Kerberos on macOS with and without Active Directory (AD). Where are attacks possible in Kerberos and how does the LKDC (Local Key Distribution Center) come into play.
Presented at Objective By The Sea (OBTS) 3.0 in Maui, Hawaii March 2020
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Features of Alfresco Search Services.
Features of Alfresco Search & Insight Engine.
Future plans for the product
---
DEMO GUIDE
[1] Queries: Share > Node Browser
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
[2] Queries: Share > JS Console
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_FTS_ALFRESCO,
"ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'");
logger.log(ResultSet.getNodeRefs());
---
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_CMIS_ALFRESCO,
"SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')");
logger.log(ResultSet.getNodeRefs());
---
var def =
{
query: "ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'",
language: "fts-alfresco"
};
var results = search.query(def);
logger.log(results);
[3] Queries: api-explorer
{
"query": {
"language": "afts",
"query": "ASPECT:\"cm:titled\" AND cm:title:\"*Sample\" AND TEXT:\"code\""
}
}
---
{
"query": {
"language": "cmis",
"query": "SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')"
}
}
[4] Queries: CMIS Workbench > Groovy Console
rs = session.query("SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')", false)
for (res in rs) {
println(res.getPropertyValueById('cmis:objectId'))
}
[5] Queries: SOLR Web Console > (alfresco) > Query
/afts
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
---
/cmis
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
---
Social Engineering the Windows Kernel by James ForshawShakacon
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources.
The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.
This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a windows domain readers can use the described techniques to escalate to domain administrators.
MongoDB 3.0 introduces a pluggable storage architecture and a new storage engine called WiredTiger. The engineering team behind WiredTiger team has a long and distinguished career, having architected and built Berkeley DB, now the world's most widely used embedded database.
In this webinar Michael Cahill, co-founder of WiredTiger, will describe our original design goals for WiredTiger, including considerations we made for heavily threaded hardware, large on-chip caches, and SSD storage. We'll also look at some of the latch-free and non-blocking algorithms we've implemented, as well as other techniques that improve scaling, overall throughput and latency. Finally, we'll take a look at some of the features we hope to incorporate into WiredTiger and MongoDB in the future.
This is the session delivered during the Alfresco Developers Conference in Lisbon, January 2018. Learn all what you need to know to perform a proper backup and disaster recovery strategy. From a single server installation with hundreds of documents to a large deployment with multiple nodes, layers, databases and multi-million documents. What is the best way for each case?
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Getting Ready to Use Redis with Apache Spark with Dvir VolkSpark Summit
Getting Ready to use Redis with Apache Spark is a technical tutorial designed to address integrating Redis with an Apache Spark deployment to increase the performance of serving complex decision models. To set the context for the session, we start with a quick introduction to Redis and the capabilities Redis provides. We cover the basic data types provided by Redis and cover the module system. Using an ad serving use-case, we look at how Redis can improve the performance and reduce the cost of using complex ML-models in production. Attendees will be guided through the key steps of setting up and integrating Redis with Spark, including how to train a model using Spark then load and serve it using Redis, as well as how to work with the Spark Redis module. The capabilities of the Redis Machine Learning Module (redis-ml) will be discussed focusing primarily on decision trees and regression (linear and logistic) with code examples to demonstrate how to use these feature. At the end of the session, developers should feel confident building a prototype/proof-of-concept application using Redis and Spark. Attendees will understand how Redis complements Spark and how to use Redis to serve complex, ML-models with high performance.
Speaker: Jay Runkel, Principal Solution Architect, MongoDB
Session Type: 40 minute main track session
Track: Operations
When architecting a MongoDB application, one of the most difficult questions to answer is how much hardware (number of shards, number of replicas, and server specifications) am I going to need for an application. Similarly, when deploying in the cloud, how do you estimate your monthly AWS, Azure, or GCP costs given a description of a new application? While there isn’t a precise formula for mapping application features (e.g., document structure, schema, query volumes) into servers, there are various strategies you can use to estimate the MongoDB cluster sizing. This presentation will cover the questions you need to ask and describe how to use this information to estimate the required cluster size or cloud deployment cost.
What You Will Learn:
- How to architect a sharded cluster that provides the required computing resources while minimizing hardware or cloud computing costs
- How to use this information to estimate the overall cluster requirements for IOPS, RAM, cores, disk space, etc.
- What you need to know about the application to estimate a cluster size
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Criação de log de ações através do banco - PostgreSQLMarcos Thomaz
Esta apresentação foi utilizada na palestra ministrada na Conferência Brasileira de PostgreSQL, realizada na cidade de Porto Velho - Rondônia - Brasil, em 2013. Ela apresenta uma forma simples de se manter o log das ações realizadas no banco de dados, mantendo um histórico de modificações.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Features of Alfresco Search Services.
Features of Alfresco Search & Insight Engine.
Future plans for the product
---
DEMO GUIDE
[1] Queries: Share > Node Browser
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
[2] Queries: Share > JS Console
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_FTS_ALFRESCO,
"ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'");
logger.log(ResultSet.getNodeRefs());
---
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_CMIS_ALFRESCO,
"SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')");
logger.log(ResultSet.getNodeRefs());
---
var def =
{
query: "ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'",
language: "fts-alfresco"
};
var results = search.query(def);
logger.log(results);
[3] Queries: api-explorer
{
"query": {
"language": "afts",
"query": "ASPECT:\"cm:titled\" AND cm:title:\"*Sample\" AND TEXT:\"code\""
}
}
---
{
"query": {
"language": "cmis",
"query": "SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')"
}
}
[4] Queries: CMIS Workbench > Groovy Console
rs = session.query("SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')", false)
for (res in rs) {
println(res.getPropertyValueById('cmis:objectId'))
}
[5] Queries: SOLR Web Console > (alfresco) > Query
/afts
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
---
/cmis
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
---
Social Engineering the Windows Kernel by James ForshawShakacon
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources.
The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.
This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a windows domain readers can use the described techniques to escalate to domain administrators.
MongoDB 3.0 introduces a pluggable storage architecture and a new storage engine called WiredTiger. The engineering team behind WiredTiger team has a long and distinguished career, having architected and built Berkeley DB, now the world's most widely used embedded database.
In this webinar Michael Cahill, co-founder of WiredTiger, will describe our original design goals for WiredTiger, including considerations we made for heavily threaded hardware, large on-chip caches, and SSD storage. We'll also look at some of the latch-free and non-blocking algorithms we've implemented, as well as other techniques that improve scaling, overall throughput and latency. Finally, we'll take a look at some of the features we hope to incorporate into WiredTiger and MongoDB in the future.
This is the session delivered during the Alfresco Developers Conference in Lisbon, January 2018. Learn all what you need to know to perform a proper backup and disaster recovery strategy. From a single server installation with hundreds of documents to a large deployment with multiple nodes, layers, databases and multi-million documents. What is the best way for each case?
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Getting Ready to Use Redis with Apache Spark with Dvir VolkSpark Summit
Getting Ready to use Redis with Apache Spark is a technical tutorial designed to address integrating Redis with an Apache Spark deployment to increase the performance of serving complex decision models. To set the context for the session, we start with a quick introduction to Redis and the capabilities Redis provides. We cover the basic data types provided by Redis and cover the module system. Using an ad serving use-case, we look at how Redis can improve the performance and reduce the cost of using complex ML-models in production. Attendees will be guided through the key steps of setting up and integrating Redis with Spark, including how to train a model using Spark then load and serve it using Redis, as well as how to work with the Spark Redis module. The capabilities of the Redis Machine Learning Module (redis-ml) will be discussed focusing primarily on decision trees and regression (linear and logistic) with code examples to demonstrate how to use these feature. At the end of the session, developers should feel confident building a prototype/proof-of-concept application using Redis and Spark. Attendees will understand how Redis complements Spark and how to use Redis to serve complex, ML-models with high performance.
Speaker: Jay Runkel, Principal Solution Architect, MongoDB
Session Type: 40 minute main track session
Track: Operations
When architecting a MongoDB application, one of the most difficult questions to answer is how much hardware (number of shards, number of replicas, and server specifications) am I going to need for an application. Similarly, when deploying in the cloud, how do you estimate your monthly AWS, Azure, or GCP costs given a description of a new application? While there isn’t a precise formula for mapping application features (e.g., document structure, schema, query volumes) into servers, there are various strategies you can use to estimate the MongoDB cluster sizing. This presentation will cover the questions you need to ask and describe how to use this information to estimate the required cluster size or cloud deployment cost.
What You Will Learn:
- How to architect a sharded cluster that provides the required computing resources while minimizing hardware or cloud computing costs
- How to use this information to estimate the overall cluster requirements for IOPS, RAM, cores, disk space, etc.
- What you need to know about the application to estimate a cluster size
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Criação de log de ações através do banco - PostgreSQLMarcos Thomaz
Esta apresentação foi utilizada na palestra ministrada na Conferência Brasileira de PostgreSQL, realizada na cidade de Porto Velho - Rondônia - Brasil, em 2013. Ela apresenta uma forma simples de se manter o log das ações realizadas no banco de dados, mantendo um histórico de modificações.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
Andrew Brandt, Symantec
Back in 2014 and 2015, the Dyre (sometimes called Dyreza) Trojan was a distinctive crimeware tool for the simple reason that it appeared to employ, and experiment with, a whole range of sophisticated tactics, techniques and procedures: It was the first Trojan which exclusively employed HTTPS for its C2 traffic; It operated on a modular basis with a small cadre of other malware families, such as the Upatre downloader, which seemed to support it exclusively, as well as email address scraping tools and spam mail relayers; and it was at least as interested in profiling the environment it had infected as it was in exfiltrating any data it could find on the victim's machine. Then it disappeared suddenly, but re-emerged this year in the form of a Trojan now called Trickbot (aka Trickybot), completely rewritten but with many of the same features. In the lab, we permit Trickbot samples to persist on infected machines for days to weeks in order to perform man-in-the-middle SSL decryption on their C2 traffic. In this session, attendees will get a detailed forensic analysis of the content of some of this C2 traffic and the endpoint behavior of various machines (virtual and bare-metal) when left infected for an extended period of time. Finally, we will share what we know about the botnet's C2 infrastructure and its historical reputation. By understanding how Trickbot functions, and to where it communicates, we hope we can help identify infections more rapidly and, maybe, interpret the motives of whoever is operating this shadowy botnet to predict its next course of action.
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Coming from dozens of engagements consulting various role-based remote operations architectures & Red Team assessments for organizations in 4 continents, with a fresh research hijacking full tokens from network logon-type sessions - we’ll dive into a technical, hands-on set of examples for both Offensive and Defensive teams, of what SUCKS and what ROCKS on the Windows ‘Living off the land’ remote admin operations, Protocols, and APIs. We'll talk about the Pros and Cons of jump server architectures, as well as role-based shells, limiting PowerShell in creative ways. We'll also introduce fresh research to achieve Full Token hijack from network logon-type sessions, without any hash and/or TGT!
Historically, security hasn't been a high priority in regards to Hadoop (reflection of type of data and organizations using Hadoop), but now Hadoop is being used by more traditional firms with heightened security requirements. MapR's Senior Principal Technologist, Keys Botzum, gives a talk on how you can build a secure cluster.
The design criteria behind TLS/SSL, presented at Cal Poly on 2010/6/3. An updated version of a previous talk, this presentation includes descriptions of the Null-byte certificate attack and the recent session renegotiation attack (both from 2009).
In this talk we will discuss how to build and run containers without root privileges. As part of the discussion, we will introduce new programs like fuse-overlayfs and slirp4netns and explain how it is possible to do this using user namespaces. fuse-overlayfs allows to use the same storage model as "root" containers and use layered images. slirp4netns emulates a TCP/IP stack in userland and allows to use a network namespace from a container and let it access the outside world (with some limitations).
We will also introduce Usernetes, and how to run Kubernetes in an unprivileged user namespace
https://sched.co/Jcgg
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
1. Walking the Bifrost:
An Operator's Guide to Heimdal &
Kerberos on macOS
Cody Thomas
Objective By The Sea 3.0
March 2020
2. WHO AM I?
Cody Thomas - @its_a_feature_
● Operator / Instructor at SpecterOps
● Open Source Developer
○ Apfell – Red Team C2 Framework
○ Bifrost – Kerberos Manipulation
○ Orchard – Open Directory Access
○ GitHub: https://github.com/its-a-feature
3. OVERVIEW
● Brief intro to Kerberos
○ What is it / How does it work / Why do we care?
● Attacking Active Directory Kerberos from macOS
○ Credential Storage / Theft
○ Common Attacks
● Other Kerberos details on macOS
○ LKDC
5. KERBEROS 101
● What is Kerberos?
○ Authentication mechanism invented by MIT in 1980s
○ Designed for use on insecure networks
○ Uses math and cryptography to provide strong guarantees
○ Based on a client/server model - stateless
○ Uses ASN.1/DER encoding of data
○ Scoped to ‘realms’ of authentication
● Many implementations
○ Traditional MIT (with plugins)
○ Windows
○ macOS
6. KERBEROS 101 – AUTH STEPS
1. Client and Key Distribution Center (KDC) have shared secret
○ Think of the KDC like an all-knowing PKI management server
2. Client makes a request to the Authentication Server (AS) to be
authenticated with the shared secret – i.e. an AS-REQ
○ AS forwards request to the KDC, typically these are the same machine
3. AS responds with a ticket to the krbtgt SPN and encrypts a portion
with the krbtgt hash. This ticket is called a Ticket Granting Ticket
(TGT). This is an AS-REP.
○ The TGT proves you are who you say you are to the KDC because of the
encrypted portion
○ Think of this like a new username/password combination
7. KERBEROS 101 – AUTH STEPS
4. Client presents their TGT to the Ticket Granting Service (TGS) and
requests to speak to a specific service – i.e. TGS-REQ
5. TGS responds with a ticket to the service and encrypts a portion with
the service account’s hash (another shared secret)
○ This is a TGS-REP. The ticket is a Service Ticket
6. Client presents Service Ticket to the service and requests services
7. Service checks ticket to determine if the client is authorized for access
○ Service validates the ticket due to the shared secret the service has with the KDC
8. KERBEROS 101 - EXTRAS
● The KDC is bound to a ‘realm’ that it knows about
○ In Windows, this is the Fully Qualified Domain Name (FQDN) of AD
○ Technically, can be anything though
● Tickets have expiration times
○ Tickets can potentially be renewed or revoked
● Services are requested via Service Principal Name (SPN)
○ A combination of the service and the computer that hosts the service
○ Must be an exact match (no IP addresses, use hostnames)
9. KERBEROS – WHY CARE?
As a Red Teamer:
● User passwords only get you so far
○ Sometimes hard to get on macOS
● Kerberos tickets are just as valuable
● Potentially less protected
● More moving pieces makes
it harder to change
As a Blue Teamer:
● More authentication logs for correlation
● More credential material to track
● You might be using it and not even know it
11. WHAT / WHO IS HEIMDAL?
• Heimdall in Norse Mythology guards the Bifrost (rainbow road) in
Asgard (where Thor, Loki, Odin, etc live)
• Heimdal is Apple’s slightly tweaked implementation of Kerberos
• We’ll cover those differences
as we go along
• This is Marvel’s version ->
12. HOW TO USE HEIMDAL
• macOS has a Kerberos framework we can import into XCode
• Throughout these slides we’ll use these API calls in Objective C
• There are other implementations out there in scripting languages
• According to Apple, all 3rd party scripting languages should be removed
soon TM, so we should pretend they’re already gone from a Red Team
perspective
• We will manually craft the network traffic to TCP port 88
• We will use the user TESTtest_lab_admin in the test.lab.local
domain on the spooky.test.lab.local computer
14. STAGE 1 – THE SHARED SECRET
1. Client and Key Distribution Center (KDC) have shared secret
• In Windows, you don’t send your password around, you use a hash
• Active Directory knows this hash, not your plaintext password
• AD knows many hashes of your password to be able to support a wide
range of system versions
• We need to convert our password to a hash, but what kind?
• RC4, AES128, AES256, DES3, etc
15. STAGE 1 – THE SHARED SECRET
• Heimdal has us covered:
krb5_c_string_to_key(context, ENCTYPE, &password, &salt, &newKey);
• ENCTYPE
• ENCTYPE_ARCFOUR_HMAC – unsalted NTLM
• ENCTYPE_AES128_CTS_HMAC_SHA1_96 – salted AES128
• ENCTYPE_AES256_CTS_HMAC_SHA1_96 – salted AES256
• Salt?
• If normal account: DOMAINFQDNusername
• If computer account: DOMAINFQDNhostusername.domainfqdn
• RC4 hashes are so enticing because they’re not unique across domains and are
easier to crack
16. STAGE 1 – THE SHARED SECRET
• If you’re curious how to
get your computer$
shared secret, you can
reveal it with admin
credentials from the
SYSTEM Keychain
• Found under
/Active Directory/
NETBIOS Name
• Also found via dscl
(Open Directory)
18. STAGE 1.5 – SAVING HASHES
• What if you can’t be bothered to keep typing your password each
time to generate that shared secret?
• Keytabs
• A table of keys associated with various accounts
• System generated (/etc/krb5.keytab)
• Your system has one for hashes of its own computer$ account
• Need to be root to access
• User generated
• Users can generate their own at any time (yikes!)
19. STAGE 1.5 – SAVING HASHES
• [[ Bifrost keytab dump ]]
Same hash we generated
manually with Bifrost
Backing account for VNC is
spooky$
20. STAGE 1 ATTACKS
• If you compromise the user’s plaintext password:
• You can generate their shared secret and continue the rest of the
process
• If you compromise the user’s / computer$ shared secret (hash):
• You can continue the process because the plaintext is only used to
generate the shared secret
• Typically called “Over-Pass-The-Hash” or “Pass-The-Hash” in windows
depending on if you’re messing with LSASS
• If you get the user’s RC4 secret, you can attempt to crack it
• This allows you to “be” that user/account
21. STAGE 2 – AS-REQ
FOR TGT
• Sending a request to the
Authentication Server (AS) for a
TGT
• Uses ASN.1 Encoding for structure
• Need to prove we know the secret
from stage 1 somewhere
• PADATA section for this called
PADATA-ENC-TIMESTAMP
• You guessed it, we’ll encrypt a
timestamp with the hash as proof
22. STAGE 2 – AS-REQ FOR TGT
• Remember: it all boils down to a ticket request with a few things:
• Who we are
• Proof of who we are
• What service we want a ticket for
• In this section, we request a ticket (TGT) that can be used with the Ticket
Granting Service (TGS)
• We say who we are and prove it with the encrypted timestamp
• TGT requests have a Service Principal of krbtgt for the realm
24. STAGE 2 – ATTACKS
• Note: in pure MIT Kerberos we don’t do this encryption
• Any user requests a TGT for any other user. The resulting TGT is
encrypted with the target user’s shared secret (hash).
• The idea being that only the right user can decrypt.
• Very trusting
• This is the idea behind AS-REP roasting
• This requirement can be added to MIT Kerberos with a PKINIT plugin.
25. STAGE 3 – AS-REP WITH TGT
• AS and KDC validate what was sent:
• Does the user requested exist?
• And is it active?
• Is this KDC authoritative over the requested realm?
• Does the KDC have a hash for that user of the requested type?
• Using that user’s hash, can the KDC decrypt that encrypted timestamp?
• Is that encrypted timestamp within the past 5 min?
• If KDC answered YES to all the above, success! We can get a TGT
• If KDC answered NO to any, we get a KRB_ERROR reply with why
• Many legit reasons for this*
26. STAGE 3 – AS-REP
WITH TGT
• AS-REP repeats a lot of our
request information
• The protocol is stateless, so it
repeats a lot
• Element 5 is the TGT
• That contains our information
encrypted with the krbtgt hash
• Element 6 is special
• That contains a blob encrypted
with our shared secret
27. STAGE 3 – AS-REP
WITH TGT
• Decrypted section contains
valuable information:
• New session key
• Lifetime of TGT
• TGT usage flags
• Renewable, forwardable, etc
28. STAGE 3.25 – WHERE DOES THE
TGT GO?
• macOS stores tickets in a format called ccache (credential cache)
• By default, these ccache entries are managed by a KCM
• In normal Kerberos land this is referred to as API storage
• We transparently interface with a daemon process to access the tickets
• Each ccache is assigned a random UUID
• There’s one principal (the client)
• There can be multiple tickets
• You can have multiple ccaches and swap between them
• You can also force save these ccaches to files on disk (yikes!)
29. STAGE 3.25 – WHERE DOES THE
TGT GO?
• [[ Bifrost ticket dump ]]
30. STAGE 3.5 – TICKET PORTABILITY
• What if you want to take a ticket from one computer and use it on
another?
• No worries! Kerberos is stateless and doesn’t track where tickets are
used or generated
• We can use the Kirbi format to save all the necessary info
• Stores information from the AS-REP
• I.E. the TGT and that special encrypted data
• Saves it in a new Application 22 in ASN.1
32. STAGE 3.75 –
PASSING TICKETS
• How do we import these tickets
we’ve converted to Kirbi?
• We convert them to krb5 cred
entries (i.e. ccache)
• We need to resolve the desired
ccache name
• Or create a new ccache entry
• Add them to list within the
ccache
34. STAGE 3 – ATTACKS
• If the krbtgt hash is stolen, create your own AS-REP (i.e. TGT)
• The ‘Golden Ticket’
• Dump user’s tickets from KCM and impersonate them
• Ticket Theft
• Request Tickets for another user and crack the response
• AS-REP Roast
35. STAGE 4 –
TGS-REQ FOR
SERVICE TICKET
• Similar process to Stage 2, just
different material
• Requesting a ticket to a service
(not krbtgt)
• Usually something like CIFS
for access to the file system
• Using our TGT as proof of
identity instead of encrypted
timestamp
• More encrypted timestamps and
checksums, but with session
key
36. STAGE 4 – TGS-REQ FOR
SERVICE TICKET
• Any user with a valid TGT can request a Service Ticket to any
service
• Remember, there’s no authorization checks happening here, only
authentication
• Services must have a backing Service Principal Name (SPN) in
Kerberos
• i.e. cifs/spooky.test.lab.local is a SPN
• These must be requested exactly as they are registered within
Kerberos, otherwise they won’t be found
• Can request a service ticket and specify any encryption scheme
37. STAGE 5 – TGS-REP WITH
SERVICE TICKET
• TGS and KDC validate what was sent:
• Can the krbtgt hash decrypt the embedded TGT?
• Was that TGT created with the past 20 min?
• if so, assume still valid
• If not, validate the information in it, since it might have changed
• Does the requested SPN exist?
• Is there an associated account and shared secret the KDC knows?
• If yes to all of the above, success! You get a service ticket!
• If no to any, you get a KRB_ERROR and a reason why
38. STAGE 5 – TGS-REP WITH
SERVICE TICKET
• Almost the same structure as the AS-REP
• Element 5 is special:
• This is the Service Ticket
• Notice the enctype here is RC4 when we requested
AES256
• The last piece in this element is a blob encrypted
with the service account’s shared secret
• It contains information about the client requesting
access
• Element 6 is special:
• This is data about the Service Ticket
• This is encrypted with our session key
39. STAGE 5 – TGS-REP
WITH
SERVICE TICKET
• Decrypted section contains
valuable information:
• The lifetime of the ticket
• New session key
• This matches the encryption
type used with the Service’s
shared secret
• Usage flags
40. STAGE 5.25 – WHERE DOES THE
SERVICE TICKET GO?
• All tickets are automatically saved to the default ccache
• This means Service Tickets and the TGT are in the same place
• [[ ticket dump with service tickets ]]
41. STAGE 5 - ATTACKS
• If you know the shared secret of the service account, you can make
your own Service Tickets to that service
• i.e. ‘Silver Tickets’
• If you use a valid TGT and request Service Tickets in RC4, then you
can try to crack the associated account’s password
• i.e. ‘Kerberoasting’
43. I DON’T HAVE AD, WHAT NOW?
• Fear not! You’re still using
Heimdal
• Starting with OSX 10.5,
Apple introduced “Back To
My Mac (BTMM)”
• The goal was to allow users
to directly connect to other
mac devices to share
screens, mount volumes, or
perform remote
management
• You can see these options
in the “Sharing” settings
44. HOW?
• Apple said that starting in 10.14 Mojave that BTMM is no longer
included, but the components are still there and leveraged
• So, when you remotely connect to a mac with a local account, what’s
happening?
• You’re using Heimdal to authenticate, get tickets, and access resources
• Select services open the Kerberos port (88)
• But there’s no AD and no “Domain”, so what’s happening?
45. LOCAL KEY DISTRIBUTION
CENTER
• On your computer’s first boot, the system
generates a self-signed certificate
• com.apple.kerberos.kdc
• This certificate is stored in the System Keychain
• The “realm” for this Heimdal instance is based on
the SHA-1 hash of this certificate
LKDC:SHA1.B58C56AD77898DE69AAEFD22A538D6EDDE
FF8D47
47. LKDC - SERVICES
• /etc/krb5.keytab
• Stores the keys for the various system services offered by Kerberos (must be root)
• 4 default services with LKDC:
• afpserver
• cifs
• vnc
• Host
• SPNs of the form:
• Service/realm
• Service Tickets use this shared
secret!!
48. LKDC – _KRBTGT HASHES
• /usr/libexec/configureLocalKDC
• Generates a new com.apple.kerberos.kdc certificate (idempotent)
• If a new one is generated, updates the /etc/krb5.keytab with new Realms
• This also updates the _krbtgt hashes stored in the local Open Directory Node
• dscl . read /Users/_krbtgt KerberosKeys
AES256 Salted Hash
AES128 Salted Hash
des3-cbc-sha1-kd
49. LKDC – AS-REQ1
• Now let’s say we want to mount a volume on another mac, but we
don’t know that mac’s LKDC realm and we don’t know the full shared
secret, just the plaintext password
• Make an AS-REQ for a generic
realm:
• WELLKNOWN:COM.APPLE.LKDC
• Kerberos responds with generic
error specifically to call out real
realm
50. LKDC – PA-FX-COOKIE
• We now know the realm, we still don’t know the shared secret
• The LKDC uses the Secure Remote Protocol (SRP) for this
• It’s a method of key exchange based on crypto
• It’s integrated into the Kerberos implementation
• Kerberos is stateless though?
• RFC613 added a way to manage state within Kerberos:
• PA-FX-COOKIE (133) can be passed with other PADATA fields
• Same area as our PA-ENC-TIMESTAMP
• We need to capture and relay this with every request to keep state
51. LKDC – USER PASSWORDS
• Ok, we have a way to keep state and we know the realm, but we still
need to get that shared secret
• Passwords on macOS aren’t saved in plaintext, instead they’re passed
through a PBKDF2 function to generate a new, longer password
• You can see your ShadowHashData by looking into your Open
Directory Local Node as root – Using Orchard (OSS) or built in:
dscl . read /Users/itsafeature ShadowHashData
52. LKDC –
SHADOWHASHDATA
• Salted-SHA512-PBKDF2
• Many iterations (80k+) with a
salt.
• Designed to be slow and unique
• Used when you sign in
• SRP-RFC5054-4096-
SHA512-PBKDF2
• This is the server-side shared
secret for Kerberos traffic
• This is called the “Verifier”
Verifier is based on user’s password
V=gx
where x = H(s | H( I | “:” | P ) )
53. LKDC – AS-REQ2
• We can make a slightly modified
AS-REQ again, this time
specifying the real realm of the
remote LKDC
• Notice that we still aren’t doing
anything to prove we are who we
say we are
54. LKDC – AS-REP2
• To generate the client-side secret, need to pass the plaintext user
password, this 16-Byte salt, and the number of iterations into a PBKDF2
function with SHA512 to generate a 4096Bit key
• This comes from the group: SRP-RFC5054-4096-SHA512-PBKDF2
• We finally we’re starting the
SRP process
• We need to track that we’ve
started, so we’ll start getting
those PA-FX-COOKIES
55. LKDC – TICKETS AND STORAGE
• With a few more requests back-and-forth AS-REQ requests, we can
successfully generate a new shared key between both parties
without transmitting any credential material (just sending big
numbers)
• We can then treat this TGT like any other normal TGT and use it to
request Service Tickets like normal for the remote mac
• What gets stored in our credential cache though?
56. LKDC – CCACHE ENTRIES
Normal Kerberos
So What’s this??
58. LKDC - ATTACKS
• If you get the user’s password
• You can do everything manually / normally and impersonate the user
• If you get the _krbtgt hash
• You can generate your own TGT as anybody to the LKDC
• Same as a ‘Golden Ticket’, but just to that Mac
• If you get the hashes from /etc/krb5.keytab
• You can impersonate anybody to those services
• Same as ‘Silver Ticket’, but in this case it might as well be a ‘Golden Ticket’
• Stealing the user’s SRP Verifier
• You can brute-force try to crack the user’s password
59. LKDC - ATTACKS
• If you get the user’s KerberosKeys Open Directory Attribute
• dscl . read /Users/itsafeature KerberosKeys
• You can try to decrypt the AES256, AES128, or des3-cbc-sha1 (INTEGER 16 in
ASN.1 encoding) keys to get the user’s plaintext password
AES256 Salted Hash
Salt
60. LKDC - SUMMARY
• You’re running Heimdal on your macOS computer.
• How often do you change your password?
What about your _krbtgt password?
What about your computer’s password?
• LKDC should not come into play if you’re AD joined
• Realistically, it just doesn’t come into play with AD users
• Still comes into play with local user accounts
• The tickets in your ccache are flushed periodically
• LKDC tickets are flushed when you’re no longer using the them
• i.e. unmount that shared drive, disconnect VNC, etc
61. THANK YOU – QUESTIONS?
• Bifrost
• https://github.com/its-a-feature/bifrost
• Will release updated code for LKDC interaction
• Still need to add in Silver/Golden ticket generation
• Blog on the topic with video demo:
• https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
• Using a captured hash to get a TGT, inject ticket, get a CIFS service ticket, then
mounting a remote share with those tickets