Introduction to Domains and Hacking


An introduction to Windows domains and their attack surface.


  1. Introduction to Domains and Hacking - March 7th, 2018
  2. Get in touch with us
     Mailing List - Sign in and check “Add to Mailing List”
     Website -
     Slack - #csg on
     Email -
  3. Announcements
     Lab Hangouts - ECSS 4.619 - Every Thursday at 4 PM
     State Farm CTF Sign Up - March 5th - 12th
  4. Introduction to Domains and Hacking (agenda)
     1. Intro to domains (w/ focus on Windows)
        a. The problem: complex network, lots of services, securing credentials on every node
        b. The solution: centralized access control system
        c. AD: LDAP, Kerberos, NTLM
        d. Visualizing architecture
        e. Other handy AD features
           i. OUs, GPOs, other things to make sysadmin lives easier
     2. Attacking domains
        a. Methods
           i. Pass the hash/ticket
           ii. Exploits
        b. Tools
           i. Mimikatz
           ii. Kerberoast
     3. Defending against these attacks
        a. Harden privileged groups, users, GPOs, etc.
        b. Patch those exploits
        c. Future technologies
  5. Why do domains exist?
     Because we said so
     For most organizations, there are too many services and users accessing those services to manually configure everything
     Necessary to have centralized control of all components
     ● Format user groups and system organization in a way that mimics the real-life layout
     That’s where domains come in
  6. Domains and their contents
     Domain controllers - where admins can control/regulate domain functionality
     DNS - used to locate domain controllers and other systems within the domain
     User authentication - using Kerberos, NTLM
     Sometimes includes managing systems like:
     ● Mail (Outlook through Windows AD)
     ● File servers (SMB)
     ● Printers
  7. Active Directory
     Windows domain solution
     Essential tools/protocols:
     ● LDAP (Lightweight Directory Access Protocol)
     ● Kerberos - User/service authentication
     ● NTLM (NT LAN Manager) - Secondary user authentication, usually
  8. LDAP
     ● Open application protocol for accessing and maintaining distributed directory information services over a network
       ○ If you are looking for a particular service or user, quick lookup through LDAP (granted that you have the correct permissions)
     ● Allowed operations:
       ○ Search — search for and/or retrieve directory entries
       ○ Compare — test if a named entry contains a given attribute value
       ○ Add a new entry
       ○ Delete an entry
       ○ Modify an entry
  9. LDAP - Add (LDIF)
     dn: uid=johnnyboy,ou=Hackers,dc=example,dc=local
     changetype: add
     objectClass: top
     objectClass: person
     objectClass: organizationalPerson
     objectClass: inetOrgPerson
     uid: johnnyboy
     cn: leetHacker
     # sn is a mandatory attribute of the person object class; added here so the add succeeds
     sn: leetHacker
  10. OU vs Active Directory Groups
      ● Groups: less restrictive with regards to permissions; especially useful for regulating access to resources
        ○ Ex) The Administrator group could include users with administrative authority from a variety of organizations within the company (Marketing, Finance, IT, etc.)
        ○ Give Administrators the ability to access database A
      ● Organizational Units are typically used for more intricate permissions
        ○ Map group policy settings to a subset of users/groups/systems
        ○ Possible to have an OU that contains only a subset of the users in an Active Directory group
          Ex) To allow a marketing manager to reset passwords for other marketing employees, delegate administration privs for the Marketing OU to that specific user
  11. Kerberos
      Created by MIT in the late 1980’s
      Kerberos is a network authentication protocol that uses the concept of tickets to authenticate users to services AND services to users
      Tickets - special messages encrypted with keys generated for the client/ticket-granting-server and client/service-server pairs
  12. Kerberos (diagram) - Source: Oracle Help Center
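The three exchanges the Kerberos slides describe (AS, TGS and AP), as an added example written for this page rather than code from the presentation: a Python model in which a toy authenticated-encryption routine stands in for the real Kerberos enctypes, one KDC object holds every principal's long-term key, and a file service validates tickets with nothing but its own key. The principal names, the password and the `cifs/fileserver` key are constructed. The model also shows the defender's lever this structure gives you: rotating the krbtgt key makes every TGT sealed under the old key, however it was obtained, stop validating.

```python
import hashlib, hmac, json, os, time

def seal(key: bytes, claims: dict) -> bytes:
    """Toy authenticated encryption standing in for Kerberos enctypes (constructed for
    this model): nonce || SHAKE-keystream XOR ciphertext || HMAC-SHA256 tag."""
    plain = json.dumps(claims, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plain))
    body = bytes(p ^ k for p, k in zip(plain, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    # Integrity check first: a ticket sealed under any other key is rejected here.
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("not sealed under this key")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return json.loads(bytes(c ^ k for c, k in zip(body, stream)))

def user_key(password: str) -> bytes:
    # Stand-in for the long-term key Kerberos derives from a user's password.
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """Authentication Service and Ticket-Granting Service in one object. It stores every
    principal's long-term key; the krbtgt key seals TGTs, each service key seals that
    service's tickets."""
    def __init__(self, principals: dict):
        self.keys = dict(principals)
        self.keys["krbtgt"] = os.urandom(32)

    def as_exchange(self, user: str, preauth: bytes) -> tuple:
        # AS-REQ -> AS-REP. Pre-authentication proves the client holds the user's key.
        stamp = unseal(self.keys[user], preauth)
        if abs(time.time() - stamp["ts"]) > 300:
            raise ValueError("stale pre-authentication")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session, "exp": time.time() + 36000})
        return seal(self.keys[user], {"session": session}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        # TGS-REQ -> TGS-REP. The user's key is never used here: the KDC trusts whatever
        # its krbtgt key unseals, which is what makes that key the crown jewel of the domain.
        claims = unseal(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(claims["session"])
        auth = unseal(session, authenticator)
        if auth["user"] != claims["user"] or claims["exp"] < time.time():
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": claims["user"], "session": svc_session})
        return seal(session, {"session": svc_session}), ticket

    def rotate_krbtgt(self) -> None:
        # Simplification: a real KDC also keeps the previous krbtgt key, which is why the
        # krbtgt password is reset twice in practice.
        self.keys["krbtgt"] = os.urandom(32)

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # AP-REQ at the service: validated with the service's own key only, no KDC round trip.
    claims = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(claims["session"]), authenticator)
    if auth["user"] != claims["user"]:
        raise ValueError("authenticator does not match ticket")
    return claims["user"]

def full_logon(kdc: KDC, user: str, password: str, service: str, service_key: bytes) -> str:
    # Client side of all three exchanges; returns the identity the service accepted.
    k = user_key(password)
    enc_session, tgt = kdc.as_exchange(user, seal(k, {"ts": time.time()}))
    session = bytes.fromhex(unseal(k, enc_session)["session"])
    enc_svc, ticket = kdc.tgs_exchange(tgt, seal(session, {"user": user, "ts": time.time()}), service)
    svc_session = bytes.fromhex(unseal(session, enc_svc)["session"])
    return service_accepts(service_key, ticket, seal(svc_session, {"user": user, "ts": time.time()}))

def demo() -> dict:
    cifs_key = os.urandom(32)  # the file server's long-term key (constructed)
    kdc = KDC({"alice": user_key("correct horse"), "cifs/fileserver": cifs_key})
    out = {"logon": full_logon(kdc, "alice", "correct horse", "cifs/fileserver", cifs_key)}
    try:
        full_logon(kdc, "alice", "wrong password", "cifs/fileserver", cifs_key)
        out["wrong_password_rejected"] = False
    except ValueError:
        out["wrong_password_rejected"] = True
    # Rotating the krbtgt key invalidates every TGT sealed under the old key.
    k = user_key("correct horse")
    enc_session, tgt = kdc.as_exchange("alice", seal(k, {"ts": time.time()}))
    session = bytes.fromhex(unseal(k, enc_session)["session"])
    kdc.rotate_krbtgt()
    try:
        kdc.tgs_exchange(tgt, seal(session, {"user": "alice", "ts": time.time()}), "cifs/fileserver")
        out["old_tgt_after_rotation_rejected"] = False
    except ValueError:
        out["old_tgt_after_rotation_rejected"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

Which key seals which message is the whole trust model: a service ticket is sealed with the service's key and a TGT with the krbtgt key, which is why the Pass the Ticket slide later in this deck says a silver ticket needs the target service's hash and a golden ticket needs the KDC's. The defensive consequence is that those two classes of secret deserve the tightest protection and a rotation procedure; the model's `rotate_krbtgt` is the toy version of that procedure.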
  13. NTLM
      ● Authenticate only with the centralized Domain Controller
      ● Challenge-response
        ○ Don’t send cleartext credentials over the wire
      ● You end up with an “NTLM hash”, which is used to authenticate with other objects in Active Directory
      ● Provides single sign-on
      ● But… those hashes are stored locally on machines that use them, which leaves you vulnerable to “Pass the Hash” attacks
        ○ Which is fine! Just don’t let your users have local admin rights, and they won’t be able to look at them!
        ○ “Stupid users” can’t escalate privileges, right?
  14. Attacking Domains
  15. Domain-Related Exploits
      ● MS14-068
        ○ Privilege escalation from domain user to domain admin
        ○ “Hey Mr. KDC, I’m a domain admin, trust me!”
        ○ “Hey Mr. Flight Steward, I’m the pilot, trust me!”
        ○ Patched with KB3011780
  16. Domain-Related Exploits
      ● Group Policy Preferences & Decrypting Passwords in SYSVOL
        ○ The problem: updating local administrator passwords en masse
        ○ Just use that handy dandy group policy stuff, right?
        ○ Group policy stuff is stored in the “SYSVOL” shared directory
          ■ Readable by everyone; it’s for deploying GPOs
          ■ Bad sysadmins may end up putting cleartext local admin credentials in it
  17. Domain-Related Exploits
      ● Well that’s no good. Microsoft’s solution? Group Policy Preferences (GPP)
        ○ We’ll AES-256 bit encrypt those passwords for you!
        ○ ...With this private key!
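An audit script for the SYSVOL problem on the last two slides, added here and not part of the presentation: it walks a SYSVOL-style tree, parses the Group Policy Preferences XML files, and reports every item whose `cpassword` attribute holds a value, without decrypting anything. The directory layout, the policy GUID and the `cpassword` value in the sample are constructed placeholders; the file names and attribute names are the ones Group Policy writes.

```python
import os
import tempfile
import xml.etree.ElementTree as ET  # for XML read from untrusted shares, defusedxml is the safer parser

# Preference item files written under <SYSVOL>\<domain>\Policies\<GPO GUID>\{Machine,User}\Preferences\
# that carry a cpassword attribute when an administrator stores a password in them.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# The account attribute is named differently per preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(sysvol_root: str) -> list:
    """Report every element in the GPP files under sysvol_root that has a cpassword attribute.
    The value is never decrypted or printed: the finding is that a password is stored there
    at all, and the remediation is to delete the item and rotate that account's password."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError as exc:
                findings.append({"file": os.path.relpath(path, sysvol_root), "error": str(exc)})
                continue
            for elem in root.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
                findings.append({
                    "file": os.path.relpath(path, sysvol_root),
                    "element": elem.tag,
                    "account": account,
                    # An empty cpassword means the item sets no password; non-empty means exposure.
                    "password_stored": bool(elem.attrib["cpassword"]),
                })
    return findings

# Constructed sample SYSVOL content for the demo; GUID and cpassword values are placeholders.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{GUID-PLACEHOLDER}">
  <User clsid="{GUID-PLACEHOLDER}" name="LocalAdmin" image="2" changed="2018-03-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER-BASE64"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{GUID-PLACEHOLDER}">
  <Drive clsid="{GUID-PLACEHOLDER}" name="H:">
    <Properties action="U" path="\\\\fileserver\\home" userName="example\\svc_drive" cpassword="" letter="H"/>
  </Drive>
</Drives>
"""

def build_sample_sysvol() -> str:
    # Lay the constructed files out the way Group Policy would, in a temporary directory.
    root = tempfile.mkdtemp(prefix="sysvol-")
    policy = os.path.join(root, "example.local", "Policies", "{GUID-PLACEHOLDER}", "Machine", "Preferences")
    for sub, name, text in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                            ("Drives", "Drives.xml", SAMPLE_DRIVES_XML)):
        os.makedirs(os.path.join(policy, sub), exist_ok=True)
        with open(os.path.join(policy, sub, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    # An unrelated file in the tree must be ignored by the scan.
    with open(os.path.join(root, "example.local", "Policies", "GPT.INI"), "w", encoding="utf-8") as fh:
        fh.write("[General]\nVersion=1\n")
    return root

def demo() -> list:
    return find_cpasswords(build_sample_sysvol())

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointed at a mounted copy of a real SYSVOL, any finding with `password_stored` true is an exposed credential: every domain user can read the share, so the only fix is to remove the item and change that account's password, and to stop using GPP for local administrator passwords in favour of a per-machine managed password (Microsoft LAPS or equivalent).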
  18. The Harder Stuff
      ● Go for the low-hanging fruit, when you can.
      ● Slightly more complicated attacks…
        ○ Pass the Hash (NTLM)
        ○ Pass the Ticket (Kerberos)
  19. Pass the Hash
      ● As mentioned before, NTLM hashes are stored locally and are used to authenticate with other parts of the network
      ● So if you have local admin privileges, you can grab the NTLM hashes of anyone who has logged onto that machine
      ● Send it to other machines and you gucci
      ● Demo
  20. Pass the Ticket
      ● Similar idea. Grab tickets/hashes stored locally.
        ○ But knowing Kerberos, that doesn’t get you as far
      ● Silver Tickets - Forged TGSs
        ○ Requires the target service’s hash; potential for escalation
          ■ People give services more privileges than they ought to
      ● Golden Tickets - Forged TGTs
        ○ Requires the KDC’s hash; really more of a persistence thing
      ● Kerberoast - cracking tickets to get credentials
        ○ Decent option if you have a gucci password cracking rig
  21. Defenses
      ● Patch those exploits
        ○ Don’t leave the low-hanging fruit
      ● Harden, harden, harden.
        ○ Users, groups, GPOs, etc.
        ○ Strong passwords!
      ● Future technologies
        ○ Windows Advanced Threat Protection
          ■ Machine learning to detect anomalous behavior
          ■ Gee, why is my webserver logging into the DC? Hmmm….
          ■ Restricting tools (cough, PowerShell) that mimikatz and other tools use
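The “why is my webserver logging into the DC?” question from the Defenses slide, and the pass-the-hash footprint from slide 19, turned into detection logic as an added example that is not part of the presentation: three rules over Windows 4624 (successful logon) events, run against a constructed sample so it works offline. The host names, accounts, allowed-host map and privileged set are assumptions for the demo; the field names follow the 4624 event schema.

```python
from collections import Counter

# Constructed sample of Security log events with only the 4624 fields the rules need.
# Field names follow the Windows event schema; every value is invented for the demo.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WEB01", "TargetUserName": "svc_web", "LogonType": 5,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "Advapi", "WorkstationName": "WEB01", "IpAddress": "-"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "svc_web", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "WorkstationName": "WEB01", "IpAddress": "10.0.20.5"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "da_jsmith", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "WorkstationName": "WS-042", "IpAddress": "10.0.50.42"},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "da_jsmith", "LogonType": 9,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo", "WorkstationName": "WS-042", "IpAddress": "::1"},
    {"EventID": 4624, "Computer": "ADMIN-JUMP01", "TargetUserName": "da_jsmith", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "User32", "WorkstationName": "ADMIN-JUMP01", "IpAddress": "10.0.10.11"},
    {"EventID": 4634, "Computer": "WEB01", "TargetUserName": "svc_web", "LogonType": 5},
]

# Tier model an organisation would maintain: the hosts each account may log on to, and
# which accounts are privileged. Both are assumptions for the demo.
ALLOWED_HOSTS = {"svc_web": {"WEB01"}, "da_jsmith": {"ADMIN-JUMP01", "DC01"}}
PRIVILEGED = {"da_jsmith"}

def detect(events: list) -> list:
    """Return one alert dict per rule hit; an event can trigger more than one rule."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        user, host, source = e["TargetUserName"], e["Computer"], e["WorkstationName"]
        # Rule 1: account seen on a host outside its allowed set. Service and server
        # accounts rarely have a reason to roam, least of all onto a domain controller.
        if user in ALLOWED_HOSTS and host not in ALLOWED_HOSTS[user]:
            alerts.append({"rule": "off_baseline_host", "user": user, "host": host, "source": source})
        # Rule 2: privileged account using NTLM for a network logon. Admins on a hardened
        # domain authenticate with Kerberos; NTLM here is the footprint pass-the-hash leaves.
        if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM" and user in PRIVILEGED:
            alerts.append({"rule": "privileged_ntlm_network_logon", "user": user, "host": host, "source": source})
        # Rule 3: logon type 9 (NewCredentials) through the "seclogo" logon process, a
        # commonly cited trace of a process being started under injected credentials.
        if e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo":
            alerts.append({"rule": "newcredentials_seclogo", "user": user, "host": host, "source": source})
    return alerts

def summarize(alerts: list) -> dict:
    # Rule name -> number of hits, for a quick triage view.
    return dict(Counter(a["rule"] for a in alerts))

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(a)
    print(summarize(hits))
```

Rule 1 is the one the slide is asking for and needs nothing more than an accurate inventory of which accounts belong on which hosts; it is also the one that survives an attacker switching from NTLM to Kerberos. Rule 3 has a known benign twin: `runas /netonly` produces the same type 9 / seclogo pair, so treat that hit as a lead to correlate with process-creation events rather than as proof on its own.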