This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
This document provides an overview of attacking Active Directory Federation Services (AD FS). It begins with an introduction to AD FS and how it works, allowing single sign-on for applications outside of Active Directory. It then discusses how to find AD FS servers on a network and potential vulnerabilities in default configurations. The document focuses on attacking identity provider adapters and the signing certificate as ways to impersonate the AD FS server and issue unauthorized tokens. It provides technical details on decrypting the signing certificate stored in the Windows Internal Database using the Distributed Key Manager.
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
The document summarizes the work of three pentesters who use tools like BloodHound and PowerView to analyze attack paths within Active Directory environments. It describes how they use these tools to hunt for logged-in users, enumerate administrative privileges, discover group memberships, and analyze object ACLs to escalate privileges and compromise systems. It also discusses defenses organizations can implement and how increased endpoint telemetry could help detect and prevent their techniques.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
This document discusses bypassing alerts from Microsoft Defender for Identity (MDI). It begins with an introduction to MDI and the types of alerts it generates. It then explores techniques for bypassing alerts during different phases of an attack like reconnaissance, credential compromise, and lateral movement. These include using alternative tools, limiting interactions with domain controllers, and complying with Kerberos policies. The document also notes techniques like silver tickets that are not detected by MDI. It concludes by acknowledging limitations of only testing alerts and not coupled defenses.
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
This document provides an overview of attacking Active Directory Federation Services (AD FS). It begins with an introduction to AD FS and how it works, allowing single sign-on for applications outside of Active Directory. It then discusses how to find AD FS servers on a network and potential vulnerabilities in default configurations. The document focuses on attacking identity provider adapters and the signing certificate as ways to impersonate the AD FS server and issue unauthorized tokens. It provides technical details on decrypting the signing certificate stored in the Windows Internal Database using the Distributed Key Manager.
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
The document summarizes the work of three pentesters who use tools like BloodHound and PowerView to analyze attack paths within Active Directory environments. It describes how they use these tools to hunt for logged-in users, enumerate administrative privileges, discover group memberships, and analyze object ACLs to escalate privileges and compromise systems. It also discusses defenses organizations can implement and how increased endpoint telemetry could help detect and prevent their techniques.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
This document discusses bypassing alerts from Microsoft Defender for Identity (MDI). It begins with an introduction to MDI and the types of alerts it generates. It then explores techniques for bypassing alerts during different phases of an attack like reconnaissance, credential compromise, and lateral movement. These include using alternative tools, limiting interactions with domain controllers, and complying with Kerberos policies. The document also notes techniques like silver tickets that are not detected by MDI. It concludes by acknowledging limitations of only testing alerts and not coupled defenses.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
Things like Infrastructure as Code, Service Discovery and Config Management can and have helped us to quickly build and rebuild infrastructure but we haven't nearly spend enough time to train our self to review, monitor and respond to outages. Does our platform degrade in a graceful way or what does a high cpu load really mean? What can we learn from level 1 outages to be able to run our platforms more reliably.
This talk will focus on on setting up a CICD pipeline using Jenkins. We start by configuring Jenkins to use our Nomad platform to autoscale job runners. After which we ll look at using the newly released nomad-pack tool to convert, deploy and test and existing nomad job.
Ch 4: Footprinting and Social EngineeringSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
This document provides techniques for escalating privileges on Windows systems. It begins with an overview of tricks that can grant escalated privileges to users or administrators. Specific techniques discussed include exploiting misconfigurations, using keyloggers, searching for credentials on systems, exploiting Group Policy Preferences files, unattended installation files, Windows Deployment Services, binary path modifications, service configuration issues, and registry permissions problems. The document then covers methods for escalating from an administrative user to SYSTEM level privileges like using Metasploit exploits, Sysinternals tools, binary replacement, and WMIC. It concludes with sections on achieving persistence and bypassing authentication.
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
This document discusses how to secure a Kubernetes platform. It covers setting up authentication and authorization using RBAC and certificates. It also discusses implementing network policies and pod security policies to restrict traffic and resources. Additional topics include integrating Vault for secrets management and using admission controllers and auditing to intercept and modify API requests for security purposes.
The document describes the FIDO2 specification which includes WebAuthn and CTAP. WebAuthn introduces a new JavaScript API for browser-based authentication and CTAP introduces a new API for platform-based authentication. It provides an overview of the registration and authentication flows including the use of public key credentials on servers to authenticate users. It also describes extensions, attestations, credential management and the goals of convenience and strong security in the FIDO standards.
This document provides an overview of the BloodHound tool for analyzing Active Directory environments. It describes what BloodHound is, how it works, its history and updates. It also covers various ingestors for collecting AD data, the Cypher query language, and tips for using BloodHound including finding high value principals, attacking groups and computers, and common post-exploitation techniques.
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
This document provides an introduction and overview of Open Policy Agent (OPA). It discusses how OPA can be used to add fine-grained policy controls to other projects. Key points include:
- OPA allows integrating policy decisions from a project into OPA and offloading policy logic. Policies can be authored in OPA and decisions retrieved.
- Policies are invoked by sending decision requests to OPA APIs. The input is JSON and the response is also JSON.
- Simple policies involve looking up values, comparing values, assigning variables, and creating rules with heads and bodies. Rules with the same head are OR'd together.
- Policies can handle arrays and iteration by using an
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...CODE BLUE
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been less coverage on these attacks. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, where they are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
Learn how to load balance your applications following best practices with NGINX and NGINX Plus.
Join this webinar to learn:
- How to configure basic HTTP load balancing features
- The essential elements of load balancing: session persistence, health checks, and SSL termination
- How to load balance MySQL, DNS, and other common TCP/UDP applications
- How to have NGINX Plus automatically discover new service instances in an auto-scaling or microservices environment
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
네트워크 엔지니어에게 왜 쿠버네티스가 필요한지 설명하는 내용입니다.
영상은 아래의 링크에서 제공됩니다. https://www.inflearn.com/course/%EC%BF%A0%EB%B2%84%EB%84%A4%ED%8B%B0%EC%8A%A4-%EC%89%BD%EA%B2%8C%EC%8B%9C%EC%9E%91/lecture/97562
The document provides an overview of penetration testing techniques and strategies. It discusses initial reconnaissance activities like scanning and enumeration. It then covers exploitation, maintaining access, and post-exploitation tactics like credential dumping, privilege escalation, and pivoting. Defense strategies are also mentioned such as disabling unnecessary services, requiring strong passwords, and limiting local administrator rights.
The document provides an outline for hacking different systems including performing internet footprinting, hacking Windows systems, hacking Unix/Linux systems, and hacking networks. It discusses techniques for scanning systems, enumerating services and users, penetrating targets by exploiting services or escalating privileges, gaining interactive access, and maintaining influence. It provides examples of tools that can be used for reconnaissance, attacks, and privilege escalation on the different system types. The document also covers vulnerabilities in systems like SNMP, HTTP, TFTP, and routing protocols that can be exploited, and techniques for dealing with firewalls like port scanning and redirection.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
Things like Infrastructure as Code, Service Discovery and Config Management can and have helped us to quickly build and rebuild infrastructure but we haven't nearly spend enough time to train our self to review, monitor and respond to outages. Does our platform degrade in a graceful way or what does a high cpu load really mean? What can we learn from level 1 outages to be able to run our platforms more reliably.
This talk will focus on on setting up a CICD pipeline using Jenkins. We start by configuring Jenkins to use our Nomad platform to autoscale job runners. After which we ll look at using the newly released nomad-pack tool to convert, deploy and test and existing nomad job.
Ch 4: Footprinting and Social EngineeringSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
This document provides techniques for escalating privileges on Windows systems. It begins with an overview of tricks that can grant escalated privileges to users or administrators. Specific techniques discussed include exploiting misconfigurations, using keyloggers, searching for credentials on systems, exploiting Group Policy Preferences files, unattended installation files, Windows Deployment Services, binary path modifications, service configuration issues, and registry permissions problems. The document then covers methods for escalating from an administrative user to SYSTEM level privileges like using Metasploit exploits, Sysinternals tools, binary replacement, and WMIC. It concludes with sections on achieving persistence and bypassing authentication.
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
This document discusses how to secure a Kubernetes platform. It covers setting up authentication and authorization using RBAC and certificates. It also discusses implementing network policies and pod security policies to restrict traffic and resources. Additional topics include integrating Vault for secrets management and using admission controllers and auditing to intercept and modify API requests for security purposes.
The document describes the FIDO2 specification which includes WebAuthn and CTAP. WebAuthn introduces a new JavaScript API for browser-based authentication and CTAP introduces a new API for platform-based authentication. It provides an overview of the registration and authentication flows including the use of public key credentials on servers to authenticate users. It also describes extensions, attestations, credential management and the goals of convenience and strong security in the FIDO standards.
This document provides an overview of the BloodHound tool for analyzing Active Directory environments. It describes what BloodHound is, how it works, its history and updates. It also covers various ingestors for collecting AD data, the Cypher query language, and tips for using BloodHound including finding high value principals, attacking groups and computers, and common post-exploitation techniques.
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
This document provides an introduction and overview of Open Policy Agent (OPA). It discusses how OPA can be used to add fine-grained policy controls to other projects. Key points include:
- OPA allows integrating policy decisions from a project into OPA and offloading policy logic. Policies can be authored in OPA and decisions retrieved.
- Policies are invoked by sending decision requests to OPA APIs. The input is JSON and the response is also JSON.
- Simple policies involve looking up values, comparing values, assigning variables, and creating rules with heads and bodies. Rules with the same head are OR'd together.
- Policies can handle arrays and iteration by using an
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...CODE BLUE
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been less coverage on these attacks. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, where they are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
Learn how to load balance your applications following best practices with NGINX and NGINX Plus.
Join this webinar to learn:
- How to configure basic HTTP load balancing features
- The essential elements of load balancing: session persistence, health checks, and SSL termination
- How to load balance MySQL, DNS, and other common TCP/UDP applications
- How to have NGINX Plus automatically discover new service instances in an auto-scaling or microservices environment
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
네트워크 엔지니어에게 왜 쿠버네티스가 필요한지 설명하는 내용입니다.
영상은 아래의 링크에서 제공됩니다. https://www.inflearn.com/course/%EC%BF%A0%EB%B2%84%EB%84%A4%ED%8B%B0%EC%8A%A4-%EC%89%BD%EA%B2%8C%EC%8B%9C%EC%9E%91/lecture/97562
The document provides an overview of penetration testing techniques and strategies. It discusses initial reconnaissance activities like scanning and enumeration. It then covers exploitation, maintaining access, and post-exploitation tactics like credential dumping, privilege escalation, and pivoting. Defense strategies are also mentioned such as disabling unnecessary services, requiring strong passwords, and limiting local administrator rights.
The document provides an outline for hacking different systems including performing internet footprinting, hacking Windows systems, hacking Unix/Linux systems, and hacking networks. It discusses techniques for scanning systems, enumerating services and users, penetrating targets by exploiting services or escalating privileges, gaining interactive access, and maintaining influence. It provides examples of tools that can be used for reconnaissance, attacks, and privilege escalation on the different system types. The document also covers vulnerabilities in systems like SNMP, HTTP, TFTP, and routing protocols that can be exploited, and techniques for dealing with firewalls like port scanning and redirection.
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action reduce your anxiety!
The document discusses various techniques for hacking systems, including password cracking, privilege escalation, executing applications remotely, and using keyloggers and spyware. It provides an overview of tools that can perform functions like password cracking, sniffing network traffic, capturing credentials, escalating privileges, executing code remotely, and logging keystrokes covertly. Countermeasures to these techniques, like disabling LM hashes, changing passwords regularly, and using antivirus software, are also covered.
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
This document provides an overview of modern Active Directory attacks and defenses. It discusses how red teams use tools like Mimikatz and Kerberoasting to escalate privileges by cracking service account passwords and dumping domain credentials from Domain Controllers. It also outlines blue team defenses like LAPS, advanced auditing, and tools like Microsoft Advanced Threat Analytics to detect these attacks. The goal is to help security professionals understand both offensive techniques and defensive best practices for securing Active Directory environments.
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
- The document discusses remote operations and credential exposure during remote management. It highlights the use of various living off the land techniques like RPC, WMI, PSRemoting and RDP.
- It provides tips for preventing lateral movement without dedicated security products by leveraging configurations like LogonWorkstations to restrict where accounts can logon.
- The key takeaways are to embrace a living off the land mindset, be aware of credential exposure risks during remote operations, and that single configurations can be effective for preventing issues like lateral movement when properly configured and monitored.
Do The Right Thing! How LDAP servers should help LDAP clientsLDAPCon
This document discusses how LDAP servers can help guide LDAP clients and users through the use of server-side information without enforcing strict rules. It provides examples of how the web2ldap application utilizes rootDSE, subschema, and other server data to populate user interfaces and handle requests. The document also covers issues around interoperability, access control, and recommendations for client developers, server developers, and IT administrators.
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
Introducción a las pruebas de intrusión en entornos Microsoft Active Directory en forma de ponencia práctica para auditores o personas interesadas en el pentesting en entornos corporativos. Se dará una breve introducción al servicio de directorio Active Directory y sus componentes más críticos desde el punto de vista de la seguridad.Posteriormente, se explicarán las principales diferencias con respecto a un pentesting clásico de infraestructura, así como las técnicas y ataques más comunes para llevar a cabo el ejercicio y comprometer completamente el dominio corporativo.Requisitos: Se recomienda que los asistentes tengan conocimientos básicos de Active Directory y básicos/medios de pentesting o hacking ético, preferiblemente en infraestructuras y/o Sistemas Operativos.
Building Open Source Identity Management with FreeIPALDAPCon
FreeIPA is an open source identity management solution that integrates authentication, authorization, policies and other identity management features in a centralized manner. It aims to simplify identity management for Linux and Unix systems in a similar way that Active Directory does for Windows. FreeIPA also allows for integration with Active Directory domains through cross-realm Kerberos trusts, allowing single sign-on for users between Linux and Windows systems.
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
The document provides information on enhancements in FreeRADIUS versions 3.0.0 through 3.2.0. Key updates include improved security with RADSEC and DTLS support, expanded testing, and new features like password changing and caching. EAP-TLS is discussed as a more secure authentication method than PEAP. The Trust Router was added to allow cross-federation authentication by distributing identity provider information.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers:
- The key phases and activities of the vulnerability management lifecycle
- The tools you need for an effective vulnerability management program
- How to prioritize your VM needs
- How an effective VM program can help you measurably reduce risk and meet compliance objectives
You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
All companies should build with security and protection of customer data as the number one priority. This talk will cover a wide range of best practices from MFA, root accounts, encrypting laptops, inventory management, MDM, and incident response. You'll learn key principles of how to build a secure organization to protect your data. Don't wait until your first security incident before putting these best practices in place.
Will St. Clair: AWS San Francisco Startup Day, 9/7/17
Operations: Security Crash Course & Best Practices! All companies should build with security and protection of customer data as the number one priority. This talk will cover a wide range of best practices from MFA, root accounts, encrypting laptops, inventory management, MDM, and incident response. You'll learn key principles of how to build a secure organization to protect your data. Don't wait until your first security incident before putting these best practices in place.
The document discusses content network navigation and DNS. It defines navigation, switching, routing and explains how DNS translates hostnames to IP addresses. It describes the components of DNS including the domain name space, name servers, resource records, and resolvers. It explains DNS requests, resolution process and tools like nslookup. It also summarizes load balancing techniques for switches including policies for best available server, persistence and differentiated services.
Mimikatz is a tool that enables extracting plain text passwords, hashes, and Kerberos tickets from memory. It can be used to perform pass-the-hash, over-pass-the-hash, and pass-the-ticket authentication attacks. Mimikatz uses the Sekurlsa module to dump credentials stored in the Local Security Authority Subsystem Service (LSASS) process memory. It decrypts encrypted credentials using the same functions LSASS uses, allowing extraction of passwords in plain text. Pass-the-hash allows authenticating with only the NTLM hash by replacing the hash used in authentication with the target user's hash.
Santhosh Kumar Routhu is a system engineer with over 4 years of experience in Linux, VMware, networking, VCS, Hadoop, SQL Server and WAS application server. He has an MCA with 70% and certifications in RHCE and MCP. His experience includes providing administration support, monitoring systems, performing maintenance, supporting applications, and issue resolution. He is proficient in technologies such as Linux, Windows, VMware, Java, networking and databases.
This document provides an overview of the Domain Name System (DNS) including how DNS works, the record types stored in DNS, caching and authoritative servers, and delegation. It discusses how DNS queries work by recursively searching through the DNS hierarchy from the root servers down. Key record types like A, AAAA, NS, MX and SOA are described. The roles of caching servers, which forward queries on behalf of clients, and authoritative servers, which serve data from their own zone files, are compared. Delegation allows separate administration of different domains through the hierarchical structure of DNS.
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?
This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won’t be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
Active Directory attack mitigation
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members as well as AD administrators.
Similaire à Understanding Active Directory Enumeration (20)
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
5. The purpose of this talk:
Where is the information
How to access that information
Why is valuable that information
If you want details on any attack/technique, go to the corresponding links
I might not have enough time to tell the entire talk
Anyways, hope you enjoy it and learn something new (we’ve learnt tons of things doing it
)
9. We will focus on having domain creds
However, a lot of information can be enumerated without them
(exposed services, open shares, network traffic, unauth information…)
Platinum Sponsor
11. But Domain Credentials are not only USER accounts
NTSystem in domain-joined systems corresponds to the domain
computer account in the network
Domain Service Accounts are essentially user accounts, so can also be
used to enumerate
e.g. Kerberoasting or BloodHound
15. Simplifying it in the following topics
MS-RPC
Local Privileges
who is a local admin and where?
Logons and Sessions
where are authenticated those juicy users?
LDAP
objects and relationships
16. As long as we have visibility and credentials, we can access tons of
GOODIES
REMEMBER
19. Who is a local admin and where?
Who can access with RDP and where?
Who can access with WinRM and where?
Who…. and where?
20. Privileged local groups
Administrators
Remote Desktop Users
Distributed COM Users
Remote Management Users
We want to know which users are members of those local groups in each system
21. We mostly care about two things
1. Local privileged accounts that may share the same password on different
systems (watchout UAC degrading the access token)
2. Domain users or groups being members of local privileged groups
24. Restrictions – SAM Enumeration
Controlled by the following policy:
Network access: Restrict clients allowed to make remote calls to SAM
An administrator can edit the policy to enforce or relax restrictions
Manually or with SAMRi10 https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
By default newer systems allow only Administrators (beginning with Windows 10
version 1607 and Windows Server 2016)
Older systems allow any Domain User by default
29. Logons
Querying for users logged on in a system is useful for hunting purposes (where are
the Domain Admins?)
However these techniques require your user to be administrator on the target (not
very practical)
Can be done using Win32 API calls or enumerating the registry remotely
32. Is there a way to identify logons as a low priv user?
YES *
33. Sessions
Although commonly called “sessions”, they mean to be network sessions
A network session is created – on the target – when a resource is accessed
through the network (i.e a shared folder)
The Win32 API has the NetSessionEnum function which allows to query a
system for network sessions
34. By checking network sessions, we can correlate which users are connected and
from where
Thus, the system that originated the network session should have an interactive user logon
Best locations to check sessions are servers (DCs, fileservers…) as they are highly
accessed through the network
e.g. querying WS04 for network sessions
36. Controlled by the following registry key
HKLM:SYSTEMCurrentControlSetServicesLanmanServerDefaultSecuritySrvsvcSessionInfo
By default newer systems only allow Administrators (beginning with Windows
10 version 1607 and Windows Server 2016)
An administrator can edit the registry key to enforce or relax restrictions
Manually or using Net Cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
Older systems allow any Authenticated User!
37. Tools on Linux
Easy impersonation (as opposed to Windows SSO)
--user USER --password PASSWD --domain DOMAIN
Multiple choices
Impacket, Rpcclient, enum4linux, nmap…
39. LDAP
By default, any low privileged domain account can query information about
almost anything through LDAP
You just need something to interact with LDAP!
40. General Offensive Approaches
Builtin or developed tools that leverage Win32 API (net.exe)
LDAP tools (dsquery, dsget…)
.NET (PowerView, SharpView, AD module)
.NET DirectorySearcher class [adsisearcher]
.NET DirectoryEntry class [adsi]
.NET RPC classes
41. Pentest approach – my recommendation
Install RSAT and feel at home
If we are already joined to the domain, we are ready to go
50. Tools on Linux
Easy impersonation (as opposed to Windows SSO)
--user USER --password PASSWD --domain DOMAIN
As always make sure of DNS and point your actions to the targeted domain /
domain controller
Multiple choices
Ldapsearch, JXExplorer, Pywerview, Bloodhound.py…
53. User Account Control
Password never expires
same password for years
Account is sensitive
does not delegate credentials
Do not require Kerberos Preauthentication
can be As-Reproasted
Store password using reversible encryption
plaintext password stored in NTDS
Kerberos Delegation
TRUSTED_FOR_DELEGATION = Unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained
Protocol Transition
…
54. Attributes
servicePrincipalName not null
can be Kerberoasted
adminCount = 1
member of one of the administrative groups
lastLogon / logonCount …
logon information
msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-AllowedToDelegateTo
Kerberos Delegation related
userPassword / unixUserPassword / unicodePwd
sometimes plaintext passwords
…
55. Checks
Check out group memberships
Domain Admin? Local admin somewhere? …
Check out User Account Control settings
Kerberos Delegation? As-Reproastable? …
Check out those attributes
Passwords? Kerberoastable? …
57. User Account Control
Trust this computer for delegation to any service
TRUSTED_FOR_DELEGATION = Unconstrained
Trust this computer for delegation to specific services
only – use any authentication
TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol
Transition
58. Attributes
servicePrincipalName
enumerate Kerberos services on the machine! (a.k.a SPN
scanning)
adminCount = 1
member of one of the administrative groups
msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-
AllowedToDelegateTo
Kerberos Delegation related
ms-Mcs-AdmPwd
LAPS password
operatingSystem
…
59.
60. Checks (same as users)
Check out group memberships
Domain Admin? Any interesting group? …
Check out User Account Control settings
Kerberos Delegation? …
Check out those attributes
Operating system? SPN Scanning? …
61. Sean Metcalf - SPN Scanning – Service Discovery without Network Port Scanning
https://adsecurity.org/?p=1508
Sean Metcalf - Cracking Kerberos TGS Tickets Using Kerberoast
https://adsecurity.org/?p=2293
Will Schroeder - Kerberoasting Revisited
https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/
Will Schroeder - Roasting AS-REPs
https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
Sean Metcalf - Active Directory Security Risk #101: Kerberos Unconstrained Delegation
https://adsecurity.org/?p=1667
Elad Shamir - Wagging the Dog: Abusing Resource-Based Constrained Delegation
http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/
Will Schroeder – Another Word on Delegation
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
63. Domain Admins: full admin rights by default on all domain-joined servers and workstations, Domain
Controllers, and Active Directory
Enterprise Admins: full AD rights to every domain in the AD forest
Administrators: default admin rights to Active Directory and Domain Controllers
Schema Admins: modify the Active Directory forest schema
Backup Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers
(Default GPO)
Print Operators: manage printers and load/unload device drivers on Domain Controllers
Server Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers
(Default GPO)
Account Operators: modify accounts and groups in the domain (Default GPO)
DNSAdmins: administrative access to Microsoft Active Directory DNS and is often granted the ability to logon
to Domain Controllers
Group Policy Creator Owners: create, modify, and delete Group Policies in the domain
https://adsecurity.org/?p=3700
65. 1. Group1 is a member of Domain Admins
2. Group2 is a member of Group1
3. Puar is a member of Group2
4. Puar is a Domain Admin
66. Checks
Find explicit privileged groups and their members
DA’s, EA’s, Schema Admins, DNSAdmins…
Find those nested groups
Group1 is member of Group2 and blablablaDOMAINADMIN!
67. Will Schroeder - A Pentester’s Guide to Group Scoping
https://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/
SS64 - Understand the different types of Active Directory group
https://ss64.com/nt/syntax-groups.html
68. OUs & GPOs
By default any domain user can read all the GPO settings
stored in the SYSVOL share
Lot of information can be enumerated
Local group memberships (Restricted Groups, GPP)
User rights assignment (SeDebugPrivilege,
SeEnableDelegation…)
Local admin passwords (GPP!!)
LAPS settings
Registry entries
Scheduled tasks
Scripts
…
69.
70. Checks
Check out all the GPOs and their settings
Firewall, local admin configurations…
Find where they are applied!!
Computers, users, OUs, sites…
71. Andrew Robbins - A Red Teamer’s Guide to GPOs and OUs
https://wald0.com/?p=179
Rastamouse - GPO Abuse
https://rastamouse.me/2019/01/gpo-abuse-part-1/
https://rastamouse.me/2019/01/gpo-abuse-part-2/
Will Schroeder - Where My Admins At? (GPO Edition)
https://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
72. Forest/Domain Trusts
Compromising one domain is just the start of
the journey
One forest can have multiple domains
One root domain (Ent. Admins here)
Probably multiple child domains
One forest may have trust relationships with
other forests
73. Map all the trust relationships between your current domain and all the
trusted domains
External Child/Parent Forest
74.
75.
76. Child/Parent Trusts
Domains inside a forest trust each other
Once a single domain is compromised, any domain in the forest is
vulnerable to the SIDHistory technique by creating Golden Tickets
If you compromise BADABING.SOPRANO.SL, you can compromise
SOPRANO.SL through that technique
77.
78.
79. Forest/External Trusts
When a domain from other forest trusts you, you can query information
about it
A Forest/External trust does not imply any kind of privilege against the
targeted domain (by default)
Privileges across trusts must be configured by administrators
e.g.
This user from DomainA can access this resource in DomainB
This user from DomainA is a member of this group in DomainB
80. TWINDCooper from TWIN.PKS is a member of the Satriales group in SOPRANO.SL
TWINDcooper is a Foreign Security Principal
We want to identify this kind of objects that could allow us to hop between forests
81. Checks
Find relationships between your domain and other domains
I’m in a child domain? Root domain?
Find if there are external relationships and
Forest trusts? external trusts?
Look for accounts who can potentially jump from your forest to another
ForestAPaco has sysdb privileges on ForestBSqlserver01
82. Sean Metcalf - Security Considerations for Active Directory (AD) Trusts
https://adsecurity.org/?p=282
Sean Metcalf - Kerberos Golden Tickets are Now More Golden
https://adsecurity.org/?p=1640
Will Schroeder - A Guide to Attacking Domain Trusts
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
Will Schroeder - The Trustpocalypse
http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/
Dirk-jan Mollema - Active Directory forest trusts part 1 - How does SID filtering work?
https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/
Will Schroeder – Not a Security Boundary: Breaking Forest Trusts
https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
Carlos García – Pentesting Active Directory Forests
https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-
%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0
83. ACLs
Access controls in Active Directory are mostly managed through the use of ACLs
(Access Control Lists)
Each object has its own ACLs (Users, Groups, Computers, OUs, GPOs,
Domains…)
An ACL consists in a list of rules that grant or deny rights to a user/group over
the object that holds the ACL
84. e.g.
If you check the Domain
Admins’ ACL, you will see
which objects have rights
over the Domain Admins
group
85. Depending on the privileges…
Over Users
Reset password
Set ServicePrincipalName then
Kerberoast
Set No-Kerb Preauth
then As-Reproast
Over Groups
Adding new members
Over GPOs
Link them
Edit them
Over Computers
Set Kerberos RBCD
Read/modify LAPS password
Over Domains
DCSync
86.
87. Checks
Check the ACL’s of interesting objects
Has anyone DCSync privs on the domain? Reset password on user OU’s?
88. Andrew Robbins / Will Schroeder – An ACE Up the Sleeve
https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-
Designing-Active-Directory-DACL-Backdoors-wp.pdf
Will Schroeder - Abusing Active Directory Permissions with PowerView
http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-
powerview/
Will Schroeder – The Unintended Risks of Trusting Active Directory
https://www.slideshare.net/harmj0y/the-unintended-risks-of-trusting-active-directory