
Attacking Kerberos: Kicking the Guard Dog of Hades

BSides Orlando · 2015 · 51:35 · 11K views · Published 2015-11
About this talk
Tim Medin presents research on attacks against Microsoft Kerberos authentication, including techniques to crack service account passwords offline and rewrite tickets to impersonate users without network access to target services. The talk demonstrates how attackers with basic domain user privileges can extract and crack Kerberos tickets, then forge new tickets to gain unauthorized access to Windows resources, along with defensive measures and mitigation strategies for Kerberos deployments.
Original YouTube description

http://bsidesorlando.org/2015/tim-medin-attacking-kerberos-kicking-the-guard-dog-of-hades

Day 2 Track 2

Abstract: Kerberos, besides having three heads and guarding the gates of hell, protects services on Microsoft Windows Domains. Its use is increasing due to the growing number of attacks targeting NTLM authentication. Attacking Kerberos to access Windows resources represents the next generation of attacks on Windows authentication. In this talk Tim will discuss his research on new attacks against Kerberos, including a way to attack the credentials of a remote service without sending traffic to the service as well as rewriting tickets to access systems. He will also examine potential countermeasures against Kerberos attacks with suggestions for mitigating the most common weaknesses in Windows Kerberos deployments.

Bio: Tim is a senior technical analyst at Counter Hack, a company devoted to the development of information security challenges for education, evaluation, and competition, as well as security consulting. Tim is also a Certified Instructor with SANS. Tim dislikes pants.
Transcript [en]

Did you start? Okay, cool. All right, welcome back from lunch. Tough time slot, everyone's gonna fall asleep. Awesome. So, welcome back. I'm going to be talking a little bit here about attacking Microsoft Kerberos, some of the cool attacks I figured out. I presented this at DerbyCon last year. Obligatory slide on... oh, this clicker accidentally clicked about 30 seconds ago, now it has no clicking at all. My day rocks. All right, so the obligatory slide: who am I? Tim Medin. I work for a company called Counter Hack. I'm also an instructor with SANS, do a bunch of other stuff. If you want, there's a QR code to contact information; it also includes a link to the slides and when he wants it. Usually when I come to a presentation like this, people are like, yeah, look, I'm clicking on that. Still nobody? There's one guy. Thanks, Jose. Jose knows me, so he knows that he's already owned, so that's why he's gonna do it. Okay, yeah, let me just kick PowerPoint once again. You'd think I'd never done this before. This is what Macs are supposed to be good at, yes? All right, what is Kerberos? Kerberos is the authentication used by Microsoft in the Windows domain, also the three-headed dog that guards the gates of hell. Same thing, right? Rough crowd, man. All right, get some more... can we bring a beer cart in here?

On the first piece here, the Microsoft version, the authentication: how many of you guys have heard of things like golden ticket, stuff like that? We'll talk a little bit about that, how that fits in and how he completely hosed me. So, a little bit of an overview: what are we going to be talking about? I like to get my presentations backwards. Anybody else a little ADD? Like three of you; the rest of you probably weren't paying attention, but that's okay, that's fine, I get it. That's how I roll. I like to do my presentations backwards, so we'll do the demo first and then we'll do the long part, the long description of how it works, later. So if you see the demo and you're like, that sucks, I don't care if you leave, I'm fine with that. Do what you got to do.

So what can we do here? With this attack, what we can do is we can crack passwords for remote services. That's cool. We can do it without sending a single packet to that service, so I don't have to have a network connection to it, I don't have to be accessible through a firewall. Frankly, it doesn't have to be up, doesn't have to be in existence anymore; as long as that service account still exists, we can use that. Okay, as any user: I don't have to be domain admin, I don't have to be a local admin, I can be any user on a box. Also offline cracking. What's the benefit of an offline attack versus online guessing stuff? Yeah, there's no lockouts. What else? Speed. You're going to get millions of attempts per second versus three, four, ten, so orders of magnitude faster. We do all this, again, as any user, without actually connecting to the device. Then at a later point, second demo, we're going to use that to rewrite some of the tickets.

So here's what we're going to do, real high level, real quick. I'll come back and explain what each of these pieces does and why it's important. First we're going to find the service accounts. There's a mapping between the service account and the SPN. We're going to ignore the computer accounts; again, we'll come back to why that's important in a little bit. We'll get a whole bunch of tickets, extract them from RAM, crack them, and [unintelligible]. Okay, so let me flip over now to my Windows box. So I've got a domain here. By the way, sorry for the jitter; apparently there's an air conditioner right above both of these in the School of Engineering. No one thought of this, I'm just saying. Scroll back up here, let me clear a couple of things. All right, so the first thing we're going to do, I'll zoom in here just a second, we're going to see who I am, so a little information about my account. So my account is TM, which is my first name, last name. Scroll down to my groups: I'm just a domain user, nothing special. whoami /all. Did you guys know this command existed? whoami /all. The /all is amazing; it shows you like the SID, you can get all sorts of group information associated with the SID with it. Awesome, awesome capability. Anyway, long story short, I'm a regular user on the domain. Locally, let's see who I am. So I'm gonna say net localgroup... gosh, this is hard to type, and this is why I copy and paste. The members of the Administrators group are the Administrator account and Domain Admins, so I am not a privileged user on the domain and I am not a privileged user on this box, as it should be, right? We want end users to have as few permissions as possible, so we got this box set up properly. I've actually patched all these systems, so they're on the latest, greatest patch versions as well.

So let's try to copy and paste, because apparently I suck at typing. So we'll use a command called setspn. I'll come back to the description of that here in just a second, but this shows me the mapping between user accounts and the services. So I can see the account CN=Domain Controllers,DC=medin,DC=local. I can see that I've got a bunch of these; this account is tied to all of these SPNs. We'll come back to a little bit more description of this in just a second. We can also see that we have a lot of computer accounts, so when I authenticate to the remote box, the service is going to be tied to a computer account. We also have sometimes where the service is associated with a user account; this is going to be more interesting to us. Anybody ever try to crack a password for a computer account? Yeah, good freaking luck, right? It's a randomized thing, you're not going to guess it. How many of you crack the password for a user account? Yeah, everybody, right? People pick crappy passwords. So we're more interested here in when someone maps to a user account than a computer account. Again, we'll spend a little bit more detail here in just a second.

I could take a look at my system. Whoops. klist. I can see the tickets that my system currently has with klist. Scroll back up, I see my first couple of tickets; they're related to the krbtgt. This is the one krbtgt account to rule them all; this is the account that's associated with the golden ticket, also connecting to the DC, the domain controller. But what I want to do is I want to request a ticket for something else. So if we scroll back up here to my... did I scroll past it? Of course you guys don't know, right. The web service account. So if I would connect to the HTTP service on the server web01, it maps to an underlying account with this descriptor. Long story short, it's the web service account, and it's a user account, which means someone set the password; the password might suck. So what I'm going to do is I'll request the ticket, a little bit of PowerShell magic. Paste this... whoops, try that again. And now if I do klist again, I can see that I should have another ticket, which I do, right here. So now what I'm going to do is I'm going to use Kerberos... sorry, mimikatz, to extract that ticket, and I'm going to use export. Let me exit out of here, and we can see now we created a bunch of kirbi files. What I want to do now is use a tool that I wrote, and we're going to crack passwords based on those tickets, and we'll explain why this works in just a second. But from this we're able to figure out that Password1 is the underlying password for our web service account. Now, that web01 box: I'm gonna try to ping web01. It's not accessible; frankly, this system is not even up, I have it powered off. If you come back over here and we look at my library, whoops, come back here, Virtual Machine Library, we can see this web01 box is offline. Frankly, it could be nuked; maybe the box is completely offline, we destroyed that server, it's gone, but that mapping still exists in Active Directory.

All right, so offline cracking the remote service as any user, and the service isn't even up. Awesome, that's fun, right? And let's go back and see why this actually works. By the way, if you guys have questions, shout them out at any time, feel free, I like interactive. So let's talk a little bit, let's go a little bit into the back story. We talked about the golden ticket. Golden ticket is cool, but in order for the golden ticket to work, I have to have a full domain compromise; I have to have control of the domain controller so I can get the password hash for the krbtgt account. Once I have that I can forge tickets for anybody; I can be anybody in your network. This, we're going to use that earlier in some sort of pen test; if you get the bounce just right, it stays in place. This is not going to be your initial compromise in the network. So someone gets access to the network, they can use this to extend their reach, potentially get access to other systems and other accounts. Now, if we cracked that service account just a second ago for the web service, where's a box where I know that credential is going to work? The web server, right. The web server, the app, the service itself is running under the context of that web service account, so I know that that thing has some permissions on that box. Luckily, I could take it and bounce it right back in. You can try the other accounts, other SIDs; we'll see in just a little bit why Kerberos... sorry, why SQL Server is very, very interesting.

Why does all of this work? Well, as part of Kerberos there are some secret things all over the place. I talk to the domain controller and it encrypts something and it gives it to me; I take half, I give it to the other service, all encrypted. There is one thing that is unknown, the one secret from system to system in the domain. What is it? The password hash, right. That's it, the password hash; that is the only thing. So what it's doing is it's encrypting the tickets with the password hash. So what I can do is I can say I want a ticket for the web server, and what I can try to do is I can take a password guess, hash it, try to decrypt. Decrypt is successful, boom. If I don't get the right password, if it doesn't, I try again: guess, hash, decrypt, guess, hash, decrypt, guess, hash, decrypt, boom, success. Now I've got a proper password. Okay, so we use this NTLM hash; that is the one secret that we use everywhere.

So now, how does Kerberos work? I got some fancy, fancy drawings here that took me threes of minutes to put together. We have my box here on the left, okay. It jumps on the network, it says I want to talk to things, I want to communicate with things, so it puts a request in to the domain controller. I verify myself to the domain controller by encrypting the request with my hash. The KDC also has my hash; it can decrypt, and it's going to send back a TGT. Think of this like a carnival, all right. You've got one entrance ticket that allows you to ride the other rides, and then after that you get additional tickets for each ride that you want to play with. So I've got this ticket-granting ticket. Now if I want to connect to something else, I now send that TGT back to the domain controller and say, hey, I want to connect to this web server. The domain controller says your ticket looks good, you have permission to get additional tickets, here's the ticket. Now, the domain controller doesn't know if I have permissions or not; not his call. That would completely overwhelm the domain controller if it knew every permission for everything across the entire network; it pushes that off to the web server. So it's going to give a ticket back to him. I'm going to send my ticket, my half of this ticket (I actually get two pieces here) to him, and he's gonna say go, no go. Okay, so the two pieces I get back: one piece I'm gonna keep, one piece I'm going to pass along to the remote service. So the piece that I've sent across to the remote service, guess what this is encrypted with? This guy's hash, right. So he decrypts it, he knows that I got it from the KDC, because the KDC has the hash. So it decrypts it, it then says, hey, is the user the right user, in the right groups, fill in the blank, boom, I have access or not. Make sense so far? Like I said, feel free to ask questions at any point in time.

All right, so now I've sent my ticket over to this guy. Now, what's inside these pieces of tickets? There's obviously much more to it than just these couple of pieces, but in the server piece it's got information about me: who am I, what groups am I a part of. There's also an additional session key, so after the initial exchange it'll actually transition over to that specific session key, and these different encryption keys, again, encrypted with the server's hash. My piece, the piece that I keep, because I give the TGT to the domain controller and he gives me the ticket for the service, my piece tells me how long the ticket is valid for; it tells me the session key, because remember these two pieces have to match, because when we switch to encrypted a lot, and it's going to be encrypted with my TGT session key. Okay, so you guys see how it's going back and forth, how we have a little bit of this back and forth. I read the RFCs for this crap so you wouldn't have to. You're welcome. All right, they are brutal. Anybody read RFCs before? Anybody else an insomniac? Notice these two groups don't overlap, or sometimes they do, but yeah, rough, dry reading.

So this SPN I talked about a little bit earlier, here's what the SPN is. The SPN is a mapping. So I want to authenticate to a service; I have no clue what account is being used in the underlying service, right? I shouldn't have to; that's not my problem, that's Kerberos's and the domain's problem. Because when I connect to this, when I, let me go back a slide, when I connect to this guy, I don't know his account, I certainly should not have his hash, but a domain controller is going to have to look that up to make sure that it encrypts that half of the ticket using the proper hash, right? Here's how it does that lookup, with SPNs. Okay, so the remote box says hey, you should authenticate. Okay, I'd love to. I talk to the KDC and I say all I know is this guy is a web server and here's his name. The domain controller, I'm going to use those terms interchangeably, DC, KDC, whatever, has a mapping; we saw that with our setspn tool just a little bit ago, we saw the mapping between user accounts and the service. So the service here, let's say I want to connect to cliff.medin.local and I want to connect to it for mail. I don't know the underlying account; the KDC does. It's gonna say, oh, you're connecting to Cliff, you're connecting to this service, I need to encrypt with this account credential, be whatever name, right. Oh, you're connecting to the web server on Charlotte, here's the account that's underlying, used here. [unintelligible] Okay, so if the KDC has this giant list of information, we can actually query the domain controller and get some of this information as well.

So here's some other interesting ones as well. So we've got MySQL or MSSQL, et cetera. It's going to uniquely identify the service, and there's a bunch of different specs on how this works. We've got the service type up front; there's a big long document with various service types. We've got the hostname; you can add a port, because sometimes we'll run a web server on a weird port, and we can add the DN if we need it. I very rarely see that; usually we'll see service type, host name, sometimes port. Okay, so these are the different names we have, and here's how we set up the mapping. So if my server1 box is running a web server and I want to map it to the web service account, this is how I do it. Now, obviously, to run that you have to be a privileged user. So that's how we do our mapping. We can setspn to search; here's my service types. As we showed you, getting crackable tickets: this is important, right? I don't want to spend CPU cycles on things that realistically I'm not going to get unless I'm inside the NSA. Nobody? We need this beer cart back. Yeah, half the people work for the NSA. Like, we already got this recording, don't worry.

So we can query the domain controller and say hey, what do we have that's mapped to what? So I can say setspn, I can say -F for forest or -T for domain, because Microsoft and spelling, I guess, I don't know, target, I guess, I don't know why they went with that. Forest is... I specify my domain, -Q stands for query, and I want all the things, all the service names, all the host names, and give them all to me. And what I can do is I can manually look through and say, hey, you know what, the SQL box here on sql1 with name sqlengine is a member of this specific group, the Users group, meaning likely it's actually a user account; some person probably generated this password. People are terrified of changing credentials for services, especially big important things like SQL servers, right? Salesmen love it when SQL servers go down, because then they go to the bar and drink all day, right? The work shuts down, the database is down, so we don't change those things. You probably all have these servers; you walk into the server room, you don't make direct eye contact with it, and you back out slowly, and once a year you bring a bunch of fruit to it. We all had those boxes, right? Because if you make that box mad, and you see you're at it for too long, it's like, screw you, like quick, and it never happens except Friday at four o'clock too, right? Or at two in the morning. You're laughing because this is so true.

So anyways, we had our SQL box. People aren't going to change this credential, which means if we're doing our cracking we can let our cracking run for a very, very long period of time before our rotation would ever happen, if ever, frankly. User accounts, you know, we rotate; service accounts very, very rarely. We can see that. We see the Exchange box here, so we've got IMAP, and the name exchange01 is our server, and that's mapped to the underlying computer account. The underlying computer account is going to have a password that, frankly, we're not going to guess. It's good enough randomness; that's just not going to happen, we're not going to guess that. We could offline crack it, but again, unless you're inside the NSA, good freaking luck. So we can get these tickets. Now, going through a pile of these manually is going to be, as we call it in technical terms, the suck, right? So we got some better ways. I wrote a couple of tools in PowerShell and VBS, so depending on the remote system it'll work; it supports PowerShell v1, so we get older systems. But what this does is it will ask the KDCs, or the domain controller: hey, I'd like all of these mappings, the mappings that we saw when I ran setspn, I'd like all of those. Oh, and by the way, I only want the user ones; don't bother, don't waste my time with computer accounts. So that means I'm likely to get ones that I'm going to be more able to crack. And again, PS1, we have PowerShell as well as VBS, so you can run it on all sorts of systems. If you can crack a computer account, let's talk; I will gladly buy you all the beers. Same. So, requesting the tickets. Now, this is a little bit funky, again, these words, but we use a little bit of PowerShell. This is going to grab specifically one ticket, which is what we did just a second ago, where I grabbed one ticket for the web server, a web server that wasn't even up, but the web server nonetheless. We can do a little bit of kung fu here and get a lot more tickets, or we can use the two we had in the previous page with a little bit of mojo to make the data look a little bit different; we can massage it, get very specific information.

Elevated, the setspn command? Right, nope, nope, I'm a regular user over here. Come on, switch. There we go. Yeah, whoami /all, right, I am just a regular old user and I'm not elevated on my box. Well, if I want to authenticate to anything then yes, I mean, so frankly, yeah, you have to. So if I want to talk to anything I have to be able to request tickets. So there is a specific log item; I think I've got it later in the notes. Let's jump ahead. Great question, so his question was: do we need to... we want to authenticate, and of course if we're in a domain we very much want to. So there's a very specific item that will be in the domain controller's log that says hey, somebody requested a ticket. Of course everybody requests tickets; if I'm going for one, I'm blending in. Now, if I start mass requesting tickets, you can find that really easy. Your SIEM, if it's looking for this information, which at this point in time I don't believe any of them are, you should be able to be alerted to somebody requesting a mass quantity of tickets. Of course you could go nice, low and slow, hide from the IPS, whatever. To answer your question, yeah. Awesome.

So as we mentioned before, if I'm requesting a ticket, the box doesn't have to be up, it doesn't have to be accessible from where I am; it just has to still have that mapping. A lot of people, when they decommission a box, they'll leave the accounts floating around, they'll leave the mapping still in place. Maybe they moved from an old SQL Server to a new SQL Server and left the old account floating around. You know, you have to make sure that you clean up to prevent some of this. So we have the ticket for the remote system, encrypted with what? Sometimes I'm trying to make you guys interact, okay. Now it's rough; with IT people the room fills from the back to the front. Just for this gentleman: you're an ex-admin, by the way, you nailed it, no offense. All right, so, I crack myself up sometimes. Oh, the ticket is encrypted with the remote server's hash. We can pull that back and try to crack it. Now, I wrote this in Python, so it's not super fast. Any of you guys done any sort of like threading or multi-processor stuff? I see a couple people are like, I tried. So I wrote this thing, I gave it to a couple of friends of mine; actually Mick had it, and his co-worker's like, oh, I was using your tool, and I still let you know the cool threading stuff, and I tried all sorts of different threads, and the fastest speed I could get was with one thread. Anyway, I'm working on a module for John. If you've ever looked at the John the Ripper code, it's horrific, and they're sort of proud about that. Like, is there any documentation on this? If you can't read the code you shouldn't be programming, screw you guys. So I'm slowly making it through a lot of their crappy comments trying to figure out what's going on; here very shortly.

All right, so we cracked the password, the remote password. Now what? We can log back into that box. So I cracked the service account, the underlying service account for the web server. I can probably log straight back into that box; I might be able to log into another box; I might be able to use it all over the place. That's kind of fun, right? Or maybe I'll see it's some sort of scheme that I can get additional passwords, lots of different information we can use. Or, because the ticket is encrypted with that hash and I now can generate the hash, I can make my own tickets or modify the tickets, so that makes this a lot of fun. So we'll jump into that in just a second. I also have an additional tool that will extract these tickets, the TGS request tickets, from packet captures and put them in a crackable format. Yes?

so his question is um after after so the tickets encrypted with using the mtlm hash is the key what's the encryption type it is crap now I can't remember off top of my head I think it's an rc4 from a it's a stream Cipher off the top of my head I'll have to see that stuff my head it doesn't matter we got the key right screw screw the heart attacks this is easier all right I'm completely blanking at this point then I can check my code it's in there um so how does I I send my ticket to the remote box the remote box makes the decision whether it should let me in or not

wait how does it make that decision it does it with the privileged attribute certificate or the pack we call it the path contains all sorts of information about me it contains my username it contains my writ so I can see my user rip that's the big long sin security identifier the red is the relative identifier that last little piece at the end it maps to my user account it also tells me the groups I'm a member of so if I make it if I can decrypt this ticket and I can re-encrypt this ticket I can change anything in the ticket and then resend it the remote box right well sort of it's protected with a couple signatures

now we have one secret thing in the domain for each for each box it's got its hatch so the server checks some guess what the key is for that checksum the hash so I can change the thing I can resign it because I've got that awesome but then we've got the other guy the other guy is signed with the KR krb tgt's password hash and if I've got that already I frankly don't need to use this at this point in time so wouldn't it be nice if Windows didn't always check that other signature because this system can check this signature itself right it has the hash it knows its own hash it can decrypt it using the

hash it can damn well check the check the signature but to check the signature on the krb TGT we're going a little limp there to check the signature using the krb TGT either my box has to have that hash or we have to send it to the domain controller to verify that takes extra overhead so if every single time I want an authenticated like give me a second here I pass it to the main controller he comes back not only is there additional latency there but the domain controller is going to take a lot more burden it's got to verify a lot more of this information and this by the way this verification Channel uses a secure TCP

communication so you can't just inject things with like UDP so the server will check its own sometimes it will ask the kitty Kitty sometimes not all the time this is where things start to break down according to the dock here Windows OS sends the pack validation messages to the main controller the net logon service um if it does not have the act as part of the operating system privilege basically if this thing runs as a service on my local box it says I'm too important to waste time on this I'm not going to bother checking so guess what runs as a service on on boxes like this SQL Server awesome that's where all the cool data

is unfortunately this won't work with web because an abstraction layer when it comes down to the the web at the app pools so an app pool will always verify with the KDC so this isn't going to work with web servers but it does work with a lot of other cool things exchange SQL server and the Beautiful Thing with SQL Server is during the install process it says hey we suggest you use other accounts why don't you give us the names and passwords for those accounts so it helps set it up in this sort of a manner now you can toggle a specific setting that says always ask the domain controller but good luck pulling it off in your

network add a couple of milliseconds of of a delay to every single query and watch people start screaming at you because that'll start to stack after a while we have some big problems so frankly it's just not going to happen on top of this with SQL Server is there's a couple of documents Microsoft has this like four page document I'm properly setting up the account so it will register this via the SPN and get that all squared away it's four pages or if you make the SQL Server account a domain admin it fixes all the problems guess what people pick we'll change it later right later is Latin for yeah not really ever yeah so it's not going to happen

Microsoft tells you not to do this a lot of the blogs out there do if you for this and you add you say how do I set up SQL Server to use Kerberos a lot of the blogs just say screw it make the domain administrator it doesn't matter oh sweet made my job a lot easier um another important thing with it with SQL Server is it it asks us the account because remember we want to make sure we use a user account and not a computer account SMB will use the computer accounts by default and I've never seen anybody remap this if anything I'm not quite sure why you would exchange defaults to that should say

computer account you can change it but takes a little bit more effort not too bad and HTTP uses Apple app pools so what we can do then is we can start to rewrite tickets rewriting ticket is tons of fun now ironic tool to do this I spoke about this at derbycon there was another guy doing a talk at talking Saturday and I'm free that the other dude is going to release the same stuff I've been working on I've been I've been shopping around this talk for like I don't know almost a year everyone kept turning it down I'm like no no this stuff was fun and I'm like oh great this guy's gonna blow it the day before

so I go through his talk and I sit there and I super excited because he didn't break anything the next morning I'm waking up like guys give me a good day I'm gonna do my talk it's Derby con this is gonna be so much fun I roll over I look at my phone my buddies my buddy's got to talk that's uh at like nine o'clock I'm a little bit late what's going on on Twitter so Benjamin delpy the guy who wrote mimikats it's a freaking Saturday okay the dude releases the exact same tool is better and on a freaking Saturday but he beat me by like four hours and I'm like Bang you're killing me man so he shows all

this cool stuff about how he's doing this silver ticket he's super friendly guy um so we've been that that morning I spent a bunch of time rewriting slides I'm talking with him I found a bunch of bugs in it in fact while I was playing I was communicating with him I needed to send him some tickets and I sent him anybody familiar with the golden tickets basically that first attachment I added by accident that's the krb TGT that is the one ticket to rule them all it encrypts the like everything it signs everything I accidentally sent the guy who wrote mimikatz the keys to my domain this day is awesome it's going so well so yeah so I'm frantically freaking out

I'm like dude you totally stole my thunder guys like oh I'm sorry I didn't mean to him like it could take one day off I mean you're French I mean you could take every day off take a Saturday the Frenchman in here exactly you offended the French so what we can do that was supposed to be a joke so um what we can do is we can use mimikatz to generate and play with our own tickets okay so let me jump back to my box here

oh I forgot to show you too here's my get all the tickets real quick in one line klist there's all the tickets from the entire domain and then we can extract them with um mimikatz

extract them all

and then crack them all so we got a bunch of passwords for for all the accounts the one we're specifically going to look at here is going to be SQL Server because SQL Server is the one that is special oftentimes in these domains the password we found here is Phoenix one so the underlying password for this service account running SQL Server is Phoenix one okay so let me kill everything here

I just I'm just clearing out all the tickets deleting all the tickets ahead on fi on my disk so I'm going to try to connect to the SQL server and you'll see we saw before I have no special permissions in fact if I try to connect to the SQL Server it tells me login failed I don't have permissions but I know the password that's the underlying password for that account right so what I can do is I can rewrite that ticket

uh we already cracked the password I want

sorry my copy and paste apparently is sucking so what I'm going to do is I'm going to change that ticket oops cats I'm going to change the ticket and if we take a look up here I'm going to change the RID to 1159 if we take a look at what I had before

we can see my SID is 1106. so what I'm doing is in that PAC showed the RID I'm changing the RID to be another user so now if I connect to SQL Server and authenticate now I've got access okay so I'm impersonating the other user by using their RID now who does SQL Server think I am oh is it important right so let's go back to my notes copy and paste this because we got a new query paste it still thinks I'm TM username there's my SID it's going to give us this long piece of information if we look at the very very end here we can actually decode that last little

piece it's actually a big long number but if we decode that it's going to show that um what number does it 1106 1159. the the RID for Bob now that's kind of fun I could impersonate you random users but wouldn't it be fun to add some groups the answer is yes folks yeah right because right now I look at the database and I can see Bob's secret plans but I can't see the plan for world domination so Bob's secret plans I can take a look at the table uh select the top a thousand rows and we see we get a little bit information from this right you guys watch it's the best documentary ever anybody

watch Idiocracy awesome terrifying documentary but anyway so we see Bob's Bob's secret messages his things to do but I can't read the plans for world domination so what I'd like to do is read that what's a group I would like to have uh I'd like to be a part of in the Windows domain domain administrators yeah absolutely so let's go back here select this guy oh Jesus I don't think he's on my door

so we'll connect back now I am now I added myself if we take a look at my command here we see groups that I added 512 is if I remember correctly this is domain administrators this is Enterprise administrators this is schema administrators and this is one of the other administrators I added for good luck I don't need all these things but why the hell not right so I connect to my database here plans for world domination I can now see the information I can get the plans for world domination here and we see it's a South Park reference right so that's kind of fun but at this point in time we still see that I am

authenticated as me that's kind of boring people are going to see what I'm doing on the box even though I don't technically permissions like they say no I like to blame stuff on other people right so why not do that so who better than to blame things on then

the Frenchman I'm gonna blame your mom okay also the RID is invalid there is no user with a RID of 999. so forensically if someone comes back you're like well who dumped all the information

I want to see somebody going to CTO and be like

that your mom hacked us

so if I connect now

new query

execute boom your mom right we can also do other fun stuff like oh that's kind of fun but what if instead of your mom what if we change the name to something else

like maybe what if we used an invalid username paste this here right so I can now use my username potentially as SQL injection maybe this is render on a page somewhere I've got cross-site scripting oh we have we have so much fun to do with this right so many fun things we can we can do because everyone trusts a user use safe at this point in time we can now start attacking all sorts of other fun things right so my username now it says select star from pound we could put script alert boxes beef hooks maybe even embed some sort of payload in there who knows it's Off to the Races awesome awesome capability

it is in the event logs let me double check it's in the it's in the logs

no no it's gonna be a local they'll check locally yeah yeah it doesn't this doesn't get passed back up but if you check the logs on this box I we should see let me just show it real quick we should be able to see a where's my SQL Server

apparently she's showing up I want crap mine was a restore there we go we can try it real quick come on

in those logs security

this is this is the SQL Server and I'm yeah I have no idea what this Maps back to but that's the SQL Server it actually shows up in its event logs as that so cool huh all right exactly right you start putting funky things into the SIEMs like oh yeah it's safe it's a username right good luck with that so we got a little extra time here right the mitigations we got mitigations the things we should do to protect against this use good passwords long and short of it there's a good password right if the more recent versions of PowerShell give us capability and and the domain we can set up service

accounts where the passwords will rotate automatically it picks good ones do that okay and it sounds simple just pick good passwords but people are terrified of changing service accounts they don't want to break anything because they control important stuff also look for this event ID right so look for that event ID and we'll see somebody requesting large quantities of tickets again if they request one good luck you're not going to find that specific user okay there's a really cool capability in uh in mimikatz as well you know you don't think things maybe you're compiling code doing a large Network scan you gotta blow up a little bit of steam right nobody I blow up a little bit of steam all

right and if you're at a Windows box not a lot of choices so you could you get a little bit bored you open up a little bit of Minesweeper right yeah it game sucks right

oh you can't see my screen can you hold on a sec sorry this version of I have to do the latest version of the windows format or what do you call it for Mac all right so we've we've got our Minesweeper you're putting the largest size I think it's so frustrating because you're down to like a 50/50. nobody's had this happen anyone wants to admit it all right no I don't do I never play games at work

I got my mimikatz here I got this bad guy disappeared Ben actually gave me a custom compiled version you so you can do mimikatz Minesweeper it shows you all the mines are so if you take nothing from this

there you go all right so anyways let's all right so that pretty much wraps it up so what we did is we did some offline cracking of remote service accounts without sending a single packet to it because we used the uh bad password bad password encrypts the ticket we use that to crack the password and then from there we can start to rewrite tickets I'm trying to get back to the very beginning here questions

shell access would that put it with us hint of this yes I very rarely see that if you get access to someone's box people say oh well white listing Well PowerShell is whitelisted I mean it's signed by Microsoft so you can you can bypass that questions none all right well thank you guys so much enjoy the the rest of the day
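The "look for that event ID" mitigation from the end of the talk, as an added example that is not from the talk or from mimikatz: it assumes the event is Windows Security event 4769 (a Kerberos service ticket was requested), uses constructed log lines, and treats the one-minute window and the threshold of five distinct services as assumed tuning values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security event 4769
# ("A Kerberos service ticket was requested"), one per line; not real log output.
SAMPLE_LOG = """\
4768 2015-11-07T13:00:00 account=tm service=krbtgt
4769 2015-11-07T13:00:01 account=bob service=fileserver01$
4769 2015-11-07T13:00:05 account=tm service=sqlsvc
4769 2015-11-07T13:00:05 account=tm service=httpsvc
4769 2015-11-07T13:00:06 account=tm service=exchsvc
4769 2015-11-07T13:00:06 account=tm service=backupsvc
4769 2015-11-07T13:00:07 account=tm service=reportsvc
4769 2015-11-07T13:00:07 account=tm service=sharepointsvc
4769 2015-11-07T13:05:00 account=alice service=sqlsvc
"""

LINE_RE = re.compile(
    r"^(?P<eid>\d+) (?P<ts>\S+) account=(?P<account>\S+) service=(?P<service>\S+)$"
)


def parse_events(text):
    """Parse the flattened log; keep only well-formed 4769 records, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("eid") == "4769":
            events.append({"ts": datetime.fromisoformat(m.group("ts")),
                           "account": m.group("account"),
                           "service": m.group("service")})
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_requesters(events, window=timedelta(minutes=1), threshold=5):
    """Return {account: services} for accounts that requested tickets for at least
    `threshold` distinct services within one sliding `window` (a single request,
    which the talk says you will not find this way, never trips it)."""
    by_account = {}
    for e in events:  # parse_events already sorted these by timestamp
        by_account.setdefault(e["account"], []).append(e)
    flagged = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward past stale requests
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= threshold and len(services) > len(flagged.get(account, ())):
                flagged[account] = services
    return flagged
```

Running find_bulk_requesters(parse_events(SAMPLE_LOG)) flags only tm, who pulled six distinct service tickets inside three seconds, while bob's and alice's single requests stay below the threshold.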