This document discusses exploiting trust relationships and group policies to escalate privileges on a Windows system with full disk encryption. It describes exploiting MS15-122 and MS16-014 to poison the credential cache and authenticate to a rogue domain controller. Group policies can then be used to run applications with SYSTEM privileges and extract credentials or encryption keys before Windows fully loads. While Windows 10 provides some improvements, similar vulnerabilities were still present until MS16-072 was released after several months.
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the defacto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the defacto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
PS>Attack is designed to make it easy for Penetration Testers to incorporate PowerShell into their bag of tricks. Its a custom PowerShell console packed with some of the best offensive tools available. It's designed to be easy to use and opsec safe.
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Socially Acceptable Methods to Walk in the Front DoorMike Felch
With initial access vectors getting scarce and the threat landscape evolving at a rapid pace, red teams are beginning to reconsider their angle of pursuit. This has caused old means of entry to be revisited in new ways while also paving the way for new entry techniques for emerging technologies. We will introduce novel approaches to gaining remote read and write access to a users Microsoft Windows file system for exfiltrating sensitive files and planting droppers. Additionally, we will share some unique research on Microsoft Azure tokens and compromising access with minimal effort leading to cloud pivoting opportunities. Attendees can expect to learn about some new red team tradecraft for traditional technologies, innovative tradecraft for emerging cloud environments, and a handful of offsec tools designed to regain traction with initial access.
This talk was given live at WWHF 2021.
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
Attacking Windows Authentication and BitLocker Full Disk EncryptionIan Haken
Presented at BSides Seattle 2015 on February 20, 2016, this talk discusses vulnerabilities MS15-122 and MS16-014 and how they can be exploited to attack Windows authentication and BitLocker full disk encryption.
See also https://github.com/JackOfMostTrades/bluebox .
Level Up! - Practical Windows Privilege Escalationjakx_
For attackers, obtaining access to a Windows workstation with limited privileges can really put a damper on your day. Low privileged access can be a roadblock for even the most skilled "undocumented administrators". Local administrator access to a windows machine within an active directory domain often results in the ability to compromise the whole domain. This talk will walk through how attackers and defenders can learn to identify and exploit practical Windows privilege escalation vectors on the Windows 7 OS.
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
PS>Attack is designed to make it easy for Penetration Testers to incorporate PowerShell into their bag of tricks. Its a custom PowerShell console packed with some of the best offensive tools available. It's designed to be easy to use and opsec safe.
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Socially Acceptable Methods to Walk in the Front DoorMike Felch
With initial access vectors getting scarce and the threat landscape evolving at a rapid pace, red teams are beginning to reconsider their angle of pursuit. This has caused old means of entry to be revisited in new ways while also paving the way for new entry techniques for emerging technologies. We will introduce novel approaches to gaining remote read and write access to a users Microsoft Windows file system for exfiltrating sensitive files and planting droppers. Additionally, we will share some unique research on Microsoft Azure tokens and compromising access with minimal effort leading to cloud pivoting opportunities. Attendees can expect to learn about some new red team tradecraft for traditional technologies, innovative tradecraft for emerging cloud environments, and a handful of offsec tools designed to regain traction with initial access.
This talk was given live at WWHF 2021.
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
Attacking Windows Authentication and BitLocker Full Disk EncryptionIan Haken
Presented at BSides Seattle 2015 on February 20, 2016, this talk discusses vulnerabilities MS15-122 and MS16-014 and how they can be exploited to attack Windows authentication and BitLocker full disk encryption.
See also https://github.com/JackOfMostTrades/bluebox .
Level Up! - Practical Windows Privilege Escalationjakx_
For attackers, obtaining access to a Windows workstation with limited privileges can really put a damper on your day. Low privileged access can be a roadblock for even the most skilled "undocumented administrators". Local administrator access to a windows machine within an active directory domain often results in the ability to compromise the whole domain. This talk will walk through how attackers and defenders can learn to identify and exploit practical Windows privilege escalation vectors on the Windows 7 OS.
Do you know? Your data can be misused. you can use different type of encryption to protect data. You can protect your private and important data using three methods.
"Les organisations de toute taille s’appuient sur un nombre croissant de services dans le Cloud pour assoir les nouveaux usages et modèles d’affaire dans le cadre de leur transformation numérique. Au-delà des contrôles en place et autres dispositions prises par défaut en matière de sécurité par ces services, d’aucun voit dans le chiffrement de leurs données et l’utilisation de leurs propres clés de chiffrement les clés de la confiance.
Dans ce contexte, cette session vous propose une vue d'ensemble illustrée des différentes solutions de chiffrement proposées dans Azure et Office 365. Elle vise à présenter ces solutions et à donner des indications claires sur la façon de choisir la ou les solutions appropriées en fonction de cas d’usage donnés ou/et d’exigences particulières. Les risques ainsi couverts seront explicités au cas par cas."
For organizations today, cyber security stands as a top priority to keep their information and systems safe from theft, damages, or disruptions. Within the financial industry, cyber security is especially important as it relates to including best practices and procedures that can can help prevent hackers from achieving success. Organizations’ defensive strategies are what will best help them win the game. This presentation reviews how the enemy works, ways to defend your organization from an attack, what hackers are capable of, and more.
Windows privilege escalation by Dhruv ShahOWASP Delhi
Different scenarios leading to privilege escalation
Design issues , implementation flaws, untimely system updates , permission issues etc
We ain’t talking about overflows here , just logics and techniques
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....Denis Gundarev
Imagine that you just found the new job of your dreams: You are now a system administrator in a large enterprise. Everything is going like clockwork, except for one major problem: There are 5 different versions of Presentation Server in use and there is no documentation for any system. Now imagine you are a consultant ready to do an assessment of Citrix infrastructure, but nobody in the company knows how many farms and servers exist, or how they are configured. (Wanting a new imaginary job yet?) In this session, Denis Gundarev will share tips on how to document infrastructure and tricks on how to find all components or users that are "forgotten." Attendees will learn several methods for elevating permissions and taking ownership of forgotten systems.
Discover what’s new in Windows 8.1 regarding interface, settings, deployment, security, … How will Windows 8.1 fit in your enterprise? How do you upgrade? All answers are here!
An important issue is how important security is, and how much are we willing to pay it financial, convenience, performance and other terms.
IS YOUR DESKTOP SECURE ? ? ?
HOW TO SECURE OWN DESKTOP ? ? ?
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From zero to SYSTEM on full disk encrypted windows system
1. from zero to system
Nabeel ahmed & tom gilis
on full disk encrypted windows system
2. From zero to system
on full disk encrypted windows system
ABOUT US
๏ Nabeel Ahmed, Security Researcher
and Penetration Tester, Dimension
Data Belgium
๏ I love to break things =)
๏ @NabeelAhmedBE
๏ blog.nabeelahmed.com
๏ Tom Gilis, Security Consultant (and Team
Leader) at Dimension Data Belgium
๏More “boring” stuff like compliancy, …
๏@tgilis
๏Co-organizer of BruCON
2
3. From zero to system
on full disk encrypted windows system
Inspiration
3
4. From zero to system
on full disk encrypted windows system
November 2015
4
5. From zero to system
on full disk encrypted windows system
Ian haken
5
๏ A new way to defeat FDE
๏ Rogue Domain Controller
๏ Poison Credential Cache
๏ Windows Security Feature bypass
6. From zero to system
on full disk encrypted windows system
Ms15-122
๏ Implements trust relationship before local cache is updated
๏ Works on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 up to
2012 (Windows XP, Windows Server 2003, …)
6
7. From zero to system
on full disk encrypted windows system
Bitlocker
๏ TPM (Trusted Platform Module)
๏ Pre-boot PIN
๏ USB Key
7
8. From zero to system
on full disk encrypted windows system
๏ TPM (Trusted Platform Module)
๏
๏
8
Bitlocker
9. From zero to system
on full disk encrypted windows system
Bitlocker tpm
9
๏ BitLocker key is stored in TPM
๏ No user interaction when decrypting
the drive
๏ Windows login screen is the first and
only line of defense
10. From zero to system
on full disk encrypted windows system
Trust relationship?
๏ Computer account password is used for trust
๏ Randomly generated every 30 days
๏ 2 computer account passwords are stored
๏ Stored in
“HKLMSECURITYPolicySecrets$machine.ACC”
10
11. From zero to system
on full disk encrypted windows system
Bypassing the patch
11
12. From zero to system
on full disk encrypted windows system
Difference
12
Legitimate DC
Rogue DC
13. From zero to system
on full disk encrypted windows system
Ticket missing
13
14. From zero to system
on full disk encrypted windows system
SPN
14
SPNs are used to support mutual authentication
between a client application and a service. A service
principal name is associated with an account and an
account can have many service principal names.
– MSDN
SPNs are usually formatted as SERVICE/HOST, but
sometimes they also include a port like
SERVICE/HOST:PORT.
15. From zero to system
on full disk encrypted windows system
Demo time
15
16. From zero to system
on full disk encrypted windows system
Kerberos Password change
16
?????????? EXP_PASS
17. From zero to system
on full disk encrypted windows system
Kerberos Password change
17
?????????? EXP_PASS
NEW_PASS
18. From zero to system
on full disk encrypted windows system
18
Conclusion
๏ Checks if a service ticket (T) has been received
BUT only validates AFTER the password change
๏ MS16-014 / CVE-2016-0049
๏ “Suggested workaround” disable local
password caching
๏ Patched on all supported Windows versions
19. From zero to system
on full disk encrypted windows system
Bluebox
19
๏ Automated exploitation of MS15-122 and MS16-014
๏ Less than 1 minute
๏ Written in Python
๏ Portable (Raspberry Pi)
๏ Kudos to Ian Haken (@ianhaken)
๏ https://github.com/JackOfMostTrades/bluebox
20. From zero to system
on full disk encrypted windows system
WHAT’s NEXT ?
20
๏ Extract any personal data
o Documents, emails, passwords..
๏ Requires admin privileges to :
o Retrieve BitLocker Recovery Key (or disable it)
o Install Malware
o Extract data from other users
o …
21. From zero to system
on full disk encrypted windows system
Trust relationship?
๏ Trust relationship is not always validated
๏ Working Active Directory set-up
๏ Any other Windows functionality missing trust validation?
22
22. From zero to system
on full disk encrypted windows system
PRIVILEGE ESCALATION
23
Will Group Policies work ?
๏ Works on all supported Windows versions
๏ No need for additional (vulnerable) software
๏ No specific configuration requirements
23. From zero to system
on full disk encrypted windows system
Group Policies
24
User Configuration Computer Configuration
During login (or on refresh) Before login (or on refresh)
User or
SYSTEM Privileges
SYSTEM Privileges
User account password Machine account password
24. From zero to system
on full disk encrypted windows system
Group Policies
25
User Configuration Computer Configuration
During login (or on refresh) Before login (or on refresh)
User or
SYSTEM Privileges
SYSTEM Privileges
User account password Machine account password
25. From zero to system
on full disk encrypted windows system
Group policies
26
26. From zero to system
on full disk encrypted windows system
EXAMPLE – CMD AS SYSTEM
27
1. New Group Policy and assign it to the user account
2. Add the following configuration to the policy :
• Download file (e.g. NetCat.exe)
• Run NetCat as SYSTEM
• Connect to service as User
Screenshot Scheduled task GPO
27. From zero to system
on full disk encrypted windows system
It works!?
28
28. From zero to system
on full disk encrypted windows system
Why does it work?
29
๏ Client can successfully authenticate against the DC using
his credentials
๏ All encrypted traffic remains intact (SMB,LDAP,RPC)
๏ Assumes that the user credentials are sufficient to
acknowledge trust relationship.
๏ Reported to Microsoft, who acknowledged the vulnerability
but ...
29. From zero to system
on full disk encrypted windows system
IS it NEW ?
30
๏ Luke Jennings (MWR Labs) demonstrated how you can gain
SYSTEM access through MITM in March 2015
๏ MITM attack against legitimate GPO communication, resulting
two patches (MS15-011 and MS15-014)
๏ Jennings’ conclusion : “Even on Vista/2008 onwards, user
settings group policy can be exploited if you know a user’s
password to conduct a form of privilege escalation to gain
SYSTEM on domain members. Microsoft have shown no
intention thus far of providing a control to protect against this.”
30. From zero to system
on full disk encrypted windows system
WINDOWS 10 ?
31
31. From zero to system
on full disk encrypted windows system
WINDOWS 10 ?
32
32. From zero to system
on full disk encrypted windows system
WIN 7 vs Win 10
33
33. From zero to system
on full disk encrypted windows system
WIN 7 vs Win 10
34
34. From zero to system
on full disk encrypted windows system
Relative ID
User SID
35
S-1-5-21-124525095-708259637-1543119021-20937
Domain Security Identifier
Incremental
Uses Machine SID
when new domain is
created
35. From zero to system
on full disk encrypted windows system
Setting the SID
36
๏ Possibilities :
o Setting the Machine SID before the AD is created:
o Windows SysPrep – Generates new “random” SID
o Commercial tools exist
o Off-line edit the NTDS.DIT File
o SAMBA NT4 PDC to AD-DC
Lengthy, complex and prone to errors
36. From zero to system
on full disk encrypted windows system
mimikatz to the rescue
37
37. From zero to system
on full disk encrypted windows system
Demo time
38
38. From zero to system
on full disk encrypted windows system
39
Conclusion
๏ First validates trust with computer account
๏ MS16-072 / CVE-2016-3223
๏ Took approx. 8 months to patch and then …
39. From zero to system
on full disk encrypted windows system
40
40. From zero to system
on full disk encrypted windows system
Recovering original password
41
๏ (convert .sys to .dmp)
๏ WinDbg
๏ Mimikatz (extract plaintext credentials)
๏ Only Windows 7 and below
Force
Hibernation
Bypass login
screen
Elevate
privileges
Extract
HIBERFIL.SYS
Reset Local
Password Cache
41. From zero to system
on full disk encrypted windows system
timeline
42
42. From zero to system
on full disk encrypted windows system
timeline
43
43. From zero to system
on full disk encrypted windows system
Take aways
44
๏ Trust relationships not always validated
๏ Don’t take physical security for granted
๏ Backwards compatibility makes patching very difficult
๏ Bypassing authentication and escalating privileges without a
single line of code
๏ Kudos to Ian Haken @ianhaken and Benjamin Delpy @gentilwiki
๏ Third time’s a charm?
o November 2015 (MS15-122)
o February 2016 (MS16-014)
o … July 2016 (MS16-???)
@nabeelahmedbe
blog.ahmednabeel.com
@tgilis