What would a real hacker do to your AD
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s.
MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker
[email protected] | www.sevecek.com
Intro
What happens when they take one of your DCs? You are doomed
• must reinstall the whole forest from scratch
• may be able to restore the whole forest from the last clean backup, provided you are sure the intrusion will not happen again
Why do I show these things
• Secure machines physically
• Do not use domain admin credentials on insecure machines
• Separate administrative accounts
• Never use admin accounts to access services
• Stress strong passwords, or rather use smart cards
Agenda
• Physical DC security
• Password filters
• Hidden accounts
• Hidden scheduled tasks
• Forest is a security boundary
• Exploiting Kerberos delegation
• Logon without passwords
Physical DC security
Having physical access means you have full power over data, settings and binaries
• partially substitute physical security with BitLocker and TPM
• use RODCs at insecure locations
• hardware keyloggers
• reboot and offline modifications
Password filters
Password change/reset after an attack means nothing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
NotificationPackages = MULTI_SZ
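The point of the slide is that every module named in NotificationPackages is loaded into lsass.exe and handed each new password in clear text, so after an intrusion the list itself has to be verified. The PowerShell below is an added example, not code from the deck or from GOPAS: it reads the value, resolves each entry to its DLL, checks the Authenticode signature and compares against a baseline. The baseline list is an assumption for the example (scecli on every Windows box, rassfm on domain controllers) and should be replaced with what your own build ships.

```powershell
# Added example, not part of the GOPAS deck: audit the LSA NotificationPackages value.
# Each module listed there is loaded by lsass.exe and receives every password change in
# clear text, so the list must contain only packages you deliberately installed.
# The baseline below is an assumption for this example; adjust it to your own build.
$baseline = @('scecli', 'rassfm')   # assumed baseline; rassfm normally appears only on DCs

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name NotificationPackages).NotificationPackages

foreach ($pkg in $packages) {
    # Entries are normally module names without extension, loaded from System32;
    # an entry carrying a path is taken as written so it is reported where it really lives
    $dllPath = if ($pkg -match '[\\/]') { $pkg } else { Join-Path $env:SystemRoot ('System32\{0}.dll' -f $pkg) }
    $inBaseline = $baseline -contains $pkg.ToLower()
    $exists     = Test-Path -Path $dllPath

    $sigStatus = 'missing'
    $signer    = ''
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Anything outside the baseline, or without a valid signature, needs a human look
    $verdict = if ($inBaseline -and $sigStatus -eq 'Valid') { 'ok' } else { 'REVIEW' }

    [pscustomobject]@{
        Package    = $pkg
        Path       = $dllPath
        InBaseline = $inBaseline
        Exists     = $exists
        Signature  = $sigStatus
        Signer     = $signer
        Verdict    = $verdict
    }
}
```

A package only becomes active after a reboot, and at that point the Security log records event 4614 ("A notification package has been loaded by the Security Account Manager") for each one; collecting that event centrally gives you the same list without touching the registry on every machine.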
Hidden accounts
You are never able to do a 100% security audit after an attack
Not even Domain Admins can see everything
Hidden scheduled tasks
You are never able to do a 100% security audit after an attack
Not even the prominent audit tools know everything
• root\subscription
• ActiveScriptEventConsumer
Name =
ScriptEngine = VBScript
ScriptText =
' writes a timestamped marker file every time the bound filter fires
set fso = CreateObject("Scripting.FileSystemObject")
fileName = "c:\showit" & "-" & Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & "-" & Minute(Now) & "-" & Second(Now) & ".txt"
set newFile = fso.CreateTextFile(fileName)
newFile.WriteLine("I will be here for ever!")
newFile.Close()
Hidden scheduled tasks
You are never able to do a 100% security audit after an attack
… continuing …
• __EventFilter
Name =
QueryLanguage = WQL
EventNamespace = root\cimv2
Query =
SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA "Win32_LocalTime" AND TargetInstance.Second = 9
• Win32_LocalTime properties usable in the trigger condition: Second, Minute, Hour, DayOfWeek, Month, Quarter, Year, WeekInMonth
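The two slides above describe a permanent WMI event subscription: an __EventFilter (the Win32_LocalTime query), an ActiveScriptEventConsumer (the VBScript) and the __FilterToConsumerBinding that ties them together, none of which appears in Task Scheduler. The PowerShell below is an added example from the reviewer's side, not code from the deck: it walks root\subscription, pairs each binding with its filter query and consumer payload, lists orphaned filters and consumers, and pulls the WMI-Activity event that newer Windows versions write when such a subscription is registered. It uses only built-in cmdlets and assumes nothing beyond local administrator rights.

```powershell
# Added example, not part of the GOPAS deck: enumerate permanent WMI event subscriptions in
# root\subscription and pair each filter with the consumer it triggers, so a trigger such as
# the Win32_LocalTime query above and its ActiveScriptEventConsumer payload show up in review.
$ns = 'root\subscription'

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$report = foreach ($b in $bindings) {
    # Filter and Consumer are object references; their key property Name is populated
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

    # What the consumer actually runs depends on its class
    $payload = switch ($c.CimClass.CimClassName) {
        'ActiveScriptEventConsumer' { $c.ScriptText; $c.ScriptFileName }
        'CommandLineEventConsumer'  { $c.CommandLineTemplate; $c.ExecutablePath }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter        = $f.Name
        Namespace     = $f.EventNamespace
        Query         = $f.Query
        ConsumerClass = $c.CimClass.CimClassName
        Consumer      = $c.Name
        Payload       = (($payload | Where-Object { $_ }) -join ' ')
    }
}
$report | Format-List

# Filters or consumers without a binding are still worth a look: half-built or half-removed persistence
'--- Unbound filters ---'
$filters   | Where-Object { $bindings.Filter.Name   -notcontains $_.Name } | Select-Object Name, Query
'--- Unbound consumers ---'
$consumers | Where-Object { $bindings.Consumer.Name -notcontains $_.Name } | Select-Object Name

# Since Windows 10 / Server 2016, registering a permanent subscription also logs event 5861
# in the Microsoft-Windows-WMI-Activity/Operational channel, including the consumer details
'--- Recent permanent subscription registrations (event 5861) ---'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it as administrator on the machine under review; the three classes are queried separately rather than through the references in the binding because the reference objects carry only their key properties, not the script text or command line you actually want to read.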
Forest is a security boundary
Domain Admins from any domain of a forest are in effect Domain Admins in every other domain of the forest as well
• Site level GPOs
• No SID filtering inside forest
• NTAuth CAs
• Stealing KDC passwords (krbtgt account)
• …
Subdomain scenario (diagram): the forest root gopas.virtual with the child domains CZ.gopas.virtual and DE.gopas.virtual
Kerberos delegation with protocol transition
Password is not the only way to log on to network services
• no credentials necessary at all
Trust this computer to specified services only
• Any authentication protocol
Kerberos delegation (diagram): client Kamil → App Server → DB, LDAP, FS; the App Server accesses each back-end service as Kamil
Kerberos delegation with protocol transition (diagram): App Server → DB, LDAP, FS, accessed as Kamil without Kamil's credentials ever being presented
Delegation with PowerShell
Adjust-Privilege 7 $true
$winId = New-Object System.Security.Principal.WindowsIdentity '[email protected]'
[Security.Principal.WindowsIdentity]::GetCurrent()
$winId.Impersonate()
[Security.Principal.WindowsIdentity]::GetCurrent()
$domainAdmins = [ADSI] 'LDAP://CN=Domain Admins,CN=Users,DC=gopas,DC=virtual'
$domainAdmins.Add('LDAP://CN=Leos,OU=People,OU=Company,DC=gopas,DC=virtual')
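What makes the impersonation above work is a delegation setting on the account running the script, and what limits the damage is whether the impersonated principal may be delegated at all. The PowerShell below is an added example, not code from the deck or from the author: it lists accounts with protocol transition enabled (TRUSTED_TO_AUTH_FOR_DELEGATION), non-DC accounts with unconstrained delegation, and Domain Admins that are neither marked "sensitive and cannot be delegated" nor members of Protected Users. It assumes the ActiveDirectory RSAT module; the userAccountControl bit values and the bitwise-AND matching rule OID are the documented ones.

```powershell
# Added example, not part of the GOPAS deck: find the accounts whose delegation settings make
# the impersonation above possible, and the privileged accounts that are still delegatable.
# Requires the ActiveDirectory module (RSAT); the Protected Users group exists from the
# 2012 R2 domain functional level on.
Import-Module ActiveDirectory

# userAccountControl flags (documented values)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" = protocol transition
$bitAnd = '1.2.840.113556.1.4.803'           # LDAP_MATCHING_RULE_BIT_AND
$props  = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'

# Protocol transition: the account can obtain a service ticket for any user without that
# user's credentials, for the services listed in msDS-AllowedToDelegateTo
$protocolTransition = Get-ADObject -LDAPFilter "(userAccountControl:${bitAnd}:=${TRUSTED_TO_AUTH_FOR_DELEGATION})" -Properties $props |
    Select-Object Name, ObjectClass, @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# Unconstrained delegation outside domain controllers (DC computer objects carry primaryGroupID 516)
$unconstrained = Get-ADObject -LDAPFilter "(&(userAccountControl:${bitAnd}:=${TRUSTED_FOR_DELEGATION})(!(primaryGroupID=516)))" -Properties $props |
    Select-Object Name, ObjectClass

# Domain Admins that can still be delegated: NOT_DELEGATED not set and not in Protected Users
$protectedUsers = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DistinguishedName)
$exposedAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties userAccountControl |
    Where-Object { (($_.userAccountControl -band $NOT_DELEGATED) -eq 0) -and ($protectedUsers -notcontains $_.DistinguishedName) } |
    Select-Object SamAccountName, DistinguishedName

'--- Accounts with protocol transition enabled ---'
$protocolTransition | Format-Table -AutoSize
'--- Unconstrained delegation (non-DC) ---'
$unconstrained | Format-Table -AutoSize
'--- Domain Admins still delegatable ---'
$exposedAdmins | Format-Table -AutoSize
```

The first list is the one to keep short and documented; the third list is the cheap mitigation, since an account with NOT_DELEGATED set (or in Protected Users) cannot be impersonated through S4U at all, whatever the application server is trusted for.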
Smart card logon
Password is not the only way to log on to computers
NTAuth CA
• forest wide trust
• do not need to consult AD or touch LDAP at all
Notes
• ldap:///CN=GOPAS%20Root%20Online%20CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=gopas,DC=virtual?certificateRevocationList?base?objectClass=cRLDistributionPoint
Fake Microsoft CA
Something must always be trusted
Root CA
• CN=Microsoft Root Authority,OU=Microsoft Corporation,OU=Copyright (c) 1997 Microsoft Corp.
Code signing cert
• CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,S=Washington,C=US
Fake Microsoft CA
Longer validity for issued certificates
• CERTUTIL -setreg CA\ValidityPeriodUnits 5
No certificate template name extension
• CERTUTIL -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
No CRL paths into issued certificates
• certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
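Both the smart card logon slide (any CA in NTAuth can mint logon certificates for the whole forest) and the fake Microsoft CA slides (a root with a Microsoft-looking subject that you never enrolled) come down to the same question: which CAs are trusted, and did you put them there. The PowerShell below is an added example, not code from the deck or from GOPAS: it reads NTAuthCertificates from the configuration partition, reads the local machine's Root store, and marks anything outside a baseline of thumbprints. The baseline entries are placeholders to be filled from your own CA certificates; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not part of the GOPAS deck: list every CA the forest accepts for smart card
# logon (NTAuthCertificates in the configuration partition) and every root the local machine
# trusts, and flag entries missing from an operator-kept baseline. The baseline thumbprints are
# placeholders; fill them in from your own CA certificates. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$baselineThumbprints = @(
    '<THUMBPRINT-OF-YOUR-ROOT-CA>',       # placeholder
    '<THUMBPRINT-OF-YOUR-ISSUING-CA>'     # placeholder
)

function ConvertTo-Report {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store
    )
    $selfSigned = $Cert.Subject -eq $Cert.Issuer
    $inBaseline = $baselineThumbprints -contains $Cert.Thumbprint
    # Anything in NTAuth outside the baseline can issue logon certificates; a self-signed root
    # that presents itself as Microsoft but was not enrolled by you is the fake-CA scenario
    $verdict = 'check'
    if ($inBaseline) { $verdict = 'ok' }
    elseif ($Store -eq 'NTAuth') { $verdict = 'REVIEW: can issue smart card logon certs' }
    elseif ($selfSigned -and $Cert.Subject -match 'Microsoft') { $verdict = 'REVIEW: Microsoft-looking root outside baseline' }
    [pscustomobject]@{
        Store      = $Store
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        SelfSigned = $selfSigned
        InBaseline = $inBaseline
        Verdict    = $verdict
    }
}

# NTAuth store: forest-wide, read straight from AD (cACertificate is multi-valued DER)
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntauthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntauth   = Get-ADObject -Identity $ntauthDN -Properties cACertificate

$report = @(foreach ($raw in $ntauth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    ConvertTo-Report -Cert $cert -Store 'NTAuth'
})

# Local machine root store, where a fake Microsoft root has to land to be trusted at all
$report += @(foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
    ConvertTo-Report -Cert $cert -Store 'LocalMachine\Root'
})

$report | Sort-Object Store, Subject | Format-Table -AutoSize
```

Thumbprints, not subject names, are the comparison key on purpose: the slide shows that the subject of a CA certificate is whatever the issuer chooses to put there.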
SEE YOU
at the courses of the GOPAS, a.s. computer school
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI Deployment
GOC175 - Administering Security