Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes.

I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015).

Complete list of Sneaky Active Directory Persistence Tricks posts


The Security Support Provider Interface (SSPI) is the layer through which Windows authentication methods are implemented, and it is designed to be extended: a new Security Support Provider (SSP) can be registered and loaded by LSASS without any change to the applications that authenticate through SSPI.

Some of the standard Windows authentication SSPs:

Mimikatz supports two ways of adding a malicious SSP: registering its SSP DLL (mimilib) in the LSA “Security Packages” registry value so LSASS loads it at the next boot (scenario 1), and patching the SSP into the running LSASS process in memory (scenario 2), which survives only until the next reboot but leaves nothing on disk.
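As an added example (not code from the original post), the check a defender wants for scenario 1: read the LSA “Security Packages” value (and the OS-supplied copy under OSConfig) on a set of hosts and flag any package that is not one of the SSPs Windows ships. The allowlist below is an assumption to be extended with any third-party SSP you know is legitimately deployed; run it with admin rights, and WinRM must be reachable for remote hosts.

```powershell
# Added example, not part of the original post. Audits the registry value LSASS
# reads at boot for SSP DLLs that are not the Windows defaults.

function Get-LsaSecurityPackages {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $scriptBlock = {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [PSCustomObject]@{
            # The value mimikatz's registry method appends "mimilib" to.
            Packages   = (Get-ItemProperty -Path $lsa -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
            # Windows keeps the OS-supplied package list under OSConfig; audit it too.
            OsPackages = (Get-ItemProperty -Path "$lsa\OSConfig" -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $scriptBlock }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $scriptBlock }
}

function Find-SuspiciousSsp {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Assumed allowlist: the SSPs shipped with Windows. Add third-party SSPs you have deployed.
        [string[]]$KnownPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    )
    foreach ($c in $ComputerName) {
        $r = Get-LsaSecurityPackages -ComputerName $c
        # On current Windows versions the Lsa value is often the literal string "" ; skip that and empties.
        $all = @($r.Packages) + @($r.OsPackages) | Where-Object { $_ -and $_ -ne '""' }
        foreach ($p in $all) {
            $name = [IO.Path]::GetFileNameWithoutExtension($p).ToLower()
            if ($KnownPackages -notcontains $name) {
                [PSCustomObject]@{ ComputerName = $c; Package = $p; Reason = 'SSP not in allowlist' }
            }
        }
    }
}

# Usage: audit every domain controller (requires the ActiveDirectory module).
# Find-SuspiciousSsp -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) | Format-Table
```

A hit here means a DLL in System32 that LSASS will load as an authentication package at boot; pull the file and check its signature. Scenario 2 (in-memory patching) leaves no registry trace, so this audit only covers the on-disk variant.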


Microsoft Local Administrator Password Solution (LAPS)

The Issue
The real problem with local accounts on a computer in an enterprise environment is that the term “local” is a misnomer. If 50 computers on a network have the local administrator account of “Administrator” and a password of “P@55w0rd1!”, first of all that’s a HORRIBLE password. Second of all and more to the point, if one of those computers is compromised, they are all compromised. Windows is very helpful. So helpful that if you pass the local admin credentials (the password or just its NTLM hash) from one computer to another that has the same local account name and password, access is granted as if you logged on with the target system’s own credentials. Dump administrator credentials on one to get admin on all! The best way to mitigate this issue is to ensure every computer has a different local administrator account password that is long, complex, and random and that changes on a regular basis.

The earlier attempt to provide a method for regularly changing the local administrator password from Microsoft was less than ideal (see Group Policy Preferences password storage security issue). You should also never, ever use a script that includes a clear-text password to change the local admin password since these scripts tend to be placed in easily accessible locations like SYSVOL (to leverage Group Policy).

Even if you deploy LAPS or some other local Administrator account password management solution, it’s still recommended to install KB2871997 (if required) and configure a Group Policy to block local accounts from authenticating across the network. KB2871997 adds two new well-known SIDs to the logon token of local accounts (Windows 8.1 and Windows Server 2012 R2 have them natively): LOCAL_ACCOUNT (S-1-5-113) for any local account, and LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114) for any local account that is a member of the local Administrators group. Adding S-1-5-114 to the Group Policy settings “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services” prevents local admin accounts from connecting over the network, which breaks the pass-the-hash scenario above even where a local admin password is reused (for workstations; test carefully before deploying to servers, where applications may depend on local accounts connecting remotely).

I also posted about “Microsoft LAPS Security & Active Directory LAPS Configuration Recon” in August 2016 which covers some of the more interesting LAPS security scenarios.


Microsoft Local Administrator Password Solution (LAPS) Overview
Microsoft Local Administrator Password Solution (LAPS) provides automated local administrator account management for every computer in Active Directory (LAPS is best for workstation local admin passwords). A client-side component installed on every computer generates a random password, updates the (new) LAPS password attribute on the associated AD computer account, and sets the password locally. LAPS configuration is managed through Group Policy which provides the values for password complexity, password length, local account name for password change, password change frequency, etc.
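The question a practitioner asks right after deploying LAPS is which computers it is not actually managing. The following is an added example (not code from the original post or from LAPS itself) that answers it from the attributes the LAPS schema extension adds to each computer object: ms-Mcs-AdmPwd (the clear-text password, readable only by principals granted that right) and ms-Mcs-AdmPwdExpirationTime (the next rotation time, stored as a Windows FILETIME). It assumes the schema has been extended and the ActiveDirectory module is available; the grace period is an assumed value.

```powershell
# Added example, not part of the original post. Reports LAPS coverage per computer
# from the expiration-time attribute, which the LAPS client writes on every rotation.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        # Limit the audit to an OU; default is the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Assumed grace period: the client rotates at the first GPO refresh after expiry,
        # so an expiration this far in the past means the rotation is not happening.
        [int]$GraceDays = 7
    )
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        # FILETIME (100ns ticks since 1601 UTC) -> local DateTime; $null when LAPS never ran here.
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime() } else { $null }
        [PSCustomObject]@{
            Name        = $_.Name
            OS          = $_.OperatingSystem
            LastLogon   = $_.LastLogonDate
            LapsManaged = [bool]$raw                 # attribute never written => no client / no GPO
            PwdExpires  = $expires
            Overdue     = [bool]($expires -and $expires -lt $cutoff)
        }
    }
}

# Usage: the rows you care about are unmanaged computers and ones whose rotation has stalled.
# Get-LapsCoverage | Where-Object { -not $_.LapsManaged -or $_.Overdue } | Sort-Object Name | Format-Table -AutoSize
```

Cross-check Overdue rows against LastLogon: a computer that has not been on the network for months is expected to be stale, while one logging on daily with an expired LAPS password has a client or GPO problem.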


DerbyCon V (2015): Red vs. Blue: Modern Active Directory Attacks & Defense Talk Detail

In a couple of weeks, I will be speaking at DerbyCon about Active Directory attack & defense in my talk “Red vs. Blue: Modern Active Directory Attacks & Defense”. This is the 5th iteration of this talk and includes the latest updates to attack methods and defensive strategies. This DerbyCon version is a blend of my Black Hat & DEF CON talks and includes several new updates, including the new “Sneaky AD Persistence” segment which covers difficult-to-detect methods an attacker could use to retain Domain Admin level access after having admin rights on a Domain Controller for 5 minutes.

On Friday, September 25th, 2015, I have a Track 1 (Break Me) talk from 3:00pm to 3:50pm.

Here’s my talk description:

This talk explores the latest Active Directory attack vectors including useful Red Team recon tactics and provides effective defensive techniques for the Blue Team.
Dive right into the technical detail describing the latest methods for gaining and maintaining administrative access in Active Directory, including some sneaky AD persistence methods. Also covered are traditional security measures that work (and some that don’t) as well as the mitigation strategies that disrupt the attacker’s preferred game-plan.
Some of the topics covered:
– “SPN Scanning” with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.).
– Exploiting weak service account passwords as a regular AD user.
– How attackers go from zero to (Domain) Admin.
– MS14-068: the vulnerability, the exploit, and the danger.
– Mimikatz, the attacker’s multi-tool.
– Using Silver Tickets for stealthy persistence.
– Sneaky persistence methods attackers use to maintain admin rights.
– Detecting offensive PowerShell tools like Invoke-Mimikatz.
– Active Directory attack mitigation.

While the primary components of this talk are similar to my Black Hat & DEF CON presentations, key differences/updates are in bold.

DerbyCon talk outline:

  • Advanced Red Team Recon Tactics
  • From PowerSploit to Empire: modern PowerShell attack tools.
  • Red Team Remote Execution Methods
  • SPN Scanning: service discovery without network port scanning
  • Cracking service account passwords as a domain user (with no elevated permissions).
  • Group Policy Preferences – detecting credential theft from GPP
  • Several methods showing how attackers go from domain user to Domain Admin.
  • Mimikatz DC Sync Usage & Detection
  • Converting an NTLM password hash to a Kerberos ticket (no need to Pass-the-Hash).
  • The one vulnerability to rule them all! (AD domains).
  • Sneaky AD Persistence Tricks
  • How my security research made Golden Tickets more powerful.
  • Silver Tickets can be more dangerous than Golden Tickets.
  • Forging Trust Tickets to expand access.
  • Detecting offensive PowerShell tools including Invoke-Mimikatz
  • Mitigating PowerShell attacks.
  • PowerShell v5 security enhancements
  • Active Directory defense and mitigation techniques that work.
DerbyCon Edition – “Red vs. Blue: Modern Active Directory Attacks & Defense” (v5)
  – New Sneaky Active Directory Persistence Methods, Advanced Red Team Recon Tactics, Remote Execution Methods, Mimikatz DC Sync Usage & Detection, & Detecting offensive PowerShell tools including Invoke-Mimikatz
DerbyCon V (September 2015)
DerbyCon V Slides (PDF)
DerbyCon Presentation Video (YouTube)


Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes.

I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015).

Complete list of Sneaky Active Directory Persistence Tricks posts


The Directory Restore Mode Account

Every Domain Controller has an internal “break glass” local administrator account, the Directory Services Restore Mode (DSRM) account, which exists in the DC’s local SAM rather than in Active Directory. The DSRM password is set when the DC is promoted and is rarely changed afterwards. The primary method to change the DSRM password on a Domain Controller is the ntdsutil command line tool (“set dsrm password”).

Beginning with hotfix KB961320 on Windows Server 2008, there is the option to synchronize the DSRM password on a DC with the password of a specific domain account. Note that this is a one-time copy, not an automatic sync partnership: it must be performed again every time the domain account’s password is changed.
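As an added example (not code from the original post), here is the ntdsutil sequence for that one-time sync wrapped so it can be scheduled after each rotation of the holding account, plus the check that tells you when the DSRM password was last set on a DC: Security event 4794, “An attempt was made to set the Directory Services Restore Mode administrator password”. The account name is a hypothetical domain user created only to hold the DSRM password; run with Domain Admin rights on, or with WinRM access to, the DC.

```powershell
# Added example, not part of the original post. Syncs the DSRM password from a
# domain account and reports DSRM password changes from the DC's Security log.

function Sync-DsrmPassword {
    param(
        [Parameter(Mandatory)][string]$SyncAccount,         # domain user whose CURRENT password is copied to DSRM
        [string]$DomainController = $env:COMPUTERNAME
    )
    # ntdsutil takes each prompt-level command as one quoted argument.
    $cmds = @('set dsrm password', "sync from domain account $SyncAccount", 'quit', 'quit')
    # This copies the password once. A later change to $SyncAccount's password does NOT
    # follow through to DSRM; rerun this function (e.g. from a scheduled task) after each rotation.
    if ($DomainController -eq $env:COMPUTERNAME) {
        & ntdsutil.exe @cmds
    } else {
        Invoke-Command -ComputerName $DomainController -ScriptBlock { param($c) & ntdsutil.exe @c } -ArgumentList (,$cmds)
    }
}

function Get-DsrmPasswordChangeEvents {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Days = 30)
    # Event 4794 is logged on the DC whenever the DSRM password is set, whether by
    # ntdsutil, the sync above, or an attacker preparing DSRM as a backdoor.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4794; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            DC          = $DomainController
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Workstation = $data['Workstation']
            Status      = $data['Status']          # 0x0 = the change succeeded
        }
    }
}

# Usage:
# Sync-DsrmPassword -SyncAccount 'svc-dsrm-holder' -DomainController 'DC01'
# Get-ADDomainController -Filter * | ForEach-Object { Get-DsrmPasswordChangeEvents -DomainController $_.HostName }
```

Any 4794 that does not line up with your scheduled sync, or that was raised by an account other than the one running it, is worth a conversation: the DSRM password is a DC local administrator password that AD password policy and password rotation never touch.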


Windows Server 2016 Technical Preview 3 Download & Release Information

Looks like we are getting closer to Windows Server 2016 RTM!

Microsoft released Windows Server 2016 Technical Preview 3 in late August (Download & Release Notes).

Great Active Directory Attack & Defense Resources

I have found the following resources to be excellent when it comes to attacking & defending an enterprise with Microsoft products (Active Directory, Windows, etc). This was created in response to the many questions regarding who to follow (Twitter) or what blogs to read. 🙂

Microsoft Platform Security Resources:


Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

At Black Hat USA 2015 this summer (2015), I spoke about the danger in having Kerberos Unconstrained Delegation configured in the environment.

When Active Directory was first released with Windows 2000 Server, Microsoft had to provide a simple mechanism to support scenarios where a user authenticates to a Web Server via Kerberos and needs to update records on a back-end database server on behalf of the user. This is typically referred to as the “Kerberos double-hop issue” and requires delegation in order for the Web Server to impersonate the user when modifying database records.

Graphic: Kerberos “double-hop issue”


Kerberos Unconstrained Delegation:

Microsoft implemented Kerberos “unconstrained delegation” in Windows 2000 to enable this level of delegation. A Domain Admin enables it by selecting the middle option on the computer account’s Delegation tab, “Trust this computer for delegation to any service (Kerberos only)”. The third option, “Trust this computer for delegation to specified services only”, is “constrained delegation”, which requires listing the specific Kerberos services (SPNs) on specific computers to which delegation is allowed.

Graphic: Computer configured with Kerberos Unconstrained Delegation


Discovering computers with Kerberos unconstrained delegation is fairly easy using the Active Directory PowerShell module cmdlet, Get-ADComputer (use Get-ADUser as well, since service accounts can be configured for delegation too). The flags map to the delegation types as follows:

  • Unconstrained Delegation: TrustedForDelegation = True
  • Constrained Delegation: msDS-AllowedToDelegateTo is populated with the permitted SPNs; TrustedToAuthForDelegation = True indicates constrained delegation with protocol transition (“Use any authentication protocol”), which is not set for Kerberos-only constrained delegation, so filtering on that flag alone misses part of the constrained set.

Graphic: PowerShell to find Kerberos Unconstrained Delegation
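The following is an added example, not the PowerShell shown in the post’s graphic: it enumerates every user and computer in the domain configured for any kind of Kerberos delegation in one LDAP query, using the userAccountControl bits behind the two flags above, and marks domain controllers (which carry TrustedForDelegation by design) so they can be excluded. It needs only the ActiveDirectory module and a regular domain user, since these attributes are readable by authenticated users by default.

```powershell
# Added example, not part of the original post. Finds accounts that can impersonate
# users via Kerberos delegation and classifies the delegation type.
Import-Module ActiveDirectory

function Get-KerberosDelegation {
    param([switch]$ExcludeDomainControllers)

    $TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained (TrustedForDelegation)
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition (TrustedToAuthForDelegation)

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $ldap = '(&(|(objectCategory=computer)(objectCategory=person))' +
            '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*)))'
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

    Get-ADObject -LDAPFilter $ldap -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName, sAMAccountName |
    ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $isDc = $dcDns -contains $_.DistinguishedName
        if ($ExcludeDomainControllers -and $isDc) { return }
        $kind = if ($uac -band $TRUSTED_FOR_DELEGATION)         { 'Unconstrained' }
                elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained (protocol transition)' }
                else                                             { 'Constrained (Kerberos only)' }
        [PSCustomObject]@{
            Account            = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            Delegation         = $kind
            IsDomainController = $isDc
            AllowedTo          = (@($_.'msDS-AllowedToDelegateTo') -join '; ')   # empty for unconstrained
            SPNs               = (@($_.servicePrincipalName) -join '; ')
        }
    }
}

# Usage: non-DC unconstrained entries are the servers whose compromise hands over every
# TGT that lands on them; fix those first.
# Get-KerberosDelegation -ExcludeDomainControllers | Sort-Object Delegation, Account | Format-Table -AutoSize
```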


How does Kerberos Unconstrained Delegation really work?


Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

Slides from both of my talks this week in Vegas are now posted. There are some differences between the talks, though the primary content is similar/same.

Note that while some of the content is the same (mainly Blue Team information), I describe exploiting Kerberos Unconstrained Delegation in the Black Hat talk and the DEF CON talk covers some “sneaky AD persistence tricks” that are not well known.

AD Security Presentations

Kerberos Golden Tickets are Now More Golden

At my talk at Black Hat USA 2015, I highlighted new Golden Ticket capability in Mimikatz (“Enhanced Golden Tickets”). This post provides additional detail on “enhanced” Golden Tickets.

Over the past few months, I researched how SID History can be abused in modern enterprises. As part of this research, I reached out to Benjamin Delpy, author of Mimikatz, and requested he add “SID History” to Mimikatz forged Kerberos tickets. The June 28th version of Mimikatz now includes the capability to include arbitrary SIDs in the SID History of forged tickets.


DEF CON 23 (2015) Red vs Blue: Modern Active Directory Attacks & Defense Talk Detail

This week at DEF CON 23, I will be speaking about Active Directory attack & defense in my talk “Red vs Blue: Modern Active Directory Attacks & Defense”. This is the 4th iteration of this talk and includes the latest updates to attack methods and defensive strategies. This DEF CON version has a new segment I call “Sneaky AD Persistence” which covers difficult-to-detect methods an attacker could use to retain Domain Admin level access after having admin rights on a Domain Controller for 5 minutes.

On Friday, August 7th, 2015, I have a Track Three talk from 1:00pm to 1:50pm.

Here’s my talk description from the DEF CON website:

Kerberos “Golden Tickets” were unveiled by Alva “Skip” Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can’t be detected, right?

This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage.

Skip the fluff and dive right into the technical detail describing the latest methods for gaining and maintaining administrative access in Active Directory, including some sneaky AD persistence methods. Also covered are traditional security measures that work (and ones that don’t) as well as the mitigation strategies that disrupt the attacker’s preferred game-plan. Prepare to go beyond “Pass-the-Hash” and down the rabbit hole.

Some of the topics covered:

  • Sneaky persistence methods attackers use to maintain admin rights.
  • How attackers go from zero to (Domain) Admin
  • MS14-068: the vulnerability, the exploit, and the danger.
  • “SPN Scanning” with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.).
  • Exploiting weak service account passwords as a regular AD user.
  • Mimikatz, the attacker’s multi-tool.
  • Using Silver Tickets for stealthy persistence that won’t be detected (until now).
  • Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network.
  • Detecting offensive PowerShell tools like Invoke-Mimikatz.
  • Active Directory attack mitigation.

Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.

While the primary components of this talk are similar to my Black Hat presentation two days earlier, key differences are in bold.
