00:00:00.234-->00:00:05.105 >>Alright, let's go, twelve o'clock. This is Beyond the MCSE: Red Teaming Active Directory. I 00:00:05.105-->00:00:09.309 am Sean Metcalf, otherwise you're in the wrong room, but since it's single track today I think 00:00:09.309-->00:00:14.314 you're in the right room. [cheering] I am the founder of Trimarc, a security company, a 00:00:16.450-->00:00:20.420 Microsoft Certified Master in Active Directory, one of about a hundred in the world, and a 00:00:20.420-->00:00:26.727 Microsoft MVP. I've spoken at Black Hat last year and this year and DEF CON last year and this 00:00:26.727-->00:00:30.397 year, and I'm very excited to talk to you about some AD security stuff. I'm a security 00:00:30.397-->00:00:34.434 consultant and researcher and I own and operate ADSecurity.org, which hopefully you're all 00:00:34.434-->00:00:39.740 aware of. So we're going to talk about some key AD components from a security perspective, 00:00:39.740-->00:00:44.144 things I think the security professional should know about. Some offensive PowerShell stuff, 00:00:44.144-->00:00:48.348 basically how you can bypass some of the new PowerShell version 5 security features. 00:00:48.348-->00:00:53.720 Effective AD recon, and then some of the defenses you'll run into as a red teamer and how to 00:00:53.720-->00:00:59.359 bypass them. And then we'll wrap up with a checklist. So for the red teamers in the room, this is 00:00:59.359-->00:01:05.899 what hacking looks like, right? Get full access. [laughter] Score! Love hackers, right? Or 00:01:05.899-->00:01:10.504 maybe you've done this, of course you've, you've rappelled from the top of the warehouse 00:01:10.504-->00:01:15.275 over the server and you have extracted the information, right? And of course everyone 00:01:15.275-->00:01:19.713 has done the Tom Cruise move when hacking a system [laughter], you're hanging over the computer 00:01:19.713-->00:01:24.785 and typing stuff in... eh, close to it, right?
It looks more like this, like PowerShell 00:01:24.785-->00:01:29.790 Empire, Mimikatz. Oh, so close. Um, but there's differing views of Active Directory. The 00:01:34.761-->00:01:38.765 administrator, the security professional and the attacker have different perspectives of 00:01:38.765-->00:01:43.737 what Active Directory looks like. None of them have the complete picture of what it is. 00:01:43.737-->00:01:47.074 The Active Directory administrator and engineer, their perspective of Active Directory 00:01:47.074-->00:01:52.379 is through their tools: AD Users and Computers, Domains and Trusts, Group Policy, Sites and 00:01:52.379-->00:01:59.219 Services, and PowerShell. And the security professional's view of Active Directory is through 00:01:59.219-->00:02:05.959 their SIEM tool, the vulnerability scanner, the events, the event log. The attacker's perspective is 00:02:05.959-->00:02:09.296 much different. They're getting a lot of information about what's going on in the 00:02:09.296-->00:02:14.568 environment. When you red team an Active Directory you do recon, grab some credentials, go from 00:02:14.568-->00:02:21.208 there, go from there, grab some credentials and then DA, pop the champagne, right? Okay, that's 00:02:21.208-->00:02:27.781 interesting. Wow, thanks lady. So note to future speakers: when you send your slides to someone and 00:02:27.781-->00:02:32.786 they send them back to you, make sure you check them before you go to DEF CON. Thank you, Lee 00:02:35.222-->00:02:40.227 Holmes. [applause] Alright, let's get [laughter] okay, let's talk about Active Directory security 00:02:49.102-->00:02:53.907 again. I'm going to try to recover from that. So an Active Directory forest is like the UFP 00:02:53.907-->00:02:57.944 from Star Trek: you've got the United Federation of Planets, you've got a lot of starships, 00:02:57.944-->00:03:02.582 they're all part of one happy family, right? And in this analogy every starship is a 00:03:02.582-->00:03:08.655 domain joined to the UFP forest.
The executive officers on the ship are the domain admins for 00:03:08.655-->00:03:15.595 their ship, domain. And if a ship's executive officer, domain admin, is compromised, then so is 00:03:15.595-->00:03:20.600 the ship. In the instance of the USS Reliant, Khan was able to compromise one of the executive 00:03:23.036-->00:03:28.975 officers and own that ship and all the systems on it. And then since two ships come together, 00:03:28.975-->00:03:34.815 they're all part of one happy Federation and one forest, they're all implicitly trusted, 00:03:34.815-->00:03:40.253 which can lead to some really interesting scenarios where one officer on one ship can control 00:03:40.253-->00:03:45.258 systems on another, like shields. So Khan was a bit dismayed that admins in one domain can control 00:03:48.395-->00:03:54.134 domain resources in another and effectively become a domain admin on that other domain. So 00:03:54.134-->00:03:58.004 if you're a blue team member, don't be like Khan. [laughter] If you're a red team member, 00:03:58.004-->00:04:01.374 that's awesome, because that means that in a multi-domain forest environment, you 00:04:01.374-->00:04:06.613 compromise one domain, you compromise the entire forest. So let's talk about domain 00:04:06.613-->00:04:11.485 controllers for a moment. We know that you take a member server, you run DCPromo, it promos up to a 00:04:11.485-->00:04:16.490 domain controller, right? You have, there's a template NTDS.dit Active Directory 00:04:16.490-->00:04:22.429 database file on every member server that is used to seed that initial database.
And that 00:04:22.429-->00:04:25.899 domain controller being promoted will pull the domain data from other domain 00:04:25.899-->00:04:31.438 controllers in that domain to then fill that Active Directory database with the domain 00:04:31.438-->00:04:36.443 information, such as usernames, passwords. Computers have passwords, their passwords are in 00:04:36.443-->00:04:42.082 there also. Trusts have passwords, it's in there also. And so the users connect to these domain 00:04:42.082-->00:04:47.220 controllers for authentication and directory services, as do applications. So these are the 00:04:47.220-->00:04:50.724 critical servers in Active Directory. They host the global catalog. The global catalog 00:04:50.724-->00:04:55.128 can be thought of as a partition that goes across and crosses all the domains in the Active 00:04:55.128-->00:05:00.901 Directory forest, where it has information about every object in the Active Directory forest but 00:05:00.901-->00:05:05.272 a subset of the attributes. This means if you're doing some recon and you want to know about all 00:05:05.272-->00:05:10.443 the users in the whole AD forest, you just connect to the GC port on the domain controller and 00:05:10.443-->00:05:15.448 query that instead of connecting to every domain controller. So if DNS is used on a domain 00:05:17.784-->00:05:22.589 controller and the domain controller hosts it, oftentimes when you have AD-integrated, uh, 00:05:22.589-->00:05:27.093 DNS, this means the DNS information is stored in Active Directory and replicated through 00:05:27.093-->00:05:31.331 Active Directory. So then we have Read-Only Domain Controllers, which is this really 00:05:31.331-->00:05:37.370 weird animal that Microsoft came up with in 2008.
So it's read-only DC services, read-only DNS, 00:05:37.370-->00:05:42.142 read-only SYSVOL. This means that when you run into a read-only domain controller in an 00:05:42.142-->00:05:47.147 environment, it cannot replicate or send modifications to Active Directory to domain controllers, 00:05:49.316-->00:05:56.156 it's not allowed to. And it has its own krbtgt account, which means the Kerberos is 00:05:56.156-->00:06:01.962 cryptographically isolated from the rest of the domain. And the read-only domain controller does 00:06:01.962-->00:06:08.001 not have any passwords on it relating to that domain by default. You have to actually 00:06:08.001-->00:06:12.505 add them to a group so that their passwords can be cached there. So when a user logs onto 00:06:12.505-->00:06:17.944 a site that has a read-only domain controller, their password isn't on that read-only. So the 00:06:17.944-->00:06:22.182 read-only sends their authentication request to a writeable, and then the writeable 00:06:22.182-->00:06:26.152 services that authentication request, at which point the read-only says, well, give me the 00:06:26.152-->00:06:30.257 password for this user, and the writeable will check to see if that's allowed or disallowed 00:06:30.257-->00:06:35.161 based on group membership and then either send the password down to the read-only or not. 00:06:35.161-->00:06:39.032 This means that there are certain passwords that will be on read-onlys. Read-onlys are not 00:06:39.032-->00:06:44.838 trusted at the same level as regular domain controllers. So what this means is that if you 00:06:44.838-->00:06:49.743 find an administrator of a read-only, uh, read-only domain controller, which you can find by 00:06:49.743-->00:06:54.614 looking at the managedBy attribute for that read-only, you can compromise that and then you 00:06:54.614-->00:06:58.852 can compromise the passwords of the accounts that are stored on the read-only.
There's two 00:06:58.852-->00:07:03.923 really interesting attributes with read-onlys: authenticated to account list, these are all of 00:07:03.923-->00:07:07.060 the accounts that have authenticated to the read-only domain controller. Doesn't mean 00:07:07.060-->00:07:11.498 their passwords are on it. That's the revealed list. So if you run into an environment with read-only 00:07:11.498-->00:07:16.670 domain controllers, enumerate the membership, or the values that are in the revealed 00:07:16.670-->00:07:21.808 list attribute, for the read-onlys. And then you'll know all the passwords that are on there. 00:07:21.808-->00:07:27.781 Technically the environment and the administrators are supposed to add admins to the Denied RODC 00:07:27.781-->00:07:31.818 Replication Group; they don't often do that. An admin group's account can end up on read-onlys. 00:07:31.818-->00:07:36.823 So how do clients discover DNS, or I'm sorry, domain controllers? Well, DNS: we run a 00:07:39.693-->00:07:46.099 DNS query, we get the SRV records for domain controllers. Or we can use ADSI if we have 00:07:46.099-->00:07:52.272 PowerShell, which is highly recommended. But how do clients do this? Well, we have networks, 00:07:52.272-->00:07:57.377 subnets in the real world, right? That's how stuff talks to each other. We take those network 00:07:57.377-->00:08:01.915 subnets and you put them in Active Directory and you associate them with sites. And 00:08:01.915-->00:08:06.853 this maps AD to the physical world. This enables the client in one location to communicate 00:08:06.853-->00:08:10.857 with the domain controller in that same location, or at least nearby, as well as resources like 00:08:10.857-->00:08:17.497 DFS shares. The interesting thing is that if a client asks a domain controller what site I'm 00:08:17.497-->00:08:23.169 in, and the domain controller can't map that client's IP address to a subnet, the DC goes, I 00:08:23.169-->00:08:27.974 have no idea. Try again.
That client goes, hey, domain controller, what site am I in? It 00:08:27.974-->00:08:31.144 says, I don't know, try again. And it happens several times and finally the client gives up and 00:08:31.144-->00:08:35.448 just picks a domain controller. So this is interesting, because that means logs may actually be 00:08:35.448-->00:08:40.620 on a totally different domain controller for that activity, for that computer, than what the IR 00:08:40.620-->00:08:46.192 team or what the blue team is looking for, if they haven't configured sites correctly. So 00:08:46.192-->00:08:52.098 Group Policy is a way to manage user and group, sorry, user and computer policy and security 00:08:52.098-->00:08:55.869 settings. You create a Group Policy, you configure the settings on it, you link it to an 00:08:55.869-->00:09:02.542 OU or domain, and you have the Group Policy Object, which is in AD. The computer boots up, it 00:09:02.542-->00:09:06.513 identifies what OU it's in, what Group Policies are applied. There's a link in that Group 00:09:06.513-->00:09:11.017 Policy Object to SYSVOL to say these are where those files are, those Group Policy files and 00:09:11.017-->00:09:15.488 settings that need to be applied, so it copies down those files and applies them. The 00:09:15.488-->00:09:19.793 interesting thing here, and it works the same for users, the interesting thing here is if you 00:09:19.793-->00:09:24.731 can insert yourself between that domain controller SYSVOL share and that client and get the 00:09:24.731-->00:09:29.869 client to connect to your SYSVOL share, you can actually have that client run your own version of 00:09:29.869-->00:09:34.808 that Group Policy. Also, if you can modify the Group Policy Object in Active Directory or 00:09:34.808-->00:09:40.413 those settings files in SYSVOL, then you can have that, uh, computer apply these policy 00:09:40.413-->00:09:46.386 settings.
Well, Group Policy has a lot of capabilities. This could be adding local administrators, 00:09:46.386-->00:09:51.124 adding, update services, so you can add or update services, deploy and schedule tasks and so on, 00:09:51.124-->00:09:56.629 software, etcetera. So let's talk about some of the more fun stuff. PowerShell. Everyone uses 00:09:56.629-->00:10:01.301 PowerShell now as an attack tool, it's awesome. Run code in memory without touching disk, 00:10:01.301-->00:10:06.239 download and execute code from another system, interface with .NET and the Windows APIs. 00:10:06.239-->00:10:12.312 There's been nothing like it on the Windows platform before. And about six years ago at DEF CON 18, 00:10:12.312-->00:10:17.317 Dave Kennedy and Josh Kelley talked about PowerShell OMFG, I mean, it was amazing, and they 00:10:19.919-->00:10:25.024 talked about a lot of the great features that PowerShell has for attackers and for red teamers, 00:10:25.024-->00:10:29.629 and guess what? Ransomware, I think the ransomware authors have just viewed that, because 00:10:29.629-->00:10:34.334 they're starting to use these techniques. And in 2012, just a couple years later, Matt Graeber 00:10:34.334-->00:10:38.938 released PowerSploit, which is effectively the foundational PowerShell attack tool framework 00:10:38.938-->00:10:42.742 that just about all of the PowerShell attack tools leverage, which includes 00:10:42.742-->00:10:47.747 Invoke-Mimikatz. PowerShell version 5: great for blue teamers. Red teamers, you have to tiptoe a 00:10:50.083-->00:10:54.487 little more carefully once PowerShell version 5 security's enabled, because what this means 00:10:54.487-->00:11:01.161 is if they have script block logging enabled.
Even if you've obfuscated your PowerShell code, 00:11:01.161-->00:11:05.465 before it's executed by the PowerShell engine, whatever that final code is that's been 00:11:05.465-->00:11:11.671 deobfuscated, it gets logged to the event log in 4104. And if they've enabled system-wide 00:11:11.671-->00:11:16.943 transcript files, this is really interesting, because they'll have set up a write-only share on the 00:11:16.943-->00:11:21.981 network where everything you type into PowerShell on the computer that has version five 00:11:21.981-->00:11:26.386 with this enabled, that transcript file will be sent, streamed effectively, to that 00:11:26.386-->00:11:31.457 network share. So it's per computer, per user, which means they'll have an over-the-shoulder 00:11:31.457-->00:11:35.728 transcript of everything that was typed, including any typos, which is 00:11:35.728-->00:11:40.733 always interesting. Constrained language mode is a version of PowerShell, or a language mode 00:11:43.336-->00:11:48.908 for PowerShell, which locks PowerShell down to the base elements. So no .NET, no API 00:11:48.908-->00:11:55.315 calls. Invoke-Mimikatz will not work in constrained language mode. If an environment has 00:11:55.315-->00:11:59.986 PowerShell version five and AppLocker in allow mode, PowerShell locks down in constrained 00:11:59.986-->00:12:05.825 language mode automatically. And in Windows 10 it gets even more interesting, because Windows 10 00:12:05.825-->00:12:11.798 introduces the AMSI, the Antimalware Scan Interface, where any PowerShell code or VBScript 00:12:11.798-->00:12:18.238 code, before it's executed by the PowerShell engine, it's kicked over to the AMSI, which sends it 00:12:18.238-->00:12:22.308 over to the antimalware solution.
And the antimalware solution will give a thumbs up 00:12:22.308-->00:12:27.680 or a thumbs down. If it's a thumbs down, PowerShell will not execute that code, be it downloaded from 00:12:27.680-->00:12:33.586 the internet and run in memory or run from a script. Now there's only a couple of vendors that 00:12:33.586-->00:12:39.692 support AMSI, so red teamers, you're still in good shape. Microsoft supports it, and AVG, I 00:12:39.692-->00:12:44.631 don't know why. We're still waiting on McAfee and Symantec to catch up, I guess. But there's 00:12:44.631-->00:12:50.670 also ways to bypass AMSI. If you're using an, an executable that's calling PowerShell code 00:12:50.670-->00:12:55.575 and you drop your custom amsi.dll file in that same location, you can effectively 00:12:55.575-->00:13:01.481 hijack the AMSI calls and just say no, no, no, this code's okay, don't worry about it. Or Matt 00:13:01.481-->00:13:08.254 Graeber, PowerSploit author, he figured out how to fit into a tweet the PowerShell command 00:13:08.254-->00:13:13.259 that bypasses AMSI. [laughter] Pretty awesome. Microsoft is working on it, I mean, this is a 00:13:16.262-->00:13:21.267 year later. Not the tweet, the tweet's only a couple months old. The Anniversary Update for 00:13:24.604-->00:13:29.876 Windows 10 is out, so maybe that'll fix it. So Lee Christensen released Unmanaged 00:13:29.876-->00:13:34.681 PowerShell not that long ago. It's been rolled into Metasploit, and basically this allows you to 00:13:34.681-->00:13:39.252 call a lot of PowerShell commands and run PowerShell code without calling powershell.exe, 00:13:39.252-->00:13:45.391 among other things. And one of my favorite PowerShell attack tools, PS Attack, is a single 00:13:45.391-->00:13:51.064 executable which contains some of the popular and best PowerShell attack tools that are 00:13:51.064-->00:13:56.335 out there. It encrypts them into the executable, and there's a build tool so you can custom 00:13:56.335-->00:14:02.341 encrypt your own.
And when it runs, it decrypts these files, or these PowerShell functions, in 00:14:02.341-->00:14:08.281 the memory where you can run them. And guess what? Constrained language mode is no longer a 00:14:08.281-->00:14:13.586 problem, because when you run PowerShell code from an executable it bypasses the 00:14:13.586-->00:14:18.191 standard mechanism that, that handles constrained language mode, because Microsoft wanted to 00:14:18.191-->00:14:23.730 make sure it was compatible for all the applications that may be calling PowerShell. What about 00:14:23.730-->00:14:30.570 PowerShell version 5 logging? It bypasses that also. Why does this happen? Well, in Windows 7 00:14:30.570-->00:14:33.940 you have PowerShell version 2 as your base level PowerShell version, and then when you 00:14:33.940-->00:14:39.912 install PowerShell level 5, or version 5, it kind of layers on top of that. So PS Attack, through 00:14:39.912-->00:14:45.518 Unmanaged PowerShell and some other fun trickery, actually calls the System.Management.Automation.dll 00:14:45.518-->00:14:51.257 that is PowerShell at that lower level version, which is version 2, which 00:14:51.257-->00:14:57.630 enables it to bypass and make sure that those, that all of that, ah, information, the script code 00:14:57.630-->00:15:03.469 and the result, are not logged. Now smarter organizations will remove PowerShell version two 00:15:03.469-->00:15:08.474 from Windows 10, which you can uncheck the box, and when that happens this log just flows with 00:15:10.910-->00:15:15.915 data when you run PS Attack.
So let's talk about some fun, effective Active Directory recon, 00:15:18.384-->00:15:23.589 ideally getting more information about the environment than the AD admins. So I'm going to talk a 00:15:23.589-->00:15:29.195 lot about PowerView, written by my friend Will Harmj0y. So PowerView has a lot of great 00:15:29.195-->00:15:33.366 tools in order to get information about Active Directory, and I'm going to call 00:15:33.366-->00:15:36.803 a bunch of them out so that way hopefully you can start adding this to your toolkit. At the 00:15:36.803-->00:15:41.340 top of the graphics is the PowerView command. I'm also comparing that with the Active 00:15:41.340-->00:15:45.444 Directory PowerShell module, which is available on the Windows servers and the 00:15:45.444-->00:15:48.948 computers, uh, the workstations, if it's installed and configured, so that way you can do some 00:15:48.948-->00:15:53.219 comparison. But we get information about the Active Directory forest. We can get the 00:15:53.219-->00:15:56.956 name of the forest, the sites that are in the forest, so that we can map out what's in that 00:15:56.956-->00:16:00.726 environment. In fact a really effective way to get information about an Active Directory 00:16:00.726-->00:16:05.731 environment or enterprise is to pull the site information and the subnet information, and you 00:16:05.731-->00:16:11.304 can effectively map out the entire network just with Active Directory. You can get 00:16:11.304-->00:16:15.608 information about the domains that are stored in that forest, the global catalogs. Microsoft 00:16:15.608-->00:16:19.679 recommends that every domain controller is a global catalog, so this means that with one 00:16:19.679-->00:16:24.050 command you've hit a list of pretty much all the domain controllers in the organization.
00:16:24.050-->00:16:29.088 Application partitions, so this will show you, for example, in the graphic right here you can see 00:16:29.088-->00:16:32.792 that there's DNS that's integrated in Active Directory, because there are 00:16:32.792-->00:16:38.231 application partitions. The forest mode here, it says 2008-R2-forest. That tells me 00:16:38.231-->00:16:42.301 what security enhancements are not available to those admins in this Active Directory 00:16:42.301-->00:16:48.641 environment, and then of course we see what the, uh, schema and the domain naming FSMOs are. We 00:16:48.641-->00:16:53.579 look at the domain information: what forest is it in, all of the domain controllers, any child 00:16:53.579-->00:16:58.551 domains, the domain mode, again telling us what kind of security is, is available. The PDC 00:16:58.551-->00:17:02.555 emulator, so if you're a red teamer and you want to know what domain controller to connect to 00:17:02.555-->00:17:07.727 when you do all your activity, you might want to target the PDC emulator. Why is that? It is the 00:17:07.727-->00:17:12.265 busiest domain controller on the network. It is also the mo-, the best connected, by Microsoft 00:17:12.265-->00:17:18.371 recommendations. You could also target one that's alway-, you know, gotta branch off somewhere, 00:17:18.371-->00:17:23.709 but the logs on the PDC are going to be super busy, and it's also typically a best practice 00:17:23.709-->00:17:30.116 to co-host all of the FSMOs on the same domain controller, so it's going to be extra busy. So 00:17:30.116-->00:17:35.187 we have forests, we have domains, we've talked about Star Trek and how awesome it is, but let's talk 00:17:35.187-->00:17:41.994 about trusts for a minute.
If an organization has trusts to other business de-, business units in 00:17:41.994-->00:17:48.234 their environment, they may have actually and accidentally compromised their environment, 00:17:48.234-->00:17:53.406 because a lot of times they create another domain or another forest because of trust issues, 00:17:53.406-->00:17:57.076 right? They're like, I don't really trust that business unit, R&D, they kind of do their own 00:17:57.076-->00:18:00.947 thing, they're kinda cowboys, cowgirls, we'll let them do their thing. But then they create a 00:18:00.947-->00:18:06.419 trust and say we trust everyone in that domain, and then they'll do a two-way trust. And Will 00:18:06.419-->00:18:12.425 Harmj0y has covered a lot of good information about exploiting across trusts. So 00:18:12.425-->00:18:15.595 when you dig for joy in Active Directory, you're looking for default and weak passwords, 00:18:15.595-->00:18:21.033 right? I've found passwords stored in user attributes, so check the description fields for 00:18:21.033-->00:18:26.372 accounts, check for the extension attributes, those custom attributes. Sensitive data can 00:18:26.372-->00:18:30.676 be stored in Active Directory because the administrator doesn't realize all of these 00:18:30.676-->00:18:36.449 attributes, or at least most of them, are available for authenticated users to read. 00:18:36.449-->00:18:41.087 There is an attribute called a confidential attribute, which by default only domain admins can 00:18:41.087-->00:18:45.091 view. That's where sensitive stuff should be stored, that's where BitLocker keys are stored 00:18:45.091-->00:18:50.096 by default, that's where the LAPS passwords are stored by default. Deleted objects, so when an 00:18:53.232-->00:18:58.237 Active Directory admin deletes an object in Active Directory, is it gone? No, no, let me hear no, no, 00:19:01.540-->00:19:08.047 there you go, exactly, you know, right?
It's not deleted, it's marked as deleted, it's hidden, but 00:19:08.047-->00:19:13.052 the data is still there. And so sometimes admins will create an account for, I don't know, a CEO 00:19:13.052-->00:19:15.921 and put some information in there like a home phone number, like, oh, I shouldn't have done 00:19:15.921-->00:19:21.427 that, delete. Guess what? It's still in Active Directory. You can search for objects that have 00:19:21.427-->00:19:24.997 the isDeleted flag and pull that and look at it, and you might find some very interesting 00:19:24.997-->00:19:30.002 information. So I'm going to refer to Will Harmj0y on most of the user and admin hunting 00:19:33.139-->00:19:37.376 activities because he covers it far better than I do and he has a lot of sessions on it, but 00:19:37.376-->00:19:42.481 effectively using Invoke-UserHunter as part of PowerView to go through and identify user 00:19:42.481-->00:19:48.020 home directory servers and shares, profile path servers and shares, logon script paths, run 00:19:48.020-->00:19:52.692 Get-NetSession against each of them and get information about where they're logged on, and then 00:19:52.692-->00:19:57.696 you can start mapping out who is where and, uh, what rights they have. But even better than that, 00:20:00.199-->00:20:05.304 go to the Veris Group session on Saturday at one o'clock on BloodHound, which they announced 00:20:05.304-->00:20:12.011 at BSides Las Vegas just a couple days ago.
BloodHound enables you to use PowerView to 00:20:12.011-->00:20:18.184 eng-, to query and get information, put it, ah, get information about the Active 00:20:18.184-->00:20:23.622 Directory environment, put it into a graph database and graph out all of the connection points 00:20:23.622-->00:20:29.895 between users and groups and computers, and very quickly and easily identify that this user 00:20:29.895-->00:20:33.899 can go to this group, can have access, have admin access to this computer, has admin access to 00:20:33.899-->00:20:40.039 this computer where this domain admin's logged on to, and now I have domain admin access. So the 00:20:40.039-->00:20:45.411 initial gathering information takes a little while, but that graphing is very quick, so I 00:20:45.411-->00:20:50.316 highly recommend you check that out. It's called BloodHound. So there's some interesting user 00:20:50.316-->00:20:55.321 properties on the user objects: last logon date, password last set. adminCount is a really 00:20:57.756-->00:21:02.595 interesting one, because if adminCount is set to one, it's very likely that user account is a 00:21:02.595-->00:21:07.867 member of Domain Admins or another privileged group, because there's a process that actually 00:21:07.867-->00:21:12.938 runs every sixty minutes to protect privileged groups in Active Directory and it stamps 00:21:12.938-->00:21:16.909 them with adminCount equals one. It doesn't go back later and remove it, so you could have some 00:21:16.909-->00:21:20.880 false positives here, but it can provide some really interesting information. SID history is 00:21:20.880-->00:21:25.317 another interesting one.
The SID history attribute can contain a SID from another user and 00:21:25.317-->00:21:29.955 provide the same level of access as that user. It's effectively permission cloning, so if you 00:21:29.955-->00:21:35.027 find user accounts with SID history, and that SID history is for another user that has some 00:21:35.027-->00:21:40.032 really interesting capabilities and rights, you could probably clone that or use that, um, 00:21:40.032-->00:21:45.237 account. Custom attributes contain some interesting information. A lot of times 00:21:45.237-->00:21:51.243 organizations code or categorize users using custom attributes. And if there's data in the 00:21:51.243-->00:21:55.114 service principal name, that means that this user account is a service account, is a 00:21:55.114-->00:22:01.887 Kerberos service account. Same thing for computer objects. Ah, let me just call out that these 00:22:01.887-->00:22:07.059 attribute names are specific to the Active Directory PowerShell module, ah, cmdlets, so they 00:22:07.059-->00:22:12.398 may not translate exactly. Last logon date, so this was effectively when that computer 00:22:12.398-->00:22:16.869 was last rebooted. So what you can do is you can get a list of all the computers, find out when 00:22:16.869-->00:22:20.673 they last rebooted, look at password last set to see if they're still active on the 00:22:20.673-->00:22:26.512 network. If a computer hasn't updated their password last set attribute in, say, sixty days, 00:22:26.512-->00:22:33.285 because by default they should, all the Windows computers should update in around thirty, then if 00:22:33.285-->00:22:36.488 they haven't updated in that time, that computer may not be on the network. But if they 00:22:36.488-->00:22:42.127 have updated within that time frame and the last logon date is six months or eight months, 00:22:42.127-->00:22:46.966 that system hasn't been patched in a long time, so that may be something you want to look more 00:22:46.966-->00:22:51.403 closely at.
And Windows computers by default register their operating system and 00:22:51.403-->00:22:57.142 related information in Active Directory, but so does Linux, so does Mac, so do some 00:22:57.142-->00:23:03.449 storage devices like NetApp and EMC. So you can find information about what's in Active Directory 00:23:03.449-->00:23:08.120 just by asking Active Directory for it. Service principal name, you can get the information 00:23:08.120-->00:23:13.292 about the Kerberos enterprise services on these computers, and then the last two are related to 00:23:13.292-->00:23:16.795 Kerberos delegation, and I've spoken about how to leverage Kerberos unconstrained 00:23:16.795-->00:23:22.801 delegation to compromise a domain last year at Black Hat. Did you know that you can do DNS 00:23:22.801-->00:23:29.041 lookups via LDAP? It's pretty cool, right? I don't have to ask DNS, where it's probably logged 00:23:29.041-->00:23:32.544 and there's some information about what people are querying for. I can just look at Active 00:23:32.544-->00:23:36.615 Directory and say okay, give me a list of these computers, all of the domain controllers and all 00:23:36.615-->00:23:41.620 their IP addresses, and it'll go: sure, here you go. Or I can get, I can do a reverse 00:23:43.889-->00:23:49.728 lookup: what's the site, what's this computer related to this IP address? Even if there's not a 00:23:49.728-->00:23:55.567 pointer record configured in DNS, because this is all through Active Directory.
So in the old 00:23:55.567-->00:24:00.873 days we had to actually do port scanning to find enterprise services. Nowadays we can use 00:24:00.873-->00:24:04.643 something that I call SPN scanning, which is much more efficient, because Kerberos 00:24:04.643-->00:24:09.281 services have to have a service principal name associated in Active Directory and registered 00:24:09.281-->00:24:15.321 in Active Directory. So there's a number of SPN types like MSSQLSvc, TERMSRV, WSMAN, 00:24:15.321-->00:24:21.961 FIMService, exchangeMDB. We can search for these, we can ask Active Directory for this 00:24:21.961-->00:24:27.199 information and it will give it to us. So we can find all the SQL servers very easily, and the 00:24:27.199-->00:24:34.206 format has the SPN type, server name, and SQL often has a port number or an instance at the end. 00:24:34.206-->00:24:37.343 So we can get this information by just asking Active Directory and the domain 00:24:37.343-->00:24:41.113 controller, and we can get a list of all of the servers, their port number, the service accounts 00:24:41.113-->00:24:45.751 associated with them and some additional information. We can also request all of the user 00:24:45.751-->00:24:50.956 accounts that have service principal names associated with them, which are service accounts. 00:24:50.956-->00:24:54.827 And we can leverage a tool called Kerberoast that takes advantage of how Kerberos 00:24:54.827-->00:25:00.299 works, where we can request a service ticket for a specific service principal name or 00:25:00.299-->00:25:05.838 service principal names, and then the domain controller is going to look at that user account 00:25:05.838-->00:25:10.843 associated with that SPN and it's going to encrypt that using the password hash for that user 00:25:13.011-->00:25:18.016 account, and then send it back to us. And if we've requested RC4 encryption, guess what?
That password hash is the NTLM password hash, so we can take that service ticket, encrypted with RC4, encrypted with that service account's NTLM password hash, take it offline to our attacker machine and we can run Kerberoast against it, which takes a dictionary list, goes through each of those words, does a one-way hash function, then gets the NTLM password hash and then attempts to decrypt that service ticket using that. And if it's right, if it can open it, then it's guessed the password for that service account offline, without any admin access, without it ever touching the target or communicating with the target.

So the old school way for group enumeration, finding your domain admins, is what? Right, group name Domain Admins; we have two: Luke Skywalker, ADSAdministrator. We can also enumerate the membership of the RODC groups, Denied RODC Password Replication Group, because enterprises should be configuring this so that way these admins are not storing their passwords on RODCs, especially if they have RODCs in the environment. But remember when I mentioned admin count equals one gets stamped for privileged groups in AD? Well, there's four here. krbtgt is one of those special groups, so we'll put that to the side, but there were two members of Domain Admins, ADSAdministrator and Luke Skywalker; when we look for admin count equals one we have another one, Kylo Ren. Where did he come from?
He's a member of the Administrators group in the domain, so by looking for admin count equals one we can get a lot of information about potentially privileged accounts; remember there could be some false positives, without any group enumeration. And then one of my favorite components of PowerView is the ability to identify what Active Directory groups have local administrator rights in the environment, because when you have a large environment it's very difficult to manage all of these workstations, so what are you going to do? You're going to create a group policy that says your workstation admins group in Active Directory should be a member of local Administrators for all of my workstations, so we're going to take that group policy, configure it and apply it to the OU that has all of the workstations. Well, PowerView can pull that information out and identify which AD admin groups, or AD groups, have admin access to which computers, and we can do that by targeting a specific OU, and then we can get a list of what group policies apply, and here is the workstation admins group. And then the second command that we run will give us a list of all of the computers in that OU, and then of course all we need to do is enumerate the membership of workstation admins and then we know who to target.

So I tried to work in the, uh, Defcon theme this year, attack of the machines, so computers with admin rights.
Why are people putting computer accounts in admin groups? I don't know, I keep finding it. What does this mean? If you find computer accounts, they have a dollar sign at the end, in an admin group, all you have to do is compromise that computer account and get SYSTEM on it, and at that point that SYSTEM account has those admin rights in Active Directory. So in this case they added a regular computer to workstation admins. We can discover regular users with admin rights: users typically have an email address, especially if you're running Exchange in the organization, or they have a specific naming format like firstname dot lastname; we can look for admin accounts, or user accounts in admin groups, this way. Now Exchange admins often will have an email address associated with them, so you have to filter some of those out, but it's a nice way to find regular user accounts that have more rights than they should. We can also look for virtual admins, Hyper-V admins, VMware admins, that are often groups in Active Directory that have full admin access to the virtualization platform. Compromise those accounts, you own the infrastructure.
But we can also follow the delegation in Active Directory: what delegation has been configured on the OUs in the domain? These are permissions that have been configured directly on the OUs, and here we can see that someone has delegated to the Accounts OU Help Desk Level 2 and Help Desk Level 3, but they made a mistake: both of those tiered levels have full rights on all objects, an obvious mistake except for the fact that ACLs are very difficult to parse through and look at and identify. So this means Level 3 has far more rights than they should, because they probably should just have reset password access. So we enumerate that group, we see C3PO is the user account that's a member of that group, so we target his account, we tell him we speak Bocce and we're in good shape, right?

We can also use the PowerSploit tool Get-GPPPassword to identify credentials in SYSVOL. It scans the SYSVOL, ah, share on the domain controller, it identifies XML files that have a cpassword attribute, and that gobbledygook that you see is the encrypted password string, which we can decrypt because Microsoft published the decryption key. Thank you. [laughter] When an organization has Exchange we can also get information about who they commonly email.
In Outlook you have your contacts; people should be putting their most commonly emailed people in the contacts component, but we can add contacts to Active Directory so they show up in the GAL, and they are objects in Active Directory now, which means we can get a list of all the contacts in the organization, which is moderately interesting. Much more interesting to me is actually parsing through that and identifying what domains they associate with and who they email with. And as we can see here it's empire, rebel alliance, rebel fleet, star killer, the alliance, first order; I think they're playing both sides, it's really interesting. [laughter] We can also get information about the domain password policies: again, at the top using PowerView, which also gives us the Kerberos policy, the bottom using the Active Directory PowerShell module, and this is the default password policy, so if you see that the min password length is seven in an organization, write it up and say please don't do that. If you need to do something like that, use fine-grained password policies, which of course we can pull as a domain user, and oftentimes the best way to manage passwords for administrators and service accounts is to create a fine-grained password policy that says that they have to have longer passwords than the rest of the domain.
So we can also discover all the group policies in the organization that Authenticated Users have read access to, which is all of them by default, and so we took a look at them. We can see, alright, there's a domain PowerShell logging policy, a full auditing policy, prevent local account logon, that's interesting. Add server admins to local Administrators groups, add works..., okay. EMET config, AppLocker config, and LAPS, that's interesting. So we can actually pull the AppLocker whitelisting policy from Active Directory. Now I cheated, it's in binary format, I just converted it to text and parsed it, but I got enough information here that tells me that they're running AppLocker in the default configuration settings, so now I know where I can drop executables and run them from. These policies should be locked down so Authenticated Users don't have read access. EMET configuration: now I know how they're protecting their files, their executables. Again I cheated, it's a binary file in SYSVOL, but I converted it to text and I can get a good amount of information from there. And there's a LAPS policy, but it's not that interesting because it's just going to say how long that password is and how often they change it.
More interesting is using PowerView to pull the permissions for who has rights to the LAPS password attribute where that clear text password is stored, which is ms-Mcs-AdmPwd, and with this information we can identify who has the ability to view the LAPS passwords, so we can go after those accounts, because once we have that we can then pull from Active Directory a list of all of the local admin accounts on all the computers that those users have read access to. So I wrote my own, which has a very nice list of the groups that actually have LAPS delegation and where they apply to, and I'll be working with Will (harmj0y) to get this into PowerView so that way you have some good information as well, because otherwise you need some crazy command foo to type all that in.

So let's talk about Active Directory defenses and bypasses. Organizations say you shall not pass; are they right? No. Didn't know Captain Jean-Luc Picard was Gandalf, but whatever. [laughter] So Florian Roth posted a really great graphic that shows the common exploit paths for Windows; they posted this on Twitter. I'm not going to cover this, but it's there for reference, so you run through the same process you always have when you run into these defenses, when they're actually setting up good quality defenses in the organization.
One thing that's been popped around a lot in the last year on Twitter is the concept of honey tokens or honey credentials, which for the instance of this talk are credentials injected into memory, deployed somehow, often using runas /netonly, but these may or may not be real on the network. So if you drop on a box and you dump credentials and you're like, wow, this looks great, I got all these credentials: check AD to see if it's a valid account, check to see if it makes sense, does it pass the sniff test, or is it a trap?

>> It's a trap!

>> So if they're using the Microsoft Local Administrator Password Solution, or LAPS, they're randomizing all of those local administrator passwords on the computer, which is great! In fact in your red team report at the end, when you own them completely, you should say yeah, use LAPS or something like that, because I used your local admin accounts to jump from one to the other, and I like my job to have some challenge and some mystery in it. [laughter] So if they have LAPS configured you can use PowerUp to get local admin rights, obviously dump the credentials, look for service accounts, the usual stuff. You can find AD accounts that have local admin rights, you can find AD accounts with LAPS password view rights, or, a lot of organizations deploy LAPS but LAPS only controls one password, one account's password, which is usually the default admin account, and a lot of organizations still have a lot of additional local admin accounts which may be spread across the same systems, so look for those.

Network segmentation has become very popular; admin systems are placed in a separate network segment where you can't easily get to them, but there's always a way. Find the admin accounts, figure out where they log on. Compromise the patching system, because they may have isolated those admin computers and workstations and servers, but they're still using the same messy SCCM to patch the workstations, their servers, their domain controllers. Stop patching domain controllers with the same system you use to patch everything else, blue teamers. Or maybe there's no members in Domain Admins, but everyone forgets about the Administrators group. Domain Admins gets its Active Directory rights through being a member of the domain Administrators group. Domain Administrators has full rights to AD; Domain Admins have full rights to workstations and servers by default in addition. So look for custom delegation like tier or level or workstation or server admins, because someone has rights somewhere.
Microsoft has a great whitepaper about the Privileged Admin Workstation, which is really the baseline for what should be an admin workstation environment, but organizations cheat and it's very difficult to get this right; it's difficult to go through the whole list of steps and configure it properly. So if you compromise the install media or the patching system then you can get admin rights on their admins' workstations, or you compromise the communication, which is supposed to be encrypted using IPsec or something similar, which may not be. Jump or admin servers are very popular, right? We have this one server, all our admins go to it, they log on to that, but if they're not using an admin workstation, they're using their regular user workstation, all we need to do is drop a keylogger on there. PowerSploit has a great PowerShell-based keylogger; we can get those credentials when they type them into their RDP session. Or if they have two-factor enabled on RDP, two-factor often isn't enabled, or possible to my knowledge, for WMI or WinRM/PowerShell Remoting, PSExec or named pipe. And if you compromise their jump server you own the domain, if the organization has not separated their ad- their admin tiers into tier zero Active Directory administrators, tier one server admins, application admins, and tier three workstation admins, where they're not supposed to log in to each other, and maybe they have one admin server for all of these?
Ah, that's easy: compromise the workstation admin and then jump up to domain admin. So Microsoft's goal is to get everyone to put their Active Directory admins or domain admins into an admin forest, a red forest, and ultimately their admin accounts that are at lower tiers into another forest; that way they're protected by the, uh, from the protection forest and all of the legacy stuff that's there. Most organizations can't get up to 2012 R2 across all of their servers and computers, can't get up to Windows 10 on their workstations. You can do that in an admin forest. It's a nice recommendation and Microsoft has a great write-up on it, so you can point them to that; it will make it a lot more difficult for the red teams in the future and the attackers to actually get full Active Directory, to get domain admin, because again you want your job to be interesting, not easy.

So there is a universal bypass for most defenses: get full access, from my first slide, remember that? No, I'm just kidding. It's service accounts. Service accounts are the universal bypass for most defenses. So even if they put all of their Active Directory admins or domain admin user accounts into that admin forest, usually there are service accounts that have rights. Why? Because they're over-permissioned. They're not protected like admins. They have weak passwords. No two-factor, and limited visibility and understanding.
There are service accounts that have been in that organization longer than the people that are administering the server, and they have no idea why those accounts are still there or why they have that access.

So some interesting Active Directory facts. All Authenticated Users have read access to most if not all objects and their attributes. All Authenticated Users have read access to most if not all contents of SYSVOL, which includes group policy and scripts and other things that AD admins just put in there because they never think anyone will find them, including files with passwords in them. You're kidding me. Standard users can have elevated rights through the magic of SID history even if they're not a member of any group at all. They could even modify a user or group without elevated rights through custom OU ACLs, custom permissions. Or if they have access to modify group policy that's linked to the domain or an OU, they could take over that group policy and control the organization.

So you're a red teamer, you got domain admin in the organization, pop the champagne, woohoo, we won, right? That was a nice day's work. So we pull the domain admin account hashes; well, there's a few other things that you want to get. You want to get the krbtgt hashes; we know that we can create golden tickets with it, right?
You also want to grab the domain controller computer account password hashes, because even if the organization changes the first two, you could actually create a silver ticket using that domain controller hash to recompromise the organization and run Mimikatz DCSync to pull all the credentials, and I talked about this at Defcon last year. Interesting fun fact: NetApp by default does not change their computer account passwords in Active Directory unless you se- unless the admin goes in and schedules it; it's documented on NetApp's site. What does this mean? I pulled those device password hashes for NetApps and other storage devices, and I'm sure it's the same on others, and once I have that I can create silver tickets and have read access to all the files on those shares. And I learned recently from a red teaming friend of mine that NetApps often by default also share out on NFS in a Windows environment, so you want to check to make sure that these other file sharing services are not enabled when they're not needed. DSRM account password hashes: that's the default administrator account on the domain controller, the RID 500 account. If you pull these and they have a DSRM registry key set to two, you can actually pass the hash to the domain controller, run Mimikatz and run DCSync off of it, and I talked about this at DerbyCon last year.
So, security pro's AD checklist: identify who has AD admin rights in the a- domain, forest; identify who has the rights to log on to the domain controllers, this includes Account Operators, Backup Operators, Print Operators, Server Operators by default. If they haven't changed that, a help desk user may have the ability to log on to a domain controller because they put their help desk groups into Account Operators. Identify the virtual host admins; they may be in Active Directory, they're probably in Active Directory, and they're probably not well protected. Scan the domains, the OUs, the AdminSDHolder, and group policies for inappropriate group policy permissions. And in your report say please protect your Active Directory domain admins, make sure they only log on to admin workstations, admin servers, don't make my job easy. And limit the service account rights: go through all of them and figure out what accounts they need, go to that vendor and try to figure out what accounts they need.

So, quick PowerView AD recon cheat sheet, ah, these slides will be posted on ADSecurity dot org in about 15 or 20 minutes automatically, so you'll have all of this, but these are all the commands, er, functions I ran from PowerView so you can look at them later.

So in summary, Active Directory stores the history of the organization. Why is this?
Because they've deployed Active Directory, they've updated, they've modernized it; their organization paradigm for support and business has changed, so they've shifted things, they've moved things in, they've created new delegation, new delegation groups. Guess what? Most of that old stuff is still there hiding. If you can find it you can exploit it and you can help them fix it. If you ask the right questions of Active Directory you can map the Active Directory environment and the enterprise far better than what the admins know about; you can update their documentation for them [laughter] if they pay you for it. But you can quickly recon the environment in hours if not sooner depending on the size of the organization. But the business requirements ultimately subvert security every time. So in your reports make sure that you highlight this and say look, if you want to fix this you're going to have to spend some money, fix the resources, do what needs to be done. If you identify the proper leverage and apply it you will own Active Directory and you will help the organization fix it, because as a red teamer your job is to make the blue team better and help them level up their defenses, so that next time when you get brought in you run through your playbook and you go, wow, nice job! And you tell them that, and they'll love that. Say hey, great job on fixing these things we talked about later, we checked it, you did a great job. And you'll probably get hired again.
So that's my time, thank you very much for yours. Any questions? [applause]