9. Services to show categorization
• https://fortiguard.com/webfilter
• FortiGuard shows “Newly Observed Domain”
• https://www.virustotal.com/gui/domain/
• VirusTotal shows clean now and 12 months ago
• Trustedsource.org
• TrustedSource shows the site as Uncategorized with a reputation of Unverified
• https://talosintelligence.com/reputation_center
• Not blacklisted; unknown to Talos Intelligence (Cisco) too
• https://urlfiltering.paloaltonetworks.com/
• Palo Alto URL test shows it as “Alcohol and Tobacco” and “Low Risk”, meaning benign activity for the last 90 days
• https://sitereview.bluecoat.com/#/
• Blue Coat (Symantec) shows it as the Business/Economy category
• https://www.brightcloud.com/tools/url-ip-lookup.php
• Webroot shows Moderate Risk and category “Home and Garden”
17. Active Directory
• SUCCESS!
• Where do we start?
• Enumerate the local machine
• PSPs
• whoami?
• What tools/scripts can I run?
• Manual enumeration of AD
• BloodHound
19. KERBEROASTING
• Targets accounts with a Service Principal Name (SPN)
• e.g. MSSQLSvc/<FQDN> is assigned to a username
• The service account's password is the key that protects the TGS provided to the client
• hashcat -m 13100 <TGS> <wordlist>
SPN                        Username
MSSQLSvc/SQL01.east.com    Oaktree
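Detection-side counterpart to the slide above, added here as an example that is not part of the original deck: the ticket that hashcat mode 13100 cracks is an RC4-HMAC service ticket (encryption type 0x17), so the Kerberoasting pattern in the domain controller's Security log is one account requesting 4769 service tickets with TicketEncryptionType 0x17 for many different user-account SPNs in a short window. The log lines below are constructed in a flattened key=value form rather than real Windows event output, and the threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample of Security log entries (Event ID 4769 = TGS request),
# flattened to key=value pairs. Not real event output.
SAMPLE_4769 = """\
2024-05-01T10:00:01 EventID=4769 TargetUserName=bob@EAST.COM ServiceName=oaktree TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5
2024-05-01T10:00:02 EventID=4769 TargetUserName=bob@EAST.COM ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5
2024-05-01T10:00:02 EventID=4769 TargetUserName=bob@EAST.COM ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5
2024-05-01T10:00:03 EventID=4769 TargetUserName=bob@EAST.COM ServiceName=SQL01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5
2024-05-01T10:05:00 EventID=4769 TargetUserName=alice@EAST.COM ServiceName=oaktree TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.9
2024-05-01T10:06:00 EventID=4769 TargetUserName=carol@EAST.COM ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.7
2024-05-01T10:07:00 EventID=4768 TargetUserName=carol@EAST.COM ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.7
"""

RC4_HMAC = 0x17          # Kerberos etype 23; AES128/AES256 are 0x11/0x12
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value line into a dict (timestamp is ignored)."""
    return dict(FIELD_RE.findall(line))


def rc4_service_tickets(lines):
    """Map each requesting account to the set of services it obtained RC4 tickets for.

    Machine accounts (trailing $) and krbtgt are skipped: they are not
    Kerberoast targets, and including them would inflate the count.
    """
    requests = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        if ev.get("Status", "0x0") != "0x0":      # failed requests yield no ticket
            continue
        try:
            etype = int(ev.get("TicketEncryptionType", "0"), 16)
        except ValueError:
            continue
        if etype != RC4_HMAC:
            continue
        service = ev.get("ServiceName", "")
        if not service or service.endswith("$") or service.lower() == "krbtgt":
            continue
        requests[ev.get("TargetUserName", "?")].add(service)
    return requests


def kerberoast_suspects(lines, threshold=3):
    """Accounts that pulled RC4 tickets for at least `threshold` distinct service accounts."""
    return {
        user: sorted(services)
        for user, services in rc4_service_tickets(lines).items()
        if len(services) >= threshold
    }


if __name__ == "__main__":
    for user, services in kerberoast_suspects(SAMPLE_4769.splitlines()).items():
        print(f"{user}: RC4 service tickets for {', '.join(services)}")
```

Two caveats a real deployment needs: a domain that still has RC4 enabled for legacy services will produce benign 0x17 requests (baseline them per service), and an attacker who requests only AES tickets (hashcat has a separate mode for those) is not caught by the etype filter alone, so the distinct-service count should also be run without it.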
26. Delegation
• Unconstrained
• Constrained
• For a given computer or user account, this attribute specifies the list of service principal names (SPN) corresponding to Windows services that can act on behalf of the computer or user account.
• msDS-AllowedToDelegateTo
• Resource Based Constrained Delegation
• “(specifically msDS-AllowedToActOnBehalfOfOtherIdentity, so rights would include GenericAll, GenericWrite, WriteOwner, etc.) we can abuse this access and a modified S4U Kerberos ticket request process to compromise the computer itself.”
• https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/
Accounts trusted for delegation: (userAccountControl:1.2.840.113556.1.4.803:=524288)
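To make the LDAP filter on the slide concrete, here is an added audit example (not from the deck or the linked post) that evaluates the 1.2.840.113556.1.4.803 bitwise-AND matching rule against userAccountControl and sorts sample accounts into the three delegation types discussed: unconstrained (the 524288 bit), constrained (msDS-AllowedToDelegateTo populated) and resource-based (msDS-AllowedToActOnBehalfOfOtherIdentity set). The account records are constructed; the flag values beyond 524288 (SERVER_TRUST_ACCOUNT 0x2000 and TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000) are standard userAccountControl bits not shown on the page. In a real audit the records would come from an LDAP query returning those attributes.

```python
# userAccountControl flag bits. The page gives only 524288; the others are
# standard AD schema values added for the classification.
SERVER_TRUST_ACCOUNT = 0x2000               # 8192: domain controller
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: constrained with protocol transition

# LDAP extensible-match rules used in AD filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # all bits of the mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any bit of the mask set

# Constructed directory records (not from a real domain). The RBCD value is a
# placeholder for the security descriptor bytes that attribute really holds.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "WEB01$", "userAccountControl": 528384,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "svc_sql", "userAccountControl": 66048,
     "msDS-AllowedToDelegateTo": ["cifs/FS01.east.com"], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "svc_web", "userAccountControl": 16777728,
     "msDS-AllowedToDelegateTo": ["http/WEB01.east.com"], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "WS07$", "userAccountControl": 4096,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed SD bytes>"},
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
]


def ldap_bitwise_match(rule, attr_value, mask):
    """Evaluate an (attr:RULE:=mask) filter clause against an integer attribute value."""
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return attr_value & mask == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return attr_value & mask != 0
    raise ValueError(f"unsupported matching rule {rule}")


def trusted_for_delegation(account):
    """The slide's filter: (userAccountControl:1.2.840.113556.1.4.803:=524288)."""
    return ldap_bitwise_match(LDAP_MATCHING_RULE_BIT_AND,
                              account["userAccountControl"], TRUSTED_FOR_DELEGATION)


def audit_delegation(accounts):
    """Return {sAMAccountName: [finding, ...]} for every account with any delegation configured."""
    findings = {}
    for acct in accounts:
        uac = acct["userAccountControl"]
        issues = []
        if trusted_for_delegation(acct):
            if uac & SERVER_TRUST_ACCOUNT:
                issues.append("unconstrained delegation (domain controller, expected)")
            else:
                # A non-DC host with this bit caches the TGTs of every user that connects to it.
                issues.append("unconstrained delegation on non-DC host")
        targets = acct.get("msDS-AllowedToDelegateTo") or []
        if targets:
            kind = ("constrained delegation with protocol transition"
                    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained delegation")
            issues.append(f"{kind} to {', '.join(targets)}")
        if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            # Who can write this attribute matters as much as its current value.
            issues.append("resource-based constrained delegation configured")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_delegation(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(issues)}")
```

The review list this produces is the starting point for the usual mitigations: move unconstrained delegation off member servers, keep privileged accounts in Protected Users or marked sensitive so they cannot be delegated at all, and audit write access to msDS-AllowedToActOnBehalfOfOtherIdentity on every computer object, since that write right is what the quoted harmj0y case study relies on.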
30.
• The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential.
• DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential Manager, the Private Key storage mechanism, or any third-party programs that call the CryptProtectData() function and the CryptUnprotectData() function in Windows 2000, Windows XP, or later.
33. Notes for Demonstration
• Credentials are stored in the user's profile. Can use Seatbelt to identify these.
• Run vault::cred within Mimikatz before continuing
• Usually in:
• %appdata%\Microsoft\Credentials
• %localappdata%\Microsoft\Credentials
• We can unlock the credential blob by requesting the masterkey as the user by using the /rpc flag
• We can unlock any credential blob if we can obtain the masterkey of a domain admin.
36. Notes
/export - optional - tickets are exported as .kirbi files. Their names start with the user's LUID and the group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)