SlideShare a Scribd company logo
Not A Security
“Boundary”
Breaking Trusts
Red teamer and offensive engineer
SpecterOps.io
I write lots of code :)
2
Red teamer, hunter, researcher
SpecterOps.io
I love shiny things :)
3
4
Microsoft’s “What Are Domains and
Forests?” documentation
What If...
Full ticket-granting-tickets
could move across the trust
from ForestA to ForestB
5
A computer in ForestA
authenticates* to a
computer ForestB
We had a way to easily
extract and reuse these
TGTs while in ForestB? *bonus if we can force the
authentication step :)
Kerberos in 60 seconds
OK maybe a few minutes ;)
6
1.
Kerberos tl;dr
✘ Kerberos is dense, and we don’t have
time to explain the entire protocol
○ Instead we’ll focus on a few key terms and
points that are necessary to understand
the nuances of the trust attack
✘ For a more in depth explanation, see
Sean Metcalf’s post at
https://bit.ly/2JhbAXl
7
Kerberos tl;dr
1. An account authenticates to a domain controller (DC/KDC) by
encrypting some data with with a key derived from the user’s
password (e.g. RC4_HMAC(NTLM hash) or AES128/256_HMAC keys)
2. If auth is successful, the DC returns a ticket granting ticket (TGT) to
the user that contains a privileged attribute certificate (PAC)
○ The PAC is encrypted with the hash of the krbtgt (Kerberos ticket-
granting-ticket service) account and contains auth information like
the user’s SID and groups they’re in.
8
Kerberos tl;dr
3. The account requests a service ticket to a particular service
principal name (SPN) by presenting the TGT to the domain
controller
4. The DC returns a service ticket with the same auth info as the TGT.
5. The user sends the service ticket to the target service/machine,
which decides whether to grant the user access.
9
10
2.
Delegation
When You Need to be Someone Else
11
The Reason Delegation is Needed
12
User Front
End
Back
End
Auth To
Front End
Service
“Pretend”
to be
User
Unconstrained
A user requests a
forwardable TGT and sends
it to the remote service
with the service ticket.
The remote service
extracts the TGT from the
service ticket and uses it
to impersonate the user.
Traditional Constrained
The service requests a ticket
to itself as another user
(S4U2self)
The service uses this ticket
to request a service ticket to
another service as that user
(S4U2proxy).
Service must be specified in
msDS-AllowedToDelegateTo
Resource-based
Constrained
ACL in a field (msDS-
AllowedToActOnBehalfOfOthe
rIdentity) on the target
resource that dictates who
can perform S4U2proxy to
the resource
13
Delegation Types
Unconstrained Madness
✘ UNCONSTRAINED DELEGATION IS DANGEROUS!
✘ If an attacker can compromise a server with unconstrained
delegation, they can obtain the TGT for any (non-protected) user
who authenticates to that server
✘ In modern domains, only domain controllers are configured for
unconstrained delegation by default
○ But we often see “misconfigurations” in the field :)
14
15
3.
Domain Trusts:
Crash Course
16
Trusts 101
✘ Trusts link up the authentication systems of two domains
○ This allows authentication traffic to flow between them
✘ This is done by each domain negotiating an “inter-realm trust key”
that’s used to encrypt Kerberos referral tickets
✘ Access is passed around with via these referrals and “inter-realm
ticket granting tickets"
17
Trusts 201
✘ Trust directions/transitivity:
○ One-way - one domain trusts the other
○ Two-way - both domains trust each other (2x one-way trusts)
○ Transitive - A trusts B and B trusts C, so A trusts C
✘ The main trust type categories we care about:
○ Intra-forest - parent/child, cross-link (all transitive)
○ Inter-domain - forest (transitive), external (non-transitive)
18
Privilege Attribute Certificates (PAC)
✘ Recall: When you first authenticate, you receive a TGT
○ Inside each TGT is a PAC
○ A TGT’s PAC contains the user/group SIDs that identify the user
19
Ticket Granting Ticket
Privilege Attribute Certificate (PAC)
User S-1-5-21-2532535433-4733566781-1284343941-1001
Groups S-1-5-21-2532535433-4733566781-1284343941-1353
S-1-5-21-2532535433-4733566781-1284343941-2604
ExtraSids S-1-5-21-3416895347-7456555532-9337766299-519
CORPitadmin
CORPFileShareAccess
CORPHelpDesk
ACMEEnterprise Admins
SID Filtering
✘ During auth to another domain, the remote domain (the “trusting
domain”) analyzes the SIDs in the TGT’s PAC
✘ Depending on the trust type, the remote domain removes (“filters”)
SIDs under various circumstances (see MS-PAC section 4.1.2.2)
✘ E.g. when authenticating from ForestA to ForestB, the PAC from
ForestA should not contain SIDs for a default set of privileged
groups in ForestB.
✘ Other cross-domain/forest group memberships can be exploited
20
Intent of SID filtering
Stop a compromised trusted domain/forest
from compromising a trusting domain/forest.
How well does this work in practice? Let’s find out...
21
Why The Domain != A Security Boundary
22
Why The Domain != A Security Boundary
✘ The SID for “Enterprise Admins” is NOT filtered out by default for
inter-realm tickets if both domains are within the same forest
○ So if you can set your sidHistory to be “Enterprise Admins” (i.e.
ExtraSids in the PAC), you can escalate from a child domain to
the forest root domain!
23
Forests == A Security Boundary? 🤔
✘ SID filtering of sensitive groups DOES protect across Forest boundaries
○ Hence, people have assumed that Forests were a security boundary :)
24
Sidenote: “Authenticated Users” in Referrals
25
Sidenote: Delegation and Trusts
26
So what? Let’s review
✘ Delegated TGTs (like some TGTs found on unconstrained servers)
are usable across Forests boundaries.
✘ A compromised unconstrained delegation server means an an
attacker can extract TGTs of users who auth to that machine, even
if that user connects from another forest!
✘ Hmm…...can we coerce accounts to authenticate to an
unconstrained delegation server?
27
28
4.
The “Printer Bug”
Our Final Ingredient
29
Printer Bug Overview
✘ Abuses the old enabled-by-default Print System Remote Protocol
(MS-RPRN).
✘ RPC Methods: RpcRemoteFindFirstPrinterChangeNotification(Ex)
○ Purpose: “<ComputerA>, please send <ComputerB> a notification
when ____ happens” (e.g. when there’s a new print job)
○ When invoked, ComputerA will authenticate to ComputerB
✘ This a way to coerce authentication. There are others and likely
more to come.
30
Reference: Printer Bug Details
✘ Print System Remote Protocol (MS-RPRN)
○ SMB-RPC (TCP 445)
○ Named Pipe: pipespoolss
○ RPC UUID: 12345678-1234-ABCD-EF00-0123456789AB
○ Opnum 62 - RpcRemoteFindFirstPrinterChangeNotification
○ Opnum 65 - RpcRemoteFindFirstPrinterChangeNotificationEx
✘ The RPC server is accessible by “Authenticated Users” on Windows
>= 8 if the Spooler service is started (Server & Workstations have it
enabled by default).
○ Supposedly this will change in the future….
○ On Windows < 8 , seems possible if hosts have shared a printer.
○ Independently discovered by Elad Shamir (@elad_shamir)
31
Weaponization
✘ SpoolSample - https://github.com/leechristensen/SpoolSample
32
LABDC01$
authenticated to
WIN10
5.
Breaking Forest Trusts
Smash Smash Smash
33
Scenario
✘ An attacker completely compromises ForestB
○ This includes ForestB’s DC with unconstrained delegation ;)
✘ ForestB shares a two way forest trust with ForestA
✘ Tools Used:
○ Rubeus TGT monitoring/extraction
○ SpoolSample coerced authentication (the “printer bug”)
○ Mimikatz DCSync m/
34
DCB
DCA
<- two-way
forest trust ->
Compromised Forest (FORESTB) Victim Forest (FORESTA)
The “printer bug”
Not a Security Boundary
tl;dr
37
The compromise of any server with
unconstrained delegation (domain
controller or otherwise) can not only be
leveraged to compromise the current
domain and/or any domains in the
current forest, but also any/all domains
in any foreign forest the current forest
shares a two-way forest trust with!
Public Reaction?
(mostly good, but…)
“Still a security boundary as
long as it is not a two way
trust AD forest/domain”
38
“Step 1: Have forest root
domain admin credentials.
Step 2: Have things be
grossly misconfigured.”
“I just don't think I've
heard anyone claim a
boundary still exists when
a 2-way trust is in place.”
Why This Matters
✘ This attack works with default, modern configurations for Active
Directory forests as long as a two-way forest trust is in place.
✘ The security of ForestA is now completely dependent on the
security of ForestB (think acquisitions…)
○ Even if ForestA has *near perfect* security it can be completely
compromised by the takeover of a single unconstrained delegation
server in ForestB!
39
Microsoft: A Great Example
✘ We reported this to MSRC in the fall of last year
○ The associated Microsoft engineering teams determined that it wasn’t a
vulnerability they would patch, but it would be something they might
harden in the future (i.e. v.Next)
✘ After we published details (and defensive guidance) they decided
this decision was a mistake, and soon released an advisory (and
eventually a patch!)
✘ We applaud Microsoft/MSRC at admitting their error and handling
the resulting situation in the best way possible!
40
41
6.
Defenses
Preventing and Detection
42
✘ “Selective authentication is a security setting that can be set on
interforest trusts. It provides Active Directory administrators who
manage a trusting forest more control over which groups of users in
a trusted forest can access shared resources in a trusting forest.”
✘ However, this is focused on administrative users
○ Domain controller objects often need the “Allowed to authenticate”
right on foreign domain controllers in order for the system to work
correctly
Selective Authentication
43
Disabling Kerberos Full Delegation Across Trusts
44
✘ To prevent ForestA from accepting delegated TGTs from ForestB:
○ netdom trust foresta.local /domain:forestb.local
/EnableTGTDelegation:no
✘ This flips the
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
bit to prevent delegated TGTs from transiting the forest boundary
✘ This has to be done on each end of the trust(s)!
CVE-2019-0683 Details
45
✘ As mentioned, Microsoft recently recognized this issue as CVE-
2019-0683
✘ A patch is being slowly rolled out (see next slide) that disables TGT
delegation across forest trust boundaries by default
✘ On the roadmap (July 2019)
○ “...adding a new safe default configuration for unconstrained Kerberos
delegation across Active Directory forest trusts.”
CVE-2019-0683 Timeline
46
✘ March 12, 2019
○ Kerberos full delegation block is backported to Server 2008[R2]
✘ May 14, 2019
○ A new trust flag will be introduced in case you need full delegation
across trusts
○ "EnableTGTDelegation” set to “no” for all new trusts
✘ July 9, 2019
○ Start of enforcement of new trust flag
○ "EnableTGTDelegation” ignored from this point forward
thanks!
Any questions?
[will | lee]@specterops.io
@harmj0y | @tifkin_
47
References
✘ Breaking Forests Trusts (Red) - https://bit.ly/2Ck1HlW
✘ Breaking Forests Trusts (Blue) - https://bit.ly/2Y2Etd5
✘ Attack Demo Video - https://bit.ly/2ULitRW
✘ Microsoft Advisory - https://bit.ly/2ObHAv2
✘ Microsoft Updates Timeline - https://bit.ly/2ugBZdM
✘ CVE-2019-0683 details - https://bit.ly/2CopVLR
48

More Related Content

What's hot

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Mimikatz
MimikatzMimikatz
Mimikatz
rishabh sharma
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Beyond the mcse red teaming active directory
Beyond the mcse  red teaming active directoryBeyond the mcse  red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
Riyaz Walikar
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 

What's hot (20)

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Mimikatz
MimikatzMimikatz
Mimikatz
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Beyond the mcse red teaming active directory
Beyond the mcse  red teaming active directoryBeyond the mcse  red teaming active directory
Beyond the mcse red teaming active directory
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 

Similar to Not a Security Boundary

DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
Felipe Prado
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
Jesse Burke
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
NCCOMMS
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
Daniel López Jiménez
 
Mamouth white paper
Mamouth white paperMamouth white paper
Mamouth white paper
W Fred Seigneur
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
Sergey Yrievich
 
Отчет Audit report RAPID7
 Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
Sergey Yrievich
 
Active Directory and Virtualization
Active Directory and VirtualizationActive Directory and Virtualization
Active Directory and Virtualization
Aniket Pandey
 
Exploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator InsecuritiesExploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator Insecurities
Priyanka Aash
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1
milkux
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
Yossi Sassi
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
Festival Software Livre
 
Virtual Machines Security Internals: Detection and Exploitation
 Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
Mattia Salvi
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
 
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceNetwork Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Cloudian
 
R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013
Oby Sumampouw
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 

Similar to Not a Security Boundary (20)

DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Mamouth white paper
Mamouth white paperMamouth white paper
Mamouth white paper
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Отчет Audit report RAPID7
 Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Active Directory and Virtualization
Active Directory and VirtualizationActive Directory and Virtualization
Active Directory and Virtualization
 
Exploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator InsecuritiesExploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator Insecurities
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Virtual Machines Security Internals: Detection and Exploitation
 Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceNetwork Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
 
R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 

More from Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
Will Schroeder
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
Will Schroeder
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
Will Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
Will Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
Will Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
Will Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
Will Schroeder
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
Will Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
Will Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
Will Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
Will Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 

More from Will Schroeder (18)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 

Recently uploaded

Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
AirtoryInc
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
Shrestha Raaz
 
Software Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical ImplementationsSoftware Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical Implementations
Bangladesh Network Operators Group
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Krishna L
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
Preston University
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
eufdev
 
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
shamrisumri
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
JunaManroe1
 
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
mahigarg2024#G05
 
Dewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show caseDewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show case
DEWANSTUDIO.COM
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
Lumiverse Solutions Pvt Ltd
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
eufdev
 
Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...
APNIC
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
exgf28
 
Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
Thierry TROUIN ☁
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
shamrisumri
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
adelewhite125
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
pdfsubmission50
 
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
dilbaagsingh0898
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
Piotr Siuda
 

Recently uploaded (20)

Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
 
Software Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical ImplementationsSoftware Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical Implementations
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
 
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
 
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
 
Dewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show caseDewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show case
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
 
Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
 
Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
 
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
 

Not a Security Boundary

  • 2. Red teamer and offensive engineer SpecterOps.io I write lots of code :) 2
  • 3. Red teamer, hunter, researcher SpecterOps.io I love shiny things :) 3
  • 4. 4 Microsoft’s “What Are Domains and Forests?” documentation
  • 5. What If... Full ticket-granting-tickets could move across the trust from ForestA to ForestB 5 A computer in ForestA authenticates* to a computer ForestB We had a way to easily extract and reuse these TGTs while in ForestB? *bonus if we can force the authentication step :)
  • 6. Kerberos in 60 seconds OK maybe a few minutes ;) 6 1.
  • 7. Kerberos tl;dr ✘ Kerberos is dense, and we don’t have time to explain the entire protocol ○ Instead we’ll focus on a few key terms and points that are necessary to understand the nuances of the trust attack ✘ For a more in depth explanation, see Sean Metcalf’s post at https://bit.ly/2JhbAXl 7
  • 8. Kerberos tl;dr 1. An account authenticates to a domain controller (DC/KDC) by encrypting some data with with a key derived from the user’s password (e.g. RC4_HMAC(NTLM hash) or AES128/256_HMAC keys) 2. If auth is successful, the DC returns a ticket granting ticket (TGT) to the user that contains a privileged attribute certificate (PAC) ○ The PAC is encrypted with the hash of the krbtgt (Kerberos ticket- granting-ticket service) account and contains auth information like the user’s SID and groups they’re in. 8
  • 9. Kerberos tl;dr 3. The account requests a service ticket to a particular service principal name (SPN) by presenting the TGT to the domain controller 4. The DC returns a service ticket with the same auth info as the TGT. 5. The user sends the service ticket to the target service/machine, which decides whether to grant the user access. 9
  • 10. 10
  • 11. 2. Delegation When You Need to be Someone Else 11
  • 12. The Reason Delegation is Needed 12 User Front End Back End Auth To Front End Service “Pretend” to be User
  • 13. Unconstrained A user requests a forwardable TGT and sends it to the remote service with the service ticket. The remote service extracts the TGT from the service ticket and uses it to impersonate the user. Traditional Constrained The service requests a ticket to itself as another user (S4U2self) The service uses this ticket to request a service ticket to another service as that user (S4U2proxy). Service must be specified in msDS-AllowedToDelegateTo Resource-based Constrained ACL in a field (msDS- AllowedToActOnBehalfOfOthe rIdentity) on the target resource that dictates who can perform S4U2proxy to the resource 13 Delegation Types
  • 14. Unconstrained Madness ✘ UNCONSTRAINED DELEGATION IS DANGEROUS! ✘ If an attacker can compromise a server with unconstrained delegation, they can obtain the TGT for any (non-protected) user who authenticates to that server ✘ In modern domains, only domain controllers are configured for unconstrained delegation by default ○ But we often see “misconfigurations” in the field :) 14
  • 15. 15
  • 17. Trusts 101 ✘ Trusts link up the authentication systems of two domains ○ This allows authentication traffic to flow between them ✘ This is done by each domain negotiating an “inter-realm trust key” that’s used to encrypt Kerberos referral tickets ✘ Access is passed around with via these referrals and “inter-realm ticket granting tickets" 17
  • 18. Trusts 201 ✘ Trust directions/transitivity: ○ One-way - one domain trusts the other ○ Two-way - both domains trust each other (2x one-way trusts) ○ Transitive - A trusts B and B trusts C, so A trusts C ✘ The main trust type categories we care about: ○ Intra-forest - parent/child, cross-link (all transitive) ○ Inter-domain - forest (transitive), external (non-transitive) 18
  • 19. Privilege Attribute Certificates (PAC) ✘ Recall: When you first authenticate, you receive a TGT ○ Inside each TGT is a PAC ○ A TGT’s PAC contains the user/group SIDs that identify the user 19 Ticket Granting Ticket Privilege Attribute Certificate (PAC) User S-1-5-21-2532535433-4733566781-1284343941-1001 Groups S-1-5-21-2532535433-4733566781-1284343941-1353 S-1-5-21-2532535433-4733566781-1284343941-2604 ExtraSids S-1-5-21-3416895347-7456555532-9337766299-519 CORPitadmin CORPFileShareAccess CORPHelpDesk ACMEEnterprise Admins
  • 20. SID Filtering ✘ During auth to another domain, the remote domain (the “trusting domain”) analyzes the SIDs in the TGT’s PAC ✘ Depending on the trust type, the remote domain removes (“filters”) SIDs under various circumstances (see MS-PAC section 4.1.2.2) ✘ E.g. when authenticating from ForestA to ForestB, the PAC from ForestA should not contain SIDs for a default set of privileged groups in ForestB. ✘ Other cross-domain/forest group memberships can be exploited 20
  • 21. Intent of SID filtering Stop a compromised trusted domain/forest from compromising a trusting domain/forest. How well does this work in practice? Let’s find out... 21
  • 22. Why The Domain != A Security Boundary 22
  • 23. Why The Domain != A Security Boundary ✘ The SID for “Enterprise Admins” is NOT filtered out by default for inter-realm tickets if both domains are within the same forest ○ So if you can set your sidHistory to be “Enterprise Admins” (i.e. ExtraSids in the PAC), you can escalate from a child domain to the forest root domain! 23
  • 24. Forests == A Security Boundary? 🤔 ✘ SID filtering of sensitive groups DOES protect across Forest boundaries ○ Hence, people have assumed that Forests were a security boundary :) 24
  • 27. So what? Let’s review ✘ Delegated TGTs (like some TGTs found on unconstrained servers) are usable across Forests boundaries. ✘ A compromised unconstrained delegation server means an an attacker can extract TGTs of users who auth to that machine, even if that user connects from another forest! ✘ Hmm…...can we coerce accounts to authenticate to an unconstrained delegation server? 27
  • 28. 28
  • 29. 4. The “Printer Bug” Our Final Ingredient 29
  • 30. Printer Bug Overview ✘ Abuses the old enabled-by-default Print System Remote Protocol (MS-RPRN). ✘ RPC Methods: RpcRemoteFindFirstPrinterChangeNotification(Ex) ○ Purpose: “<ComputerA>, please send <ComputerB> a notification when ____ happens” (e.g. when there’s a new print job) ○ When invoked, ComputerA will authenticate to ComputerB ✘ This a way to coerce authentication. There are others and likely more to come. 30
  • 31. Reference: Printer Bug Details ✘ Print System Remote Protocol (MS-RPRN) ○ SMB-RPC (TCP 445) ○ Named Pipe: pipespoolss ○ RPC UUID: 12345678-1234-ABCD-EF00-0123456789AB ○ Opnum 62 - RpcRemoteFindFirstPrinterChangeNotification ○ Opnum 65 - RpcRemoteFindFirstPrinterChangeNotificationEx ✘ The RPC server is accessible by “Authenticated Users” on Windows >= 8 if the Spooler service is started (Server & Workstations have it enabled by default). ○ Supposedly this will change in the future…. ○ On Windows < 8 , seems possible if hosts have shared a printer. ○ Independently discovered by Elad Shamir (@elad_shamir) 31
  • 32. Weaponization ✘ SpoolSample - https://github.com/leechristensen/SpoolSample 32 LABDC01$ authenticated to WIN10
  • 34. Scenario ✘ An attacker completely compromises ForestB ○ This includes ForestB’s DC with unconstrained delegation ;) ✘ ForestB shares a two way forest trust with ForestA ✘ Tools Used: ○ Rubeus TGT monitoring/extraction ○ SpoolSample coerced authentication (the “printer bug”) ○ Mimikatz DCSync m/ 34
  • 35. DCB DCA <- two-way forest trust -> Compromised Forest (FORESTB) Victim Forest (FORESTA) The “printer bug”
  • 37. tl;dr 37 The compromise of any server with unconstrained delegation (domain controller or otherwise) can not only be leveraged to compromise the current domain and/or any domains in the current forest, but also any/all domains in any foreign forest the current forest shares a two-way forest trust with!
  • 38. Public Reaction? (mostly good, but…) “Still a security boundary as long as it is not a two way trust AD forest/domain” 38 “Step 1: Have forest root domain admin credentials. Step 2: Have things be grossly misconfigured.” “I just don't think I've heard anyone claim a boundary still exists when a 2-way trust is in place.”
  • 39. Why This Matters ✘ This attack works with default, modern configurations for Active Directory forests as long as a two-way forest trust is in place. ✘ The security of ForestA is now completely dependent on the security of ForestB (think acquisitions…) ○ Even if ForestA has *near perfect* security it can be completely compromised by the takeover of a single unconstrained delegation server in ForestB! 39
  • 40. Microsoft: A Great Example ✘ We reported this to MSRC in the fall of last year ○ The associated Microsoft engineering teams determined that it wasn’t a vulnerability they would patch, but it would be something they might harden in the future (i.e. v.Next) ✘ After we published details (and defensive guidance) they decided this decision was a mistake, and soon released an advisory (and eventually a patch!) ✘ We applaud Microsoft/MSRC at admitting their error and handling the resulting situation in the best way possible! 40
  • 41. 41
  • 43. ✘ “Selective authentication is a security setting that can be set on interforest trusts. It provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in a trusting forest.” ✘ However, this is focused on administrative users ○ Domain controller objects often need the “Allowed to authenticate” right on foreign domain controllers in order for the system to work correctly Selective Authentication 43
  • 44. Disabling Kerberos Full Delegation Across Trusts 44 ✘ To prevent ForestA from accepting delegated TGTs from ForestB: ○ netdom trust foresta.local /domain:forestb.local /EnableTGTDelegation:no ✘ This flips the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION bit to prevent delegated TGTs from transiting the forest boundary ✘ This has to be done on each end of the trust(s)!
  • 45. CVE-2019-0683 Details 45 ✘ As mentioned, Microsoft recently recognized this issue as CVE- 2019-0683 ✘ A patch is being slowly rolled out (see next slide) that disables TGT delegation across forest trust boundaries by default ✘ On the roadmap (July 2019) ○ “...adding a new safe default configuration for unconstrained Kerberos delegation across Active Directory forest trusts.”
  • 46. CVE-2019-0683 Timeline 46 ✘ March 12, 2019 ○ Kerberos full delegation block is backported to Server 2008[R2] ✘ May 14, 2019 ○ A new trust flag will be introduced in case you need full delegation across trusts ○ "EnableTGTDelegation” set to “no” for all new trusts ✘ July 9, 2019 ○ Start of enforcement of new trust flag ○ "EnableTGTDelegation” ignored from this point forward
  • 47. thanks! Any questions? [will | lee]@specterops.io @harmj0y | @tifkin_ 47
  • 48. References ✘ Breaking Forests Trusts (Red) - https://bit.ly/2Ck1HlW ✘ Breaking Forests Trusts (Blue) - https://bit.ly/2Y2Etd5 ✘ Attack Demo Video - https://bit.ly/2ULitRW ✘ Microsoft Advisory - https://bit.ly/2ObHAv2 ✘ Microsoft Updates Timeline - https://bit.ly/2ugBZdM ✘ CVE-2019-0683 details - https://bit.ly/2CopVLR 48