ActiveDirectory – Page 3 – Active Directory Security

Jan 14 2015

Windows Server 2012 & Windows Server 2012 R2 Complete Documentation

By Sean Metcalf in Technical Reference

Microsoft took all the Windows Server 2012 (& 2012 R2) documentation and posted it as a single PDF! Version: 1.0 File Name: WS12_R2_and_WS12_TechNet.pdf Date Published: 2/18/2014 File Size: 125.9 MB This download is an Adobe® PDF of the entire contents of the Windows Server 2012 R2 and Windows Server 2012 section of the Microsoft TechNet …

ActiveDirectory, Microsoft Documentation, ServerFeatures, ServerRoles, WindowsServer, WindowsServer2012, WindowsServer2012R2

Dec 15 2014

Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) This post shows the packet captures I performed using WireShark on the Domain Controllers during stage 1 and …

ActiveDirectory, CVE-2014-6324POC, DomainController, KaliLinux, KB3011780, KDC, Kerberos, KerberosChecksumVulnerability, KerberosHacking, KerberosPacketCapture, mimikatz, MS14068, MS14068Exploit, MS14068ExploitCode, MS14068ExploitPacketCapture, PAC, PoC, PowerShellCode, PyKEK, PyKEKPackets, PythonKerberosExploitationKit, WireShark

Dec 07 2014

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Detecting PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monné posted to …

Dec 06 2014

MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)

By Sean Metcalf in Microsoft Security, Technical Reference

As noted in previous posts on MS14-068, including a detailed description, a Kerberos ticket with an invalid PAC checksum causes an unpatched Domain Controller to accept invalid group membership claims as valid for Active Directory resources. The MS14-068 patch modifies KDC Kerberos signature validation processing on the Domain Controller. This issue is FAR worse than …

ActiveDirectory, CVE-2014-6324POC, KB3011780, KDC, Kerberos, KerberosChecksumVulnerability, KerberosHacking, MetaSploit, MS14068, MS14068ExploitCode, PAC, PoC, PyKEK, PythonKerberosExploitationKit

Dec 05 2014

Windows Computer Primary Group IDs

By Sean Metcalf in PowerShell, Technical Reference

Primary Group IDs are the RIDs for the Domain groups. The full list is here: Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs). 515 – Domain Computers 516 – Domain Controllers (writable) 521 – Domain Controllers (Read-Only) This information helps filter computer objects to return only the desired computer type. Domain Computers (Workstation …

ActiveDirectory, DomainControllers, FindingDCs, FindingDomainComputer, FindingRODCs, PowerShellCode, PrimaryGroupID, ReadOnlyDomainController, WindowsComputer

Nov 21 2014

MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works The folks at BeyondTrust have …

ActiveDirectory, KB3011780, Kerberos, KerberosHacking, KerberosInvalidChecksum, KerberosVulnerability, MS14-068, MS14068, MS14068Patch, PACValidation

Nov 18 2014

MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege

By Sean Metcalf in Microsoft Security, Technical Reference

Active Directory leverages the Kerberos protocol for authentication. The vulnerability patches an issue with how the Domain Controller validates group membership in Kerberos tickets (hint: the ticket is always validated by the DC if the checksum is set to certain values). Microsoft KB3011780 patches this issue. According to Microsoft: “When this security bulletin was issued, …

ActiveDirectory, CVE-2014-6324POC, DomainController, HackingKerberos, KB3011780, KDC, KDCVulnerability, Kerberos, KerberosAttack, KerberosGoldentTicket, KerberosSilverTicket, KerberosVulnerability, MicrosoftPatch, mimikatz, MS14-068, MS14068, MS14068Exploit, MS14068POC, PAC, SPN

Nov 17 2014

PowerShell: Discover Active Directory Forest Domain Controllers

By Sean Metcalf in PowerShell

Recently I needed to find all Domain Controllers in a large Active Directory forest (and see the AD Domain Functional Level for each domain). Here’s the PowerShell code which leverages the Active Directory PowerShell module cmdlets. import-module ActiveDirectory $ADForestInfo = Get-ADForest $ADForestInfoName = $ADForestInfo.Name $ADForestInfoDomains = $ADForestInfo.Domains $ADForestInfoForestMode = $ADForestInfo.ForestMode $AllDCs = $Null ForEach …

ActiveDirectory, DomainFunctionalLevel, ForestDomainControllers, PowerShellAD, PowerShellCode

Nov 15 2014

Active Directory Replication Overview & USN Rollback: What It Is & How It Happens

By Sean Metcalf in Technical Reference

If you have experienced event id #2095, then you understand how a USN Rollback can negatively affect AD consistency. What is a USN? The USN (Update Sequence Number) is an Active Directory database instance counter that increments every time a single change is committed to the AD database on a Domain Controller. The USN is …

ActiveDirectory, ADReplication, Configuration, Deployment, DomainController, HighWaterMarkVector, PowerShell, up-to-datenessVector, WindowsServer

Nov 10 2014

Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account

By Sean Metcalf in Microsoft Security, PowerShell

Every Domain Controller in an Active Directory domain runs a KDC (Kerberos Distribution Center) service which handles all Kerberos ticket requests. AD uses the KRBTGT account in the AD domain for Kerberos tickets. The KRBTGT account is one that has been lurking in your Active Directory environment since it was first stood up. Each Active …

ActiveDirectory, ADKerberos, ChangeKRBTGTPasswordTwice, GoldenTicket, KRBTGT, KRBTGTAccount, KRBTGTAccountInfo, KRBTGTPasswordHash

Tag: ActiveDirectory