2. About Us
• Pentesters at Black Hills Information Security
• Have a number of SANS, OffSec, and other certs…
• CitySec Meetup Organizers
• CigarCitySec – (Tampa, FL)
• CitrusSec – (Orlando, FL)
• TidewaterSec – (Hampton, VA)
• Tradecraft Security Weekly and Hacker Dialogues podcasts
• Avid OWA enthusiasts
4. I’m in…what now?
• Post exploitation is often about gathering and abusing credentials
• End user password choice is critical
• If an attacker can guess a poor password for a domain user it leads to more access and more credentials
• A domain user can gather potentially important service account hashes through Kerberos to crack offline
• User password hashes can be gathered through default enabled protocols (LLMNR) or through a crafted LNK file
5. Toolkit Collection
• Collection of tools and techniques to deter and detect credential abuse
• Password filter to prevent the usage of poor word choices for passwords (iterations of Summer2017, May082017, etc.)
• Password Auditing to further identify credential usage and configuration issues
• Centralized logging of credential usage to detect password attacks like password spraying and Kerberoasting
• Scanner to detect potential Responder type attacks
10. Insecure Password Attributes
• Passwords that don’t expire
• No password at all…
• What up my LanMan?
• Bro, do you even encrypt?
• Admin Delegation
12. CredDefense Auditor
• Adapted from DSInternals (thanks Michael!)
• https://github.com/MichaelGrafnetter/DSInternals
• Leverages AD Replication Sync
• …doesn’t write data to disk
• Just a couple clicks and you’re auditing!
18. Password Complexity
• Standard Windows Complexity:
• Eight-character minimum
• Three of the following four character types: UPPERCASE, lowercase, $peci@l, Num321c
• Change every 90 days
• What meets that…but is still easy to remember?
• CurrentSeason + CurrentYear
• The Month+Day+Year that the password was last set (yes…it happens…)
• Similar schemes involving company names
19. Prevent Weak Passwords
• Increasing length requirements helps…
• …but what about SummerSummer2017? Tricky!
• Enter: Windows Password Filter
21. CredDefense Password Filter
• Allows for easily deploying to DCs in your environment
• also allows for uninstalling the feature
• Even easier updating of password lists
• Can specify case-insensitive substrings to look for
• Winter, june, SUmmEr, etc.
26. What are you logging?
• Most of the time we find one of two scenarios with customer logging and alerting
• Every log is being shoveled into a SIEM and no one can use the data for actionable alerts
• Logs are “reviewed daily”
• There is no centralized logging and no visibility into activity in the environment
• In either case, an attacker will generally go unnoticed
27. Living off the Land for Logs
• Microsoft Windows has the built-in ability to consolidate Event Logs through Windows Event Forwarding, who knew?
• Configurable through Group Policy
• Can scale to Enterprise size
• Added bonus: can be paired with ELK for a DIY tactical SIEM
• Free
29. Collecting the Right Stuff
• NSA Spotting the adversary event list
• Sysmon (using and maintaining a configuration file)
• PowerShell Module and script block logging
• Tactical consolidation of specific data rather than cramming every system log into one place
30. Why are you talking about logs?
• Centralizing login and logout events allows for analysis of credential usage and activity
• Security Log Event IDs for authentication data
4624,4625,4648,4728,4732,4634,4735,4740,4756
• Honey Accounts
• Failed login frequency
• Blog post on details of set up
34. Kerberoast Detection
• Create a HoneyToken account that has a fake Service Principal Name for a service that no legitimate user will use
• Set-ADUser honeytoken -ServicePrincipalNames @{Add="MSSQLSvc/server161:1433"}
• Make sure not to duplicate a valid SPN
• Kerberos ticket requests logged on Domain Controller – Event 4769
• Both success and failure
HoneyToken Kerberos account described in detail at ADSecurity blog - https://adsecurity.org/?p=3513
37. Password Spraying
• An attack we use on almost all pentests
• Try 1 password attempt for every user at an organization
• We tend to spray pretty much anything (but mostly AD-related)
• Can be done on an internal domain or externally against portals such as OWA/ADFS/EWS/O365/VPN/etc…
• Generates many failed login events
38. Detect Password Spraying
• Look at failed login attempts generated from one source IP
• More than 10 failed login attempts from one host in an hour is probably bad
• Event ID 4625
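The two detection rules above, the spraying threshold (more than 10 failed logons, Event ID 4625, from one source within an hour) and the Kerberoast honeytoken check from slide 34 (any Event ID 4769 naming the honeytoken account), worked through in Python over constructed sample events. This is an added example, not code from the CredDefense toolkit; the field names follow the Security-log XML fields, and the addresses, user names and the "honeytoken" account name are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2017, 8, 1, 9, 0, 0)


def make_sample_events():
    """Constructed Security-log records (not real data), shaped like forwarded
    4625 (failed logon) and 4769 (Kerberos service ticket request) events."""
    evts = []
    # Spray pattern: one attempt per user, 12 users, one source, a few minutes.
    for i in range(12):
        evts.append({"EventID": 4625, "TimeCreated": T0 + timedelta(seconds=20 * i),
                     "TargetUserName": f"user{i:02d}", "IpAddress": "10.0.0.50"})
    # Benign: one user mistyping their own password three times.
    for i in range(3):
        evts.append({"EventID": 4625, "TimeCreated": T0 + timedelta(minutes=i),
                     "TargetUserName": "alice", "IpAddress": "10.0.0.77"})
    # Benign: a stale service password failing every 30 minutes all day
    # (12 failures total, but never more than 3 in any one-hour window).
    for i in range(12):
        evts.append({"EventID": 4625, "TimeCreated": T0 + timedelta(minutes=30 * i),
                     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.90"})
    # Kerberoast tell: a service ticket request for the honeytoken account.
    evts.append({"EventID": 4769, "TimeCreated": T0 + timedelta(hours=1),
                 "TargetUserName": "user03", "ServiceName": "honeytoken",
                 "IpAddress": "10.0.0.50"})
    return evts


def detect_spraying(events, threshold=10, window=timedelta(hours=1)):
    """Sources with more than `threshold` failed logons inside any sliding
    window of length `window`; returns {ip: (max_count, distinct_users)}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(e)
    hits = {}
    for ip, evts in by_ip.items():
        evts.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evts)):
            # Slide the window start forward until it spans at most one hour.
            while evts[end]["TimeCreated"] - evts[start]["TimeCreated"] > window:
                start += 1
            count = end - start + 1
            if count > threshold and count > hits.get(ip, (0, 0))[0]:
                users = {e["TargetUserName"] for e in evts[start:end + 1]}
                hits[ip] = (count, len(users))
    return hits


def detect_honeytoken_requests(events, honeytoken="honeytoken"):
    """Any 4769 naming the honeytoken account is a Kerberoast indicator."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4769 and e["ServiceName"].lower() == honeytoken]
```

The distinct-user count is the tell that separates a spray (many users, one source) from one person locked out of their own account.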
40. NBNS & LLMNR Spoofing
• Most pentesters should be familiar
• Responder & Inveigh are both awesome tools for this attack
• Can help an attacker obtain password hashes or even relay credentials to another system
• How do you detect this on a network?
• Some tools already exist but have a few issues with scanning large nets