Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

At Black Hat USA 2015 this summer (2015), I spoke about the danger in having Kerberos Unconstrained Delegation configured in the environment.

When Active Directory was first released with Windows 2000 Server, Microsoft had to provide a simple mechanism to support scenarios where a user authenticates to a Web Server via Kerberos and needs to update records on a back-end database server on behalf of the user. This is typically referred to as the “Kerberos double-hop issue” and requires delegation in order for the Web Server to impersonate the user when modifying database records.

Graphic: Kerberos “double-hop issue”

Kerberos Unconstrained Delegation:

Microsoft implemented Kerberos “unconstrained delegation” in Windows 2000 that enables this level of delegation. A Domain Admin can enable this delegation level by checking the middle box. The third box is for “constrained delegation” which requires listing of specific Kerberos services on computers to which delegation is enabled.

Graphic: Computer configured with Kerberos Unconstrained Delegation

Discovering computers with Kerberos unconstrained delegation is fairly easy using the Active Directory PowerShell module cmdlet, Get-ADComputer.

  • Unconstrained Delegation: TrustedForDelegation = True
  • Constrained Delegation: TrustedToAuthForDelegation = True

Graphic: PowerShell to find Kerberos Unconstrained Delegation
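The discovery query described above, written out as an added example for this post (not the original screenshot’s script). It assumes the Active Directory PowerShell module (RSAT) is installed and the caller can read the domain. It goes a little beyond the two-flag summary: Domain Controllers carry TrustedForDelegation by default and are excluded so the list shows only member servers, user and service accounts are checked as well as computers, and the msDS-AllowedToDelegateTo attribute is read because it is what identifies constrained delegation; TrustedToAuthForDelegation specifically marks the “use any authentication protocol” (protocol transition) variant.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT)
# and read access to the domain. Output objects can be piped to Export-Csv for review.
Import-Module ActiveDirectory

# userAccountControl bit values (constants, not page-specific):
#   TRUSTED_FOR_DELEGATION          = 0x80000   (524288)   -> unconstrained delegation
#   TRUSTED_TO_AUTH_FOR_DELEGATION  = 0x1000000 (16777216) -> constrained + protocol transition
# The matching-rule OID 1.2.840.113556.1.4.803 performs a bitwise AND in an LDAP filter.

# 1. Computers with unconstrained delegation, excluding DCs (primaryGroupID 516) and RODCs (521).
$unconstrainedComputers = Get-ADComputer `
    -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))' `
    -Properties TrustedForDelegation, OperatingSystem, ServicePrincipalName, Description |
    Select-Object Name, DNSHostName, OperatingSystem, Description,
        @{ Name = 'DelegationType'; Expression = { 'Unconstrained' } }

# 2. User/service accounts with unconstrained delegation (rare, and worth a close look).
$unconstrainedUsers = Get-ADUser `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties TrustedForDelegation, ServicePrincipalName, Description |
    Select-Object Name, SamAccountName, Description,
        @{ Name = 'DelegationType'; Expression = { 'Unconstrained' } }

# 3. Constrained delegation: any object whose msDS-AllowedToDelegateTo lists target SPNs.
#    TrustedToAuthForDelegation = True means "use any authentication protocol" is enabled.
$constrained = Get-ADObject `
    -LDAPFilter '(&(|(objectClass=computer)(objectClass=user))(msDS-AllowedToDelegateTo=*))' `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, objectClass |
    Select-Object Name, DistinguishedName, objectClass,
        @{ Name = 'DelegationType'; Expression = {
            if ($_.TrustedToAuthForDelegation) { 'Constrained (protocol transition)' } else { 'Constrained' } } },
        @{ Name = 'AllowedToDelegateTo'; Expression = { ($_.'msDS-AllowedToDelegateTo') -join '; ' } }

# Summary for review: unconstrained entries first, since those are the highest risk.
$unconstrainedComputers | Format-Table -AutoSize
$unconstrainedUsers     | Format-Table -AutoSize
$constrained            | Format-Table -AutoSize
```

Run this periodically and diff the output against the previous run; a new non-DC entry in the unconstrained list is a change that should be explained. Privileged accounts can also be marked “Account is sensitive and cannot be delegated” (or placed in the Protected Users group on 2012 R2 and later) so that their tickets are never handed to a delegating server.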

How does Kerberos Unconstrained Delegation really work?


Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

Slides from both of my talks this week in Vegas are now posted. There are some differences between the talks, though the primary content is similar/same.

Note that while some of the content is the same (mainly Blue Team information), I describe exploiting Kerberos Unconstrained Delegation in the Black Hat talk and the DEF CON talk covers some “sneaky AD persistence tricks” that are not well known.

AD Security Presentations

Kerberos Golden Tickets are Now More Golden

At my talk at Black Hat USA 2015, I highlighted new Golden Ticket capability in Mimikatz (“Enhanced Golden Tickets”). This post provides additional detail on “enhanced” Golden Tickets.

Over the past few months, I researched how SID History can be abused in modern enterprises. As part of this research, I reached out to Benjamin Delpy, author of Mimikatz, and requested he add “SID History” to Mimikatz forged Kerberos tickets. The June 28th version of Mimikatz now includes the capability to include arbitrary SIDs in SID History on forged tickets.


DEF CON 23 (2015) Red vs Blue: Modern Active Directory Attacks & Defense Talk Detail

This week at DEF CON 23, I will be speaking about Active Directory attack & defense in my talk “Red vs Blue: Modern Active Directory Attacks & Defense”. This is the 4th iteration of this talk and includes the latest updates to attack methods and defensive strategies. This DEF CON version has a new segment I call “Sneaky AD Persistence”, which covers difficult-to-detect methods by which an attacker could retain Domain Admin level access after having had admin rights on a Domain Controller for 5 minutes.

On Friday, August 7th, 2015, I have a Track Three talk from 1:00pm to 1:50pm.

Here’s my talk description from the DEF CON website:

Kerberos “Golden Tickets” were unveiled by Alva “Skip” Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can’t be detected, right?

This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage.

Skip the fluff and dive right into the technical detail describing the latest methods for gaining and maintaining administrative access in Active Directory, including some sneaky AD persistence methods. Also covered are traditional security measures that work (and ones that don’t) as well as the mitigation strategies that disrupt the attacker’s preferred game-plan. Prepare to go beyond “Pass-the-Hash” and down the rabbit hole.

Some of the topics covered:

  • Sneaky persistence methods attackers use to maintain admin rights.
  • How attackers go from zero to (Domain) Admin
  • MS14-068: the vulnerability, the exploit, and the danger.
  • “SPN Scanning” with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.).
  • Exploiting weak service account passwords as a regular AD user.
  • Mimikatz, the attacker’s multi-tool.
  • Using Silver Tickets for stealthy persistence that won’t be detected (until now).
  • Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network.
  • Detecting offensive PowerShell tools like Invoke-Mimikatz.
  • Active Directory attack mitigation.

Kerberos expertise is not required, since the presentation covers how Active Directory leverages Kerberos for authentication and identifies the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.

While the primary components of this talk are similar to my Black Hat presentation two days earlier, key differences are in bold.


Black Hat USA 2015 Red vs Blue Active Directory Attack & Defense Talk Detail

Next week at Black Hat USA 2015, I will be speaking about Active Directory attack & defense in my talk “Red vs Blue: Modern Active Directory Attacks Detection and Protection”. This is the 3rd iteration of this talk and includes the latest updates to attack methods and defensive strategies. This version includes lots of updates, at least two brand new attack methods, and additional defense strategies.

I put this talk together because I saw that the conversation around breaches and compromises focuses on the malware, and there seems to be an information gap. This gap exists between what happens after an attacker gains a foothold on a system inside the network (spear-phishing to get malware installed) and when they gain full Domain Admin rights. Approaching the subject from both an attack and defense perspective, I walk through the latest attack methods and the best ways to detect and defend against them. There are ways to mitigate and defend against these attacks which can prevent a full Active Directory compromise.

On Wednesday, August 5th, 2015, I am speaking at the Mandalay Bay room EF from 1:50pm to 2:40pm.

Graphic: Black Hat USA 2015 schedule entry for “Red vs Blue”

Here’s my talk description from the Black Hat website:


It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts

In early 2015, I theorized that it’s possible to forge inter-realm (inter-trust) Kerberos tickets in a similar manner to how intra-domain TGTs (Golden Tickets) and TGSs (Silver Tickets) are forged. Around the same time, Benjamin Delpy updated Mimikatz to dump trust keys from a Domain Controller. Soon after, Mimikatz gained the capability to forge inter-realm trust tickets. Benjamin Delpy added “Kekeo” to GitHub, which includes “AskTGS”, providing the capability to request TGS service tickets for targeted services in the destination domain and save them to file. With the tools enabling further research, I was able to explore what is possible with forged cross-trust Kerberos tickets.

Note that forging a Kerberos Trust Ticket is similar to forging a Golden Ticket or a Silver Ticket.

The key to the power of a Kerberos Trust Ticket within a multi-domain Active Directory forest is Enterprise Admins membership, which easily crosses domain boundaries and provides effective Domain Admin rights in every domain in the AD forest.

I presented on “Trust Tickets” at Shakacon in Hawaii last week. Simply put, Trust Tickets are forged inter-realm Kerberos tickets. When there are two Active Directory domains connected via trust, there is a password which is shared between them used to keep the trust active. This trust password is also used as the shared secret in Kerberos.

I also presented at Black Hat USA 2015 how I enabled Golden Tickets to work across domains in the same forest (aka Enhanced Golden Tickets).

Update 9/2/2015: I updated the screenshots to accurately show how the intra-forest trust is exploited using the current version of Mimikatz.


Microsoft Advanced Threat Analytics (ATA) Overview

Introduction

There are several methods for identifying unusual or anomalous user activity. Traditionally these methods have required certain events to be logged to the Windows event logs on workstations, servers, and Domain Controllers (DCs), and these events need to be forwarded to a central collection system. The drawbacks to this approach are numerous: the data logged may not catch certain “known bad” behavior, the sheer number of events that require logging is large, and the log data requires large amounts of storage for processing and recall.

Microsoft announced a new product at the Microsoft Ignite conference in May 2015. Microsoft Advanced Threat Analytics (ATA) provides real-time analysis of user activity and identifies and flags any activity considered anomalous.

Microsoft Advanced Threat Analytics (ATA) is now generally available.
If your organization has Software Assurance with Enterprise CALs, ATA may be included. Contact your Microsoft rep for details.


Microsoft Advanced Threat Analytics (ATA)

In 2014, Microsoft purchased a company called Aorato and the technology acquired from this purchase is now a new product Microsoft Advanced Threat Analytics (ATA) which is currently in beta. Microsoft Advanced Threat Analytics is unique among most security products in that it is placed on the network with a feed of traffic destined for Domain Controllers forwarded to ATA Gateways (sensors). The ATA Gateway parses the network traffic involving the Domain Controllers and from this builds a user activity profile for every user in Active Directory, including the computers the user typically logs onto and resources the user accesses. From this activity profile, ATA can identify when user activity falls outside of the baseline.


How ATA Works

The Microsoft Advanced Threat Analytics architecture is comprised of two components. The ATA Gateway uses deep packet inspection technology to review user activity data from the network and forwards relevant data to the ATA Center (about 3% of all network data reviewed). The ATA Center receives the activity data from the ATA Gateway over a secure connection and builds an “Organizational Security Graph”, which is a map of entity (users, computers, resources, etc.) interactions and represents the context of the related activities. This data effectively includes activity profiles for every user, and ATA leverages these to alert on anomalous user behavior. Note that only “known bad” activity is alerted on, and only suspicious activity (outliers from normal) is flagged.


Summer Speaking Engagements

I am thrilled to announce I will be speaking about Active Directory security at the following security conferences:

Each talk will cover current AD attack techniques and the latest defensive methods. Additionally, I will be sharing some exciting new information at each conference!

Detecting Mimikatz Use

Benjamin Delpy published some YARA rules for detecting Mimikatz use in your environment.
More information on Mimikatz capability is in the “Unofficial Mimikatz Guide & Command Reference” on this site.

YARA is described as:

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

The published rules enable detection of the Mimikatz exe, dll, and artifacts such as kirbi ticket files, as well as WCE.
Here’s the data:


Microsoft Ignite 2015 Security Sessions

Microsoft retired several conferences this year (TechEd, MEC, MMC, etc) and merged them into a single mega-conference called Microsoft Ignite 2015. About 23,000 people (~29k including all staff and support personnel) converged on the McCormick Place Conference Center in Chicago, IL during the week of May 4th (May the Fourth be With You!).

I recently posted on the new Windows 10 credential system, Microsoft Passport & Microsoft Hello.

Note: Session content is still being uploaded.

Windows Security Sessions:

How to Protect Your Corporate Resources from Advanced Attacks (Microsoft Advanced Threat Analytics, formerly Aorato)
https://channel9.msdn.com/Events/Ignite/2015/BRK3870
Demi Albuz, Michael Dubinsky, Benny Lakunishok, Idan Plotnik
Slides (view online)

How You Can Hack-Proof Your Clients and Servers in a Day
Hasain Alshakarti, Marcus Murray
https://channel9.msdn.com/Events/Ignite/2015/BRK2346

Hacker Tools for Ethical Hackers to Protect Windows Clients
Raymond Comvalius, Erdal Ozkaya
https://channel9.msdn.com/Events/Ignite/2015/BRK2332
Slides (view online)

Detecting the Undetectable
Roger Grimes
https://channel9.msdn.com/Events/Ignite/2015/BRK2344
Slides (view online)
