
Advanced Domain Hacking


An overview of advanced domain attacks, focusing on what an attacker would do after gaining an initial foothold. Includes internal enumeration, attack routing, and process injection.

Published in: Technology

  1. Advanced Domain Hacking and Pivoting, March 28th 2018
  2. Get in touch with us
     ● Mailing List - Sign in and check "Add to Mailing List"
     ● Website -
     ● Slack - #csg on
     ● Email -
  3. Announcements
     ● Lab Hangouts - ECSS 4.619 - Every Thursday at 4 PM
     ● State Farm CTF - Join the competition and create a team
  4. Advanced Techniques
     1. Recon
        a. Looking for information
        b. What information to look for
     2. Enumerating the Network
        a. Finding other computers
        b. Enumerating users and groups
        c. Enumerating services
     3. Attack Routing
        a. Routing attacks
        b. Pivoting to different segments
     4. Process Injection
        a. Migrating
        b. Privilege escalation
     5. Token Impersonation
     6. Defense
  5. Recon
  6. Looking for Information
     ● Look for as much data on the computer as possible
        ○ Find plain-text passwords
        ○ Maintenance schedules
        ○ Browser activity
        ○ Cached browser passwords
  7. Persistence
     ● If you can't find something now, that's not to say you won't later
        ○ Drop a keylogger and wait
        ○ Wait for an admin to log in to capture data
        ○ Intercept traffic for more information
  8. Attack Routing
  9. Routing Attack
     ● After breaking into a box, you should route most attacks through that computer
        ○ Scan internally to find other computers
        ○ Find exploits to try to get access to other computers if no direct path to the domain controller is visible
        ○ Attempt PsExec to log in to other boxes (they may have vulnerabilities)
     ● Route all future attacks through this computer
  10. Possible routing
  11. Enumeration
  12. Enumerating the Network
     ● After routing attacks, scan for other computers and other services
     ● Find the domain controller and the services running on it
     ● Try to connect to the controller with found passwords
  13. Enumerating Domain Information
     ● Find the list of domain users to password-guess against
     ● Enumerate the password and security policy
     ● Enumerate user groups (try to get into those groups)
     ● Enumerate services that may have user accounts to exploit
        ○ Service accounts may have admin access with cached and stored passwords
  14. Exploitation Techniques
  15. Process Injection
     ● If the user has an administrative process running that is unprotected, migrate to it
     ● Migrating to an administrative process might cause a crash, so make sure you have persistence (session passing)
  16. Token Impersonation
     ● If an administrative token has been active on or placed on the computer you are on, and you have local admin, you may be able to impersonate tokens
     ● Impersonating a token lets you create a session as that user using the cached token
     ● You can forge the token by looking at the past token and past session token authentication
  17. Defense
  18. General Defense
     ● Obvious defenses
        ○ Don't leave passwords in plain text
        ○ Clear cached admin passwords
        ○ Don't leave administrative sessions open
        ○ Lock down each service so it can only be used by the service itself
        ○ Encrypt traffic so intercepted data is useless
     ● Less obvious
        ○ Segment different groups onto different IP ranges so people don't have access to what they don't need
        ○ Disable CMD and PowerShell for users who don't need them (hard to exploit with no command line or PowerShell)
        ○ Disable RDP for users who don't need outbound RDP
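As an added defender-side example that is not part of the slide deck, the script below correlates Windows event records for the PsExec-style hop the routing slide describes (a network logon, an ADMIN$ share access and a PSEXESVC service install from one source within a few minutes), which is the trace the defense slide's lockdowns are meant to prevent. It assumes the standard Security/System event IDs and field names; the event records are constructed samples.

```python
"""Detect the PsExec-style lateral movement the routing slide describes.

Added example, not from the deck: for each PSEXESVC service install (System
event 7045) it finds the closest preceding ADMIN$ share access (Security 5140)
and a network logon (Security 4624, logon type 3) from the same source address
inside a short window. The event records below are constructed samples.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Constructed sample events from one target host: (timestamp, event_id, fields).
SAMPLE_EVENTS = [
    ("2018-03-28T10:00:01", 4624, {"LogonType": "3", "IpAddress": "10.0.5.20",
                                   "TargetUserName": "svc_backup"}),
    ("2018-03-28T10:00:02", 5140, {"ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.5.20",
                                   "SubjectUserName": "svc_backup"}),
    ("2018-03-28T10:00:03", 7045, {"ServiceName": "PSEXESVC",
                                   "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    # Benign: an ordinary file-share session, no ADMIN$ access, no service install.
    ("2018-03-28T11:30:00", 4624, {"LogonType": "3", "IpAddress": "10.0.9.7",
                                   "TargetUserName": "alice"}),
    ("2018-03-28T11:30:01", 5140, {"ShareName": "\\\\*\\Finance", "IpAddress": "10.0.9.7",
                                   "SubjectUserName": "alice"}),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_psexec_chain(events, window=WINDOW):
    """One alert per PSEXESVC install: source IP and account of the closest
    ADMIN$ access before it, and whether a type-3 logon from that IP was seen."""
    events = sorted(events, key=lambda e: _ts(e[0]))
    alerts = []
    for ts, eid, f in events:
        if eid != 7045 or "PSEXESVC" not in f.get("ServiceName", "").upper():
            continue
        t_install = _ts(ts)
        recent = [e for e in events if t_install - window <= _ts(e[0]) <= t_install]
        admin = [e for e in recent
                 if e[1] == 5140 and e[2].get("ShareName", "").upper().endswith("ADMIN$")]
        share = admin[-1][2] if admin else {}  # closest ADMIN$ access, if any
        src = share.get("IpAddress")
        logon = src is not None and any(e[1] == 4624 and e[2].get("LogonType") == "3"
                                        and e[2].get("IpAddress") == src for e in recent)
        alerts.append({"time": ts, "source_ip": src,
                       "user": share.get("SubjectUserName"), "network_logon": logon})
    return alerts
```

An install with no preceding ADMIN$ access still produces an alert with `source_ip` set to `None`, so a service drop by some other path is not silently ignored.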