SlideShare une entreprise Scribd logo

Carlos García - Pentesting Active Directory Forests [rooted2019]

RootedCON
RootedCON

Carlos García - Pentesting Active Directory Forests [rooted2019]

Technologie
1  sur  75
Télécharger pour lire hors ligne
ciyinet PENTESTING ACTIVE DIRECTORY FORESTS CARLOS GARCÍA GARCÍA ciyinet
ciyinet CARLOS GARCÍA GARCÍA Computer Science Eng. OSCP Penetration Testing Hack&Beers, Qurtuba… Organizer Co-author book Hacking Windows: Ataques a Sistemas y redes Microsoft PS C:> WHOAMI 2
ciyinet WHAT ARE WE GOING TO TALK ABOUT? - Introduction to Active Directory Forests and Trusts - Why Pentesting Trusts? - Authentication Protocols across Trusts - Trusts enumeration - Common Attacks & Techniques - Reconnaissance across Trusts - Conclusions 3
ciyinet FORESTS - Domains are structured into trees and forests - A tree is a collection of related domains - A forest is a collection of trees that trust each others - Only one “Enterprise Admins” group per forest - Exists in root domain only - Non-existing in child domains - Added as local admin in child domain’s DCs 4
ciyinet TRUSTS - Allow authentication traffic to flow between two domains - Establish the ability for users in one domain to authenticate to resources in another domain 5
ciyinet TRUST DIRECTION - One-way - Domain B trusts A - Users in Domain A can access resources in Domain B. Users in domain B cannot access domain A - Two-way - Domain A trusts B, domain B trusts A - Authentication requests can be passed between the two domains in both directions 6
ciyinet TRUST TRANSITIVITY Determines if a trust can be extended outside of the two domains - Transitive - Extends trust relationship with other domains - Let a trusted domain pass through to a third domain - Non-transitive - Denies trust relationship with other domains 7
ciyinet TYPE OF TRUSTS Type Direction Transitivity Description Parent-Child 2-way Transitive Automatically established when a new domain is created in a tree Tree-Root 2-way Transitive Automatically established when a new tree is added to a forest. Between the new tree root and the forest root domain External 1-way or 2-way Non-transitive Manually created between a domain in a forest and another domain in a different forest that does not have a forest trust established Forest 1-way or 2-way Transitive Manually created between one forest root domain and another forest root domain Shortcut 1-way or 2-way Transitive Manually created between domains in the same forest that is used to shorten the trust path in a large and complex domain tree or forest and improve authentication times Realm 1-way or 2-way Transitive or Non-transitive Manually created between an AD domain and a non-Windows Kerberos V5 realm References: https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts 8
ciyinet TRUSTS - All trusts within the same forest are two-way and transitive - This is why all domains within a forest trust each other - Users from any domain can access resources in any other domain within the forest as long as: - They have the proper permissions assigned at the resource - They have network access 9
ciyinet entityA.com spain.entityA.com uk.entityA.com group1.net sales.group1.net Parent-Child trust Parent-Child trust Tree-Root trust Parent-Child trust cordoba.spain.entityA.com Parent-Child trust Tree 2: entityB.net Tree 1: entityA.com Forest: entityA 10
ciyinet DIRECTION OF TRUST VS ACCESS Domain A Trusted domain (inbound) Domain B Trustring domain (outbound) Direction of access Direction of trust 11
ciyinet Why Pentesting Trusts? PENTESTING ACTIVE DIRECTORY FORESTS
ciyinet WHY PENTESTING TRUSTS? - Environments with trusts that were created many years ago without security in mind - Sometimes domain trusts introduce unintended access paths - Some domains (i.e. testing, development…) are not well maintained, controlled or monitored 13
ciyinet WHY PENTESTING TRUSTS? Or simply, what if your target is in a different domain? Reconnaissance Weaponisation and Exploitation Privilege Escalation & Lateral Movement Action on Targets Installation and Command & Control ▪ Email harvesting ▪ Social Networking ▪ IP Discovery ▪ Port Scanning ▪ Identify vulnerabilities ▪ Build and deliver malware via phishing, web, USB drive, network… ▪ Exploit a vulnerability to compromise the victim’s system ▪ Install malware ▪ Stablish persistence inside the environment ▪ Command channel for remote access ▪ Obtain more credentials ▪ Access other systems ▪ Escalate privileges ▪ Identify critical assets ▪ Data exfiltration ▪ Encryption of critical assets ▪ Service disruption ▪ Money $$$ References: Kroll Proactive Security Team 14
ciyinet Authentication Protocols PENTESTING ACTIVE DIRECTORY FORESTS
ciyinet CREDENTIALS FLOW IN WINDOWS 16
ciyinet NTLM ACROSS TRUSTS 1. User requests access and sends DOMAIN-AUSERNAME Client in DOMAIN-A 2. Server sends challenge message 3. Client sends response message 4. Server sends DOMAIN-AUSERNAME challenge and response to DC in DOMAIN-B Server in DOMAIN-B DC in DOMAIN-B DC in DOMAIN-A References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10) https://blogs.technet.microsoft.com/askpfeplat/2013/05/05/how-domain-controllers-are-located-across-trusts/ https://blogs.technet.microsoft.com/isrpfeplat/2010/11/05/optimizing-ntlm-authentication-flow-in-multi-domain-environments/ 8. Server sends authentication result to the client 7. Response to authenticate user 17
ciyinet KERBEROS ACROSS TRUSTS When a user requests access to a resource in a different domain: - User’s DC will not be able to issue a TGS of another domain as TGS can only be built using the target service’s password and DC only contain password data from security principals in their own domain - To solve this, the there is a trusts password between two domains in the same AD forest used as a bridge enable Kerberos authentication across trust 18
ciyinet KERBEROS ACROSS TRUSTS Client in DOMAIN-A 1. Request TGT (AS-REQ) 2. Receive TGT (AS-REP) Server in DOMAIN-B DC in DOMAIN-A DC in DOMAIN-B References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10) https://adsecurity.org/?p=1588 3. Present TGT, request TGS (TGS-REQ) 4. Receive inter-realm TGT (TGS-REP) Client encrypts a timestamp with their secret (hash/key) Client receives a TGT signed with the DOMAIN-A krbtgt account that proves they are who they say they are The TGT is then used to request TGS for specific resources/services on the DOMAIN-B DC sends a TGT for DOMAIN-B signed and encrypted using the inter-realm key DC sends a TGS ticket encrypted using the hash/key of the account that is associated with that service (SPN) The TGT is then used to request service tickets (TGS) for specific services on the domain. TGT I-R TGT TGS 19
ciyinet Trusts Enumeration PENTESTING ACTIVE DIRECTORY FORESTS
ciyinet TRUSTS ENUMERATION So we land in the organization; the exploitation path will depend on: - Domain you land on and its trusts - Privileges you manage to get in it - User’s privileges in foreign domains ? ? ? 21
ciyinet test.dev.ciyilab.local TRUSTS ENUMERATION testcordoba srvproject 23
ciyinet TRUSTS ENUMERATION - NLTEST - Different information depending on where it’s executed from quarantined_domain = Filter_sids nltest /domain_trusts nltest /dclist:DOMAIN nltest /server:DC /trusted_domains 24
ciyinet TRUSTS ENUMERATION - POWERVIEW - To enumerate trusts on a foreign domain, you need to able to bind to a DC (usually PDC) on the foreign domain* - Get-DomainTrust –SearchBase “GC://$($ENV:USERDNSDOMAIN)” - Return all forest trusts for the current forest or a specified forest Get-DomainTrust –Domain FOREIGN DOMAIN FQDN Get-ForestTrust –Domain FOREIGN DOMAIN FQDN 25
ciyinet TRUST MAPPING PowerView BloodHound Get-DomainTrustMapping Invoke-BloodHound –CollectionMethod Trusts –SearchForest Invoke-BloodHound –CollectionMethod Trusts –Domain FOREIGN DOMAIN FQDN 27
ciyinet Forest TRICIAForest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local TRUST MAPPING Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust 28
ciyinet Exploitation Path – Common Attacks & Techniques PENTESTING ACTIVE DIRECTORY FORESTS
ciyinet EXPLOITATION PATH Source (attacker’s location) Target domain Technique to use Trust relationship Root Child • Golden Ticket + Enterprise Admins group Inter-realm (2-way) Child Child • SID History exploitation Inter-realm Parent-Child (2-way) Child Root • SID History exploitation Inter-realm Tree-Root (2-way) Forest A Forest B • Printer bug + Unconstrained Delegation ? Intra-realm Forest or External (2-way) - Having Domain-Admin-level on the current domain: 30 - Not having Domain-Admin-level on the current domain: Reconnaissance + Exploitation (and always depending on type of trusts, direction and transitivity)
ciyinet Forest CIYILAB Forest TRICIA ciyilab.local dev.ciyilab.local test.dev.ciyilab.local DA-LEVEL TECHNIQUES – ROOT TO CHILD Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust Golden ticket + EA group 31
ciyinet ciyilab.local GOLDEN TICKET + ENTERPRISE ADMINS ciyilabciyi dc01 32 mimikatz.exe "kerberos::golden /domain:ROOT_DOMAIN_FQDN /sid:ROOT_DOMAIN_SID /krbtgt:ROOT_DOMAIN_KRBTGT_NT_HASH /user:USERNAME /groups:500,501,513,512,520,518,519 /ptt" Included by default. 519: RID of “Enterprise Admins” group
ciyinet Forest TRICIAForest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local DA-LEVEL TECHNIQUES – CHILD TO ROOT OR CHILD Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust SID history exploitation 34
ciyinet SID HISTORY - Used to migrate users from one domain to another - When a user is migrated, his old SID and all groups’ SIDs he’s a member of can be added to the attribute sidHistory - When the user tries to access a resource, his SID and the SIDs included in the sidHistory attribute are checked to grant/deny access - sidHistory is normally respected by domains within the forest. For external/forest trusts, they are filtered out by the “SID filtering” protection References: https://www.itprotoday.com/windows-78/exploiting-sidhistory-ad-attribute https://www.harmj0y.net/blog/redteaming/the-trustpocalypse/ https://gallery.technet.microsoft.com/migrate-ad-users-to-new-2e480804/ http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ 35
ciyinet test.dev.ciyilab.local SID HISTORY HOPPING/EXPLOITATION testAdministrator srvproject 36 mimikatz.exe "kerberos::golden /domain:CHILD_DOMAIN_FQDN /sid:CHILD_DOMAIN_SID /krbtgt:CHILD_DOMAIN_KRBTGT_NT_HASH /user:USERNAME /sids:ENTERPRISE_ADMINS_GROUP_SID /ptt" Get it with PowerView: ConvertTo-SID -ObjectName "Enterprise Admins" -Domain ROOT_DOMAIN_FQDN
ciyinet No Domain-Admin… No fun? PENTESTING ACTIVE DIRECTORY FORESTS
ciyinet EXPLOITATION PATH - Having Domain-Admin-level in the domain you are: - Not having Domain-Admin-level on the current domain: Reconnaissance + Exploitation (and always depending on type of trusts, direction and transitivy) 39 Source (attacker’s location) Target domain Technique to use Trust relationship Root Child • Golden Ticket + Enterprise Admins group Inter-realm (2-way) Child Child • SID History exploitation Inter-realm Parent-Child (2-way) Child Root • SID History exploitation Inter-realm Tree-Root (2-way) Forest A Forest B • Printer bug + Unconstrained Delegation ? Intra-realm Forest or External trust (2-way)
ciyinet RECONNAISSANCE 1. Enumerate trusts the current domain has and also trusts the other domains have 2. Enumerate objects: a. Enumerate security principals (i.e. users, groups, computers) in the current domain that have access to resources in another domain b. Enumerate groups that have users from another domain 3. Map exploitation path: what accounts need to be compromised to move from the current position to the target 40 References: http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
ciyinet 1. TRUSTS ENUMERATION Forest CANETE canete.local 41
ciyinet Forest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local 1. TRUSTS ENUMERATION Parent-Child trust Parent-Child trust Forest CANETE canete.local External trust 43
ciyinet 2. OBJECT ENUMERATION Security principals (users/groups) can be configured to have access to resources in another domain as: - Members of a local group in foreign machines - Look for foreign local group membership - Members of a domain group in a foreign domain - Look for foreign domain group membership - Principals in ACEs in a DACL - Look for foreign security principals in ACE in a foreign domain 44
ciyinet TYPE OF GROUPS Group Visibility (available to) Can have members from Same domain Other domains in same forest Domains outside the forest (forest or external trust) Functional memberships Local Local • Users • Computers • Domain local groups • Global groups • Universal groups • Users • Computers • Global groups • Universal groups • Users • Computers • Global groups • Users in the same forest • Users in other forests (foreign security principals) AD Domain local Domain (Cannot be used outside the domain they’ve been created in) • Users • Computers • Other Domain local groups • Global groups • Universal groups • Users • Computers • Global groups • Universal groups • Users • Computers • Global groups • Users in the same forest • Users in other forests (foreign security principals) AD Global Forest(s) • Users • Computers • Other Global groups None None Cannot have users of other domains AD Universal Forest(s) (Stored within the Global Catalog) • Users • Computers • Global groups • Other Universal groups • Users • Computers • Global groups • Other Universal groups None Users in the same forest References: https://www.youtube.com/watch?v=aPh8_RB8XEU 45
ciyinet FOREIGN LOCAL GROUP MEMBERSHIP - Remote SAM (SAMR) or GPO correlation - Depending on current configuration (i.e. Windows firewall), in some cases we might need local admin privs on target to enumerate its local groups PowerView: Get-NetLocalGroup –ComputerName HOSTNAME Get-NetLocalGroupMemeber –ComputerName HOSTNAME -GroupName GROUP References: http://www.harmj0y.net/blog/redteaming/local-group-enumeration/ 46
ciyinet Forest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local 1. TRUSTS ENUMERATION Parent-Child trust Parent-Child trust Forest CANETE canete.local External trust 47
ciyinet dev.ciyilab.local canetezoidberg madw1201.dev.ciyilab.local 49
ciyinet Forest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local Parent-Child trust Parent-Child trust Forest CANETE canete.local External trust 50
ciyinet dev.ciyilab.local devmadw1201$ madw1201.dev.ciyilab.local 52
ciyinet Forest TRICIAForest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust 53
ciyinet FOREIGN USER MEMBERSHIP Enumerate users in groups outside of the user’s domain. This can be used within the same forest PowerView: *Only Universal groups membership will be reflected Get-DomainForeignUser –Domain FOREIGN DOMAIN FQDN 54
ciyinet FOREIGN GROUP MEMBERSHIP Enumerate groups in the target domain that contains users that are not from the target domain. This can be used against domain within the same forest or through a external/forest trust PowerView: Get-DomainForeignGroupMember –Domain FOREIGN DOMAIN FQDN 56
ciyinet FOREIGN ACL PRINCIPALS 1. Enumerate DACLs (and their ACE entries) of all objects in domains that trusts yours 2. Only analyze ACE entries with foreign security principals This can be used against domain within the same forest or through a external/forest trust PowerView to list ACE entries with security principals from our domain: Get-DomainObjectAcl –Domain FOREIGN DOMAIN FQDN –ResolveGUIDs | Where-Object {$_.SecurityIdentifier –like ‘CURRENT_DOMAIN_SID*’} 57
ciyinet 3. MAPPING EXPLOITATION PATH – OBJECT ENUMERATION WITH BLOODHOUND BloodHound can enumerate trusts and objects in foreign domains (local and domain groups membership, ACLs, etc.) Invoke-BloodHound –SearchForest Invoke-BloodHound –Domain FOREIGN DOMAIN FQDN 58
ciyinet Forest CANETE canete.local 59
ciyinet Forest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local Parent-Child trust Parent-Child trust Forest CANETE canete.local External trust 62
ciyinet Forest TRICIAForest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust 64
ciyinet PENTESTING ACTIVE DIRECTORY Wrapping Up
ciyinet WRAPPING UP – “METHODOLOGY” 1. Enumerate trusts the current domain has and also trusts the other domains have 2. Is the target within the same forest? Yes: step 3 No: steps 4 and 5 3. Got DA-level privileges in the current domain? Yes: use DA-level techniques No: steps 4 and 5 4. Enumerate objects: a. Security principals (i.e. user, groups, computers) in the current domain that have access to resources in another domain b. Groups that have users from another domain c. Foreign security principals in ACE in foreign domains 5. Map exploitation path What accounts need to be compromised to move from the current position to the target 67
ciyinet Conclusions PENTESTING ACTIVE DIRECTORY FORESTS
ciyinet CONCLUSIONS - If other domain trusts our domain, we can query their AD information - Trusts can introduce unintended access paths - Domain trust boundaries are not security boundaries - Losing control of the KRBTGT account password hash of any domain equates to losing control of the entire forest - You must reset KRBTGT (twice) in every domain in the forest! 69
ciyinet BUSINESS RISK Compromise of just one Domain Admin account in the Active Directory forest exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by all domains, users, servers, workstations and data. Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees. “Once Domain Admin, always Domain Admin” “Once any Domain Admin, always Enterprise Admin” 70
ciyinet ACKNOWLEDGMENT & REFERENCES - My brother (Happy B-DAY!!!) - Francisco Tocino - Nikhil Mittal (@nikhil_mitt) - Will Schroeder (@harmj0y) - Andrew Robbins (@_wald0) - Benjamin Delpy (@gentilkiwi) - Sean Metcalf (@PyroTek3) 71
ciyinet 72
ciyinet 73
PENTESTING ACTIVE DIRECTORY FORESTS
ciyinet PENTESTING ACTIVE DIRECTORY FORESTS ciyinet carlos@ciyi.es CARLOS GARCÍA GARCÍA

Recommandé

ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 

Recommandé

ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
Alexander Polce Leary
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
The Rise of Active Directory Exploits
The Rise of Active Directory ExploitsThe Rise of Active Directory Exploits
The Rise of Active Directory Exploits
Enterprise Management Associates
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Cloud security
Cloud securityCloud security
Cloud security
BikashPokharel3
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
Will Schroeder
 
Cassandra - decentralized structured database
Cassandra - decentralized structured databaseCassandra - decentralized structured database
Cassandra - decentralized structured database
Huynh Thai Bao
 

Contenu connexe

Tendances

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

Tendances (20)

Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
 
The Rise of Active Directory Exploits
The Rise of Active Directory ExploitsThe Rise of Active Directory Exploits
The Rise of Active Directory Exploits
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Cloud security
Cloud securityCloud security
Cloud security
 

Similaire à Carlos García - Pentesting Active Directory Forests [rooted2019]

BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
MongoDB
 
How to Protect Big Data in a Containerized Environment
How to Protect Big Data in a Containerized EnvironmentHow to Protect Big Data in a Containerized Environment
How to Protect Big Data in a Containerized Environment
BlueData, Inc.
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
PowerPoint PresentationThis section will include an online pre.docx
PowerPoint PresentationThis section will include an online pre.docxPowerPoint PresentationThis section will include an online pre.docx
PowerPoint PresentationThis section will include an online pre.docx
ChantellPantoja184
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Redis Labs
 

Similaire à Carlos García - Pentesting Active Directory Forests [rooted2019] (20)

Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Cassandra - decentralized structured database
Cassandra - decentralized structured databaseCassandra - decentralized structured database
Cassandra - decentralized structured database
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
How to Protect Big Data in a Containerized Environment
How to Protect Big Data in a Containerized EnvironmentHow to Protect Big Data in a Containerized Environment
How to Protect Big Data in a Containerized Environment
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
PowerPoint PresentationThis section will include an online pre.docx
PowerPoint PresentationThis section will include an online pre.docxPowerPoint PresentationThis section will include an online pre.docx
PowerPoint PresentationThis section will include an online pre.docx
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
 
Отчет Csa report RAPID7
Отчет Csa report RAPID7Отчет Csa report RAPID7
Отчет Csa report RAPID7
 
Irm solutions 09 2014
Irm solutions 09 2014Irm solutions 09 2014
Irm solutions 09 2014
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 

Plus de RootedCON

Plus de RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Dernier

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Carlos García - Pentesting Active Directory Forests [rooted2019]

  • 2. ciyinet CARLOS GARCÍA GARCÍA Computer Science Eng. OSCP Penetration Testing Hack&Beers, Qurtuba… Organizer Co-author book Hacking Windows: Ataques a Sistemas y redes Microsoft PS C:> WHOAMI 2
  • 3. ciyinet WHAT ARE WE GOING TO TALK ABOUT? - Introduction to Active Directory Forests and Trusts - Why Pentesting Trusts? - Authentication Protocols across Trusts - Trusts enumeration - Common Attacks & Techniques - Reconnaissance across Trusts - Conclusions 3
  • 4. ciyinet FORESTS - Domains are structured into trees and forests - A tree is a collection of related domains - A forest is a collection of trees that trust each others - Only one “Enterprise Admins” group per forest - Exists in root domain only - Non-existing in child domains - Added as local admin in child domain’s DCs 4
  • 5. ciyinet TRUSTS - Allow authentication traffic to flow between two domains - Establish the ability for users in one domain to authenticate to resources in another domain 5
  • 6. ciyinet TRUST DIRECTION - One-way - Domain B trusts A - Users in Domain A can access resources in Domain B. Users in domain B cannot access domain A - Two-way - Domain A trusts B, domain B trusts A - Authentication requests can be passed between the two domains in both directions 6
  • 7. ciyinet TRUST TRANSITIVITY Determines if a trust can be extended outside of the two domains - Transitive - Extends trust relationship with other domains - Let a trusted domain pass through to a third domain - Non-transitive - Denies trust relationship with other domains 7
  • 8. ciyinet TYPE OF TRUSTS Type Direction Transitivity Description Parent-Child 2-way Transitive Automatically established when a new domain is created in a tree Tree-Root 2-way Transitive Automatically established when a new tree is added to a forest. Between the new tree root and the forest root domain External 1-way or 2-way Non-transitive Manually created between a domain in a forest and another domain in a different forest that does not have a forest trust established Forest 1-way or 2-way Transitive Manually created between one forest root domain and another forest root domain Shortcut 1-way or 2-way Transitive Manually created between domains in the same forest that is used to shorten the trust path in a large and complex domain tree or forest and improve authentication times Realm 1-way or 2-way Transitive or Non-transitive Manually created between an AD domain and a non-Windows Kerberos V5 realm References: https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts 8
  • 9. ciyinet TRUSTS - All trusts within the same forest are two-way and transitive - This is why all domains within a forest trust each other - Users from any domain can access resources in any other domain within the forest as long as: - They have the proper permissions assigned at the resource - They have network access 9
  • 11. ciyinet DIRECTION OF TRUST VS ACCESS Domain A Trusted domain (inbound) Domain B Trustring domain (outbound) Direction of access Direction of trust 11
  • 13. ciyinet WHY PENTESTING TRUSTS? - Environments with trusts that were created many years ago without security in mind - Sometimes domain trusts introduce unintended access paths - Some domains (i.e. testing, development…) are not well maintained, controlled or monitored 13
  • 14. ciyinet WHY PENTESTING TRUSTS? Or simply, what if your target is in a different domain? Reconnaissance Weaponisation and Exploitation Privilege Escalation & Lateral Movement Action on Targets Installation and Command & Control ▪ Email harvesting ▪ Social Networking ▪ IP Discovery ▪ Port Scanning ▪ Identify vulnerabilities ▪ Build and deliver malware via phishing, web, USB drive, network… ▪ Exploit a vulnerability to compromise the victim’s system ▪ Install malware ▪ Stablish persistence inside the environment ▪ Command channel for remote access ▪ Obtain more credentials ▪ Access other systems ▪ Escalate privileges ▪ Identify critical assets ▪ Data exfiltration ▪ Encryption of critical assets ▪ Service disruption ▪ Money $$$ References: Kroll Proactive Security Team 14
  • 17. ciyinet NTLM ACROSS TRUSTS 1. User requests access and sends DOMAIN-AUSERNAME Client in DOMAIN-A 2. Server sends challenge message 3. Client sends response message 4. Server sends DOMAIN-AUSERNAME challenge and response to DC in DOMAIN-B Server in DOMAIN-B DC in DOMAIN-B DC in DOMAIN-A References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10) https://blogs.technet.microsoft.com/askpfeplat/2013/05/05/how-domain-controllers-are-located-across-trusts/ https://blogs.technet.microsoft.com/isrpfeplat/2010/11/05/optimizing-ntlm-authentication-flow-in-multi-domain-environments/ 8. Server sends authentication result to the client 7. Response to authenticate user 17
  • 18. ciyinet KERBEROS ACROSS TRUSTS When a user requests access to a resource in a different domain: - User’s DC will not be able to issue a TGS of another domain as TGS can only be built using the target service’s password and DC only contain password data from security principals in their own domain - To solve this, the there is a trusts password between two domains in the same AD forest used as a bridge enable Kerberos authentication across trust 18
  • 19. ciyinet KERBEROS ACROSS TRUSTS Client in DOMAIN-A 1. Request TGT (AS-REQ) 2. Receive TGT (AS-REP) Server in DOMAIN-B DC in DOMAIN-A DC in DOMAIN-B References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10) https://adsecurity.org/?p=1588 3. Present TGT, request TGS (TGS-REQ) 4. Receive inter-realm TGT (TGS-REP) Client encrypts a timestamp with their secret (hash/key) Client receives a TGT signed with the DOMAIN-A krbtgt account that proves they are who they say they are The TGT is then used to request TGS for specific resources/services on the DOMAIN-B DC sends a TGT for DOMAIN-B signed and encrypted using the inter-realm key DC sends a TGS ticket encrypted using the hash/key of the account that is associated with that service (SPN) The TGT is then used to request service tickets (TGS) for specific services on the domain. TGT I-R TGT TGS 19
  • 21. ciyinet TRUSTS ENUMERATION So we land in the organization; the exploitation path will depend on: - Domain you land on and its trusts - Privileges you manage to get in it - User’s privileges in foreign domains ? ? ? 21
  • 22.
  • 24. ciyinet TRUSTS ENUMERATION - NLTEST - Different information depending on where it’s executed from quarantined_domain = Filter_sids nltest /domain_trusts nltest /dclist:DOMAIN nltest /server:DC /trusted_domains 24
  • 25. ciyinet TRUSTS ENUMERATION - POWERVIEW - To enumerate trusts on a foreign domain, you need to able to bind to a DC (usually PDC) on the foreign domain* - Get-DomainTrust –SearchBase “GC://$($ENV:USERDNSDOMAIN)” - Return all forest trusts for the current forest or a specified forest Get-DomainTrust –Domain FOREIGN DOMAIN FQDN Get-ForestTrust –Domain FOREIGN DOMAIN FQDN 25
  • 26.
  • 27. ciyinet TRUST MAPPING PowerView BloodHound Get-DomainTrustMapping Invoke-BloodHound –CollectionMethod Trusts –SearchForest Invoke-BloodHound –CollectionMethod Trusts –Domain FOREIGN DOMAIN FQDN 27
  • 28. ciyinet Forest TRICIAForest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local TRUST MAPPING Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust 28
  • 29. ciyinet Exploitation Path – Common Attacks & Techniques PENTESTING ACTIVE DIRECTORY FORESTS
  • 30. ciyinet EXPLOITATION PATH Source (attacker’s location) Target domain Technique to use Trust relationship Root Child • Golden Ticket + Enterprise Admins group Inter-realm (2-way) Child Child • SID History exploitation Inter-realm Parent-Child (2-way) Child Root • SID History exploitation Inter-realm Tree-Root (2-way) Forest A Forest B • Printer bug + Unconstrained Delegation ? Intra-realm Forest or External (2-way) - Having Domain-Admin-level on the current domain: 30 - Not having Domain-Admin-level on the current domain: Reconnaissance + Exploitation (and always depending on type of trusts, direction and transitivity)
  • 31. ciyinet Forest CIYILAB Forest TRICIA ciyilab.local dev.ciyilab.local test.dev.ciyilab.local DA-LEVEL TECHNIQUES – ROOT TO CHILD Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust Golden ticket + EA group 31
  • 32. ciyinet ciyilab.local GOLDEN TICKET + ENTERPRISE ADMINS ciyilabciyi dc01 32 mimikatz.exe "kerberos::golden /domain:ROOT_DOMAIN_FQDN /sid:ROOT_DOMAIN_SID /krbtgt:ROOT_DOMAIN_KRBTGT_NT_HASH /user:USERNAME /groups:500,501,513,512,520,518,519 /ptt" Included by default. 519: RID of “Enterprise Admins” group
  • 33.
  • 34. ciyinet Forest TRICIAForest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local DA-LEVEL TECHNIQUES – CHILD TO ROOT OR CHILD Parent-Child trust Parent-Child trust assuan.local Tree-Root trust tricia.local Forest trust Forest CANETE canete.local External trust SID history exploitation 34
  • 35. ciyinet SID HISTORY - Used to migrate users from one domain to another - When a user is migrated, his old SID and all groups’ SIDs he’s a member of can be added to the attribute sidHistory - When the user tries to access a resource, his SID and the SIDs included in the sidHistory attribute are checked to grant/deny access - sidHistory is normally respected by domains within the forest. For external/forest trusts, they are filtered out by the “SID filtering” protection References: https://www.itprotoday.com/windows-78/exploiting-sidhistory-ad-attribute https://www.harmj0y.net/blog/redteaming/the-trustpocalypse/ https://gallery.technet.microsoft.com/migrate-ad-users-to-new-2e480804/ http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ 35
  • 36. ciyinet test.dev.ciyilab.local SID HISTORY HOPPING/EXPLOITATION testAdministrator srvproject 36 mimikatz.exe "kerberos::golden /domain:CHILD_DOMAIN_FQDN /sid:CHILD_DOMAIN_SID /krbtgt:CHILD_DOMAIN_KRBTGT_NT_HASH /user:USERNAME /sids:ENTERPRISE_ADMINS_GROUP_SID /ptt" Get it with PowerView: ConvertTo-SID -ObjectName "Enterprise Admins" -Domain ROOT_DOMAIN_FQDN
  • 37.
  • 38. ciyinet No Domain-Admin… No fun? PENTESTING ACTIVE DIRECTORY FORESTS
  • 39. ciyinet EXPLOITATION PATH - Having Domain-Admin-level in the domain you are: - Not having Domain-Admin-level on the current domain: Reconnaissance + Exploitation (and always depending on type of trusts, direction and transitivy) 39 Source (attacker’s location) Target domain Technique to use Trust relationship Root Child • Golden Ticket + Enterprise Admins group Inter-realm (2-way) Child Child • SID History exploitation Inter-realm Parent-Child (2-way) Child Root • SID History exploitation Inter-realm Tree-Root (2-way) Forest A Forest B • Printer bug + Unconstrained Delegation ? Intra-realm Forest or External trust (2-way)
  • 40. ciyinet RECONNAISSANCE 1. Enumerate trusts the current domain has and also trusts the other domains have 2. Enumerate objects: a. Enumerate security principals (i.e. users, groups, computers) in the current domain that have access to resources in another domain b. Enumerate groups that have users from another domain 3. Map exploitation path: what accounts need to be compromised to move from the current position to the target 40 References: http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
  • 41. ciyinet 1. TRUSTS ENUMERATION Forest CANETE canete.local 41
  • 42.
  • 43. ciyinet Forest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local 1. TRUSTS ENUMERATION Parent-Child trust Parent-Child trust Forest CANETE canete.local External trust 43
  • 44. ciyinet 2. OBJECT ENUMERATION Security principals (users/groups) can be configured to have access to resources in another domain as: - Members of a local group in foreign machines - Look for foreign local group membership - Members of a domain group in a foreign domain - Look for foreign domain group membership - Principals in ACEs in a DACL - Look for foreign security principals in ACE in a foreign domain 44
  • 45. ciyinet TYPE OF GROUPS Group Visibility (available to) Can have members from Same domain Other domains in same forest Domains outside the forest (forest or external trust) Functional memberships Local Local • Users • Computers • Domain local groups • Global groups • Universal groups • Users • Computers • Global groups • Universal groups • Users • Computers • Global groups • Users in the same forest • Users in other forests (foreign security principals) AD Domain local Domain (Cannot be used outside the domain they’ve been created in) • Users • Computers • Other Domain local groups • Global groups • Universal groups • Users • Computers • Global groups • Universal groups • Users • Computers • Global groups • Users in the same forest • Users in other forests (foreign security principals) AD Global Forest(s) • Users • Computers • Other Global groups None None Cannot have users of other domains AD Universal Forest(s) (Stored within the Global Catalog) • Users • Computers • Global groups • Other Universal groups • Users • Computers • Global groups • Other Universal groups None Users in the same forest References: https://www.youtube.com/watch?v=aPh8_RB8XEU 45
  • 46. ciyinet FOREIGN LOCAL GROUP MEMBERSHIP - Remote SAM (SAMR) or GPO correlation - Depending on current configuration (i.e. Windows firewall), in some cases we might need local admin privs on target to enumerate its local groups PowerView: Get-NetLocalGroup –ComputerName HOSTNAME Get-NetLocalGroupMemeber –ComputerName HOSTNAME -GroupName GROUP References: http://www.harmj0y.net/blog/redteaming/local-group-enumeration/ 46
  • 47. ciyinet Forest CIYILAB ciyilab.local dev.ciyilab.local test.dev.ciyilab.local 1. TRUSTS ENUMERATION Parent-Child trust Parent-Child trust Forest CANETE canete.local External trust 47
  • 48.
  • 51.
  • 54. ciyinet FOREIGN USER MEMBERSHIP Enumerate users in groups outside of the user’s domain. This can be used within the same forest PowerView: *Only Universal groups membership will be reflected Get-DomainForeignUser –Domain FOREIGN DOMAIN FQDN 54
  • 55.
  • 56. ciyinet FOREIGN GROUP MEMBERSHIP Enumerate groups in the target domain that contains users that are not from the target domain. This can be used against domain within the same forest or through a external/forest trust PowerView: Get-DomainForeignGroupMember –Domain FOREIGN DOMAIN FQDN 56
  • 57. ciyinet FOREIGN ACL PRINCIPALS 1. Enumerate DACLs (and their ACE entries) of all objects in domains that trusts yours 2. Only analyze ACE entries with foreign security principals This can be used against domain within the same forest or through a external/forest trust PowerView to list ACE entries with security principals from our domain: Get-DomainObjectAcl –Domain FOREIGN DOMAIN FQDN –ResolveGUIDs | Where-Object {$_.SecurityIdentifier –like ‘CURRENT_DOMAIN_SID*’} 57
  • 58. ciyinet 3. MAPPING EXPLOITATION PATH – OBJECT ENUMERATION WITH BLOODHOUND BloodHound can enumerate trusts and objects in foreign domains (local and domain groups membership, ACLs, etc.) Invoke-BloodHound –SearchForest Invoke-BloodHound –Domain FOREIGN DOMAIN FQDN 58
  • 60.
  • 61.
  • 63.
  • 65.
  • 67. ciyinet WRAPPING UP – “METHODOLOGY” 1. Enumerate trusts the current domain has and also trusts the other domains have 2. Is the target within the same forest? Yes: step 3 No: steps 4 and 5 3. Got DA-level privileges in the current domain? Yes: use DA-level techniques No: steps 4 and 5 4. Enumerate objects: a. Security principals (i.e. user, groups, computers) in the current domain that have access to resources in another domain b. Groups that have users from another domain c. Foreign security principals in ACE in foreign domains 5. Map exploitation path What accounts need to be compromised to move from the current position to the target 67
  • 69. ciyinet CONCLUSIONS - If other domain trusts our domain, we can query their AD information - Trusts can introduce unintended access paths - Domain trust boundaries are not security boundaries - Losing control of the KRBTGT account password hash of any domain equates to losing control of the entire forest - You must reset KRBTGT (twice) in every domain in the forest! 69
  • 70. ciyinet BUSINESS RISK Compromise of just one Domain Admin account in the Active Directory forest exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by all domains, users, servers, workstations and data. Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be efficiently remediated with guarantees. “Once Domain Admin, always Domain Admin” “Once any Domain Admin, always Enterprise Admin” 70
  • 71. ciyinet ACKNOWLEDGMENT & REFERENCES - My brother (Happy B-DAY!!!) - Francisco Tocino - Nikhil Mittal (@nikhil_mitt) - Will Schroeder (@harmj0y) - Andrew Robbins (@_wald0) - Benjamin Delpy (@gentilkiwi) - Sean Metcalf (@PyroTek3) 71
  • 75. ciyinet PENTESTING ACTIVE DIRECTORY FORESTS ciyinet carlos@ciyi.es CARLOS GARCÍA GARCÍA