Externally Testing Modern Active Directory Domains
Karl Fosaaen
Introductions
• Who am I?
‒ Karl Fosaaen
• What do I do?
‒ Wear lots of hats
‒ Pen Testing
‒ Password Cracking
‒ Social Engineering
‒ Blog
‒ DEF CON Swag Goon
‒ Pinball Repair
Slides Overview
• Intro
• Domain Enumeration
• Authentication Endpoint Enumeration
‒ Graph API
‒ ADFS
‒ Office 365
• Microsoft Online login
• Exchange
• Skype for Business
• Pivoting to the internal network
• Attack Mitigations
• Conclusions
Intro
• Standard ExPen Process
‒ Enumeration of domain info
• Services
• Username/Email recon
‒ Exploitation of issues
• Phishing
• Web Vulnerabilities
• Weak/Default logins
‒ Pivot to internal network
‒ Escalate internally
Domain Enumeration
Domain Federation Overview
Federation can mean many things
‒ Domain to Domain
‒ Domain to Microsoft
‒ Arbitrary meanings based on forum posts
Managed Domain Overview
Diagram of (Managed) O365 federation
Federated Domain Overview
Diagram of (Federated) O365 federation
Domain Enumeration
Side Note:
• Office365 had an Authentication Bypass issue
‒ Insecure SAML assertions
‒ Affected all federated Office365 domains
‒ They called out this method in their blog post
Source:
http://www.economyofmechanism.com/office365-authbypass.html
Domain Enumeration
• Using Microsoft Online
Domain Enumeration
• Example user check request
Domain Enumeration
• Microsoft’s Responses
‒ Federated Domain
‒ Microsoft Managed Domain
Domain Enumeration
• Grab the PowerShell script from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
Domain Enumeration
‒ Federated Domain
‒ Microsoft Managed Domain
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
Domain Enumeration
• Multiple domains at once
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
Domain Enumeration
• What’s the current exposure?
‒ 47,455 (4.7%) of the top 1 Million have “ms=ms*” DNS records
• Personal Experience
‒ Managed 50% / Federated 40% / Neither 10%
Authentication Endpoint Enumeration
Graph API
Graph API Overview
• Using the Graph API
‒ This works for federated and managed domains
Graph API – Credential Brute Forcing
• Using the Graph API
$token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE
Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
*Requires Azure AD PowerShell Modules
Graph API – Credential Brute Forcing
• Using the Graph API
Graph API – User Enumeration
• Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users
Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
ADFS
ADFS Overview
Active Directory Federation Services (AD FS) “is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.”
Source:
https://msdn.microsoft.com/en-us/library/bb897402.aspx
ADFS – Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Federated Domain
ADFS – Credential Brute Forcing
• Invoke-ADFSSecurityTokenRequest*
Invoke-ADFSSecurityTokenRequest `
    -ClientCredentialType UserName `
    -ADFSBaseUri https://adfs.example.com/ `
    -AppliesTo https://adfs.example.com/adfs/services/trust/13/usernamemixed `
    -UserName 'karl.fosaaen' `
    -Password 'Winter2016' `
    -Domain 'example.com' `
    -OutputType Token `
    -SAMLVersion 2 `
    -IgnoreCertificateErrors
https://blogs.msdn.microsoft.com/besidethepoint/2012/10/17/request-adfs-security-token-with-powershell/
ADFS – User Enumeration
• Go back a few slides to the GraphAPI information
Office365
Office365 Overview
• Office365
‒ Azure AD
‒ Exchange
‒ Skype for Business
• Credential Brute Force
• User Enumeration
Setting Up Your Test Environment
• Install the Azure AD PowerShell Module
• https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
Office365 - Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Microsoft Managed Domain
Office365 - Credential Brute Forcing
• Connect-msolservice – AzureAD PS Module
Office365 – User Enumeration
1. $msolcred = Get-Credential
2. Connect-MsolService -Credential $msolcred
3. Get-MsolUser -All | ft -AutoSize
• This also works for apps (Web/Thick) using AzureAD for account management
Office365 - Exchange
• If the domain uses Office365, you can most likely connect to Office365 Exchange with PowerShell
Exchange – Credential Brute Forcing
$PWord = ConvertTo-SecureString -String 'Summer2016' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "test@example.com", $PWord
Exchange – Credential Brute Forcing
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credentials -Authentication Basic -AllowRedirection
Import-PSSession $Session
Exchange – User Enumeration
Invoke-Command `
    -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $credentials `
    -Authentication Basic -AllowRedirection `
    -ScriptBlock {Get-Recipient -ResultSize unlimited} |
    Export-CSV C:\temp\email_users.csv -NoTypeInformation
Skype For Business – Overview
• Formerly Lync, now Skype for Business
• Commonly Federated with other domains
‒ Great for credential guessing, user enumeration, and social engineering
Skype For Business – Tools
• Grab the PowerShell modules from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
Skype For Business – Credential Brute Forcing
‒ Get-SkypeLoginURL
• In progress
‒ Invoke-SkypeLogin
‒ Credit to @Nyxgeek for the auth endpoints
Skype For Business – Blind User Enumeration
• Using a federated Skype account, we can enumerate other federated Skype users
• Just open a chat with them
Skype For Business – Blind User Enumeration
• Or we can just chat with these CEOs
Skype For Business – Blind User Enumeration
• Blind user enumeration (email confirmation) requires the SDK
‒ Also requires a signed-in federated user
• You can use guessed credentials (autodiscover)
• Or pay Microsoft for a cheap federated account
• ~$6/month
Skype For Business – Tools
• Install Skype for Business and the Lync SDK
‒ Requires Visual Studio 2010 for the easiest install
https://www.microsoft.com/en-us/download/details.aspx?id=36824
Skype For Business – Blind User Enumeration
• Let’s just wrap it with PowerShell
Get-SkypeStatus -inputFile test_emails.txt | ft -AutoSize
Skype For Business – Blind User Enumeration
Demo
• Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize
• It helps if we run it a couple of times…
Skype For Business – Blind User Enumeration
Skype4Business – Authenticated User Enumeration
• Or if it’s autodiscover enabled, you can list the users from the Skype user’s contact list
Pivoting to the Internal Network
Pivoting to the Internal Network – Exchange
• Attacking Email Accounts
‒ If Autodiscover is enabled, adding an account can be done from anywhere
‒ Email is interesting, but I’d like a shell
‒ This cannot be done programmatically with PowerShell (*Easily)
‒ “Malicious Outlook Rules”
• Nick Landers – Silent Break Security
‒ “MAPI over HTTP and Mailrule Pwnage”
• Etienne - sensepost
Pivoting to the Internal Network – Skype
• Send messages from OWA or Skype for Business
‒ Autodiscover is also handy here
‒ People will trust their co-workers
• “Can you look over this word doc for me?”
Pivoting to the Internal Network – Skype
Demo
• Get-SkypeStatus -email karl.fosaaen@netspi.com
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello from Derbycon"
• for ($i = 0; $i -lt 10; $i++){Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello $i"}
Pivoting to the Internal Network – Skype
Pivoting to the Internal Network – VPN
• Single Factor VPN Example
‒ Enumerated user emails on LinkedIn
‒ Guessed passwords against MSOnline with PowerShell
‒ Enumerated VPN interfaces
‒ Logged in with guessed credentials
‒ GPP -> Local admin on DA system
‒ DCSync
• “Store passwords using reversible encryption”
Pivoting to the Internal Network – Other
• Other Routes
‒ Single Factor Services
• Management Protocols
• RDP
• SSH
• Terminal Services – Web Based
• Citrix
• VDI
• Etc.
Pivoting to the Internal Network – OneDrive
• Malicious OneDrive Documents
‒ Can’t use macros in the online version of excel
Pivoting to the Internal Network - SharePoint
• Malicious SharePoint Documents
‒ Same concept as OneDrive, just a different platform
‒ Backdoor a document
‒ Edit pages
Attack Mitigations
Attack Mitigations
• Enable dual-factor authentication for external endpoints*
*On all channels
Attack Mitigations
• Limit federation to trusted domains
• Limit exposed services surface area
• Monitor your Federated and Azure endpoints
• Enforce strong password requirements
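For the monitoring bullet above, an added example (not code from the talk or from NetSPI) that pools sign-in attempts from every external endpoint per source address and flags the spray shape the deck describes: many accounts, few tries each. The log format, thresholds and sample lines are assumptions constructed for this example.

```python
"""Spray detection over external AD authentication endpoints.

Added example for the 'Monitor your Federated and Azure endpoints'
mitigation; it is not code from the talk or from NetSPI. The log format
below is an assumption made for this example (one line per attempt):
    <ISO-8601 UTC timestamp> <endpoint> <source_ip> <user> <SUCCESS|FAILURE>
The sample lines are constructed, not captured from a real tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: 203.0.113.7 tries one guess against six accounts,
# hopping between the AD FS, MSOnline, Exchange and Skype endpoints so that
# no single endpoint sees many failures; 198.51.100.2 hammers one account;
# 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2016-10-01T08:00:01Z adfs     203.0.113.7  alice@example.com FAILURE
2016-10-01T08:00:04Z adfs     203.0.113.7  bob@example.com   FAILURE
2016-10-01T08:00:09Z msol     203.0.113.7  carol@example.com FAILURE
2016-10-01T08:00:13Z exchange 203.0.113.7  dave@example.com  FAILURE
2016-10-01T08:00:18Z skype    203.0.113.7  erin@example.com  FAILURE
2016-10-01T08:00:22Z adfs     203.0.113.7  frank@example.com SUCCESS
2016-10-01T08:01:00Z adfs     198.51.100.2 alice@example.com FAILURE
2016-10-01T08:01:30Z adfs     198.51.100.2 alice@example.com FAILURE
2016-10-01T09:15:00Z exchange 192.0.2.44   bob@example.com   SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, ip, user, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "endpoint": endpoint,
            "ip": ip,
            "user": user.lower(),
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: finding} for every source that tried at least
    `min_users` distinct accounts within `window`.

    Attempts are pooled across endpoints on purpose: the deck lists several
    externally reachable logins for one directory, and a spray that rotates
    between them keeps each endpoint's own counters low. Per-account failure
    counts are not used either, since a spray stays under the lockout
    threshold by design; the signal is account breadth per source.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window so attempts[start:end+1] spans at most `window`
            while attempts[end]["time"] - attempts[start]["time"] > window:
                start += 1
            users_in_window = {a["user"] for a in attempts[start:end + 1]}
            if len(users_in_window) >= min_users:
                findings[ip] = {
                    "users": sorted({a["user"] for a in attempts}),
                    "endpoints": sorted({a["endpoint"] for a in attempts}),
                    # accounts the source actually got into: reset these first
                    "compromised": sorted({a["user"] for a in attempts if a["ok"]}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The single-account hammering from 198.51.100.2 is deliberately not flagged here; lockout policy and a per-account counter cover that shape, while this detector covers the one that lockout does not.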
Conclusions
Conclusions
• Lots of authentication endpoints on the Internet
• There’s always a $SEASON$YEAR password out there
• There are several ways to pivot internally with credentials
• MFA will help reduce your risk
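For the $SEASON$YEAR point above and the strong-password mitigation, an added example (not code from the talk or from NetSPI) that rejects that password family in a policy check; the banned words, substitution table and sample passwords are assumptions constructed for it.

```python
"""Flag the '$SEASON$YEAR' password family the talk warns about.

Added example for the 'Enforce strong password requirements' mitigation and
the '$SEASON$YEAR' conclusion; it is not code from the talk or from NetSPI.
The banned base words and substitution table are assumptions chosen for
this example; a real deployment would add the organisation's own name,
product names and local terms.
"""
import re

BANNED_WORDS = frozenset(
    ("spring", "summer", "autumn", "fall", "winter",
     "january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december",
     "password", "welcome")
)

# Undo the substitutions people use to get past complexity rules.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Trailing decoration that adds a symbol without adding any entropy.
TRAILING_PUNCT = "!@#$%^&*.?_-"


def seasonal_pattern(password):
    """Return (base_word, year_or_None) when `password` is a banned base
    word, optionally followed by a 2- or 4-digit year and trailing
    punctuation, with common letter substitutions undone; otherwise None.

    Examples: Winter2016 -> ('winter', '2016'); Summ3r16 -> ('summer', '16');
    Winterfell -> None.
    """
    core = password.rstrip(TRAILING_PUNCT)
    # non-greedy word so that a trailing 2/4-digit run is taken as the year
    match = re.fullmatch(r"(.+?)(\d{2}|\d{4})?", core)
    if not match:
        return None
    word = match.group(1).lower().translate(LEET)
    if word in BANNED_WORDS:
        return word, match.group(2)
    return None


def audit(passwords):
    """Return [(password, base_word, year), ...] for every weak entry."""
    flagged = []
    for pw in passwords:
        hit = seasonal_pattern(pw)
        if hit:
            flagged.append((pw, hit[0], hit[1]))
    return flagged


# Constructed sample list; the first five are the shapes the deck describes.
SAMPLE_PASSWORDS = [
    "Winter2016", "Summer2016!", "Summ3r16", "Fall2017", "W1nter2015#",
    "P@ssw0rd", "Winterfell", "correct horse battery staple", "xk9$Qm2!pL",
]

if __name__ == "__main__":
    for pw, word, year in audit(SAMPLE_PASSWORDS):
        print(f"{pw!r}: base word {word!r}, year {year}")
```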
Next Steps
• Yet another framework for pen testing…
‒ Enumerate all of the potential AD authentication endpoints for a domain
• And again, AutoDiscover is handy here
‒ Include credential brute force methods for each interface type
‒ Easy mode, autopwn, etc.
• Give it a domain, user list, and go for it
‒ Try to keep it dependency free
• Easier to use
• More portable
Questions
Questions?
Karl Fosaaen
@kfosaaen
https://blog.netspi.com
https://github.com/netspi
http://www.slideshare.net/kfosaaen

Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Externally Testing Modern AD Domains - Arcticcon

Domain Enumeration
• What’s the current exposure?
‒ 47,455 (4.7%) of the top 1 Million have “ms=ms*” DNS records
• Personal Experience
‒ Managed / Federated / Neither: 50% / 40% / 10%
Graph API Overview
• Using the Graph API
‒ This works for federated and managed domains
Graph API – Credential Brute Forcing
• Using the Graph API
$token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE
Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
*Requires Azure AD PowerShell Modules
Graph API – Credential Brute Forcing
• Using the Graph API
Graph API – User Enumeration
• Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users
Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
ADFS
ADFS Overview
Active Directory Federation Services (AD FS) “is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.”
Source: https://msdn.microsoft.com/en-us/library/bb897402.aspx
ADFS – Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Federated Domain
ADFS – Credential Brute Forcing
• Invoke-ADFSSecurityTokenRequest*
Invoke-ADFSSecurityTokenRequest -ClientCredentialType UserName -ADFSBaseUri https://adfs.example.com/ -AppliesTo https://adfs.example.com/adfs/services/trust/13/usernamemixed -UserName 'karl.fosaaen' -Password 'Winter2016' -Domain 'example.com' -OutputType Token -SAMLVersion 2 -IgnoreCertificateErrors
https://blogs.msdn.microsoft.com/besidethepoint/2012/10/17/request-adfs-security-token-with-powershell/
ADFS – User Enumeration
• Go back a few slides to the GraphAPI information
Office365 Overview
• Office365
‒ Azure AD
‒ Exchange
‒ Skype for Business
• Credential Brute Force
• User Enumeration
Setting Up Your Test Environment
• Install the Azure AD PowerShell Module
• https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
Office365 – Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Microsoft Managed Domain
Office365 – Credential Brute Forcing
• Connect-MsolService – AzureAD PS Module
Office365 – User Enumeration
1. $msolcred = Get-Credential
2. Connect-MsolService -Credential $msolcred
3. Get-MsolUser -All | ft -AutoSize
• This also works for apps (Web/Thick) using AzureAD for account management
Office365 – Exchange
• If the domain uses Office365, you can most likely connect to Office365 Exchange with PowerShell
Exchange – Credential Brute Forcing
$PWord = ConvertTo-SecureString -String 'Summer2016' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "test@example.com", $PWord
Exchange – Credential Brute Forcing
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credentials -Authentication Basic -AllowRedirection
Import-PSSession $Session
Exchange – User Enumeration
Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credentials -Authentication Basic -AllowRedirection -ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:\temp\email_users.csv -NoTypeInformation
Skype For Business – Overview
• Formerly Lync, now Skype for Business
• Commonly Federated with other domains
‒ Great for credential guessing, user enumeration, and social engineering
Skype For Business – Tools
• Grab the PowerShell modules from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
Skype For Business – Credential Brute Forcing
‒ Get-SkypeLoginURL
• In progress
‒ Invoke-SkypeLogin
‒ Credit to @Nyxgeek for the auth endpoints
Skype For Business – Blind User Enumeration
• Using a federated Skype account, we can enumerate other federated Skype users
• Just open a chat with them
Skype For Business – Blind User Enumeration
• Or we can just chat with these CEOs
Skype For Business – Blind User Enumeration
• Blind user enumeration (email confirmation) requires the SDK
‒ Also requires a signed-in federated user
• You can use guessed credentials (autodiscover)
• or pay Microsoft for a cheap federated account
• ~$6/month
Skype For Business – Tools
• Install Skype for Business and the Lync SDK
‒ Requires Visual Studio 2010 for the easiest install
https://www.microsoft.com/en-us/download/details.aspx?id=36824
Skype For Business – Blind User Enumeration
• Let’s just wrap it with PowerShell
Get-SkypeStatus -inputFile test_emails.txt | ft -AutoSize
Skype For Business – Blind User Enumeration
Skype For Business – Blind User Enumeration Demo
• Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize
• It helps if we run it a couple of times…
Skype For Business – Blind User Enumeration
Skype4Business – Authenticated User Enumeration
• Or if it’s autodiscover enabled, you can list the users from the Skype user’s contact list
Pivoting to the Internal Network
Pivoting to the Internal Network – Exchange
• Attacking Email Accounts
‒ If Autodiscover is enabled, adding an account can be done from anywhere
‒ Email is interesting, but I’d like a shell
‒ This cannot be done programmatically with PowerShell (*Easily)
‒ “Malicious Outlook Rules”
• Nick Landers – Silent Break Security
‒ “MAPI over HTTP and Mailrule Pwnage”
• Etienne – SensePost
Pivoting to the Internal Network – Skype
• Send messages from OWA or Skype for Business
‒ Autodiscover is also handy here
‒ People will trust their co-workers
• “Can you look over this word doc for me?”
Pivoting to the Internal Network – Skype Demo
• Get-SkypeStatus -email karl.fosaaen@netspi.com
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello from Derbycon"
• for ($i = 0; $i -lt 10; $i++){Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello $i"}
Pivoting to the Internal Network – Skype
Pivoting to the Internal Network – Skype
Pivoting to the Internal Network – VPN
• Single Factor VPN Example
‒ Enumerated user emails on LinkedIn
‒ Guessed passwords against MSOnline with PowerShell
‒ Enumerated VPN interfaces
‒ Logged in with guessed credentials
‒ GPP -> Local admin on DA system
‒ DCSync
• “Store passwords using reversible encryption”
Pivoting to the Internal Network – Other
• Other Routes
‒ Single Factor Services
• Management Protocols
• RDP
• SSH
• Terminal Services – Web Based
• Citrix
• VDI
• Etc.
Pivoting to the Internal Network – OneDrive
• Malicious OneDrive Documents
‒ Can’t use macros in the online version of Excel
Pivoting to the Internal Network – SharePoint
• Malicious SharePoint Documents
‒ Same concept as OneDrive, just a different platform
‒ Backdoor a document
‒ Edit pages
Attack Mitigations
• Enable dual factor authentication for external endpoints*
*On all channels
Attack Mitigations
• Limit federation to trusted domains
• Limit exposed services surface area
• Monitor your Federated and Azure endpoints
• Enforce strong password requirements
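The credential brute forcing shown earlier against the Graph API, ADFS, Microsoft Online and Exchange endpoints all looks the same from the monitoring side: one source, many accounts, one or two guesses each, which per-account lockout never trips. As an added example (not from the talk or NetSPI's tools), this Python flags that spray pattern in sign-in records; the record format, field names and sample entries are constructed for the demo.

```python
"""Password-spray detection over sign-in records (added example, not from
the talk or NetSPI's tools).  The record format, field names and sample
data are constructed; map them onto your real ADFS / Azure AD / Exchange
Online sign-in export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source ip> <user> <result>".  The first
# source tries six accounts once each (one guess lands); the second is one
# user mistyping their own password, which per-account lockout already covers.
SAMPLE_LOG = """\
2016-10-17T08:00:01Z 203.0.113.10 alice@example.com FAIL
2016-10-17T08:00:09Z 203.0.113.10 bob@example.com FAIL
2016-10-17T08:00:17Z 203.0.113.10 carol@example.com FAIL
2016-10-17T08:00:25Z 203.0.113.10 dave@example.com FAIL
2016-10-17T08:00:33Z 203.0.113.10 erin@example.com SUCCESS
2016-10-17T08:00:41Z 203.0.113.10 frank@example.com FAIL
2016-10-17T08:05:00Z 198.51.100.7 grace@example.com FAIL
2016-10-17T08:05:20Z 198.51.100.7 grace@example.com FAIL
2016-10-17T08:05:40Z 198.51.100.7 grace@example.com SUCCESS
"""

def parse(log_text):
    """Yield (time, source_ip, user, result) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result

def detect_sprays(log_text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts with only a few
    attempts per account inside one window.  Per-account lockout alerting
    misses this because no single account crosses its threshold.
    Returns {source_ip: {"users": n, "successes": [user, ...]}}."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        for i, (t0, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            fails = defaultdict(int)
            for _, _, user, result in in_window:
                if result == "FAIL":
                    fails[user] += 1
            sprayed = [u for u, n in fails.items() if n <= max_per_user]
            if len(sprayed) >= min_users:
                # A success inside a spray window is the account to reset first.
                hits = sorted({u for _, _, u, r in in_window if r == "SUCCESS"})
                flagged[ip] = {"users": len(sprayed), "successes": hits}
                break
    return flagged
```

Run the same logic per user-agent or per ASN as well as per source IP; sprays that rotate addresses still share those.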
Conclusions
• Lots of authentication endpoints on the Internet
• There’s always a $SEASON$YEAR password out there
• There are several ways to pivot internally with credentials
• MFA will help reduce your risk
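The $SEASON$YEAR observation maps directly onto the "Enforce strong password requirements" mitigation. As an added example (not from the talk), here is a check for that pattern suitable for a custom banned-password list; the leet substitutions, separators and year window are assumptions chosen for the demo.

```python
"""Banned-password check for the $SEASON$YEAR pattern (added example, not
from the talk).  The leet substitutions, separators and year window are
assumptions chosen for the demo, not a published policy."""
import re

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
# Substitutions people use to satisfy complexity rules without changing the word.
_LEET = str.maketrans("013457@$!", "oieastasi")
# season word, optional separator, 2- or 4-digit year, optional trailing symbols
_PATTERN = re.compile(r"^(?P<word>[a-z0-9@$!]+?)[-_. ]?(?P<year>(?:19|20)?\d{2})[^a-z0-9]*$")

def seasonal_year_match(password):
    """Return (season, year) when the password is a season name followed by a
    year, allowing case, leet spelling, a separator and trailing symbols;
    otherwise None."""
    m = _PATTERN.match(password.lower())
    if not m:
        return None
    word = m.group("word").translate(_LEET)
    if word not in SEASONS:
        return None
    year = m.group("year")
    if len(year) == 2:  # "16" -> 2016, "98" -> 1998 (assumed pivot at 70)
        year = ("20" if int(year) < 70 else "19") + year
    return word, int(year)

def is_banned(password, current_year, span=5):
    """True when the password is a season plus a year within `span` years of
    now, the form the talk says is always present in a large user base."""
    hit = seasonal_year_match(password)
    return hit is not None and abs(hit[1] - current_year) <= span
```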
Next Steps
• Yet another framework for pen testing…
‒ Enumerate all of the potential AD authentication endpoints for a domain
• And again, AutoDiscover is handy here
‒ Include credential brute force methods for each interface type
‒ Easy mode, autopwn, etc.
• Give it a domain, user list, and go for it
‒ Try to keep it dependency free
• Easier to use
• More portable