Black Hat 2014 Presentation Video Play List

Attending Black Hat USA 2014 was a sobering and exciting experience.

Here’s a playlist of interesting presentations from Black Hat conferences in 2014:

 

 

 

BackupExec Service Account Security FAIL

Yes. It actually says that if the BackupExec account is a member of Schema Admins, do not remove!
To be fair, it starts off with this Solution which covers the rights required:
From Symantec (http://www.symantec.com/business/support/index?page=content&id=TECH88242)

Continue reading

PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name

Convert Domain Distinguished Name to Fully Qualified Domain Name:
$ADObjectDN = “CN=Object1,OU=OrgUnit1,DC=child,DC=domain,DC=com”
[array]$ADObjectDNArray = $ADObjectDN -Split(“,DC=”)
        [int]$DomainNameFECount = 0
        ForEach ($ADObjectDNArrayItem in $ADObjectDNArray)
            {
                IF ($DomainNameFECount -gt 0)
                { [string]$ADObjectDNArrayItemDomainName += $ADObjectDNArrayItem + “.” }
                $DomainNameFECount++
            }
$ADObjectDNDomainName = $ADObjectDNArrayItemDomainName.Substring(0,$ADObjectDNArrayItemDomainName.Length-1)
Convert Domain Fully Qualified Domain Name to Distinguished Name:
$DomainFullyQualifiedDomainName = “child.domain.com”
$DomainFullyQualifiedDomainNameArray = $DomainFullyQualifiedDomainName -Split(“\.”)
[int]$DomainNameFECount = 0
ForEach ($DomainFullyQualifiedDomainNameArrayItem in $DomainFullyQualifiedDomainNameArray)
    IF ($DomainNameFECount -eq 0)
        { [string]$ADObjectDNArrayItemDomainName += “DC=” +$DomainFullyQualifiedDomainNameArrayItem }
    ELSE 
        { [string]$ADObjectDNArrayItemDomainName += “,DC=” +$DomainFullyQualifiedDomainNameArrayItem }
    $DomainNameFECount++
}
$ADObjectDNArrayItemDomainName
OR
$Domain=”Child1.Root.com”
$DomainDN = “DC=$($Domain.replace(“.”, “,DC=”))”
$DomainDN
(thanks Bill!)
Extract the Domain Distinguished Name From an Active Directory Distinguished Name:
$ADObjectDN = “CN=Object1,OU=OrgUnit1,DC=child,DC=domain,DC=com”
[array]$ADObjectDNArray = $ADObjectDN -Split(“,DC=”)
        [int]$DomainNameFECount = 0
        ForEach ($ADObjectDNArrayItem in $ADObjectDNArray)
            {
                IF ($DomainNameFECount -gt 0)
                { [string]$ADObjectDNArrayItemDomainName += $ADObjectDNArrayItem + “.” }
                $DomainNameFECount++
            }
$ADObjectDNDomainName = $ADObjectDNArrayItemDomainName.Substring(0,$ADObjectDNArrayItemDomainName.Length-1)

Virtualization Updates to Active Directory 2012

As part of the many updates to Active Directory, one of the most interesting is virtualization safeguarding in Windows Server 2012.

Active Directory Domain Controllers running Windows Server 2012 can now identify if they are virtualized and have been improperly restored or cloned (copied). Windows Server 2012 introduces a new feature called the VM Generation ID which is used to track the virtual machine (VM) on which the OS is running. When a new VM is created in a hypervisor that supports the feature (Hyper-V 2012 & VMWare vSphere 5.1), a VM Generation ID is created by the hypervisor and associated with the VM as the unique VM guest identifier. The VM Generation ID is a 128-bit cryptographically random  integer that changes when the VM’s configuration file changes. The virtual machine’s BIOS provides the VM Generation ID to the OS in an 8-byte aligned buffer in guest RAM, ROM, or device memory space which can be queried via ACPI namspace with a compatible ID of “VM Gen Counter” (also a DOS Device Name of “VM_Gen_Counter”. When the generation ID changes, there is an ACPI Notify operation on the generation ID device ID device using notification code 0x80 (an ACPI GPE can triger this notification).

Continue reading

PowerShell for Pentesters

PowerShell is extremely useful for admins. This power is also extremely useful for attackers.

There are several PowerShell tools specifically for increasing access on a network:

PowerSploit

PowerSploit – PowerShell based pentest tool set developed by Mattifestation.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment.

PowerSploit is comprised of the following major components:

CodeExecution
ScriptModification
Persistence
PETools
Capstone
ReverseEngineering
AntivirusBypass
Recon
Exfiltration

The last one listed, Exfiltration, includes the following useful PowerShell pentest scripts.

Invoke-TokenManipulation
Invoke-CredentialInjection
Invoke-Mimikatz
Get-GPPPassword
Get-VaultCredential

Continue reading

Domain Controller Virtual Cloning

One of the best new features of Windows Server 2012 is virtual cloning.

The ASKPFE blog has an excellent article covering this new feature:

Tom Moser here with a post on one of the new ADDS features in Windows Server 2012; Virtual Domain Controller Cloning.

Until now, cloning, snapshotting, copying, or pretty much doing anything but rebuilding from scratch to a virtual domain controller wasn’t just unsupported; it had the potential to be really bad for your directory. Cloning or restoring snapshots of DCs could result in USN rollbacks or lingering objects, just to name a couple of problems.

Starting in Windows Server 2012, we now support DC cloning as well as snapshot restoration of domain controllers. With the RTM bits available, I found myself rebuilding my lab and took the opportunity to document the process to demonstrate just how easy it is to clone virtual domain controllers with Windows Server 2012.

Requirements

There are a few base infrastructure requirements to take advantage of DC cloning.

  • The hypervisor must support VM-GenerationID. Hyper-V running on Windows Server 2012 supports this feature. Other virtualization vendors will have the ability to implement this as well, so check with your vendor to see if it’s supported.
  • The source virtual DC must be running Windows Server 2012.
  • The PDC emulator role holder must be online and available to the cloned DC and must be running Windows Server 2012.

There are a few other steps and requirements and I’ll take you through those now.

Read the rest of the article here.

Windows 8: Using PowerShell to Decrypt Wireless SSID Passwords with NetSH

Show the saved password for SSID named “SSID_NAME” in Windows 8.

((netsh wlan show profiles name="SSID_NAME" key=clear | select-string "Key Content" ) -split(" Key Content : "))[1]

 

 

 

Active Directory Domain Trusts & Trust Password Management

Recently a customer asked me about Active Directory Domain Trusts and how the passwords were managed. I replied with some educated guesses based on how AD manages a variety of passwords. After stating how I thought it worked (and mentioned that I wasn’t sure), I decided to look it up. I was mostly correct.

Every trust a domain maintains is represented by a Trusted Domain Object (TDO) in the Domain partition’s System container. The TDO contains the following attributes for a domain trust:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name

Forest trusts store the following attributes:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name
  • Domain tree names
  • User Principal Name (UPN) suffixes
  • Service Principal Name (SPN) suffixes
  • Security ID (SID) namespaces

Since trust information is stored in Active Directory, all domains in the forest know about all of the trusts in place with all forest domains. External NT 4 trusts are not stored as TDOs and therefore are not in Active Directory.

Continue reading

PowerShell Data Types

Useful table with Powershell’s data types and descriptions:

[string]  Fixed-length string of Unicode characters
 [array] Array of values
 [xml] Xml object
 [int] 32-bit signed integer
 [DateTime] Date and Time
 [long] 64-bit signed integer
 [decimal] 128-bit decimal value
 [single]  Single-precision 32-bit floating point number
 [double] Double-precision 64-bit floating point number
 [char] A Unicode 16-bit character
 [byte] An 8-bit unsigned character
 [bool] Boolean True/False value
 [hashtable]  Hashtable object
[void] Sends the datat to Null (same as piping to out-Null)

BlueHat 2014 Slides: Reality Bites – The Attacker’s View of Windows Authentication and Post-exploitation

Each year, Microsoft invites security researchers (aka hackers) to speak to Microsoft employees about security issues.

One of the most interesting talks listed at “BlueHat” 2014 was the one by the “Pass-the-Hash” experts, Chris Campbell, Bejamin Delpy, and Skip Duckwall.

This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

BlueHat 2014 Slides: Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation – Chris Campbell, Benjamin Delpy, & Skip Duckwall