Nov 03 2014

Virtualization Updates to Active Directory 2012

As part of the many updates to Active Directory, one of the most interesting is virtualization safeguarding in Windows Server 2012.

Active Directory Domain Controllers running Windows Server 2012 can now identify if they are virtualized and have been improperly restored or cloned (copied). Windows Server 2012 introduces a new feature called the VM Generation ID which is used to track the virtual machine (VM) on which the OS is running. When a new VM is created in a hypervisor that supports the feature (Hyper-V 2012 & VMWare vSphere 5.1), a VM Generation ID is created by the hypervisor and associated with the VM as the unique VM guest identifier. The VM Generation ID is a 128-bit cryptographically random  integer that changes when the VM’s configuration file changes. The virtual machine’s BIOS provides the VM Generation ID to the OS in an 8-byte aligned buffer in guest RAM, ROM, or device memory space which can be queried via ACPI namspace with a compatible ID of “VM Gen Counter” (also a DOS Device Name of “VM_Gen_Counter”. When the generation ID changes, there is an ACPI Notify operation on the generation ID device ID device using notification code 0x80 (an ACPI GPE can triger this notification).

Continue reading

Nov 03 2014

PowerShell for Pentesters

PowerShell is extremely useful for admins. This power is also extremely useful for attackers.

There are several PowerShell tools specifically for increasing access on a network:

PowerSploit

PowerSploit – PowerShell based pentest tool set developed by Mattifestation.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment.

PowerSploit is comprised of the following major components:

CodeExecution
ScriptModification
Persistence
PETools
Capstone
ReverseEngineering
AntivirusBypass
Recon
Exfiltration

The last one listed, Exfiltration, includes the following useful PowerShell pentest scripts.

Invoke-TokenManipulation
Invoke-CredentialInjection
Invoke-Mimikatz
Get-GPPPassword
Get-VaultCredential

Continue reading

Nov 02 2014

Domain Controller Virtual Cloning

One of the best new features of Windows Server 2012 is virtual cloning.

The ASKPFE blog has an excellent article covering this new feature:

Tom Moser here with a post on one of the new ADDS features in Windows Server 2012; Virtual Domain Controller Cloning.

Until now, cloning, snapshotting, copying, or pretty much doing anything but rebuilding from scratch to a virtual domain controller wasn’t just unsupported; it had the potential to be really bad for your directory. Cloning or restoring snapshots of DCs could result in USN rollbacks or lingering objects, just to name a couple of problems.

Starting in Windows Server 2012, we now support DC cloning as well as snapshot restoration of domain controllers. With the RTM bits available, I found myself rebuilding my lab and took the opportunity to document the process to demonstrate just how easy it is to clone virtual domain controllers with Windows Server 2012.

Requirements

There are a few base infrastructure requirements to take advantage of DC cloning.

  • The hypervisor must support VM-GenerationID. Hyper-V running on Windows Server 2012 supports this feature. Other virtualization vendors will have the ability to implement this as well, so check with your vendor to see if it’s supported.
  • The source virtual DC must be running Windows Server 2012.
  • The PDC emulator role holder must be online and available to the cloned DC and must be running Windows Server 2012.

There are a few other steps and requirements and I’ll take you through those now.

Read the rest of the article here.

Nov 02 2014

Windows 8: Using PowerShell to Decrypt Wireless SSID Passwords with NetSH

Show the saved password for SSID named “SSID_NAME” in Windows 8.

((netsh wlan show profiles name="SSID_NAME" key=clear | select-string "Key Content" ) -split(" Key Content : "))[1]

 

 

 

Nov 01 2014

Active Directory Domain Trusts & Trust Password Management

Recently a customer asked me about Active Directory Domain Trusts and how the passwords were managed. I replied with some educated guesses based on how AD manages a variety of passwords. After stating how I thought it worked (and mentioned that I wasn’t sure), I decided to look it up. I was mostly correct.

Every trust a domain maintains is represented by a Trusted Domain Object (TDO) in the Domain partition’s System container. The TDO contains the following attributes for a domain trust:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name

Forest trusts store the following attributes:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name
  • Domain tree names
  • User Principal Name (UPN) suffixes
  • Service Principal Name (SPN) suffixes
  • Security ID (SID) namespaces

Since trust information is stored in Active Directory, all domains in the forest know about all of the trusts in place with all forest domains. External NT 4 trusts are not stored as TDOs and therefore are not in Active Directory.

Continue reading

Oct 31 2014

PowerShell Data Types

Useful table with Powershell’s data types and descriptions:

[string]  Fixed-length string of Unicode characters
 [array] Array of values
 [xml] Xml object
 [int] 32-bit signed integer
 [DateTime] Date and Time
 [long] 64-bit signed integer
 [decimal] 128-bit decimal value
 [single]  Single-precision 32-bit floating point number
 [double] Double-precision 64-bit floating point number
 [char] A Unicode 16-bit character
 [byte] An 8-bit unsigned character
 [bool] Boolean True/False value
 [hashtable]  Hashtable object
[void] Sends the datat to Null (same as piping to out-Null)

Oct 30 2014

BlueHat 2014 Slides: Reality Bites – The Attacker’s View of Windows Authentication and Post-exploitation

Each year, Microsoft invites security researchers (aka hackers) to speak to Microsoft employees about security issues.

One of the most interesting talks listed at “BlueHat” 2014 was the one by the “Pass-the-Hash” experts, Chris Campbell, Bejamin Delpy, and Skip Duckwall.

This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

BlueHat 2014 Slides: Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation – Chris Campbell, Benjamin Delpy, & Skip Duckwall

 

Oct 29 2014

Active Directory (and other) Security Resources

I just posted a “Security Resources” page that is a tab at the top of the site. This page contains useful security resources I have found over the years and plan on updating the content as needed.

Active Directory (and other) Security Resources

Oct 29 2014

Windows Server 2012 R2 deprecates FRS (File Replication Service)

Microsoft’s Tip of the Day has the following useful information on Domain Controller File Replication Service (FRS) depercation:

FRS (File Replication Service) has been deprecated in Windows Server 2012 R2.  The deprecation of FRS has been accomplished by enforcing a minimum domain functional level of Windows Server 2008.  This enforcement is present only if the new domain is created using Server Manager or PowerShell.  DCPromo still exists and is used by unattended installations.  Such domains can still be created at a lower domain functional level.

 

 

Oct 28 2014

PowerShell Code: Convert Integer8 to Date

There are several Active Directory attributes where the value is stored as an Integer8 value.
These include:

  • accountExpires
  • badPasswordTime
  • lastlogon
  • lastlogontimestamp
  • pwdLastSet

Here’s information on what Integer8 is:

Many attributes in Active Directory have a data type (syntax) called Integer8. These 64-bit numbers (8 bytes) often represent time in 100-nanosecond intervals. If the Integer8 attribute is a date, the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. Any leap seconds are ignored.

In .NET Framework (and PowerShell) these 100-nanosecond intervals are called ticks, equal to one ten-millionth of a second. There are 10,000 ticks per millisecond. In addition, .NET Framework and PowerShell DateTime values represent dates as the number of ticks since 12:00 AM January 1, 0001.

Quick PowerShell code for converting Integer8 into a date/time value:

$Integer8 = “130567517440984934”
[datetime]::FromFileTimeUTC($Integer8)

Load more