Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go. Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
Seccomp Profiles and you: A practical guide.Duffie Cooley
Have you wondered what a seccomp security profile is, and how it relates to Linux Capabilities?
Folks often dismiss seccomp profiles and Capabilities as a way of hardening applications as it is too difficult to determine what syscalls are in use by a given application.
In this session we will explore a couple of tools designed to make this more approachable.
Come learn about these super powers!
Terraform is an Infrastructure Automation tools. This can work equally good for on-premises, public cloud, private cloud, hybrid-cloud and multi-cloud infrastructure.
Visit us for more at www.zekeLabs.com
Introduction to Public Key InfrastructureTheo Gravity
Adonis Fung and I worked on a project where we defined and built PKI (Public Key Infrastructure) for our local development and deployed environments. I gave a talk to our engineers on how PKI works, covering encryption, signing, trust stores, and how the HTTPS handshake works.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go. Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
Seccomp Profiles and you: A practical guide.Duffie Cooley
Have you wondered what a seccomp security profile is, and how it relates to Linux Capabilities?
Folks often dismiss seccomp profiles and Capabilities as a way of hardening applications as it is too difficult to determine what syscalls are in use by a given application.
In this session we will explore a couple of tools designed to make this more approachable.
Come learn about these super powers!
Terraform is an Infrastructure Automation tools. This can work equally good for on-premises, public cloud, private cloud, hybrid-cloud and multi-cloud infrastructure.
Visit us for more at www.zekeLabs.com
Introduction to Public Key InfrastructureTheo Gravity
Adonis Fung and I worked on a project where we defined and built PKI (Public Key Infrastructure) for our local development and deployed environments. I gave a talk to our engineers on how PKI works, covering encryption, signing, trust stores, and how the HTTPS handshake works.
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfJUSTSTYLISH3B2MOHALI
I would appreciate help with these 4 questions. Thank You.
1) Explain what the following are: root certificates, self-signed certificates. Describe how they
are used. Provide some examples of each explaining how they are used. You should be able to
find examples of each on your system by looking through various options available on your
browser.
2) Provide a listing of the fields associated with a certificate of your choosing. Use the X509
definition to match the general fields of a certificate with the certificate you choose to look at.
Describe each field.
3) Your manager is considering implementing a PKI infrastructure. They are considering using
RSA encryption technology for the central part of their infrastructure. You manager would like
to know some products or services that utilize RSA encryption technology. Provide three
examples and explain how they make use of the RSA encryption technology. Provide a few
original sentences describing each of your examples.
4) Compare the functionality offered by the RSA and Diffie-Hellman algorithms.
Solution
A Root SSL certificate could be a certificate issued by a trusty certificate authority (CA).In the
SSL system, anyone will generate a language key and sign a replacement certificate therewith
signature. However, that certificate isn\'t thought-about valid unless it\'s been directly or
indirectly signed by a trusty CA.A trusty certificate authority is Associate in Nursing entity that
has been entitled to verify that somebody is effectively World Health Organization it declares to
be. so as for this model to figure, all the participants on the sport should agree on a group of CA
that they trust. All operational systems and most of net browsers ship with a group of trusty
CAs.The SSL system is predicated on a model of trust relationship, conjointly known as “chain
of trust”. once a tool validates a certificate, it compares the certificate establishment with the list
of trusty CAs. If a match isn\'t found, the shopper can then check to check if the certificate of the
supplying CA was issued by a trusty CA, so on till the tip of the certificate chain. the highest of
the chain, the basis certificate, should be issued by a trusty Certificate Authority.
Self-signed certificates or certificates issued by a non-public CAs aren\'t appropriate to be used
with the overall public.A certificate serves two essential purpose distribute the public key and
verifying the individuality of the server so guests know they aren’t sending their information to
the wrong person. It can only properly verify the identity of the server when it is signed by a
trusted third party because any attacker can create a self-signed certificate and launch a man-in-
the-middle attack. If a user just accept a self-signed certificate, an attacker could drop on all the
traffic or try to set up an imitation server to phish additional information out of the user. Because
of this, you will approximately on no account want to use a self signe.
2010-03-30 Red Hat Identity Management, Certificate System Technical OverviewShawn Wells
Presented to DoD/IC PKI Users Group. Steps through overview of Red Hat Certificate System, covering issues such as: (1) Token Innovations; (2) Scalability and Performance; (3) High Availability and Disaster Recovery; (4) Tools and SDKs; (5) NSS Crypto Libraries; (6) New features; (7) Roadmap (certificate renewal, SELinux policies, IPv6, TPS roles....).
Cisco iso based CA (certificate authority)Netwax Lab
IOS CA is short for Certificate Authority on IOS. It's a simple, yet very powerful tool to deploy certificates
in environments where PKI is needed for security reasons.
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital
certificates. A digital certificate certifies the ownership of a public key by the named subject of the
certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the
private key that corresponds to the certified public key. In this model of trust relationships, a CA is a
trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon
the certificate.
Deploying Compliant Kubernetes: Real World Edge CasesDevOps.com
With container adoption on a meteoric rise, Kubernetes is often considered a “silver bullet” in the world of container deployment and management. While Kubernetes enables DevOps and continuous delivery – traditional compliance controls built for static environments are now a thing of the past.
So, how do you deploy a Kubernetes cluster to meet rigorous compliance requirements while maintaining DevOps speed and scale?
Katie Paugh, the DevOps Team Lead at Lola, recently went through the process when she migrated their services to Kubernetes while maintaining PCI DSS compliance. In this webinar, Katie will discuss compliance edge cases specific to Kubernetes and other lessons learned from her experience.
Certificate pinning in android applicationsArash Ramez
How to do cryptography right in android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certification validation
watch it on youtube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
In every organization, there is a growing need for a strong well-designed public key infrastructure solution and in many of these; Active Directory Certificate Services will be used. This session will guide you through a solution based on best practice, shed some light on common issues encountered and some shortcuts to assist in management with PowerShell.
One obvious side effect of migrating to a microservices architecture is the need for infrastructure automation. Unfortunately, most automation systems do not take security into consideration, making production deployments orders of magnitude more complex than the initial testbed deployment.
The perfect example of this steep increase in deployment difficulty is the creation and management of Public-Key-Infrastructures (PKI). Even though the use of TLS Certificates for service to service communication is known as a best-practice, very few companies actually deploy their systems using mutually-authenticated TLS connections.
In this talk I will go over why TLS is the right solution for service to service communication, describe ways to automate the creation and management of your PKI, and present in detail how Docker's swarm orchestration system bootstraps and manages individual node certificates.
EC PKI Training on-prem and cloud-based PKIParnashreeSaha
This presentation is an overview of the PKI training Encryption Consulting LLC provides.
In this training program, you will learn PKI from scratch including MS PKI and cloud-based PKI options.
Get more details on our website www.encryptionconsulting.com
Deeper understanding of how Kerberos works . This understanding will work as platform to understand various attacks on it. It also show cases how symmetric key algorithm is used for confidentiality. Some references are from shaun harris CISSP books, primarily the components slide
CISSPills are short-lasting presentations covering topics to study in order to prepare CISSP exam. CISSPills is a digest of my notes and doesn't want to replace a studybook, it wants to be only just another companion for self-paced students.
Every issue covers different topics of CISSP's CCBK and the goal is addressing all the 10 domains which compose CISSP.
IN THIS ISSUE:
Domain 1: Access Control
- Identity Management
- Centralised vs Decentralised Access Control
- Directories
- Single Sign-On
- Kerberos
- Kerberos Process
- Kerberos Weaknesses
- SESAME
Avaya is putting the responsibility of choosing, obtaining, installing and renewing expiring certifications on you. Are you prepared for that? David is here to talk you through the basics in understanding and deploying these critical certifications.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
3. Active Directory Certificate Services
➜ AD CS is a server role that functions as
Microsoft’s public key infrastructure (PKI)
implementation
- Used by organization for smart cards, SSL
certificates, code signing, etc.
➜ Clients send certificate signing requests
(CSRs) to an (enterprise) CA, which signs
issued certificates using the private key for
the CA certificate
3
6. Certificate Templates
➜ CAs issue certificates with “blueprint” settings defined
by certificate templates (stored as AD objects)
6
7. Subject Alternative Names (SANs)
7
➜ Allows additional identities to be bound to a
certificate beyond the Subject
➜ Can be dangerous when combined with certificates
that allow domain authentication!
- AD maps certificates to user accounts using the SAN
8. Aren’t Smartcards Required?
8
➜ No! Rubeus and Kekeo support Kerberos
authentication using certificates via PKINIT
- Schannel authentication also supports certificates (e.g., LDAPS)
10. “Passive” Certificate Theft
10
➜ If hardware protection is not used, existing
user/machine certificates are stored using DPAPI
- Mimikatz and SharpDPAPI can steal such certs/private keys
11. “Active” Certificate Theft
➜ Users/machines can enroll in any template they have
Enroll permissions for
- By default the User and Machine templates are available
➜ We want a template that allows for AD
authentication
- Lets us get a user’s TGT (and NTLM!)
- Lets us compromise a computer through RBCD/S4U2Self
➜ We can enroll through DCOM (Certify), RPC, and AD
CS web endpoints
11
13. Offensive Advantages
13
➜ Doesn’t touch lsass.exe’s memory!
➜ Doesn’t need elevation (for user contexts)!
➜ Few existing detection methods! (*currently* lesser
known technique : )
➜ Separate credential material from passwords
- Works even if an account changes its password!
- Long lifetime. By default, User/Machine templates issue
certificates valid for 1 year.
15. Template Misconfigurations:
General Requirements
➜ The Enterprise CA grants low-privileged users
enrollment rights
➜ Low privileged users can enroll in the template
- Specified by the certificate template AD object’s security
descriptor
➜ Manager approval is disabled
➜ No “authorized signatures” are required
15
16. Key Misconfiguration:
Templates that Process User-Supplied SANs
1. An attacker can specify an arbitrary SAN
when requesting a certificate
2. The certificate enables domain authentication
3. The CA creates and signs a certificate using
the attacker-supplied SAN
16
Then the attacker can become
any account in the domain!
17. Escalation Scenarios
17
➜ ESC1
- General Requirements
- [PKINIT] Client Authentication, Smart Card Logon, Any
Purpose, or No EKU (i.e., EKU allows auth)
- The ENROLLEE_SUPPLIES_SUBJECT flag
➜ ESC2
- General requirements
- The Any Purpose EKU or No EKU
➜ ESC3
- General requirements + no “enrollment agent restrictions”
- The Certificate Request Agent EKU
- Enrollment rights to template with a few other requirements
19. Escalation Scenarios (cont.)
19
➜ ESC4
- Vulnerable certificate template access control
➜ ESC5
- Vulnerable PKI object access control
➜ ESC6
- EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on a CA
- (Allows CSRs for ANY template to specify a SAN!)
➜ ESC7
- Vulnerable CA access control
- The ManageCA permission can be used to fixate ESC6
20. ESC8 - NTLM Relay to HTTP
Enrollment Endpoints
20
➜ AD CS web enrollment endpoints are optional roles
(but commonly installed)
- All of these endpoints are vulnerable to NTLM relay!
➜ If there is a user-enrollable auth template:
- Extends the window for user NTLM relay scenarios
➜ If there is a machine-enrollable auth template:
- Combine with printer bug for coerced auth
- I.e., take over ANY system in the domain running the
spooler service!
24. Stealing CA Private Keys
24
➜ If the private key for a CA’s certificate is not protected
by a TPM/HSM, it’s protected by DPAPI
- CAs sign issued certificates with this key
➜ If we can steal private key of any CA cert in
NTAuthCertificates, we can forge our own
certificates as anyone in the domain!
➜ These forged certs can’t be revoked!
- The certs are never actually “issued”!
- Forged certs work as long as the CA cert is still valid :)
26. Bonus: PKINIT -> NTLM
26
➜ As part of [MS-PKCA], for backwards compatibility a
legitimate certificate can be used to retrieve the
associated user/computer’s NTLM hash
- First publicly/offensively detailed by @gentilkiwi
- Recently integrated into Rubeus by @_ethicalchaos_ and
@exploitph
➜ If we combine this with “golden” certificates, we have
an alternative way to obtain NTLM credentials for any
active user/computer (i.e., an alternative to DCSync)
28. Summary
28
➜ AD CS has a lot of abuse potential!
- User credential theft/machine persistence
- Domain escalation and persistence
➜ Our 140 page whitepaper has complete details
- Includes extensive defensive information and additional
architectural considerations
- https://bit.ly/3xLziQ9
➜ Certify and ForgeCert are now live in the GhostPack
GitHub organization, along with PSPKIAudit for
auditing your environment
29. Acknowledgements
29
➜ Previous work (see the paper for complete details):
- Benjamin Delpy, PKISolutions, Christoph Falta, CQURE,
Keyfactor, @Elkement, Carl Sörqvist, Brad Hill
➜ Ceri Coburn and Charlie Clark for PKINIT + U2U
Rubeus additions
➜ Special thanks to Mark Gamache for collaborating
with us on parts of this work