CredDefense Toolkit presented at Derbycon 2017 by Beau Bullock, Brian Fehrman, and Derek Banks from Black Hills Information Security

1. Cred Defense Toolkit
Derek Banks (@0xderuke)
Beau Bullock (@dafthack)
Brian Fehrman (@fullmetalcache)

2. About Us
• Pentesters at Black Hills Information Security
• Have a number of SANS, OffSec, and other certs…
• CitySec Meetup Organizers
• CigarCitySec – (Tampa, FL)
• CitrusSec – (Orlando, FL
• TidewaterSec – (Hampton, VA)
• Tradecraft Security Weekly and Hacker Dialogues podcasts
• Avid OWA enthusiasts

3. Overview
• We are often asked by our clients how our tools and tactics used on a
pen test could have been detected or prevented
• Many post exploitation activities revolve around native windows tool
usage and credential abuse
• This talk is a combination of tools and configuration on how to detect
and prevent some of the common post exploitation techniques we
use at BHIS to gain access
• Also, the tools and techniques are free as in beer

4. I’m in…what now?
• Post exploitation is often about gathering and abusing credentials
• End user password choice is critical
• If an attacker can guess a poor password for a domain user it leads to more
access and more credentials
• A domain user can gather potentially important service account
hashes through Kerberos to crack offline
• User password hashes can be gathered through default enabled
protocols (LLMNR) or through a crafted LNK file

5. Toolkit Collection
• Collection of tools and techniques to deter and detect credential
abuse
• Password filter to prevent the usage of poor word choices for
passwords (iterations of Summer2017, May082017, etc.)
• Password Auditing to further identify credential usage and
configuration issues
• Centralized logging of credential usage to detect password attacks like
password spraying and Kerberoasting
• Scanner to detect potential Responder type attacks

6. Toolkit Framework
• Windows Presentation Foundation
• C#
• PowerShell
• …work in progress

7. Password Auditing

8. Password Auditing
• Attempt to find:
• Weak Passwords
• Insecure Password Attributes
• Password Re-use

9. Weak Passwords
• What season is it?
• Do I need a custom-built cracker?
• Company spirit?

10. Insecure Password Attributes
• Passwords that don’t expire
• No password at all…
• What up my LanMan?
• Bro, do you even encrypt?
• Admin Delegation

11. Password Reuse
• Wide-spread local admin…
• …game over!
• Shared network-accounts
• Domain Admin / Domain User

12. CredDefense Auditor
• Adapted from DSInternals (thanks Michael!)
• https://github.com/MichaelGrafnetter/DSInternals
• Leverages AD Replication Sync
• …doesn’t data write to disk
• Just a couple clicks and you’re auditing!

13. CredDefense Auditor
• Allows for specifying domain within forest

14. CredDefense Auditor
• Select DC to target

15. CredDefense Auditor
• Choose Password File and Results Output

16. CredDefense Auditor

17. Password Filter

18. Password Complexity
• Standard Windows Complexity:
• Eight-character minimum
• Three of the following four character types: UPPERCASE, lowercase, $peci@l,
Num321c
• Change every 90 days
• What meets that…but is still easy to remember?
• CurrentSeason + CurrentYear
• The Month+Day+Year that the password was last set (yes…it happens…)
• Similar schemes involving company names

19. Prevent Weak Passwords
• Increasing length requirements helps…
• …but what about SummerSummer2017? Tricky!
• Enter: Windows Password Filter

20. Password Filters
• Commercial tools exist
• Few open source tools…
• Password filter here based on:
• https://github.com/jephthai/OpenPasswordFilter

21. CredDefense Password Filter
• Allows for easily deploying to DCs in your environment
• also allows for uninstalling the feature
• Even easier updating of password lists
• Can specify case-insensitive substrings to look for
• Winter, june, SUmmEr, etc.

22. CredDefense Password Filter
• Select Install/Uninstall or Update

23. CredDefense Password Filter
• Installing / Uninstalling

24. CredDefense Password Filter
• Edit Password List and Deploy Update to all Configured
DCs!

25. Foundation For Alerts
Endpoint Log Consolidation

26. What are you logging?
• Most of the time we find one of two scenarios with customer logging
and alerting
• Every log is being shoveled into a SEIM and no one can use the data
for actionable alerts
• Logs are “reviewed daily”
• There is no centralized logging and no visibility into activity in the
environment
• In either case, an attacker generally will generally go unnoticed

27. Living of the Land for Logs
• Microsoft Windows has the built in ability to consolidate Event Logs
through Windows Event Forwarding, who knew?
• Configurable through Group Policy
• Can scale to Enterprise size
• Added bonus: can be paired with ELK for a DIY tactical SEIM
• Free

28. Eyechart

29. Collecting the Right Stuff
• NSA Spotting the adversary event list
• Sysmon (using and maintaining configuration
file)
• PowerShell Module and script block logging
• Tactical consolidation of specific data rather than cramming
every system log into one place

30. Why are you talking about logs?
• Centralizing login and logout events allows for analysis of credential
usage and activity
• Security Log Event IDs for authentication data
4624,4625,4648,4728,4732,4634,4735,4740,4756
• Honey Accounts
• Failed login frequency
• Blog post on details of set up

31. Data Analysis
• This architecture allows for multiple types of analysis tools
• PowerShell and C# on the WEF server parsing event data
• Kibana searches and visualizations from ELK
• For example potential password spraying detection dashboard

32. Kerberoasting Detection

33. Kerberoasting
• Ability for any domain user to query the domain for a Service
Principal Name for an account associated with running a service
• A request to authenticate over Kerberos results in a service ticket
where a portion is encrypted with the service account hash
• Effectively any domain user can get a hash of a service account with
an SPN and take the resulting ticket offline and attempt to crack it
https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-
%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf

34. Kerberoast Detection
• Create a HoneyToken account that has a fake Service Principal Name
for a service that no legitimate user will use
• Set-ADUser honeytoken -ServicePrincipalNames
@{Add="MSSQLSvc/server161:1433"}
• Make sure not to duplicate a valid SPN
• Kerberos ticket requests logged on Domain Controller – Event 4769
• Both success and failure
HoneyToken Kerberos account described in detail at ADSecurity blog - https://adsecurity.org/?p=3513

35. Kerberoasting Detection
• No legitimate user will request a Kerberos ticket for the HoneyToken
account
• Event ID 4769 logs account name in ServiceName field
• Invoke-CredDefenseEventParser detects this as possible Kerberoasting

36. Password Spraying

37. Password Spraying
• An attack we use on almost all
pentests
• Try 1 password attempt for every
user at an organization
• We tend to spray pretty much
anything (but mostly AD-related)
• Can be done on an internal domain
or externally against portals such as
OWA/ADFS/EWS/O365/VPN/etc…
• Generates many failed login events

38. Detect Password Spraying
• Look at failed login attempts generated from one source IP
• More than 10 failed login attempts from one host in an hour is
probably bad
• Event ID 4625

39. ResponderGuard

40. NBNS & LLMNR Spoofing
• Most pentesters should be familiar
• Responder & Inveigh are both
awesome tools for this attack
• Can help an attacker obtain
password hashes or even relay
credentials to another system
• How you detect this on a network?
• Some tools already exist but have a
few issues with scanning large nets

41. ResponderGuard
• PowerShell tool implemented into CredDefense but also functions as
a standalone script
• Can scan across multiple subnets
• Alerts immediately upon receiving a response to a crafted NBNS
request
• Writes to the Windows Event log
• Has HoneyToken capabilities for additional detection
• https://github.com/CredDefense/CredDefense/blob/master/scripts/ResponderGuard.ps1

42. ResponderGuard

43. Responder Output

44. Windows Event Log

45. References and Links
• Endpoint Log Consolidation:
• https://joshuadlewis.blogspot.com/2014/10/advanced-
threat-detection-with-sysmon_74.html
• https://blogs.technet.microsoft.com/jepayne/2015/11/23
/monitoring-what-matters-windows-event-forwarding-for-
everyone-even-if-you-already-have-a-siem/
• Kerberoasting Detection:
• https://adsecurity.org/?p=3513
• Password Spraying:
• https://www.youtube.com/watch?v=xB26QhnL64c
• DSInternals:
• https://github.com/MichaelGrafnetter/DSInternals
• Password Filtering:
• https://github.com/jephthai/OpenPasswordFilter

46. Conclusions
• We tend to be very successful using
many of the same old attacks
• Most “solutions” for fixing these
problems tend to be expensive and
hard to implement
• Our goal was to develop a
modularized toolkit that could be
utilized to help make us as pentesters
(and real attackers) less successful

47. Questions
• https://github.com/CredDefense/CredDefense
• A blog post explaining the setup will be here:
• https://www.blackhillsinfosec.com/blog/
• Derek Banks (@0xderuke)
• Beau Bullock (@dafthack)
• Brian Fehrman (@fullmetalcache)