegation (diagram: impersonation as user Administrator@, access service as user donald@, e.g. WebDAV service runs under a service user; Service Ticket, MSSQL, MSSQL/server, TGT, Domain Controller (Kerberos AS/KDC)) https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
  19. Domain compromised … is the root domain in danger? (diagram: Virtual Environment, Production, Headquarter, Tschibutti, Uganda)
  20. int.mcduck.com / int.glomgold.za (diagram: Forest Trust (two-way), Parent-Child (two-way), Kerberos Golden Ticket + Extra SIDs, ACL abuse, Delegation attack, Server with delegation enabled)
  21. How to be safe?
  22. Takeaways
     • Least privilege, roles and tiers
     • Check trust relationships
     • Test your attack scenarios!
     • Review objects with delegation attributes
     • Protected Users Security Group for Admins
  23. New attacks ahead?
  24. Microsoft Printer Bug
     https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
     https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
     https://www.youtube.com/watch?list=PLyQeLlJVTqDdBbkMHIFN8v6qrric3P38Y&v=bKko3ByTdMs&feature=emb_title
  25. Misunderstood Features and Constellations https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
  26. Professional Services: Penetration Testing, Architecture Reviews, Security Audit, Security Trainings, Incident Response Readiness, ISMS & ISO 27001 Consulting. Research & consulting under one roof. Applied Research: Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security. SBA Research knowledge transfer: SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME. Contact us: anfragen@sba-research.org
  27. #bleibdaheim #remotelearning Coming up @ SBA Live Academy: 01.04.2020, 13:00, live: "And, how is your supply chain doing today?" by Stefan Jakoubi (Supply Chain and Cyber Security). Join our MeetUp group! https://www.meetup.com/Security-Meetup-by-SBA-Research/
  28. Reinhard Kugler, SBA Research gGmbH, Floragasse 7, 1040 Wien, rkugler@sba-research.org
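Added example, not from the presentation: a PowerShell audit of the two RequireSecuritySignature values named on the "Mitigation: SMB Signing" slide, with an assumed -Enforce switch that sets them to 1. It assumes an elevated session on Windows 8 / Server 2012 or later, where the SmbShare cmdlets used for the cross-check exist.

```powershell
# Added example (not from the slides). Reads the client- and server-side SMB signing
# requirement from the registry keys shown on the SMB signing slide and, with -Enforce
# (assumed switch), makes signing mandatory on both sides.
param([switch]$Enforce)

$sides = @(
    @{ Role = 'Client (LanmanWorkstation)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' },
    @{ Role = 'Server (LanmanServer)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
)

foreach ($s in $sides) {
    # RequireSecuritySignature = 1 makes signing mandatory for this side. A missing value
    # or 0 (the default on non-DC hosts) still accepts unsigned, relayable sessions.
    $item  = Get-ItemProperty -Path $s.Key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.RequireSecuritySignature } else { 0 }
    $state = if ($value -eq 1) { 'REQUIRED' } else { 'NOT required -> NTLM relay / MITM on SMB possible' }
    Write-Host ('{0,-30} RequireSecuritySignature = {1}  ({2})' -f $s.Role, $value, $state)

    if ($Enforce -and $value -ne 1) {
        Set-ItemProperty -Path $s.Key -Name RequireSecuritySignature -Value 1 -Type DWord
        Write-Host ('{0,-30} set to 1; restart the service or reboot to apply' -f $s.Role)
    }
}

# Cross-check through the SmbShare module, which exposes the same settings.
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
```

Requiring signing on the client side is what protects workstations that are coerced into authenticating to a relay; requiring it on the server side protects the share from being the relay's target.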
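Added example, not from the presentation: an inventory of the delegation settings behind the "Unconstrained Delegation", "Constrained Delegation" and "Takeaways" slides, written in PowerShell against the RSAT ActiveDirectory module. It assumes a domain-joined session with read access to the directory, a domain that has the Protected Users group, and an optional -Server parameter of my own for picking the domain controller to query.

```powershell
# Added example (not from the slides). Lists every account whose delegation attributes
# make it relevant to the attacks in the talk, plus admins still outside Protected Users.
function Get-DelegationInventory {
    param([string]$Server)   # assumed optional parameter: DC or domain to query
    Import-Module ActiveDirectory -ErrorAction Stop
    $opt = @{}; if ($Server) { $opt.Server = $Server }

    # userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION (unconstrained);
    # msDS-AllowedToDelegateTo = constrained delegation;
    # msDS-AllowedToActOnBehalfOfOtherIdentity = resource-based constrained delegation.
    $ldap  = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
             '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'

    # Domain controllers legitimately use unconstrained delegation; anything else is a finding.
    $dcDNs    = (Get-ADDomainController -Filter * @opt).ComputerObjectDN
    $accounts = @(Get-ADComputer -LDAPFilter $ldap -Properties $props @opt) +
                @(Get-ADUser     -LDAPFilter $ldap -Properties $props @opt)

    foreach ($a in $accounts) {
        if ($a.TrustedForDelegation -and ($a.DistinguishedName -notin $dcDNs)) {
            # Every user authenticating to this host leaves a reusable TGT in its memory.
            [pscustomobject]@{ Kind = 'Unconstrained'; Name = $a.SamAccountName;
                               Class = $a.ObjectClass; Targets = '(any service)' }
        }
        if ($a.'msDS-AllowedToDelegateTo') {
            # Protocol transition lets the service impersonate users who never used Kerberos to it.
            $kind = if ($a.TrustedToAuthForDelegation) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
            [pscustomobject]@{ Kind = $kind; Name = $a.SamAccountName; Class = $a.ObjectClass;
                               Targets = ($a.'msDS-AllowedToDelegateTo' -join '; ') }
        }
        if ($a.PrincipalsAllowedToDelegateToAccount) {
            [pscustomobject]@{ Kind = 'ResourceBased'; Name = $a.SamAccountName; Class = $a.ObjectClass;
                               Targets = ($a.PrincipalsAllowedToDelegateToAccount -join '; ') }
        }
    }
}

# Members of Protected Users cannot be delegated at all, so list admins not yet in it.
function Get-AdminsOutsideProtectedUsers {
    param([string]$Server)
    $opt = @{}; if ($Server) { $opt.Server = $Server }
    $protected = (Get-ADGroupMember 'Protected Users' -Recursive @opt).distinguishedName
    Get-ADGroupMember 'Domain Admins' -Recursive @opt |
        Where-Object { $_.distinguishedName -notin $protected } |
        Select-Object SamAccountName, objectClass
}

Get-DelegationInventory | Sort-Object Kind, Name | Format-Table -AutoSize
Get-AdminsOutsideProtectedUsers | Format-Table -AutoSize
```

Run it once per domain on both sides of a trust: a server with delegation enabled in a child or trusted forest is exactly the starting point the trust slide draws.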
