1. The document discusses breaking trusts between Active Directory forests by leveraging compromised unconstrained delegation and the "printer bug" to coerce authentication across forest boundaries.
2. It explains how a compromised server with unconstrained delegation in one forest can be used to extract ticket granting tickets (TGTs) that can then be reused to access resources in a separate, trusting forest.
3. The "printer bug" allows remotely forcing authentication and is used to extract TGTs from the separate forest to circumvent typical cross-forest security restrictions. This bypasses the assumption that forests provide a security boundary when two-way trusts exist between them.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?
This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won’t be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
Active Directory attack mitigation
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members as well as AD administrators.
One of several documents describing an earlier version of the Secure Computing InFrastructure (SCIF) architecture and embodiment for a medical applicaton
Windows Server 2016 offers huge improvements for Active Directory scalability and UI, which we'll talk about in detail. Don't miss a demo session on using Active Directory PowerShell History Viewer and the new graphic user interface for Active Directory Recycle Bin and fine-grained password policy features!
Exploiting Active Directory Administrator InsecuritiesPriyanka Aash
"Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer?
Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process.
This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement.
Some of the areas explored in this talk:
Current methods organizations use to administer Active Directory and the weaknesses around them.
Using RODCs in the environment in ways the organization didn't plan for (including persistence).
Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose.
Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest.
If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked."
Serão demonstradas diversas técnicas de ataque, tais como: Injeções de codigos,brute force, backdoors, root kits, exploits e várias outras maneiras para acessar e se manter indevidamente a servidores,em contra-partida são discutidas melhores praticas para se
evitar os tipos de ataques citados. (Palestra realizada no 3º Festival de Software livre em belo horizonte - FSLBH)
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
This paper is an analysis of the current state of virtual machines’ security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise level infrastructures. Despite the few real world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Coming from dozens of engagements consulting various role-based remote operations architectures & Red Team assessments for organizations in 4 continents, with a fresh research hijacking full tokens from network logon-type sessions - we’ll dive into a technical, hands-on set of examples for both Offensive and Defensive teams, of what SUCKS and what ROCKS on the Windows ‘Living off the land’ remote admin operations, Protocols, and APIs. We'll talk about the Pros and Cons of jump server architectures, as well as role-based shells, limiting PowerShell in creative ways. We'll also introduce fresh research to achieve Full Token hijack from network logon-type sessions, without any hash and/or TGT!
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceCloudian
This document is to help a new user set up the network when deploying a 3-node Cloudian storage cluster in your data center for use with the Cloudian HyperStore Hybrid Cloud Service from AWS Marketplace.
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
Introducción a las pruebas de intrusión en entornos Microsoft Active Directory en forma de ponencia práctica para auditores o personas interesadas en el pentesting en entornos corporativos. Se dará una breve introducción al servicio de directorio Active Directory y sus componentes más críticos desde el punto de vista de la seguridad.Posteriormente, se explicarán las principales diferencias con respecto a un pentesting clásico de infraestructura, así como las técnicas y ataques más comunes para llevar a cabo el ejercicio y comprometer completamente el dominio corporativo.Requisitos: Se recomienda que los asistentes tengan conocimientos básicos de Active Directory y básicos/medios de pentesting o hacking ético, preferiblemente en infraestructuras y/o Sistemas Operativos.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
5. What If...
Full ticket-granting-tickets
could move across the trust
from ForestA to ForestB
5
A computer in ForestA
authenticates* to a
computer ForestB
We had a way to easily
extract and reuse these
TGTs while in ForestB? *bonus if we can force the
authentication step :)
7. Kerberos tl;dr
✘ Kerberos is dense, and we don’t have
time to explain the entire protocol
○ Instead we’ll focus on a few key terms and
points that are necessary to understand
the nuances of the trust attack
✘ For a more in depth explanation, see
Sean Metcalf’s post at
https://bit.ly/2JhbAXl
7
8. Kerberos tl;dr
1. An account authenticates to a domain controller (DC/KDC) by
encrypting some data with with a key derived from the user’s
password (e.g. RC4_HMAC(NTLM hash) or AES128/256_HMAC keys)
2. If auth is successful, the DC returns a ticket granting ticket (TGT) to
the user that contains a privileged attribute certificate (PAC)
○ The PAC is encrypted with the hash of the krbtgt (Kerberos ticket-
granting-ticket service) account and contains auth information like
the user’s SID and groups they’re in.
8
9. Kerberos tl;dr
3. The account requests a service ticket to a particular service
principal name (SPN) by presenting the TGT to the domain
controller
4. The DC returns a service ticket with the same auth info as the TGT.
5. The user sends the service ticket to the target service/machine,
which decides whether to grant the user access.
9
12. The Reason Delegation is Needed
12
User Front
End
Back
End
Auth To
Front End
Service
“Pretend”
to be
User
13. Unconstrained
A user requests a
forwardable TGT and sends
it to the remote service
with the service ticket.
The remote service
extracts the TGT from the
service ticket and uses it
to impersonate the user.
Traditional Constrained
The service requests a ticket
to itself as another user
(S4U2self)
The service uses this ticket
to request a service ticket to
another service as that user
(S4U2proxy).
Service must be specified in
msDS-AllowedToDelegateTo
Resource-based
Constrained
ACL in a field (msDS-
AllowedToActOnBehalfOfOthe
rIdentity) on the target
resource that dictates who
can perform S4U2proxy to
the resource
13
Delegation Types
14. Unconstrained Madness
✘ UNCONSTRAINED DELEGATION IS DANGEROUS!
✘ If an attacker can compromise a server with unconstrained
delegation, they can obtain the TGT for any (non-protected) user
who authenticates to that server
✘ In modern domains, only domain controllers are configured for
unconstrained delegation by default
○ But we often see “misconfigurations” in the field :)
14
17. Trusts 101
✘ Trusts link up the authentication systems of two domains
○ This allows authentication traffic to flow between them
✘ This is done by each domain negotiating an “inter-realm trust key”
that’s used to encrypt Kerberos referral tickets
✘ Access is passed around with via these referrals and “inter-realm
ticket granting tickets"
17
18. Trusts 201
✘ Trust directions/transitivity:
○ One-way - one domain trusts the other
○ Two-way - both domains trust each other (2x one-way trusts)
○ Transitive - A trusts B and B trusts C, so A trusts C
✘ The main trust type categories we care about:
○ Intra-forest - parent/child, cross-link (all transitive)
○ Inter-domain - forest (transitive), external (non-transitive)
18
19. Privilege Attribute Certificates (PAC)
✘ Recall: When you first authenticate, you receive a TGT
○ Inside each TGT is a PAC
○ A TGT’s PAC contains the user/group SIDs that identify the user
19
Ticket Granting Ticket
Privilege Attribute Certificate (PAC)
User S-1-5-21-2532535433-4733566781-1284343941-1001
Groups S-1-5-21-2532535433-4733566781-1284343941-1353
S-1-5-21-2532535433-4733566781-1284343941-2604
ExtraSids S-1-5-21-3416895347-7456555532-9337766299-519
CORPitadmin
CORPFileShareAccess
CORPHelpDesk
ACMEEnterprise Admins
20. SID Filtering
✘ During auth to another domain, the remote domain (the “trusting
domain”) analyzes the SIDs in the TGT’s PAC
✘ Depending on the trust type, the remote domain removes (“filters”)
SIDs under various circumstances (see MS-PAC section 4.1.2.2)
✘ E.g. when authenticating from ForestA to ForestB, the PAC from
ForestA should not contain SIDs for a default set of privileged
groups in ForestB.
✘ Other cross-domain/forest group memberships can be exploited
20
21. Intent of SID filtering
Stop a compromised trusted domain/forest
from compromising a trusting domain/forest.
How well does this work in practice? Let’s find out...
21
23. Why The Domain != A Security Boundary
✘ The SID for “Enterprise Admins” is NOT filtered out by default for
inter-realm tickets if both domains are within the same forest
○ So if you can set your sidHistory to be “Enterprise Admins” (i.e.
ExtraSids in the PAC), you can escalate from a child domain to
the forest root domain!
23
24. Forests == A Security Boundary? 🤔
✘ SID filtering of sensitive groups DOES protect across Forest boundaries
○ Hence, people have assumed that Forests were a security boundary :)
24
27. So what? Let’s review
✘ Delegated TGTs (like some TGTs found on unconstrained servers)
are usable across Forests boundaries.
✘ A compromised unconstrained delegation server means an an
attacker can extract TGTs of users who auth to that machine, even
if that user connects from another forest!
✘ Hmm…...can we coerce accounts to authenticate to an
unconstrained delegation server?
27
30. Printer Bug Overview
✘ Abuses the old enabled-by-default Print System Remote Protocol
(MS-RPRN).
✘ RPC Methods: RpcRemoteFindFirstPrinterChangeNotification(Ex)
○ Purpose: “<ComputerA>, please send <ComputerB> a notification
when ____ happens” (e.g. when there’s a new print job)
○ When invoked, ComputerA will authenticate to ComputerB
✘ This a way to coerce authentication. There are others and likely
more to come.
30
31. Reference: Printer Bug Details
✘ Print System Remote Protocol (MS-RPRN)
○ SMB-RPC (TCP 445)
○ Named Pipe: pipespoolss
○ RPC UUID: 12345678-1234-ABCD-EF00-0123456789AB
○ Opnum 62 - RpcRemoteFindFirstPrinterChangeNotification
○ Opnum 65 - RpcRemoteFindFirstPrinterChangeNotificationEx
✘ The RPC server is accessible by “Authenticated Users” on Windows
>= 8 if the Spooler service is started (Server & Workstations have it
enabled by default).
○ Supposedly this will change in the future….
○ On Windows < 8 , seems possible if hosts have shared a printer.
○ Independently discovered by Elad Shamir (@elad_shamir)
31
34. Scenario
✘ An attacker completely compromises ForestB
○ This includes ForestB’s DC with unconstrained delegation ;)
✘ ForestB shares a two way forest trust with ForestA
✘ Tools Used:
○ Rubeus TGT monitoring/extraction
○ SpoolSample coerced authentication (the “printer bug”)
○ Mimikatz DCSync m/
34
37. tl;dr
37
The compromise of any server with
unconstrained delegation (domain
controller or otherwise) can not only be
leveraged to compromise the current
domain and/or any domains in the
current forest, but also any/all domains
in any foreign forest the current forest
shares a two-way forest trust with!
38. Public Reaction?
(mostly good, but…)
“Still a security boundary as
long as it is not a two way
trust AD forest/domain”
38
“Step 1: Have forest root
domain admin credentials.
Step 2: Have things be
grossly misconfigured.”
“I just don't think I've
heard anyone claim a
boundary still exists when
a 2-way trust is in place.”
39. Why This Matters
✘ This attack works with default, modern configurations for Active
Directory forests as long as a two-way forest trust is in place.
✘ The security of ForestA is now completely dependent on the
security of ForestB (think acquisitions…)
○ Even if ForestA has *near perfect* security it can be completely
compromised by the takeover of a single unconstrained delegation
server in ForestB!
39
40. Microsoft: A Great Example
✘ We reported this to MSRC in the fall of last year
○ The associated Microsoft engineering teams determined that it wasn’t a
vulnerability they would patch, but it would be something they might
harden in the future (i.e. v.Next)
✘ After we published details (and defensive guidance) they decided
this decision was a mistake, and soon released an advisory (and
eventually a patch!)
✘ We applaud Microsoft/MSRC at admitting their error and handling
the resulting situation in the best way possible!
40
43. ✘ “Selective authentication is a security setting that can be set on
interforest trusts. It provides Active Directory administrators who
manage a trusting forest more control over which groups of users in
a trusted forest can access shared resources in a trusting forest.”
✘ However, this is focused on administrative users
○ Domain controller objects often need the “Allowed to authenticate”
right on foreign domain controllers in order for the system to work
correctly
Selective Authentication
43
44. Disabling Kerberos Full Delegation Across Trusts
44
✘ To prevent ForestA from accepting delegated TGTs from ForestB:
○ netdom trust foresta.local /domain:forestb.local
/EnableTGTDelegation:no
✘ This flips the
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
bit to prevent delegated TGTs from transiting the forest boundary
✘ This has to be done on each end of the trust(s)!
45. CVE-2019-0683 Details
45
✘ As mentioned, Microsoft recently recognized this issue as CVE-
2019-0683
✘ A patch is being slowly rolled out (see next slide) that disables TGT
delegation across forest trust boundaries by default
✘ On the roadmap (July 2019)
○ “...adding a new safe default configuration for unconstrained Kerberos
delegation across Active Directory forest trusts.”
46. CVE-2019-0683 Timeline
46
✘ March 12, 2019
○ Kerberos full delegation block is backported to Server 2008[R2]
✘ May 14, 2019
○ A new trust flag will be introduced in case you need full delegation
across trusts
○ "EnableTGTDelegation” set to “no” for all new trusts
✘ July 9, 2019
○ Start of enforcement of new trust flag
○ "EnableTGTDelegation” ignored from this point forward