With global information security spending rapidly approaching $100 billion, you'd think we,d have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you,re probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester,s process, step-by-step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we,ll discuss the fundamental security controls that will shut down attackers time and again.

1. STEALING DOMAIN ADMIN
(OR HOW I LEARNED TO STOP WORRYING
AND LOVE THE CSSF)
JEROD BRENNEN

2. WHO AM I?
 Jerod Brennen
 Security Solutions Architect, One Identity
 Alphabet Soup
 ACE, CISSP, GWAPT, GWEB

3. THE CHALLENGE

4. HANDBASKETS, ANYONE?

5. LET’S PLAY FIND THE WHITESPACE
From http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

6. BROKEN RECORD… BROKEN RECORD… BROKEN RECORD…

7. CHOOSEYOUR OWN ADVENTURE

8. PEN TEST FLOW

9. TEN EIGHT STEP PROGRAM
 Step 1: Gather OSINT
 Step 2: Score Some Creds
 Step 3: Logon to an Internal System
 Step 4: Dump SAM/System/Security Hives
 Step 5: Extract Hashes and Get Cracking
 Step 6: Identify Admin Accounts
 Step 7: Find Active DA Logins
 Step 8: Pass the Hash

10. STEP 1: GATHER OSINT (OPEN SOURCE INTELLIGENCE)
 Google search
 site:company_website.com “contact”
 Maltego
 https://www.paterva.com/
 Transform:To Email Address [using Search Engine]
 LinkedIn company search
 Data.com Connect
 https://connect.data.com/
 EmailHarvester
 https://github.com/maldevel/EmailHarvester
 Discover (Lee Baird)
 https://github.com/leebaird/discover

11. STEP 2: SCORE SOME CREDS
 Brute Force Attack
 Lots of usernames, lots of passwords
 Password Spray Attack
 Lots of usernames,VERY few passwords
 ./ntlm-botherer.py –U ./users.txt –p Winter2018 –d target_domain.com
https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth
/user?originalDomain=target_domain.com/WebTicket/WebTicketService.svc
 Burp Suite Intruder / Cluster Bomb
 https://portswigger.net/burp/help/intruder_using.html
 https://portswigger.net/burp/help/intruder_positions.html
 MailSniper
 https://github.com/dafthack/MailSniper

12. STEP 3: LOGON TO AN INTERNAL SYSTEM
 Passive Intel
 Shodan - https://shodan.io/
 Censys - https://censys.io/
 Search Engines
 site:company.com inurl:login
 site:company.com sitemap.xml
 Active Intel
 nmap -Pn -sS xxx.xxx.xxx.0/24 -p 21-
23,80,443,3389,5800,5900,8443
 Remote AdministrationTools
 Bomgar, GoToMeeting,TeamViewer, Join.me, Splashtop,
LogMeIn,WebEx
 Physical/Wireless Network Access

13. STEP 4: DUMP SAM/SYSTEM/SECURITY HIVES
 Dump the hives
 reg.exe save hklmsam c:sam.save
 reg.exe save hklmsystem c:system.save
 reg.exe save hklmsecurity c:security.save
 This one may require elevated privileges
 If so, psexec.exe -i -s cmd.exe, then execute
within new command prompt window
 While you’re there, scope out users & groups
 net user /domain > domain_users.txt
 net groups /domain >
domain_groups.txt
 Exfiltrate
 Box, Dropbox, Google Drive, OneDrive, ShareFile

14. STEP 5: EXTRACT HASHES AND GET CRACKING
 Extract hashes with Impacket (offline)
 https://github.com/CoreSecurity/impacket
 secretsdump.py -sam sam.save -security
security.save -system system.save LOCAL
 Crack SAM hashes
 LM -> Ophcrack
 NT -> hashcat or John the Ripper
 HashKiller
 https://hashkiller.co.uk/ntlm-decrypter.aspx
 Crack domain creds
 hashcat or John the Ripper

15. STEP 6: IDENTIFY ADMIN ACCOUNTS
 Impacket output
 Administrator = RID -500 (“the dash 500 account”)
 Verify Local Admins
 net localgroup administrators
 Dump Active Directory
 AD Users and Computers
 Apache Directory Studio
 Softerra LDAP Administrator/Browser
 LDAP Admin (portable?)

16. STEP 7: FIND ACTIVE DA LOGINS
 PowerShell Empire
 https://github.com/PowerShellMafia/PowerSploit
 https://github.com/PowerShellMafia/PowerSploit/tree/m
aster/Recon
 Invoke-UserHunter
 Input options
 Individual username
 List of usernames
 Domain group
 List of hosts
 PowerShell ProTip
 powershell -exec bypass

17. STEP 8: PASS THE HASH
 Invoke-TheHash
 https://github.com/Kevin-Robertson/Invoke-TheHash
 Dump lsass (Local Security Authority
Subsystem Service)
 Start > Run > taskmgr.exe
 Show processes from all users
 lsass.exe > Right Click > Dump
 c:UsersusernameAppDataLocalTemplsass.DMP
 Grab passwords from lsass
 Online -> procdump.exe
 https://technet.microsoft.com/en-
us/sysinternals/dd996900.aspx
 Offline -> mimikatz
 https://github.com/gentilkiwi/mimikatz

18. STEP 9: CELEBRATE (OPTIONAL)

19. NOTHING NEW UNDER THE SUN
 DumpingWindows Credentials (December 20, 2013)
 https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
 I Hunt Sys Admins (January 19, 2015)
 http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
 Password Spraying Outlook Web Access (February 17, 2016)
 http://www.blackhillsinfosec.com/?p=4694

20. WHAT IF I TOLDYOU…

21. SIMPLICITY IS KEY

22. COMMON SENSE SECURITY FRAMEWORK
 Seven (7) Areas of Protection
 ProtectYour Applications
 ProtectYour Endpoints
 ProtectYour Network
 ProtectYour Servers
 ProtectYour Data
 ProtectYour Locations
 ProtectYour People
 Three (3)Yes/No Questions per Area
 Guidance (free, open source, commercial)
https://commonsenseframework.org/

23. WHO DOESN’T LOVE SPREADSHEETS?

24. WHO DOESN’T LOVE GRAPHS?

25. EVERY BREATHYOU TAKE… EVERY MOVEYOU MAKE…
Step Control
Gather OSINT S01 - Do you follow documented system hardening procedures to secure your servers?
Score Some Creds D02 - Do you periodically review employee account security to ensure that access is appropriate (i.e., least
privilege, individuals accounts, strong passwords)?
Logon to an Internal System N03 - Do you require two factor authentication for remote/VPN access, as well as access to third party
(hosted) applications?
Dump SAM/System/Security Hives S02 - Do you centrally store and actively monitor critical security logs for suspicious events (such as
abnormal admin account activity)?
Extract Hashes and Get Cracking See S02
Identify Admin Accounts E02 - Do you limit local administrator account usage?
Find Active DA Logins See S02
Pass the Hash See S02

26. UNSUNG HERO

27. A FEW FINAL COMMENTS

28. LEADERSHIP NEEDS CONTEXT
 Information Security SpendingWill Top $101 Billion By 2020
 http://www.darkreading.com/operations/information-security-spending-will-top-$101-billion-by-2020/d/d-id/1327178
 World's Biggest Data Breaches
 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
 Privacy Rights Clearinghouse's Chronology of Data Breaches
 https://www.privacyrights.org/data-breaches
 Verizon Data Breach Investigations Report (DBIR)
 http://www.verizonenterprise.com/verizon-insights-lab/dbir/

29. YOUR HOMEWORK
 Self-assess your organization against the CSSF
 Schedule a red team / blue team exercise using these steps as a guide
 Post mortem the exercise
 Update policies, procedures, and standards based on the post mortem
 Site down with leadership (steering committee) and share what you learned
 Fix all the things!

30. QUESTIONS / COMMENTS / DISCUSSION

31. CONTACT INFO
 Email – jerod.brennen@oneidentity.com
 LinkedIn - https://www.linkedin.com/in/slandail/
 Twitter - https://twitter.com/slandail
 GitHub - https://github.com/slandail
 SlideShare - https://www.slideshare.net/JerodBrennenCISSP
 Speaker Deck - https://speakerdeck.com/slandail/