Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
Introducción a las pruebas de intrusión en entornos Microsoft Active Directory en forma de ponencia práctica para auditores o personas interesadas en el pentesting en entornos corporativos. Se dará una breve introducción al servicio de directorio Active Directory y sus componentes más críticos desde el punto de vista de la seguridad.Posteriormente, se explicarán las principales diferencias con respecto a un pentesting clásico de infraestructura, así como las técnicas y ataques más comunes para llevar a cabo el ejercicio y comprometer completamente el dominio corporativo.Requisitos: Se recomienda que los asistentes tengan conocimientos básicos de Active Directory y básicos/medios de pentesting o hacking ético, preferiblemente en infraestructuras y/o Sistemas Operativos.
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"Barry Greene
Learn how to turn your network’s DNS into a Security Tool! Webinar-Oct 12th
What do you do if the security tools are not protecting your network? Cyber-criminals are constantly finding ways to bypass your security tools and own your network. When the threat changes, you should grow with the threat - think out of the box – using tools that the criminals have not yet considered; the DNS.
ISC’s Internet Critical Open Source DNS software BIND has a new feature that would turn a DNS Caching Resolver into a tool to help protect your network from malware. All the computers in your network must contact your DNS Resolvers to get to the outside world. Your DNS Resolvers are critical “choke-point” for which all devices in your network must interact to get to the outside world. This "choke-point" is a logical choice to put security capabilities to check if a domain is "clean" or "dirty."
How can you have your DNS Resolver check if a domain is clean or dirty? Use BIND’s new feature – the DNS Response Policy Zone (DNSRPZ). DNSRPZ uses secure and fast zone transfer technologies to pull down black list of bad domains and put them into your DNS resolver.
The archived recording of the Webinar is here: www.isc.org/webinars
Who should watch this Webinar?
E-mail Administrators: Find out how DNSRPZ offers more effective way to work with the Anti-Spam black list.
Network Operators: Learn how DNSRPZ can be used inside your network to keep your users from being in-inadvertently infected by malware, zero-days, and malvertisements.
Security Engineers: Discover how DNSRPZ is a tool to help contain infections that get into your network and try to “call home” to a BOTNET controller.
Hosting Providers: By default, most of your hosting customers are using your DNS resolvers. Learn how DNSRPZ can help prevent and contain the threat of your customers getting infected.
Service Providers: Learn how to turn your DNS services into a tool to help protect all your customers from infection.
Mobile Telecoms Operators: Find a new tool that would prevent miscreant smart phone applications from calling home with DNS and infecting your customer’s phones.
SCADA and Critical Industrial System Operators: Learn how DNSRPZ is a tool to help protect legacy control systems that need DNS to work.
Speaking from experience building MyGet.org: users are insane. If you are lucky, they use your service, but in reality, they probably abuse. Crazy usage patterns resulting in more requests than expected, request bursts when users come back to the office after the weekend, and more! These all pose a potential threat to the health of our web application and may impact other users or the service as a whole. Ideally, we can apply some filtering at the front door: limit the number of requests over a given timespan, limiting bandwidth, ...
In this talk, we’ll explore the simple yet complex realm of rate limiting. We’ll go over how to decide on which resources to limit, what the limits should be and where to enforce these limits – in our app, on the server, using a reverse proxy like Nginx or even an external service like CloudFlare or Azure API management. The takeaway? Know when and where to enforce rate limits so you can have both a happy application as well as happy customers.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
Introducción a las pruebas de intrusión en entornos Microsoft Active Directory en forma de ponencia práctica para auditores o personas interesadas en el pentesting en entornos corporativos. Se dará una breve introducción al servicio de directorio Active Directory y sus componentes más críticos desde el punto de vista de la seguridad.Posteriormente, se explicarán las principales diferencias con respecto a un pentesting clásico de infraestructura, así como las técnicas y ataques más comunes para llevar a cabo el ejercicio y comprometer completamente el dominio corporativo.Requisitos: Se recomienda que los asistentes tengan conocimientos básicos de Active Directory y básicos/medios de pentesting o hacking ético, preferiblemente en infraestructuras y/o Sistemas Operativos.
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"Barry Greene
Learn how to turn your network’s DNS into a Security Tool! Webinar-Oct 12th
What do you do if the security tools are not protecting your network? Cyber-criminals are constantly finding ways to bypass your security tools and own your network. When the threat changes, you should grow with the threat - think out of the box – using tools that the criminals have not yet considered; the DNS.
ISC’s Internet Critical Open Source DNS software BIND has a new feature that would turn a DNS Caching Resolver into a tool to help protect your network from malware. All the computers in your network must contact your DNS Resolvers to get to the outside world. Your DNS Resolvers are critical “choke-point” for which all devices in your network must interact to get to the outside world. This "choke-point" is a logical choice to put security capabilities to check if a domain is "clean" or "dirty."
How can you have your DNS Resolver check if a domain is clean or dirty? Use BIND’s new feature – the DNS Response Policy Zone (DNSRPZ). DNSRPZ uses secure and fast zone transfer technologies to pull down black list of bad domains and put them into your DNS resolver.
The archived recording of the Webinar is here: www.isc.org/webinars
Who should watch this Webinar?
E-mail Administrators: Find out how DNSRPZ offers more effective way to work with the Anti-Spam black list.
Network Operators: Learn how DNSRPZ can be used inside your network to keep your users from being in-inadvertently infected by malware, zero-days, and malvertisements.
Security Engineers: Discover how DNSRPZ is a tool to help contain infections that get into your network and try to “call home” to a BOTNET controller.
Hosting Providers: By default, most of your hosting customers are using your DNS resolvers. Learn how DNSRPZ can help prevent and contain the threat of your customers getting infected.
Service Providers: Learn how to turn your DNS services into a tool to help protect all your customers from infection.
Mobile Telecoms Operators: Find a new tool that would prevent miscreant smart phone applications from calling home with DNS and infecting your customer’s phones.
SCADA and Critical Industrial System Operators: Learn how DNSRPZ is a tool to help protect legacy control systems that need DNS to work.
Speaking from experience building MyGet.org: users are insane. If you are lucky, they use your service, but in reality, they probably abuse. Crazy usage patterns resulting in more requests than expected, request bursts when users come back to the office after the weekend, and more! These all pose a potential threat to the health of our web application and may impact other users or the service as a whole. Ideally, we can apply some filtering at the front door: limit the number of requests over a given timespan, limiting bandwidth, ...
In this talk, we’ll explore the simple yet complex realm of rate limiting. We’ll go over how to decide on which resources to limit, what the limits should be and where to enforce these limits – in our app, on the server, using a reverse proxy like Nginx or even an external service like CloudFlare or Azure API management. The takeaway? Know when and where to enforce rate limits so you can have both a happy application as well as happy customers.
Are you ready for the next attack? reviewing the sp security checklist (apnic...Barry Greene
Rethinking Security and how you can Act on Meaningful Change
What the industry recommends to protect your network is NOT working! The industry is stuck in a dysfunctional ecosystem that encourages the cyber-criminal innovation at the cost to business and individual loss throughout the world. We do not need a “Manhattan Project” for the security of the Internet. What we need are tools to help operators throughout the world ask the right question that would lead them to meaningful action. Security empowerment must empower the grassroots and provide the tools to push back on the root cause. This talk will explore these issues, highlight the dysfunction in our “security” economy, and present “take home” tools that would facilitate immediate action.
We browse the Internet. We host our applications on a server or a cloud that is hooked up with a nice domain name. That’s all there is to know about DNS, right? This talk is a refresher about how DNS works. How we can use it and how it can affect availability of our applications. How we can use it as a means of configuring our application components. How this old geezer protocol is a resilient, distributed system that is used by every Internet user in the world. How we can use it for things that it wasn’t built for. Come join me on this journey through the innards of the web!
OpenDNS Enterprise Web Filtering allows organizations of all sizes to block websites at work. Choose from over 50 customizable categories. Use block page bypass to grant exceptions to your Web filtering policy. OpenDNS Enterprise offers web filtering without an appliance, can be deployed nearly instantly, and can be managed anywhere you have an Internet connection.
MongoDB Ops Manager allows administrators to manage all of their MongoDB infrastructure in one place. Go beyond the "quick start" guide and become an Ops Manager Power User. Learn to automate Ops Manager tasks through the API, how to effectively setup users, groups, and roles for a secure Ops Manager installation, and more. Some previous Ops Manager experience expected.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamersjasonjfrank
This presentation, given at BSidesPittsburgh 2015, discusses free tools and techniques penetration testers use that can be translated to network defenders for immediate impact and value.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
MySQL security is critical to ensure data security. Destruction, falsification or simply unwanted publication are the most serious threat that wait in the dark the first faux-pas of any administrator. During this session, we'll review the common vulnerabilities, the intrusion techniques, MySQL security features, and configurations.
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
Sections Updated for OWASP Meeting:
- SQL Server Link Crawling
- UNC path injection targets
- Command execution details
Built-in query caching for all PHP MySQL extensions/APIsUlf Wendel
Query caching boosts the performance of PHP MySQL applications. Caching can be done on the database server or at the web clients. A new mysqlnd plugin adds query caching to all PHP MySQL extension: written in C, immediately usable with any PHP application because of no API changes, supports Memcache, APC, SQLite and main memory storage, integrates itself smoothless into existing PHP deployment infrastructure, helps you to scale by client, ... Enjoy!
Multi-Tenancy is a critical component of any Software as a Service (SaaS) application, which enables one application instance to serve multiple organizations, or tenants. This presentation by Scott Crespo covers the basics of multi-tenant architectures, and how to implement multi-tenancy using Python, Django, and the open-source project known as Django Tenant Schemas.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
2. @harmj0y
Co-founder of
Empire | Veil-Framework | PowerTools
PowerSploit developer
Researcher at Veris Group’s
Adaptive Threat Division
3. What I am Not Covering
▣ Any kind of memory corruption attacks
○ We haven’t thrown an exploit in years
▣ Too Much Active Directory background
○ Too many slides, too little time :(
▣ Mimikatz and Kerberos attacks
○ Covered better and in more depth by others
▣ PowerShell Weaponization
○ We like Empire and Cobalt Strike ;)
4. What I am Covering
▣ Offensive Active Directory 101
○ Why care? And what’s Powerview?
▣ Identifying/Hunting Your Prey
▣ Local Administrator Enumeration
▣ GPO Enumeration and Abuse
▣ AD ACLs (and a few persistence methods)
▣ Domain Trusts (enumeration and abuse)
▣ Lots of PowerView tips and tricks
○ and a lot of ground to cover!
6. Active Directory 101
▣ At its core, Active Directory is a way to organize
user and computer objects
○ Used to authenticate and authorize users and computers
on a network and provide access to specific resources
○ Also provides security policies, centralized management,
and other rich features
▣ Red teams and real bad guys have been abusing AD
for years, but not much offensive AD information
has existed publicly (until fairly recently)
7. Why Not
The Active Directory Cmdlets?
▣ The RSAT-AD-PowerShell module is:
○ only compatible with PowerShell 3.0+
○ only installed by default on servers with the Active
Directory Domain Services role
▣ We want something:
○ PowerShell 2.0 compliant (yay Win7)
○ fully self-contained with no dependencies
○ usable without any installation
8. PowerView
▣ A pure PowerShell domain/network situational
awareness tool
○ everything is kept version 2.0 compliant
○ now part of PowerSploit™! (not really trademarked)
▣ Built to automate large components of the
tradecraft on our red team engagements
▣ No installation and can reside purely in memory
○ and PowerShell 2.0 is included by default in Win7
9. Sidenote: LDAP Optimizations
▣ A lot of the PowerView domain functionality
reduces down to various chained and optimized
LDAP queries
▣ Much is transparent to the user:
○ e.g. LDAP queries for foreign domains are ‘reflected’
through the current domain PDC to get around network
segmentation
▣ Much of this of isn’t revolutionary, but chaining
functionality lets you pull off some awesome stuff
10. Also: The Pipeline
▣ The PowerShell pipeline allows you to pass full
objects between functions (instead of just strings)
▣ This lets you perform complex chaining and
filtering, allowing you accomplish a lot very
quickly
▣ Users who’ve logged on within the last week:
○ Get-NetUser | ? {$_.lastlogon -gt [DateTime]::Today.
AddDays(-7)} | Sort-Object name
12. ▣ Before you start targeted spread, you need to know
who you’re going after
▣ PowerView helps with enumeration of:
○ Users: Get-NetUser <*USER*>
○ Groups: Get-NetGroup <*admin*>
○ Group members: Get-NetGroupMember <GroupName>
▣ All of the above also accept manual LDAP filters
with -Filter “(field=*value*)”
Who Are My Admins?
13. ▣ Get all the groups a user is effectively a member of
('recursing up'):
○ Get-NetGroup -UserName <USER>
▣ Get all the effective members of a group ('recursing
down'):
○ Get-NetGroupMember -GoupName <GROUP> -Recurse
▣ Search the forest global catalog:
○ Get-NetUser -UserName <USER> -ADSpath “GC:
//domain.com”
PowerTips
14. ▣ Machine accounts can sometimes end up in
privileged groups https://adsecurity.org/?p=2753
▣ To find any computer accounts in any privileged
groups:
Privileged Machine Accounts
Get-NetGroup -AdminCount | `
Get-NetGroupMember -Recurse | `
?{$_.MemberName -like '*$'}
15. ▣ Some organizations separate out administrative
functionality into multiple accounts for the same
person
○ e.g. “john” and“john-admin”
▣ By performing some correlation on AD data
objects, you can often pull out groupings of
accounts likely owned by the same person
○ We often hunt for/compromise an admin’s unprivileged
account
Separated Roles
16. ▣ Finding all user accounts with a specific email
address:
▣ Get-NetUser -Filter "(mail=john@domain.com)"
Separated Roles - Simple Example
19. 1. Query for all members of “Domain Admins” in the
current domain, returning the full data objects
2. Extract out the “Firstname Lastname” from
DisplayName for each user object
3. Query for additional users with the same
“Firstname Lastname”
Separated Roles - Complex Example
In plain English:
20. ▣ Once you’ve identified who you want to go after,
you need to know where they’re located
▣ We break this down into:
○ pre-elevated access, when you have regular domain
privileges. This is usually the lateral spread phase.
○ post-elevated access, when you have elevated (e.g.
Domain Admin) privileges. This is usually the
‘demonstrate impact’ phase.
I Hunt Sysadmins
21. ▣ Flexible PowerView function that:
○ queries AD for hosts or takes a target list
○ queries AD for users of a target group, or takes a
list/single user
○ uses Win32 API calls to enumerate sessions and logged
in users, matching against the target user list
○ Doesn’t need administrative privileges!
▣ We like using the -ShowAll flag and grepping
results for future analysis
Invoke-UserHunter
23. ▣ Uses an old red teaming trick:
○ Queries AD for all users and extracts all
homeDirectory/scriptPath/profilePath fields (as well
as DFS shares and DCs) to identify highly trafficked
servers
○ Runs Get-NetSession against each file server to
enumerate remote sessions, match against target users
▣ Reasonable coverage with a lot less traffic
○ also doesn’t need admin privileges
○ also accepts the -ShowAll flag
Invoke-UserHunter -Stealth
26. The WinNT Service Provider
▣ Leftover from Windows NT domain deployments
○ ([ADSI]"WinNT://SERVER/Administrators").psbase.
Invoke('Members') | %{$_.GetType().InvokeMember
("Name", 'GetProperty', $null, $_, $null)}
▣ With an unprivileged domain account, you can use
PowerShell and WinNT to enumerate all members
(local and domain) of a local group on a remote
machine
27. Get-NetLocalGroup
▣ Get-NetLocalGroup <SERVER>
○ -ListGroups will list the groups
○ a group can be specified with -GroupName <GROUP>
▣ The -Recurse flag will resolve the members of any
result that’s a group, giving you a list of effective
domain users that can access a given server
○ Invoke-UserHunter -TargetServer <SERVER> will use
this to hunt for users who can admin a particular server
29. “Derivative Local Admin”
▣ Large enterprise networks often utilize heavily
delegated group roles
▣ From the attacker perspective, anyone who could
be used to chain to that local administrative access
can be considered a target
▣ More info from @sixdub: http://www.sixdub.net/?
p=591
30. “Derivative Local Admin”
▣ Tim (a domain admin) is on a machine w/
WorkstationAdminsA in the local admins
▣ WorkstationAdminsA contains Bob
▣ Bob’s machine has WorkstationAdminsB
▣ WorkstationAdminsB contains Eve
▣ If we exploit Eve, we can get Bob and any
workstation he has access to, chaining to
compromise Tim
▣ Eve’s admin privileges on A’s machine derive
through Bob
32. “Derivative Local Admin”
▣ Can be require several hops
▣ The process:
○ Invoke-UserHunter –Stealth –ShowAll to get required
user location data
○ Get-NetLocalGroup –Recurse to identify the local
admins on the target
○ Use location data to find those users
○ Get-NetLocalGroup -Recurse on locations discovered
○ Use location data to find those users
○ Continue until you find your path!
33. ▣ Recently released by fellow ATD member Andy
Robbins (@_wald0)
▣ Uses input from PowerView along with graph
theory and Dijkstra’s algorithm to automate the
chaining of local accesses
▣ More information from @_wald0: https://wald0.
com/?p=14
“Automated Derivative Local Admin”
35. Group Policy Preferences
▣ Many organizations historically used Group Policy
Preference files to set the local administrator
password for machines
○ This password is encrypted but reversible
○ The patch for this prevents now reversible passwords
from being set but doesn’t remove the old files
▣ PowerSploit’s Get-GPPPassword will find and
decrypt any of these passwords found on a DC’s
SYSVOL
37. PowerView and GPP
▣ If you’re able to recover a cpassword from a Group
Policy Preferences file you can use PowerView to
quickly locate all machines that password is set on!
▣ Get-NetOU -GUID <GPP_GUID> | %{ Get-
NetComputer -ADSPath $_ }
38. More GPO Enumeration
▣ Group Policy Objects (though a GptTmpl.inf) can
determine what users have local admin rights by
setting ‘Restricted Groups’
○ Group Policy Preferences can do something similar with
“groups.xml”
▣ If we have a user account, why not just ask the
GPO configuration where this user has local
administrative rights?
39. More GPO Enumeration
▣ Find-GPOLocation will:
1. resolve a user's sid
2. build a list of group SIDs the user is a part of
3. use Get-NetGPOGroup to pull GPOs that set
'Restricted Groups' or GPPs that set groups.xml
4. match the target SID list to the queried GPO SID list
to enumerate all GPOs the user is effectively applied
5. enumerate all OUs and sites and applicable GPO GUIs
are applied to through gplink enumeration
6. query for all computers under the given OUs or sites
42. ▣ AD objects (like files) have permissions/access
control lists
○ These can sometimes be misconfigured, and can also be
backdoored for persistence
▣ Get-ObjectACL -ResolveGUIDs -
SamAccountName <NAME>
▣ Set-ObjectACL lets you modify ;)
○ more on this in a bit
AD ACLs
44. ▣ Group policy objects are of particular interest
▣ Any user with modification rights to a GPO can get
code execution for machine the GPO is applied to
▣ Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -
Name $_.Name}
GPO ACLs
46. Auditing AD ACLs
▣ Pulling all AD ACLs will give you A MOUNTAIN of
data
▣ Invoke-ACLScanner will scan specifable AD
objects (default to all domain objects) for ACLs
with modify rights and a domain RID of >1000
▣ This helps narrow down the search scope to find
possibly misconfigured/backdoored AD object
permissions
47. AdminSDHolder
▣ AdminSDHolder is a special Active Directory object
located at “CN=AdminSDHolder,CN=System,
DC=domain,DC=com”
▣ If you modify the permissions of AdminSDHolder,
that permission template will be pushed out to all
protected admin accounts automatically by SDProp
▣ More info: https://adsecurity.org/?p=1906
48. PowerView and AdminSDHolder
▣ Add-ObjectAcl -TargetADSprefix
'CN=AdminSDHolder,CN=System' … will let you
modify AdminADHolder:
50. Targeted Plaintext Downgrades
▣ We can set ENCRYPTED_TEXT_PWD_ALLOWED
with PowerView:
○ Set-ADObject -SamAccountName <USER> -
PropertyName useraccountcontrol -
PropertyXorValue 128
▣ Invoke-DowngradeAccount <USER> will
downgrade the encryption and forces the user to
change their password on next login
52. Speaking of DCSync...
▣ There’s a small set of permissions needed to
execute DCSync on a domain:
53. ▣ PowerView lets you easily enumerate all users with
replication/DCSync rights for a particular domain:
PowerView and DCSync
Get-ObjectACL -DistinguishedName "dc=testlab,
dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or `
($_.ActiveDirectoryRights -match 'GenericAll')
}
54. ▣ You can easily modify the permissions of of the
domain partition itself with PowerView’s Add-
ObjectACL and “-Rights DCSync”
A DCSync Backdoor
Add-ObjectACL -TargetDistinguishedName
"dc=testlab,dc=local" -
PrincipalSamAccountName jason -Rights
DCSync
57. Domain Trusts 101
▣ Trusts allow separate domains to form inter-
connected relationships
○ Often utilized during acquisitions (i.e. forest trusts or
cross-link trusts)
▣ A trust just links up the authentication systems
of two domains and allows authentication traffic
to flow between them
▣ A trust allows for the possibility of privileged
access between domains, but doesn’t guarantee it*
58. Why Does This Matter?
▣ Red teams often compromise accounts/machines
in a domain trusted by their actual target
▣ This allows operators to exploit these existing
trust relationships to achieve their end goal
▣ I LOVE TRUSTS: http://www.harmj0y.
net/blog/tag/domain-trusts/
59. PowerView Trust Enumeration
▣ Domain/forest trust relationships can be
enumerated through several PowerView functions:
○ Get-NetForest: info about the current forest
○ Get-NetForestTrust: grab all forest trusts
○ Get-NetForestDomain: grab all domains in a forest
○ Get-NetDomainTrust: nltest à la PowerShell
▣ If a trust exists, most functions in PowerView can
accept a “-Domain <name>” flag to operate
across a trust
60. Mapping the Mesh
▣ Large organizations with tons of
subgroups/subsidiaries/acquisitions can end up
with a huge mesh of domain trusts
○ mapping this mesh used to be manual and time-
consuming process
▣ Invoke-MapDomainTrust can recursively map all
reachable domain and forest trusts
○ The -LDAP flag gets around network restrictions at the
cost of accuracy
62. Visualizing the Mesh
▣ This raw data is great, but it’s still raw
▣ @sixdub’s DomainTrustExplorer tool can
perform nodal analysis of trust data
○ https://github.com/sixdub/DomainTrustExplorer
○ It can also generate GraphML output of the entire mesh,
which yED can use to build visualizations
▣ More information: http://www.sixdub.net/?p=285
65. The Mimikatz Trustpocalypse
▣ Thanks to @gentilkiwi and @pyrotek3, Mimikatz
Golden Tickets now accept SIDHistories though
the new /sids:<X> argument
▣ If you compromise a DC in a child domain, you can
create a golden ticket with the “Enterprise
Admins” in the SID history
▣ This can let you compromise the forest root and all
forest domains!
○ won’t work for external domain trusts b/c of sid filtering
66. The Mimikatz Trustpocalypse
If you compromise any
domain administrator of
any domain in a forest, you
can compromise the entire
forest!
68. Sidenote: CheatSheets!
▣ We’ve released cheetsheets for PowerView as well
as PowerUp and Empire at https://github.
com/harmj0y/cheatsheets/
69. Credits
Thanks to Sean Metcalf (@pyrotek3) for guidance, ideas, and awesome
information on offensive Active Directory approaches. Check out his
blog at http://adsecurity.org !
Thanks to Benjamin Delpy (@gentilkiwi) and Vincent LE TOUX for
Mimikatz and its DCSync capability!
Thanks to Ben Campbell (@meatballs__) for PowerView modifications
and LDAP optimizations!
And a big thanks to Justin Warner (@sixdub) and the rest of the ATD
team for tradecraft development and helping making PowerView not
suck!