
So welcome to BSides Las Vegas, the Ground 1234 track. Today we have Nir Yosha giving his talk on his quest for privileged identity to own his own domain: privilege escalation and lateral movement. Nir started his career as a squad leader in the Israeli Intelligence Corps, where he helped with gathering intelligence, tracking the growth of terrorist organizations. Over the last 15 years of experience in identity management, user behavior, and insider threat analysis, currently Nir is a principal solutions engineer for Preempt. Nir publishes his posts on LinkedIn and speaks occasionally at security conferences, and we're lucky enough to have him here at BSides. Before we get started though, I do need to thank all of
our sponsors, especially our stellar sponsors Critical Stack and Valimail, as well as our other sponsors Microsoft, Cylance, and Robinhood. These talks are being recorded and streamed to YouTube, so if you can, please silence your cellphones; we would appreciate it, so that the people who are watching online are able to hear. If we have time for any questions at the end, if you can raise your hand, I'll run the mic to you to ask your questions. And with that, let's welcome Nir to BSides. Thank you, thank you so much. How is everyone doing? Good afternoon. I'm not going to drop any 0-days here, I'm not going to reveal
any new sophisticated attack vectors. What I will talk about are those good old Active Directory misconfigurations. Do we have any defense guys here, anyone specifically that deals with Active Directory vulnerabilities? Yeah, so you know what I'm talking about. I work for a company that has an assessment tool for Active Directory, so what we do is we look at the identities and try to figure out those vulnerabilities, and it is still relevant in 2019, many, many years after patches came out; we still see those vulnerabilities with our customers. There is a lack of visibility on the users' access, there are specific threat detections that are still missing when we look at it, pass-the-hash and
golden ticket, and we'll talk about this today, and there's no enforcement; a lot of the stuff is postmortem, it's after the intrusion. So, real story: around three months ago we get a phone call from a client and he needs our assessment tool because they have this unexplained lockout of accounts. We went into the site and we see an unmanaged device, a new device in the network, that is trying to log in into the domain, and we see that there are like a huge amount of users, some of which are not even part of the domain, a lot of them are getting locked out. We're showing it to the client, and then we see one user that
successfully logged in to that unmanaged device. So we're showing it to the customer and he's not impressed; he cares about the locked-out accounts, he wants the locked-out accounts to be unlocked, and he's not really... I'm trying to explain to him there might be a relationship between the locked-out accounts and that authenticated user, and before we end this discussion we see that user getting into the CEO's laptop, and magically the customer started to freak out, disconnected this device, disabled the account. But the story is exactly about what I'm going to talk about here today, those misconfigurations in Active Directory. So I tried to structure
the talk in a sequential way, the way we see it usually, so I can call it the kill chain of owning your domain. I'm not going to focus on the initial intrusion or the execution on object; I'm going to look at a very narrow phase where there is privilege escalation, lateral movement, internal reconnaissance, and as you can see here it's a cycle, it's a cycle that keeps on happening until the bad guys get into their target. So I have to embarrass myself: this is actually from my first BSides at Cleveland, and yes, I dressed up in my talk as a detective, that's how weird I am. The idea in my crazy mind was that because I'm
talking about threat intelligence and indicators of compromise and investigation, a detective will make sense, so that's what my background is, threat intelligence, used to be in the Israeli Intelligence Corps, and I don't know how, but I guess it worked because I'm now in Las Vegas, right? Someone liked it. Okay, so we are going to skip the initial intrusions. The fact of the matter is that there are many ways to get inside the network, mainly the portals, the open portals, VPN, OWA, which I still don't understand why it is still not protected by MFA in most of the companies I am working with, and Citrix; there are talks all over about escaping Citrix boxes. And so our
assumption is that we have already established a foothold within the network, and at this point, whether it's malware injected into one of the processes or hijacking some high-privileged program or bypassing the user privilege, sorry, the UAC, we're getting a local administrator on an endpoint that is probably not our target, not our end goal. And so from an attacker perspective, at this point I want to start to look around, just as you do with the external reconnaissance, you want to start to monitor the new environment, live off the land so to speak, and find your next hop. Well, Microsoft is making it easy, so anyone is familiar with GPP, Group Policy Preferences, that allows us to set
up passwords across the domain? That was introduced in Windows 2008, and we still see it with the customers today, using that, or even if they upgraded their systems to a later patch, they still have those passwords there; they don't change them. Microsoft eventually realized that this is a bad idea to send the same administrator password across the domain. They did it in phases: the first realization was, we probably don't want to keep passwords in clear text within the domain controller, probably a bad idea, so administrators were able to create the scripts with clear text, and then Microsoft was adding a patch that will encrypt that with an AES encryption key, but around 2012 Microsoft dropped the
ball and published this private key for that encryption on the MSDN public portal, so everyone could go and decrypt that XML sitting in SYSVOL, which by the way is accessible to any domain user. So what we see across the board is, even though most of the clients already upgraded to the security patch that solves this problem, a lot of them forget about the file that was sitting in the SYSVOL folder, and what we do is we can get those files, decrypt them with the published private key, and most of the time the passwords are still relevant, still being used within the network. So mitigation: don't forget to remove all those exposed passwords after patching. Microsoft came up with LAPS;
anyone familiar with LAPS? So this is a solution that randomizes the password across domain... sorry, across local administrators. There are other solutions to do that, and in many cases what you can do is you can just disable that user; not every endpoint requires the local administrator, definitely not the guest user, to be there. Other things we see is, obviously, a lot of endpoints today are being provisioned from an image file, and so the image has a specific local admin password, and we can detect that: if the boot timestamp is similar between two machines, there's a chance that the local administrator is the same as well. That makes sense. Now, if we're not lucky
to get those local administrator passwords working for us, we will start with internal reconnaissance. So, coming in from threat intelligence, it's very similar for the bad guys when they get into the network to look for intelligence gathering, the same way they do it when they are outside the network: there are scanning tools, you can leverage Active Directory, and you can look for other evidence within the network. So we all know the scanning tools. One port that uniquely identifies a domain controller is the LDAP global catalog; anyone remembers which port number is the LDAP? 389. This one is not necessarily going to be Active Directory, it could be any other directory, but this port will help you to find the domain
controllers in your network. The other thing I show here is, which one do you think is more under the radar, flags for nmap, the top or the bottom one? The top, because when you're using the scanning tools that basically kill the session immediately after starting it, this is very unique within the environment. So as an attacker, one thing to look for is to stay under the radar. We're using scanning, but there's an easy way, once we identify the domain controller, to query the domain controller using those valid LDAP queries. So this is a tool called BloodHound, which is much less noisy than nmap or any other scanning tool because it doesn't interact with the
host, it just interacts with the domain controller, and it is looking for all those entities within the domain, the users, the hosts, the groups, and builds this graph that gives you an idea of how the land looks like and where you should move from there. So this is an example of a BloodHound demo where there is a target, the target is a development server, and on the top is my source, and BloodHound finds for me one hop where I can, in this case, elevate privileges from a domain user to an administrator user that is part of the Domain Admins and the target. So that tool is coming in very handy to find my target. And then there
is the typical intelligence gathering we still see within environments: those network diagrams sitting all over, clear-text passwords, and who here thinks that Summer2019 is probably a good password to spray on a network? Anyone here has Summer2019 anywhere? Yeah. We keep on seeing those passwords and we'll talk about it, because at the end of the day credentials are the main issue when you go to do all those attack vectors that we're going to talk about.
So when it comes to reconnaissance, you want to make sure your environment monitors all activities to the domain controllers; there is a very specific footprint to most of the tools, BloodHound included, and you want to make sure you train your users around credentials, and the same way you keep your finance documentation, your HR documentation secure, you might want to as well put all your network diagrams secure, because they can be used by the attackers. Okay, so we established a foothold, we started with some local reconnaissance, and now we're ready to dump the hashes. So Microsoft is very handy, right, gives us this process called LSASS; we'll talk about that and we'll talk about NTDS. LSASS, you probably heard of,
is that process that is still today running on Windows 7 and down in kernel memory and can be dumped. Now LSASS keeps the credentials of not only the current users but all the users that logged in into the endpoint since the last reboot, and so potentially you can get some good hashes over there. We will talk about NTLM and Kerberos. By the way, NTLM is actually the NT hash, which Microsoft calls NT hash; LM, the LAN Manager, is the old hash that Microsoft is not supporting anymore, but for some kind of reason people still call it NTLM. In 2016 servers and Windows 10 clients, Microsoft introduced Credential Guard. Credential Guard is a way to secure LSASS in an isolated area
within memory that nobody can just access like that, even if you are in the system space, but you just need one machine in your network that is not 2016. Like, anyone here has clients with still 2012 servers, or Windows 7? Anyone 2008? Windows NT? Wow. Is it connected to the network? That's like history; you can donate it to museums. So yeah, so none of those operating systems can have this feature, it's not ported backwards. So Mr. Benjamin Delpy, the creator of mimikatz, created even a workaround for Windows 10. So in the case of mimikatz, usually in Windows 7 or
2012 servers you would be able to use mimikatz to dump the hashes. So this is an example of the commands running on Windows 10, and what Mr. Delpy shows here is that you cannot really get the password now when Credential Guard is enabled; also Credential Guard will keep the Kerberos keys, so those are the Kerberos keys, usually we will get them in Windows 2012 servers or Windows 7. Now in 10 there's still a way around it: so a custom security support provider is the component that communicates the hashes outside from the host to the server, and so if at some point someone is going to authenticate himself, the passwords are not secure anymore, they are in motion;
they are secure only when they are at rest. And so what Mr. Delpy is showing here is, he just injected a custom SSP, the custom SSP supported by Microsoft, and at this point it is being monitored and translated into clear text. So the bottom line here is, it's not a matter of whether you're gonna get it, it's just whether you're gonna dump it from the memory or wait for those credentials to get out of memory and then catch them while they are on the way.
Yeah, thank you Mr. Delpy. All right, the next place hashes are located is NTDS.dit. This is basically the database of Active Directory, and it sits on every domain controller. This is a block diagram of this schema, or the way it works; it's basically a database, right, based on ESE and Jet Blue, and if you get a hold of that, you get a hold of the password hashes as well. Now this is another demo where I can show you where the file is, so it sits under the NTDS folder, and you cannot just copy the file as is because it is being used by the Kerberos Key Distribution Center, the KDC. However, you
can create a shadow copy of the file, and then when you create a shadow copy of the file you can take it offline and start cracking it. So this is what I'm doing out here; actually, I can move it a little bit forward. Now there's another component that needs to be used when you are looking for the hashes, it's called the boot key, and that is sitting in the registry, so what I do is I export the registry keys as well, which is under SYSTEM, and then offline I can start to crack it. Now sometimes you will get that message that the file is not in a clean state because we just created a shadow copy, so what
you need to do, you need to defrag it, make sure that you fix all the broken pieces, and eventually you're getting this rain of hashes; that's gold, literally gold. Thank you so much. So in that specific case I used the tool of Michael Grafnetter, called Get-ADDBAccount; there are other tools that can be used in order to get those hashes out of NTDS.dit. So mitigation: make sure that hashes are protected in the host by not allowing high-privileged users to get there, because if they're getting there they potentially can be dumped, and from an NTDS perspective, make sure you protect not only your domain controllers
but also the backups of your DCs; a lot of the time those backups are not encrypted and not really kept safely in a place, and most of the time when we find them, we still can get those hashes. So the other way of getting information is by stealing the hashes, which is tricking users to authenticate with you. There's a couple of ways to do that; a lot of them are based on the SMB authentication mechanism. So if you're familiar with the SMB authentication, the way it works is, if I want to access a shared drive, the server is asking me to encrypt a challenge with my password hash; if it's encrypted and verified by the server, I
am granted access, otherwise access is denied. So what can I do in order to trick a user to get into my file server? Well, I can add an HTML image tag in either a page or an Outlook HTML form, and as you can see here, it's as simple as pointing to the file server where my Responder or any other tool is waiting to collect the hashes. So there's an already built-in module there in Responder that will allow you to get those hashes. Another way is to use custom forms in Outlook; anyone is familiar with that? So if I get ahold of a user's credentials, I can create a custom form. A custom form is when you get an
invite from Outlook or another email that looks different; it's because someone crafted a specific form, and that form is synced across clients, so it's going to sync to your Outlook client within your network even if it was created on Outlook Web Access, and then that form potentially can also have a PowerShell payload, for example PowerShell Empire. So this is how it looks: you can create those PowerShell payloads, or you can just simply add an OLE object within an email, and then you will see here the specific session key; this is the SMB authentication that includes the source identity hash, and this could be cracked and eventually
used to move laterally and escalate privileges. So all of those things eventually are going to help you get hashes, and by cracking those hashes you'll be able to move to the next step in our kill chain. So how to prevent that? Mitigation for stealing hashes: this specific Microsoft custom form has a patch; if you don't use the patch, the user doesn't even have to interact with it and it will call out over SMB; if you have the patch, at least the users will get a notification from Microsoft on that. Block port 445, which is SMB, outbound; there's no reason for you to have this port open. For God's sake, my ISP is blocking my 445 outbound because they know how
dangerous it is, and we still see that being opened. And block it on the endpoint as well, because your clients can take their laptops home, and then when they're looking for their email at home, the egress filtering rules are not in effect anymore, they're not going to block them, and so make sure that the endpoint is blocking port 445 outbound as well. And make sure that Windows login has a sufficiently complex password, because at the end of the day that's gonna make the bad guys' lives harder when they're trying to crack your passwords. All right, next is a kind of legacy protocol that is still available in Windows 7;
it's called LLMNR. That's a mouthful. I put this here because it's just funny the way Microsoft sometimes does things. This is the way to disable LLMNR, so in order to disable LLMNR, and you probably cannot read it out here so I'll read it for you, but basically it says: in order to enable the policy, or when you enable the policy, LLMNR will be disabled; when you disable the policy, then LLMNR will be enabled. So I just thought it's funny that they're trying to make our life harder. But if it is enabled, which is basically disabled, then the attack vector works like
that: you poison the subnet with a shared drive that doesn't exist, so it's not going to be resolved in the DNS, and then the victim is going to try to resolve it, and whenever the name is not going to be resolved, it's going to broadcast a question, who is, in this case, SNEER01, and if I'm the attacker I would say, I'm SNEER01, please send the hashes to me, and then I'm getting the hashes, and whenever the client or the victim is trying to access, I tell him, thank you, bye bye, got your hash, I don't need you anymore. So that's how the attack works. Now there's definitely not a need to
allow this; we still see this enabled on clients. Just disable LLMNR and NBT-NS, which is basically the NetBIOS protocol, on the network drive; now, if you have multiple network drives you need to do it on each and every one of them. So disabling LLMNR can be done from Group Policy, but disabling NBT-NS cannot be done that way, because you need to look for all your network drives first, and then you can do that using a PowerShell script. SMB signing: what is SMB signing? SMB signing is a feature that allows the recipient to make sure the SMB session is coming in from the identity, so it's basically digitally
signing SMB packets and making sure the source is who it says it is. A lot of people don't enable SMB signing because SMB signing has some performance overhead, so there's a lot of performance testing that needs to be done before enabling it, but if it's not enabled there's another cool attack which is called SMB relay attack, which is basically a man-in-the-middle where I somehow get my victim to try to authenticate to me with admin rights, and then what I do is I take the admin request and I forward it to the target, and the target is like, okay, well, if you are who you claim you are, please encrypt my challenge. I take that request,
forward it to the victim, the victim is encrypting it, I forward it back to the target, the target is like, okay, you get access, and as always, what do I say to the victim? Bye-bye. So that's how it works. So to mitigate that, just enable SMB signing; that could be enforced via Group Policies, and again, make sure that you're aware of the performance implications. Okay, now let's talk a little bit about Kerberos. It's kind of a headache, but if you talk about Active Directory you have to mention Kerberos, and there are a lot of attacks based on Kerberos. So the way I kind of learned to speak about it is the analogy to an amusement park.
So some amusement parks, when you go in there, you have to buy a ticket for entering the park, but then you need to buy a ticket for each and every one of the rides. Not sure it's true anymore, but that's the way I'm going to compare it to Kerberos. So there's two things that you need to know about Kerberos, two types of tickets: TGT, ticket granting ticket, and TGS, ticket granting service. So the way authentication in Active Directory works is, I authenticate myself in front of Active Directory and then I get the TGT; this is the ticket that proves that I am who I claim I am. Now I can take the
ticket, and using that ticket I can ask to access services, for example a file server, web server, any other services that are Kerberos-supported. I get a ticket for that server service, and when I get it I present it to the specific destination application; they verify that I have the permissions and then they create the session for me. Makes sense? Now, what if I had a high-privileged user hash already with me? Then I don't need to ask for the TGT; this is basically someone that already gave me their ticket to the amusement park, I don't need to pay, I can use it. Now if this is a super high-privileged user, which is the krbtgt
hash, this is the master key, this is the hash that has access to all the resources within Active Directory, then I'm golden, okay, then I can access anything within my environment; this is actually my golden ticket. So in order to create a golden ticket, which is basically crafting this ticket that Active Directory will believe is valid, I need to have the Active Directory information, the SID, the security identifier, which I'll talk about later on, and the hash of the highest privileged account, the krbtgt, and then when I've got all those ingredients, the way to prepare my golden ticket, the instructions are very simple: just encrypt any user ID, it could be even a user ID that is not part of my
domain, because Active Directory for some reason is not even verifying the user, at least for the first twenty minutes, and then it's used with the krbtgt hash; this will prove to Active Directory that you have rights to access any services within the domain. Now another benefit here is that when you craft the ticket you can decide how long it will be valid, so you can really change it, you know, from ten hours to ten years; again, something that Active Directory is not enforcing. So this is the golden ticket, okay. Basically, think about it, this is the way for me to simulate or create a ticket that will allow me to access all
the rides within my amusement park. So obviously the key for a golden ticket is krbtgt, and that's why this is kind of a design flaw, but this is something that you need to make sure you keep, and you keep rotating the password of it, because otherwise, if someone got ahold of it, basically they own your domain. So Microsoft had another attribute, or another way to give access to accounts, that's called SPN. So what is SPN? SPN comes to solve the problem of accessing services that are not directly communicating with your clients. Let me explain, give you an example. Let's say that there is access to your Outlook server; when you're accessing your
Outlook server, the Outlook server on your behalf is trying to access other resources in order to basically allow you to communicate with your emails, whether it is a database or maybe it's the web access or any other servers, and so if I get access to this client, I get access to other servers as well. Now Active Directory allows me to look for all those accounts, service accounts, that have SPNs, and just get those service accounts encrypted with the password hashes, but the fact that I get the password hashes will help me later on to generate those rights, those tickets, that will get me the rights to TGSs. And so in our example here is,
if I got all the information, all the ingredients, to create the TGS, the ticket granting service, to a specific application server, for example my file server, my web server, then I don't need to speak with the domain controller at all; I just created my own right ticket. So the ingredients for the silver ticket are: query Active Directory for services, identify the service account that you're trying to access, and identify the endpoint that you're trying to access, and then create this TGS, ticket granting service, request that looks exactly as if it came from Active Directory. So again, the idea here is to craft it and to communicate with the service account without even communicating with the
domain controller. So all of those things are eventually kind of taking advantage of the way Kerberos works today. So in the case of Kerberoasting, those passwords eventually need to be cracked, and so the more you make it harder for the users to crack them, the harder it is to generate a TGS. So almost there, we're getting to the end of our ride, and talking about a few more attack vectors that we see out there, and then we'll kind of talk a little bit about what we can do about it in general, and, you know, the whole idea about credential theft and where's the future, right; this is all new NIST suggestions on passwords and the biometric
authentication; all of this is trying to address those attacks that I'm just talking about here. So, SID, security identifier: that's basically the number that identifies either a host or a user within your environment, that's how it works. Microsoft had to add an attribute to users that's called SID history, and the idea behind it is, when you migrate from one domain to another, you need to keep the old SID, the SID that came from the old domain and the SID that came to the new one, and of course people will start thinking on how to exploit that feature. So the way to exploit it is, well, we know a list of known SIDs; those are the
strongest SIDs, they have a very well-known ID. Well, what if we will take that SID and we will inject it into the existing user? Oh, sorry, yep, I know, I know, I have a high... I was sure, no problem; anyone that put their earplugs in can take them off. So yeah, anyways, you inject those SIDs; if you can inject them, then legitimately you can impersonate a user with no rights to have a lot of rights, and so it is very important when you migrate users from one domain to another to make sure you clean the SID history, and if you're looking for trust between domains, make sure there's SID filtering and those SIDs are being
verified, and, you know, you're not falling into this SID history injection attack. And finally, there are two attacks that are kind of opposite of each other, but both are built on the fact that domain controllers, for high availability, need to sync between each other. So domain controllers, you know, the [inaudible] that we spoke about, that we have a lot of the time, and they keep on communicating with each other. If I have a rogue domain controller, I can either push some bad object into the network or I can pull some cool information from it and use it. So the sync is me replicating the data to my rogue domain controller, and the shadow is me
injecting some, basically, backdoors that later on can be used. So a very good example of a shadow: so remember the SID history, right? This is the SID history. How can we leverage both DCShadow and SID history? We can try to add a domain, register a domain real quick, push one of the objects to include a SID history of a high-privileged user, and then disconnect ourselves before being detected. So now we've just inserted a backdoor, and that user now can have high privileges and be used for escalation. And so mitigation there: there's a list of events within Active Directory that will give you a hint on someone's trying to get DCShadow, and you be aware
of those; those are basically very high-fidelity-level detections. Alternatively, if you monitor all the traffic, you will be able to see those calls that push those requests. On the DCSync part, it's the replicating directory feature: that's you pulling information from valid domain controllers to your mimic domain controller, and then you add yourself into the domain controller, sorry, you are [inaudible] to Active Directory, and then you say, hey, I'm a new domain controller sitting, you know, in a remote site for, you know, disaster recovery purposes, please send me all the hashes; you get all the hashes there. So mitigation there is, well, make sure you have control on those specific users
that have replication; by default, not every user will be allowed to replicate the data back to you. So I guess the bottom line of this talk is, and I'm sorry if it was a little bit, you know, overloaded with attack vectors and details, but I think the common denominator of all those attacks is that they cannot really be fixed, because they are based on design flaws. Microsoft Active Directory, after 15 years, still relies on NTLM hashes when it comes to authentication; it doesn't verify the source, so you can relay NTLM hashes, you can use them from different machines, and those design flaws cannot be backported; they cannot even be changed because they are part of
the design. Kerberos is a little bit more secure, but the same thing, as I showed you, you can forge those tickets, you can fake them pretty well, and the services that accept them don't double-check with Active Directory; this is too much trust, I would say, there on the server side. And it all started with stolen credentials. I mean, statistics tell us that almost 50 percent of breaches are some kind of stolen-credentials result, whether it's phishing, whether it's social engineering, or just buying credentials on the dark web, what have you; those things eventually will end up as a breach. Now I'm not sure anyone heard of all of
those new NIST password guidelines? Yeah. So what this is basically saying is, listen, it doesn't work, right, all those special characters, all this, you know, password-changing rotation every 90 days; it doesn't work. Maybe we should try something else, maybe we should look for those easy-to-remember but hard-to-guess types of passwords and just keep them, so you don't need to worry about all the rotation thing. Now I don't know if it's going to work or not, and there's too many other standards out there that say exactly the opposite, but obviously we all acknowledge that the way passwords are handled today is a problem, and in order to improve it we need to make sure we implement the
principle of least privilege; at least, please, make sure that the damage is not that bad by making sure everyone gets the permissions that they need for their work, no more... not less, but no more, and only at the time when they need it. And make sure you do the separation of tiers, so if someone is compromised it doesn't bleed over to the servers and domain controllers; you want to make sure that all of those zones are buffered. And use multi-factor authentication, for God's sake; I still don't get it, obviously for externals, but also for internal. I mean, nothing will happen if the users verify the entity, and potentially you can prevent a breach. And
you can look at those risks that have to do with the authentication as a spectrum, right: it's low risk, medium risk, high risk, so use adaptive enforcement. Depending on the risk you can react differently: you can extend an MFA to verify, you can just send an email to the user and tell them, hey, did you really access this finance server, or is it someone else? And start using some controls. A lot of the attack surfaces today are based on an aggregated attack surface, which means taking all the logs over all the attack surfaces and eventually, kind of after the fact, trying to figure out what was the reason for that specific, you know, specific breach you
just got. Well, I want to have some controls in the way to potentially stop it, yeah, even deny access, and maybe get a phone call that asks you to enable that access back; that's it, you know, it's not the end of the world. So to summarize, you know, 15 years later we still have problems that are probably going to stay for a while with Active Directory, so make sure you are aware of them to begin with, and make sure on the defense side that you monitor your domain controllers, because they are the keys to your crown jewels. Thank you, appreciate your time. [Applause]
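The talk's GPP mitigation ("don't forget to remove all those exposed passwords after patching") is easy to check for. The following is an added example, not code from the talk or from Preempt: it walks the Group Policy Preference XML files under SYSVOL and reports every preference item that still carries a cpassword attribute, which is the leftover the speaker says patched customers forget about. The SYSVOL content embedded below is constructed for the demo (the cpassword values are placeholders, not real encrypted blobs), and the file-name list, function names and output format are this example's own assumptions. It only reports where a cpassword remains; it does not decrypt anything, because a defender's action is the same either way: delete the item and rotate the password it carried.

```python
"""Audit Group Policy Preference XML files under SYSVOL for leftover
cpassword attributes. Added example; constructed sample data, not from any
real domain. Run audit_sysvol_dir() against a mounted SYSVOL share to
audit a real domain."""
import os
import xml.etree.ElementTree as ET

# GPP file names that may carry a cpassword attribute (assumed list).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample files keyed by relative path; cpassword values are
# placeholders, not real encrypted blobs.
SAMPLE_SYSVOL = {
    "Policies/{GPO-1}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="Administrator (built-in)">'
        '<Properties action="U" newName="localadm" '
        'userName="Administrator (built-in)" cpassword="PLACEHOLDER_BLOB_1"/>'
        '</User></Groups>',
    "Policies/{GPO-2}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml":
        '<ScheduledTasks><Task name="Nightly backup">'
        '<Properties runAs="EXAMPLE\\svc_backup" cpassword="PLACEHOLDER_BLOB_2"/>'
        '</Task></ScheduledTasks>',
    "Policies/{GPO-3}/User/Preferences/Drives/Drives.xml":
        '<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\home"/>'
        '</Drive></Drives>',
}


def find_cpasswords(xml_text, path):
    """Return one finding per preference item whose Properties carry cpassword.

    An empty cpassword is still reported: the item should be deleted, not
    merely blanked, and the password it once carried should be rotated."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"path": path, "item": None, "account": None,
                 "error": str(exc)}]
    for item in root:                      # User, Task, Drive, Service, ...
        for props in item.iter("Properties"):
            if "cpassword" not in props.attrib:
                continue
            account = (props.get("userName") or props.get("runAs")
                       or props.get("accountName") or props.get("username"))
            findings.append({
                "path": path,
                "item": f"{item.tag} '{item.get('name', '?')}'",
                "account": account,
                "empty": props.attrib["cpassword"] == "",
            })
    return findings


def audit_files(files):
    """Audit a {path: xml_text} mapping; returns the combined findings."""
    findings = []
    for path, text in files.items():
        if os.path.basename(path) in GPP_FILES:
            findings.extend(find_cpasswords(text, path))
    return findings


def audit_sysvol_dir(root_dir):
    """Walk a mounted SYSVOL directory and audit every GPP file in it."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig", errors="replace") as fh:
                    files[full] = fh.read()
    return audit_files(files)


if __name__ == "__main__":
    for f in audit_files(SAMPLE_SYSVOL):
        print(f"{f['path']}: {f['item']} account={f['account']} "
              f"empty={f.get('empty')}")
```

On the constructed data the audit flags the Groups.xml local administrator item and the scheduled task running as svc_backup, and stays silent on the drive mapping that carries no credential. Against a real share, every hit is a password that any domain user could have read from SYSVOL, so treat it as compromised and rotate it, not just delete the XML.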
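The DCSync mitigation at the end of the talk is "make sure you have control on those specific users that have replication", and the DCShadow advice is to watch for the domain controller events that betray it. Here is an added example, not code from the talk or from Preempt, of the detection side of the first point: it scans Windows Security event 4662 records for the replication control-access rights a DCSync request exercises and alerts on any principal that is not on an explicit list of known replicators. The three right GUIDs are the real Active Directory schema values; the events themselves are constructed dicts with the field names a log forwarder typically extracts (domain EXAMPLE, hosts DC01/DC02 and user jsmith are invented), and the function names and severity labels are this example's own assumptions.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662
records. Added example with constructed events, not real logs; map your
SIEM's field names onto the keys used below."""

# Control-access-right GUIDs that appear in the 4662 "Properties" field when
# a caller asks a DC to replicate directory changes (real AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c":
        "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events; domain, hosts and users are invented.
SAMPLE_EVENTS = [
    {   # normal inter-DC replication: DC02 pulling changes from DC01
        "EventID": 4662, "Computer": "DC01.example.local",
        "SubjectDomainName": "EXAMPLE", "SubjectUserName": "DC02$",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2}\n"
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}",
    },
    {   # a user account asking for Get-Changes-All: DCSync behaviour
        "EventID": 4662, "Computer": "DC01.example.local",
        "SubjectDomainName": "EXAMPLE", "SubjectUserName": "jsmith",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2}\n"
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}",
    },
    {   # same user touching an object with an unrelated (constructed) right
        "EventID": 4662, "Computer": "DC01.example.local",
        "SubjectDomainName": "EXAMPLE", "SubjectUserName": "jsmith",
        "Properties": "{00000000-0000-0000-0000-000000000001}",
    },
    {   # a logon event: not a directory access at all
        "EventID": 4624, "Computer": "DC01.example.local",
        "SubjectDomainName": "EXAMPLE", "SubjectUserName": "jsmith",
    },
]

# Principals expected to replicate: DC machine accounts and any sync
# service account you have deliberately granted replication rights.
KNOWN_REPLICATORS = {"EXAMPLE\\DC01$", "EXAMPLE\\DC02$"}


def replication_rights(properties):
    """Names of replication control-access rights found in a Properties field."""
    text = (properties or "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def detect_dcsync(events, replication_allowlist):
    """Return one alert per 4662 event in which a principal outside the
    allowlist requested replication rights.

    Accounts ending in $ are deliberately not trusted just for being machine
    accounts: the allowlist must name the DCs explicitly, because a
    compromised member computer account could issue the same request."""
    allowed = {a.lower() for a in replication_allowlist}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties"))
        if not rights:
            continue
        subject = (f"{ev.get('SubjectDomainName', '')}\\"
                   f"{ev.get('SubjectUserName', '')}")
        if subject.lower() in allowed:
            continue
        alerts.append({
            "subject": subject,
            "dc": ev.get("Computer"),
            "rights": rights,
            # Get-Changes-All is the right that hands over password hashes.
            "severity": ("high" if "DS-Replication-Get-Changes-All" in rights
                         else "medium"),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, KNOWN_REPLICATORS):
        print(f"[{a['severity']}] {a['subject']} requested "
              f"{', '.join(a['rights'])} on {a['dc']}")
```

Auditing 4662 requires the "Audit Directory Service Access" subcategory to be enabled on the domain controllers and a SACL on the domain object that logs these control-access rights; without that the events never exist, which is one concrete reason behind the speaker's closing advice to monitor your domain controllers. The allowlist is the control the talk asks for: build it from the accounts that actually hold the replication rights on the domain head, and review that list as deliberately as you would Domain Admins.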