SlideShare une entreprise Scribd logo

Understanding Active Directory Enumeration

Télécharger en tant que PPTX, PDF
D
Daniel López Jiménez

This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.

Technologie
1  sur  89
Understanding Active Directory Enumeration ATTL4S & WINT3R
www.crummie5.club
 The purpose of this talk:  Where is the information  How to access that information  Why is valuable that information  If you want details on any attack/technique, go to the corresponding links  I might not have enough time to tell the entire talk  Anyways, hope you enjoy it and learn something new (we’ve learnt tons of things doing it )
AGENDA 1. Introduction 2. Offensive Enumeration  Local Privileges  Logons and Sessions  LDAP
INTRODUCTION
CAPSULE.CORP Domain Internal Network
We will focus on having domain creds However, a lot of information can be enumerated without them (exposed services, open shares, network traffic, unauth information…) Platinum Sponsor
Credentials  By default, authenticated accounts can access a lot of information
But Domain Credentials are not only USER accounts  NTSystem in domain-joined systems corresponds to the domain computer account in the network  Domain Service Accounts are essentially user accounts, so can also be used to enumerate e.g. Kerberoasting or BloodHound
Enumeration Approach
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP
Simplifying it in the following topics  MS-RPC  Local Privileges  who is a local admin and where?  Logons and Sessions  where are authenticated those juicy users?  LDAP  objects and relationships
 As long as we have visibility and credentials, we can access tons of GOODIES REMEMBER
OFFENSIVE AD ENUMERATION
LOCAL PRIVILEGES (MS-RPC)
 Who is a local admin and where?  Who can access with RDP and where?  Who can access with WinRM and where? Who…. and where?
 Privileged local groups  Administrators  Remote Desktop Users  Distributed COM Users  Remote Management Users  We want to know which users are members of those local groups in each system
We mostly care about two things 1. Local privileged accounts that may share the same password on different systems (watchout UAC degrading the access token) 2. Domain users or groups being members of local privileged groups
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP Domain ? ? ? ? ? ? ? ? GPO Enum SAM SAM SAM SAM SAM SAM SAM SAM1 2
Remote SAM Enumeration  Win32 API Functions (PowerView)  NetLocalGroupGetMembers  NetLocalGroupEnum  NetUserEnum  …  ADSI WinNT Provider (PowerView)  MS-RPC (Impacket, Rpcclient)
Restrictions – SAM Enumeration  Controlled by the following policy:  Network access: Restrict clients allowed to make remote calls to SAM  An administrator can edit the policy to enforce or relax restrictions  Manually or with SAMRi10 https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b  By default newer systems allow only Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  Older systems allow any Domain User by default
Restricted Groups (and the old GPP)*
LOGONS AND SESSIONS (MS-RPC)
NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP Domain ? ? ? ? ? ? ? ?
Logons  Querying for users logged on in a system is useful for hunting purposes (where are the Domain Admins?)  However these techniques require your user to be administrator on the target (not very practical)  Can be done using Win32 API calls or enumerating the registry remotely
Get-NetLoggedon from PowerView uses NetWkstaUserEnum
PsLoggedOn from Sysinternals uses the Registry Remotely
Is there a way to identify logons as a low priv user? YES *
Sessions  Although commonly called “sessions”, they mean to be network sessions  A network session is created – on the target – when a resource is accessed through the network (i.e a shared folder)  The Win32 API has the NetSessionEnum function which allows to query a system for network sessions
 By checking network sessions, we can correlate which users are connected and from where  Thus, the system that originated the network session should have an interactive user logon  Best locations to check sessions are servers (DCs, fileservers…) as they are highly accessed through the network e.g. querying WS04 for network sessions
Another example with Goku and Yamcha
 Controlled by the following registry key  HKLM:SYSTEMCurrentControlSetServicesLanmanServerDefaultSecuritySrvsvcSessionInfo  By default newer systems only allow Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  An administrator can edit the registry key to enforce or relax restrictions  Manually or using Net Cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b  Older systems allow any Authenticated User!
Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  Multiple choices  Impacket, Rpcclient, enum4linux, nmap…
Objects and Relationships (LDAP)
LDAP  By default, any low privileged domain account can query information about almost anything through LDAP  You just need something to interact with LDAP!
General Offensive Approaches  Builtin or developed tools that leverage Win32 API (net.exe)  LDAP tools (dsquery, dsget…)  .NET (PowerView, SharpView, AD module)  .NET DirectorySearcher class [adsisearcher]  .NET DirectoryEntry class [adsi]  .NET RPC classes
Pentest approach – my recommendation  Install RSAT and feel at home  If we are already joined to the domain, we are ready to go
What if we are not part of the domain?
CAPSULE.CORP Domain LDAP Internal Network
1. take care of DNS! (hosts file also works)
2. Impersonate!
3. Enumerate!
https://serverfault.com/questions/349262/using-administrative-tools-on-non-domain-computer-to-manage-domain-servers/349266
Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  As always make sure of DNS and point your actions to the targeted domain / domain controller  Multiple choices  Ldapsearch, JXExplorer, Pywerview, Bloodhound.py…
Interesting Things  Domain Users  Domain Computers  Domain Groups  OUs / GPOs  Forest / Domain Trusts  Relationships (ACLs)
Domain Users
User Account Control  Password never expires  same password for years  Account is sensitive  does not delegate credentials  Do not require Kerberos Preauthentication  can be As-Reproasted  Store password using reversible encryption  plaintext password stored in NTDS  Kerberos Delegation  TRUSTED_FOR_DELEGATION = Unconstrained  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition  …
Attributes  servicePrincipalName not null  can be Kerberoasted  adminCount = 1  member of one of the administrative groups  lastLogon / logonCount …  logon information  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-AllowedToDelegateTo  Kerberos Delegation related  userPassword / unixUserPassword / unicodePwd  sometimes plaintext passwords  …
Checks  Check out group memberships  Domain Admin? Local admin somewhere? …  Check out User Account Control settings  Kerberos Delegation? As-Reproastable? …  Check out those attributes  Passwords? Kerberoastable? …
Domain Computers
User Account Control  Trust this computer for delegation to any service  TRUSTED_FOR_DELEGATION = Unconstrained  Trust this computer for delegation to specific services only – use any authentication  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition
Attributes  servicePrincipalName  enumerate Kerberos services on the machine! (a.k.a SPN scanning)  adminCount = 1  member of one of the administrative groups  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS- AllowedToDelegateTo  Kerberos Delegation related  ms-Mcs-AdmPwd  LAPS password  operatingSystem  …
Checks (same as users)  Check out group memberships  Domain Admin? Any interesting group? …  Check out User Account Control settings  Kerberos Delegation? …  Check out those attributes  Operating system? SPN Scanning? …
 Sean Metcalf - SPN Scanning – Service Discovery without Network Port Scanning  https://adsecurity.org/?p=1508  Sean Metcalf - Cracking Kerberos TGS Tickets Using Kerberoast  https://adsecurity.org/?p=2293  Will Schroeder - Kerberoasting Revisited  https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/  Will Schroeder - Roasting AS-REPs  https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/  Sean Metcalf - Active Directory Security Risk #101: Kerberos Unconstrained Delegation  https://adsecurity.org/?p=1667  Elad Shamir - Wagging the Dog: Abusing Resource-Based Constrained Delegation  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Will Schroeder – Another Word on Delegation  https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
Domain Groups
 Domain Admins: full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory  Enterprise Admins: full AD rights to every domain in the AD forest  Administrators: default admin rights to Active Directory and Domain Controllers  Schema Admins: modify the Active Directory forest schema  Backup Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Print Operators: manage printers and load/unload device drivers on Domain Controllers  Server Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Account Operators: modify accounts and groups in the domain (Default GPO)  DNSAdmins: administrative access to Microsoft Active Directory DNS and is often granted the ability to logon to Domain Controllers  Group Policy Creator Owners: create, modify, and delete Group Policies in the domain https://adsecurity.org/?p=3700
Nested Groups
1. Group1 is a member of Domain Admins 2. Group2 is a member of Group1 3. Puar is a member of Group2 4. Puar is a Domain Admin
Checks  Find explicit privileged groups and their members  DA’s, EA’s, Schema Admins, DNSAdmins…  Find those nested groups  Group1 is member of Group2 and blablablaDOMAINADMIN!
 Will Schroeder - A Pentester’s Guide to Group Scoping  https://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/  SS64 - Understand the different types of Active Directory group  https://ss64.com/nt/syntax-groups.html
OUs & GPOs  By default any domain user can read all the GPO settings stored in the SYSVOL share  Lot of information can be enumerated  Local group memberships (Restricted Groups, GPP)  User rights assignment (SeDebugPrivilege, SeEnableDelegation…)  Local admin passwords (GPP!!)  LAPS settings  Registry entries  Scheduled tasks  Scripts  …
Checks  Check out all the GPOs and their settings  Firewall, local admin configurations…  Find where they are applied!!  Computers, users, OUs, sites…
 Andrew Robbins - A Red Teamer’s Guide to GPOs and OUs  https://wald0.com/?p=179  Rastamouse - GPO Abuse  https://rastamouse.me/2019/01/gpo-abuse-part-1/  https://rastamouse.me/2019/01/gpo-abuse-part-2/  Will Schroeder - Where My Admins At? (GPO Edition)  https://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
Forest/Domain Trusts  Compromising one domain is just the start of the journey  One forest can have multiple domains  One root domain (Ent. Admins here)  Probably multiple child domains  One forest may have trust relationships with other forests
Map all the trust relationships between your current domain and all the trusted domains External Child/Parent Forest
Child/Parent Trusts  Domains inside a forest trust each other  Once a single domain is compromised, any domain in the forest is vulnerable to the SIDHistory technique by creating Golden Tickets  If you compromise BADABING.SOPRANO.SL, you can compromise SOPRANO.SL through that technique
Forest/External Trusts  When a domain from other forest trusts you, you can query information about it  A Forest/External trust does not imply any kind of privilege against the targeted domain (by default)  Privileges across trusts must be configured by administrators  e.g.  This user from DomainA can access this resource in DomainB  This user from DomainA is a member of this group in DomainB
 TWINDCooper from TWIN.PKS is a member of the Satriales group in SOPRANO.SL  TWINDcooper is a Foreign Security Principal  We want to identify this kind of objects that could allow us to hop between forests
Checks  Find relationships between your domain and other domains  I’m in a child domain? Root domain?  Find if there are external relationships and  Forest trusts? external trusts?  Look for accounts who can potentially jump from your forest to another  ForestAPaco has sysdb privileges on ForestBSqlserver01
 Sean Metcalf - Security Considerations for Active Directory (AD) Trusts  https://adsecurity.org/?p=282  Sean Metcalf - Kerberos Golden Tickets are Now More Golden  https://adsecurity.org/?p=1640  Will Schroeder - A Guide to Attacking Domain Trusts  http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/  Will Schroeder - The Trustpocalypse  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Dirk-jan Mollema - Active Directory forest trusts part 1 - How does SID filtering work?  https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/  Will Schroeder – Not a Security Boundary: Breaking Forest Trusts  https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/  Carlos García – Pentesting Active Directory Forests  https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20- %20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0
ACLs  Access controls in Active Directory are mostly managed through the use of ACLs (Access Control Lists)  Each object has its own ACLs (Users, Groups, Computers, OUs, GPOs, Domains…)  An ACL consists in a list of rules that grant or deny rights to a user/group over the object that holds the ACL
e.g. If you check the Domain Admins’ ACL, you will see which objects have rights over the Domain Admins group
Depending on the privileges… Over Users Reset password Set ServicePrincipalName then Kerberoast Set No-Kerb Preauth then As-Reproast Over Groups Adding new members Over GPOs Link them Edit them Over Computers Set Kerberos RBCD Read/modify LAPS password Over Domains DCSync
Checks  Check the ACL’s of interesting objects  Has anyone DCSync privs on the domain? Reset password on user OU’s?
 Andrew Robbins / Will Schroeder – An ACE Up the Sleeve  https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve- Designing-Active-Directory-DACL-Backdoors-wp.pdf  Will Schroeder - Abusing Active Directory Permissions with PowerView  http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with- powerview/  Will Schroeder – The Unintended Risks of Trusting Active Directory  https://www.slideshare.net/harmj0y/the-unintended-risks-of-trusting-active-directory
MANY THANKS Any question?

Recommandé

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 

Recommandé

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
CICD using jenkins and Nomad
CICD using jenkins and NomadCICD using jenkins and Nomad
CICD using jenkins and Nomad
Bram Vogelaar
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
Sam Bowne
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
inovex GmbH
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
n00py1
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Kangaroot
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
CODE BLUE
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
WebAuthn
WebAuthnWebAuthn
WebAuthn
Kelley Robinson
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
Jo Hoon
 
Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind map
dasdwwe1
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
nayakslideshare
 

Contenu connexe

Tendances

Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
CICD using jenkins and Nomad
CICD using jenkins and NomadCICD using jenkins and Nomad
CICD using jenkins and Nomad
Bram Vogelaar
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
Sam Bowne
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
inovex GmbH
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
n00py1
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Kangaroot
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
CODE BLUE
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
WebAuthn
WebAuthnWebAuthn
WebAuthn
Kelley Robinson
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
Jo Hoon
 

Tendances (20)

Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
CICD using jenkins and Nomad
CICD using jenkins and NomadCICD using jenkins and Nomad
CICD using jenkins and Nomad
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
WebAuthn
WebAuthnWebAuthn
WebAuthn
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
 

Similaire à Understanding Active Directory Enumeration

Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind map
dasdwwe1
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
nayakslideshare
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
leminhvuong
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
Felipe Prado
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
LDAPCon
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
Jisc
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
Amazon Web Services
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
Amazon Web Services
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
sanjoysanyal
 
Mimikatz
MimikatzMimikatz
Mimikatz
rishabh sharma
 
Resume (6)
Resume (6)Resume (6)
Resume (6)
santhosh kumar routhu
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
viditsir
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 

Similaire à Understanding Active Directory Enumeration (20)

Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind map
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
 
Mimikatz
MimikatzMimikatz
Mimikatz
 
Resume (6)
Resume (6)Resume (6)
Resume (6)
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 

Dernier

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 

Dernier (20)

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 

Understanding Active Directory Enumeration

  • 2.
  • 3.
  • 5.  The purpose of this talk:  Where is the information  How to access that information  Why is valuable that information  If you want details on any attack/technique, go to the corresponding links  I might not have enough time to tell the entire talk  Anyways, hope you enjoy it and learn something new (we’ve learnt tons of things doing it )
  • 6. AGENDA 1. Introduction 2. Offensive Enumeration  Local Privileges  Logons and Sessions  LDAP
  • 9. We will focus on having domain creds However, a lot of information can be enumerated without them (exposed services, open shares, network traffic, unauth information…) Platinum Sponsor
  • 10. Credentials  By default, authenticated accounts can access a lot of information
  • 11. But Domain Credentials are not only USER accounts  NTSystem in domain-joined systems corresponds to the domain computer account in the network  Domain Service Accounts are essentially user accounts, so can also be used to enumerate e.g. Kerberoasting or BloodHound
  • 15. Simplifying it in the following topics  MS-RPC  Local Privileges  who is a local admin and where?  Logons and Sessions  where are authenticated those juicy users?  LDAP  objects and relationships
  • 16.  As long as we have visibility and credentials, we can access tons of GOODIES REMEMBER
  • 19.  Who is a local admin and where?  Who can access with RDP and where?  Who can access with WinRM and where? Who…. and where?
  • 20.  Privileged local groups  Administrators  Remote Desktop Users  Distributed COM Users  Remote Management Users  We want to know which users are members of those local groups in each system
  • 21. We mostly care about two things 1. Local privileged accounts that may share the same password on different systems (watchout UAC degrading the access token) 2. Domain users or groups being members of local privileged groups
  • 22. NTDS Domain Controller CAPGoku LDAP HostA CAPSULE.CORP Domain ? ? ? ? ? ? ? ? GPO Enum SAM SAM SAM SAM SAM SAM SAM SAM1 2
  • 23. Remote SAM Enumeration  Win32 API Functions (PowerView)  NetLocalGroupGetMembers  NetLocalGroupEnum  NetUserEnum  …  ADSI WinNT Provider (PowerView)  MS-RPC (Impacket, Rpcclient)
  • 24. Restrictions – SAM Enumeration  Controlled by the following policy:  Network access: Restrict clients allowed to make remote calls to SAM  An administrator can edit the policy to enforce or relax restrictions  Manually or with SAMRi10 https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b  By default newer systems allow only Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  Older systems allow any Domain User by default
  • 25.
  • 26. Restricted Groups (and the old GPP)*
  • 29. Logons  Querying for users logged on in a system is useful for hunting purposes (where are the Domain Admins?)  However these techniques require your user to be administrator on the target (not very practical)  Can be done using Win32 API calls or enumerating the registry remotely
  • 30. Get-NetLoggedon from PowerView uses NetWkstaUserEnum
  • 31. PsLoggedOn from Sysinternals uses the Registry Remotely
  • 32. Is there a way to identify logons as a low priv user? YES *
  • 33. Sessions  Although commonly called “sessions”, they mean to be network sessions  A network session is created – on the target – when a resource is accessed through the network (i.e a shared folder)  The Win32 API has the NetSessionEnum function which allows to query a system for network sessions
  • 34.  By checking network sessions, we can correlate which users are connected and from where  Thus, the system that originated the network session should have an interactive user logon  Best locations to check sessions are servers (DCs, fileservers…) as they are highly accessed through the network e.g. querying WS04 for network sessions
  • 35. Another example with Goku and Yamcha
  • 36.  Controlled by the following registry key  HKLM:SYSTEMCurrentControlSetServicesLanmanServerDefaultSecuritySrvsvcSessionInfo  By default newer systems only allow Administrators (beginning with Windows 10 version 1607 and Windows Server 2016)  An administrator can edit the registry key to enforce or relax restrictions  Manually or using Net Cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b  Older systems allow any Authenticated User!
  • 37. Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  Multiple choices  Impacket, Rpcclient, enum4linux, nmap…
  • 39. LDAP  By default, any low privileged domain account can query information about almost anything through LDAP  You just need something to interact with LDAP!
  • 40. General Offensive Approaches  Builtin or developed tools that leverage Win32 API (net.exe)  LDAP tools (dsquery, dsget…)  .NET (PowerView, SharpView, AD module)  .NET DirectorySearcher class [adsisearcher]  .NET DirectoryEntry class [adsi]  .NET RPC classes
  • 41. Pentest approach – my recommendation  Install RSAT and feel at home  If we are already joined to the domain, we are ready to go
  • 42. What if we are not part of the domain?
  • 44. 1. take care of DNS! (hosts file also works)
  • 46.
  • 47.
  • 50. Tools on Linux  Easy impersonation (as opposed to Windows SSO)  --user USER --password PASSWD --domain DOMAIN  As always make sure of DNS and point your actions to the targeted domain / domain controller  Multiple choices  Ldapsearch, JXExplorer, Pywerview, Bloodhound.py…
  • 51. Interesting Things  Domain Users  Domain Computers  Domain Groups  OUs / GPOs  Forest / Domain Trusts  Relationships (ACLs)
  • 53. User Account Control  Password never expires  same password for years  Account is sensitive  does not delegate credentials  Do not require Kerberos Preauthentication  can be As-Reproasted  Store password using reversible encryption  plaintext password stored in NTDS  Kerberos Delegation  TRUSTED_FOR_DELEGATION = Unconstrained  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition  …
  • 54. Attributes  servicePrincipalName not null  can be Kerberoasted  adminCount = 1  member of one of the administrative groups  lastLogon / logonCount …  logon information  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS-AllowedToDelegateTo  Kerberos Delegation related  userPassword / unixUserPassword / unicodePwd  sometimes plaintext passwords  …
  • 55. Checks  Check out group memberships  Domain Admin? Local admin somewhere? …  Check out User Account Control settings  Kerberos Delegation? As-Reproastable? …  Check out those attributes  Passwords? Kerberoastable? …
  • 57. User Account Control  Trust this computer for delegation to any service  TRUSTED_FOR_DELEGATION = Unconstrained  Trust this computer for delegation to specific services only – use any authentication  TRUSTED_TO_AUTH_FOR_DELEGATION = Constrained Protocol Transition
  • 58. Attributes  servicePrincipalName  enumerate Kerberos services on the machine! (a.k.a SPN scanning)  adminCount = 1  member of one of the administrative groups  msDS-AllowedToActOnBehalfOfOtherIdentity / msDS- AllowedToDelegateTo  Kerberos Delegation related  ms-Mcs-AdmPwd  LAPS password  operatingSystem  …
  • 59.
  • 60. Checks (same as users)  Check out group memberships  Domain Admin? Any interesting group? …  Check out User Account Control settings  Kerberos Delegation? …  Check out those attributes  Operating system? SPN Scanning? …
  • 61.  Sean Metcalf - SPN Scanning – Service Discovery without Network Port Scanning  https://adsecurity.org/?p=1508  Sean Metcalf - Cracking Kerberos TGS Tickets Using Kerberoast  https://adsecurity.org/?p=2293  Will Schroeder - Kerberoasting Revisited  https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/  Will Schroeder - Roasting AS-REPs  https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/  Sean Metcalf - Active Directory Security Risk #101: Kerberos Unconstrained Delegation  https://adsecurity.org/?p=1667  Elad Shamir - Wagging the Dog: Abusing Resource-Based Constrained Delegation  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Will Schroeder – Another Word on Delegation  https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
  • 63.  Domain Admins: full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory  Enterprise Admins: full AD rights to every domain in the AD forest  Administrators: default admin rights to Active Directory and Domain Controllers  Schema Admins: modify the Active Directory forest schema  Backup Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Print Operators: manage printers and load/unload device drivers on Domain Controllers  Server Operators: logon to, shut down, and perform backup/restore operations on Domain Controllers (Default GPO)  Account Operators: modify accounts and groups in the domain (Default GPO)  DNSAdmins: administrative access to Microsoft Active Directory DNS and is often granted the ability to logon to Domain Controllers  Group Policy Creator Owners: create, modify, and delete Group Policies in the domain https://adsecurity.org/?p=3700
  • 65. 1. Group1 is a member of Domain Admins 2. Group2 is a member of Group1 3. Puar is a member of Group2 4. Puar is a Domain Admin
  • 66. Checks  Find explicit privileged groups and their members  DA’s, EA’s, Schema Admins, DNSAdmins…  Find those nested groups  Group1 is member of Group2 and blablablaDOMAINADMIN!
  • 67.  Will Schroeder - A Pentester’s Guide to Group Scoping  https://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/  SS64 - Understand the different types of Active Directory group  https://ss64.com/nt/syntax-groups.html
  • 68. OUs & GPOs  By default any domain user can read all the GPO settings stored in the SYSVOL share  Lot of information can be enumerated  Local group memberships (Restricted Groups, GPP)  User rights assignment (SeDebugPrivilege, SeEnableDelegation…)  Local admin passwords (GPP!!)  LAPS settings  Registry entries  Scheduled tasks  Scripts  …
  • 69.
  • 70. Checks  Check out all the GPOs and their settings  Firewall, local admin configurations…  Find where they are applied!!  Computers, users, OUs, sites…
  • 71.  Andrew Robbins - A Red Teamer’s Guide to GPOs and OUs  https://wald0.com/?p=179  Rastamouse - GPO Abuse  https://rastamouse.me/2019/01/gpo-abuse-part-1/  https://rastamouse.me/2019/01/gpo-abuse-part-2/  Will Schroeder - Where My Admins At? (GPO Edition)  https://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
  • 72. Forest/Domain Trusts  Compromising one domain is just the start of the journey  One forest can have multiple domains  One root domain (Ent. Admins here)  Probably multiple child domains  One forest may have trust relationships with other forests
  • 73. Map all the trust relationships between your current domain and all the trusted domains External Child/Parent Forest
  • 74.
  • 75.
  • 76. Child/Parent Trusts  Domains inside a forest trust each other  Once a single domain is compromised, any domain in the forest is vulnerable to the SIDHistory technique by creating Golden Tickets  If you compromise BADABING.SOPRANO.SL, you can compromise SOPRANO.SL through that technique
  • 77.
  • 78.
  • 79. Forest/External Trusts  When a domain from other forest trusts you, you can query information about it  A Forest/External trust does not imply any kind of privilege against the targeted domain (by default)  Privileges across trusts must be configured by administrators  e.g.  This user from DomainA can access this resource in DomainB  This user from DomainA is a member of this group in DomainB
  • 80.  TWINDCooper from TWIN.PKS is a member of the Satriales group in SOPRANO.SL  TWINDcooper is a Foreign Security Principal  We want to identify this kind of objects that could allow us to hop between forests
  • 81. Checks  Find relationships between your domain and other domains  I’m in a child domain? Root domain?  Find if there are external relationships and  Forest trusts? external trusts?  Look for accounts who can potentially jump from your forest to another  ForestAPaco has sysdb privileges on ForestBSqlserver01
  • 82.  Sean Metcalf - Security Considerations for Active Directory (AD) Trusts  https://adsecurity.org/?p=282  Sean Metcalf - Kerberos Golden Tickets are Now More Golden  https://adsecurity.org/?p=1640  Will Schroeder - A Guide to Attacking Domain Trusts  http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/  Will Schroeder - The Trustpocalypse  http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/  Dirk-jan Mollema - Active Directory forest trusts part 1 - How does SID filtering work?  https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/  Will Schroeder – Not a Security Boundary: Breaking Forest Trusts  https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/  Carlos García – Pentesting Active Directory Forests  https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20- %20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0
  • 83. ACLs  Access controls in Active Directory are mostly managed through the use of ACLs (Access Control Lists)  Each object has its own ACLs (Users, Groups, Computers, OUs, GPOs, Domains…)  An ACL consists in a list of rules that grant or deny rights to a user/group over the object that holds the ACL
  • 84. e.g. If you check the Domain Admins’ ACL, you will see which objects have rights over the Domain Admins group
  • 85. Depending on the privileges… Over Users Reset password Set ServicePrincipalName then Kerberoast Set No-Kerb Preauth then As-Reproast Over Groups Adding new members Over GPOs Link them Edit them Over Computers Set Kerberos RBCD Read/modify LAPS password Over Domains DCSync
  • 86.
  • 87. Checks  Check the ACL’s of interesting objects  Has anyone DCSync privs on the domain? Reset password on user OU’s?
  • 88.  Andrew Robbins / Will Schroeder – An ACE Up the Sleeve  https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve- Designing-Active-Directory-DACL-Backdoors-wp.pdf  Will Schroeder - Abusing Active Directory Permissions with PowerView  http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with- powerview/  Will Schroeder – The Unintended Risks of Trusting Active Directory  https://www.slideshare.net/harmj0y/the-unintended-risks-of-trusting-active-directory