Hacker Halted 2014 - How to create permanent Domain Administrator privilege (Mimikatz: Golden Ticket)

•

1 like•763 views

An attacker is capable to create a Ticket Granting Ticket (TGT) by using the krbtgt domain user’s password hash to impersonate ANY domain user including the Domain Administrator(s). This ticket is valid for 10 years and can be renewed for ten more years. This means 20 years of full control over the domain. To do this I will demonstrate the golden ticket capability of the famous Mimikatz app by Benjamin Delpy. The audience can learn about Kerberos infrastructure, tickets and Windows privilege impersonation through this presentation. It includes the solution as well, how to defend our domain against these kind of attacks.

Technology

How to create permanent Domain
Administrator privilege
Balazs Bucsay

Bio / Balazs Bucsay
• Hungarian Hacker!
• 14 years of experience in IT-Security!
• Strictly technical certificates: OSCE, OSCP, GIAC
GPEN!
• Currently working for world’s second largest mobile
company (Vodafone)
2

Bio / Balazs Bucsay
• Started with ring0 debuggers and disassemblers in
2000 (13 years old)!
• Major project in 2009: GI John a distributed password
cracker (22 years old)!
• 27 years old right now !
• Webpage: http://rycon.hu!
• Twitter: @xoreipeip!
• Linkedin: http://hu.linkedin.com/pub/balazs-bucsay/
30/911/379

mimikatz
• Made by Benjamin Delpy (gentilkiwi) - Big up!!
• First version was introduced in 2007 (v0.1)!
• Right now it is at 2.0 alpha (Windows only)!
• http://blog.gentilkiwi.com/mimikatz!
• Exploiting conceptional bugs/features, not vulnerabilities!
• Lots of features (not a full list):!
• Pass the hash!
• Exporting protected unexportable private keys!
• Credential dumps (even cleartext)!
• and of course Golden Ticket

Me and mimikatz
• Love at first sight!
• Daily usage in penetration testing!
• Hacker’s best friend!!
• First English documentation about the Golden Ticket!
• First presentation in Hungarian

Golden Ticket
• Post Exploitation Technique!
• Backdoor for unlimited time (20 years default)!
• Offensive side: good fun, easy to use backdoor!
• Defensive side: hard problem to solve!
• Well known feature of Kerberos, not a bug!
• Cannot be fixed

Kerberos
$XWKHQWLFDWLRQVHUYLFHUHTXHVW
$XWKHQWLFDWLRQVHUYLFHUHVSRQVH
7LFNHWJUDQWLQJVHUYLFHUHTXHVW
7LFNHWJUDQWLQJVHUYLFHUHVSRQVH
OLHQWFRPSXWHU .HGLVWULEXWLRQVHUYHU
6HUYLFHUHTXHVW
$SSOLFDWLRQVHUYHUHJ)LOHVHUYHU

Kerberos
• Developed by MIT (v5 - 1993)!
• Main goal to ensure secure communication and
authentication over an insecure channel!
• Single Sign On!
• Mutual authentication with tickets!
• Tickets are encrypted!
• Encryption keys are stored in the AD!
• Supported authentication protocol since Windows 2000

Ticket Granting Ticket
• Similar to a passport!
• Issued by the Authentication
Service (Government)!
• User’s password is needed to
create the ticket!
• Default session is valid for 10
hours!
• Circumvents the need for
password

Service Ticket
• Similar to a visa (issued by the Embassy)!
• Ticket Granting Service issues the Service Ticket!
• Service Ticket contains the information for authentication!
• Sending Service Ticket to the Service results in session

$XWKHQWLFDWLRQVHUYLFHUHTXHVW
$XWKHQWLFDWLRQVHUYLFHUHVSRQVH
7LFNHWJUDQWLQJVHUYLFHUHTXHVW
7LFNHWJUDQWLQJVHUYLFHUHVSRQVH
OLHQWFRPSXWHU .HGLVWULEXWLRQVHUYHU
6HUYLFHUHTXHVW
$SSOLFDWLRQVHUYHUHJ)LOHVHUYHU

Keys
• NTLM/AES hashes of the entities from Active
Directory!
• Ticket Granting Ticket is encrypted with the krbtgt
user’s hash!
• Service Tickets are encrypted with the server’s and
the session key

krbtgt user
• Default, must have Active Directory account!
• Previous Domain Controller compromise!
• krbtgt user NTLM/AES hash dump!
• Arbitrary Ticket Granting Ticket can be created with
the krbtgt user’s hash

This document provides an overview and preparation guide for the Offensive Security Certified Professional (OSCP) certification. It begins with an introduction and outlines the agenda, which includes an overview of the OSCP, course registration details, prerequisites, an overview of the course content and lab environment, exam preparation tips, and exam details. It then provides additional exam tips, discusses what to expect after passing the OSCP exam, and recommends additional reference materials and websites. The document is intended to help those interested in understanding and preparing for the OSCP certification exam.

Codebits 2011

Martin Paljak

This document discusses the history and evolution of Estonia's national ID card system and associated software. It describes how the initial proprietary software led to distrust, which motivated volunteers to create open-source alternatives like OpenSC. Over time, the ID card system and software have improved, with official open-source middleware and increased transparency. However, some generic concerns about single sign-on systems and database usage remain. The document advocates for continued transparency and open-source approaches to address distrust and potential issues.

Securing Your Bitcoins - Kitten Tofu

Bitcoin Barcamp

Client Cert Deployment Models and Hardware Tokens/Smart Cards

Ed Dodds

This document summarizes a presentation about client certificate deployment models and the use of hardware tokens and smart cards. The presentation discusses the history of public key infrastructure (PKI) and reasons for its limited adoption compared to SSL/TLS certificates. It explores various deployment models at different scales from testing to enterprise-wide or education-wide. The presentation also compares more rigorous deployment models using hardware tokens that require in-person identity verification to less rigorous online-only models.

Speech-Enabling Web Apps

Mojo Lingo

Serverless Evolution during 3 years of Serverless Toronto

Daniel Zivkovic

Four presentations for the 3rd Birthday of our User Group! After a short overview about Serverless Mindset (regardless of your tech stack), see: 1. how #Serverless has changed Software Development Process (Gareth McCumskey of Serverless.com) and a demo of Serverless Desktop (https://github.com/serverless/desktop) 2. How small teams achieve BIG things with Firebase and #GCP Serverless Services (Kudzanai Murefu of Strma.io) 3. See folks competing to get involved with "COVID-19 Vaccination Passport", a project with a greater moral purpose in today's "upside-down world" (David Janes of Consensas.com) 4. A reflection on the Serverless evolution and optimism for the future of Serverless (and Startups) as the line between its ecosystem and other Cloud-native Technologies keeps blurring (Mike Apted of #AWS #Startups). BONUS 1. Recording https://youtu.be/mdxT929JJoE 2. Invitation https://www.meetup.com/Serverless-Toronto/events/273716629/ 3. For more forward-looking #Software #Developerment topics, join #ServerlessTO User Group LINKS FROM THE MEETUP https://www.askyourdeveloper.com/ https://www.meetup.com/en-AU/lean-product/ https://www.linkedin.com/in/marcbrouillard/ https://www.youtube.com/watch?t=1390&v=Ivcndg9pTpk https://youtu.be/8Rzv68K8ZOY https://www.youtube.com/watch?t=2304&v=SPsaqiegOP4 https://www.manning.com/ https://www.serverless.com/author/garethmccumskey/ https://www.linkedin.com/in/kudzanai-murefu-7b128886/ https://www.linkedin.com/in/davidjanes/ https://www.linkedin.com/in/mikeapted/ https://serverless.com/slack https://github.com/serverless/desktop https://strma.io https://cccc4.ca/ https://passport.consensas.com/ https://github.com/Consensas/information-passport/tree/main/docs https://dpjanes.medium.com/ https://en.wikipedia.org/wiki/Antoine_de_Saint-Exup%C3%A9ry https://youtu.be/1SqfJo47kMA https://youtu.be/tz89XTBby-M https://aws.amazon.com/activate/founders/ https://aws.amazon.com/builders-library/ https://www.amazon.science/publications https://www.linkedin.com/in/rupakg

Cryptography: zero knowledge proof and multi party computation, OW2online, Ju...

OW2

Go passwordless with fido2

Rob Dudley

- FIDO2 is a passwordless authentication standard that uses public key cryptography instead of passwords - It involves an initial registration process where a public/private key pair is created and the public key is associated with the user's account - Authentication then involves validating the signature from the private key without exposing any secrets - FIDO2 supports various form factors beyond USB keys like mobile devices and provides stronger security than passwords

These are the slides that were be presented at a GlobalSign customer event in Leuven on September 16, 2014. In my talk, I explained why digital signatures are important. I introduced the audience to the basic concepts used when signing documents and showed how these concepts are used in the context of PDF. Furthermore, I discussed different architectures to implement a digital signature solution, as well as how digital signatures can be used in a workflow and how we can create digital signatures for the long term.

0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay

Shakacon

One of the largest ISPs in Europe distributed millions of vulnerable devices to their customers without any security checks. Now these devices are up and running all over Europe and can provide Internet access and jump hosts for hackers and criminals. In this presentation the speaker will show you the whole process of a proper CPE device testing with its pitfalls and joyrides. During this test a handful of 0days were discovered and these will be presented. It will be shown how an attacker with zero-knowledge can log into a private network by getting the factory default WPA passphrases from MAC addresses or even worse, the changed passphrase! The other 0day brings a root shell with plenty of buffer overflows, factory backdoors in the firmware. All vulnerabilities’ root cause will be presented to the audience with good laughs.

0day hunting a.k.a. The story of a proper CPE test

Balazs Bucsay

The Internet of Things and You

TechWell

Jim McKeeth of Embarcadero Technologies gave a presentation on the Internet of Things (IoT) and development considerations. He discussed how everyday devices are increasingly connecting to the internet and how the value of the IoT network increases exponentially as more things connect. McKeeth covered opportunities in various industries, common device types and connectivity standards used in IoT. He emphasized avoiding lock-in to specific networks or platforms and addressed privacy, security and legal issues for developers to consider when creating IoT solutions.

Security Keys Presentation.pptx

Alok Sharma

Security keys provide stronger authentication than text or call-based two-factor authentication by requiring a physical device to log in. They use standards like FIDO U2F and FIDO2 to generate unique keys for each service, preventing stolen credentials from being used across sites. While not hackproof, security keys like YubiKey are currently the most secure option for two-factor authentication. Suppliers offer various options that support different device types and protocols.

Second screen iot_day_stockholm_2014

Steffen Larsen

Building chat bots using ai platforms (wit.ai or api.ai) in nodejs

Entrepreneur / Startup

This document discusses building chatbots using existing platforms like Facebook Messenger and APIs. It provides steps to create a Facebook app and page, set up a webhook to receive messages, and use the Messenger API to send and receive messages. Natural language processing tools like API.AI and Wit.ai are presented to help bots understand language. Examples are given of chatbots for tasks like travel booking, payments and customer support.

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

Krzysztof Kotowicz

Krzysztof Kotowicz gave a talk at Hack in Paris in June 2014 about lessons learned from trusting JavaScript cryptography. He discussed the history of skepticism around JS crypto due to language weaknesses like implicit type coercion and lack of exceptions. He then analyzed real-world vulnerabilities in JS crypto libraries like Cryptocat that exploited these issues, as well as web-specific issues like cross-site scripting. Finally, he argued that while the JS language has flaws, developers can still implement crypto securely through practices like strict mode, type checking, and defense-in-depth against web vulnerabilities.

VR - Creating the ultimate reality

Sebastien Kuntz

Blockchain for Business on Hyperledger

All Things Open

Blockchain technology allows strangers on the internet to agree on transactions without a central authority through the use of distributed ledgers, consensus algorithms, and cryptography. The Hyperledger project is developing open source blockchain frameworks and tools for businesses to create applications on permissioned blockchains. An example application tracks pork products in a supply chain using smart contracts on Hyperledger Fabric to provide transparency into where products come from.

Managing Remote Operation Teams

Sagi Brody

Advances in technology and ubiquitous connectivity worldwide have made the utilization of a dispersed workforce more common. Whether that remote team is located across the street, city, state or country, management styles and approaches will have to be adjusted to accommodate this imminent, new dynamic. Corporate leadership will need to motivate and manage these virtual teams very differently than on-site personnel, whether they are hired internally or outsourced to a third-party support company. This presenat

Innovating the hell out of banking #withCIB

Péter Harang

This document provides an imaginative brainstorming session on potential innovations in the banking sector. It discusses using existing technologies like near-field communication, augmented reality, drones, and artificial intelligence to modernize and streamline banking processes. Some ideas presented include developing mobile point-of-sale devices using NFC, implementing biometric authentication like fingerprints, outsourcing authentication to tech companies, using drones and satellite imagery to inspect properties remotely for loans, and creating virtual banking assistants using voice and hologram technologies. The document envisions a future where emerging technologies reduce human involvement in banking transactions and services.

Unleashing your parish geeks

NicoleParrot

Implementing Certificate Based Authentication for HCL Traveler Access - Enga...

Milan Matejic

How the SSL/TLS protocol works (very briefly) How to use HTTPS

whj76337

1. HTTPS provides encryption for web traffic but has integration challenges with browsers. The lock icon is meant to indicate encryption but does not always accurately represent the security of a page. 2. Problems include sites initially loading over HTTP and then switching to HTTPS, certificates that do not clearly match the domain, and pages that load mixed encrypted and unencrypted content which can enable attacks. 3. Users often ignore or are confused by invalid certificate warnings, allowing man-in-the-middle attacks. The lock icon and browser interfaces could be improved to better convey security and privacy.

JustGiving API presentation for CRUK Hackathon

Jamie Parkins

This document provides information about JustGiving's APIs and how developers can use them. JustGiving has over 15 million users and has raised over £1 billion for charities. Their APIs allow developers to create fundraising pages, get donation details, register user accounts, and more. The document outlines several API endpoints and provides test credit card details and links to documentation to help developers get started with the APIs.

Remo presentatie v1

Onno Hansen-Staszyński

The document discusses common cyber threats like phishing, hacking, and DDoS attacks. It notes several major data breaches in recent years at Target and Home Depot that resulted in billions of dollars lost. To protect against these threats, the document recommends businesses implement security measures like audits, encryption, web application firewalls, malware analysis, and employee cybersecurity training. Regular security monitoring and having a crisis plan are also advised.

Fun With SHA2 Certificates

Gabriella Davis

Two years ago enabling your site with SSL was a simple affair, buy a certificate or create your own, install it then just remember to renew it every couple of years. Then suddenly security holes are being found in SSL virtually every month , popular browsers stop connecting to your site to protect themselves, and you’re continually being told your users data is at risk. In this session we will discuss how it all went wrong and can go wrong again then go through each step of requesting, generating and deploying a 4096 SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them as strongly as possible this session will show you how."

WebAuthn

Kelley Robinson

Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.

Cracking the Chat bot Code

Elvis D'Souza

The rise of messaging apps has led to strong interest in how brands and businesses can leverage them to engage with their customers. Bots using text as a medium has piqued the interest of developers and consumers alike. Breakthroughs in AI have only fuelled great expectations on user experience of such bots. We will explore the rationale for chatbots, what a chatbot can and cannot do, how chatbots interface with users, technology challenges in building chatbots, understanding user context, handling and nurturing user trust.

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World

Hacker Halted 2014 - How to create permanent Domain Administrator privilege (Mimikatz: Golden Ticket)

Recommended

Recommended

More Related Content

Similar to Hacker Halted 2014 - How to create permanent Domain Administrator privilege (Mimikatz: Golden Ticket)

Similar to Hacker Halted 2014 - How to create permanent Domain Administrator privilege (Mimikatz: Golden Ticket) (20)

More from EC-Council

More from EC-Council (20)

Recently uploaded

Recently uploaded (20)

Hacker Halted 2014 - How to create permanent Domain Administrator privilege (Mimikatz: Golden Ticket)