[attack]tive directory - triangle infosecon€¦ · network -> dns clientenable turn off...
TRANSCRIPT
![Page 1: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/1.jpg)
[Attack]tiveDirectory
Exploiting Active Directory for Offensive PurposesPresented by Ryan Hausknecht
![Page 2: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/2.jpg)
“We’re ready for a
pentest, our
vulnerability scan
shows NO criticals!”
2
![Page 3: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/3.jpg)
How their network got owned in fifteen minutes via Active Directory
![Page 4: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/4.jpg)
4
$whodat
⬡ Ryan Hausknecht (House-neckt)
⬡ Security Consultant @ SpecterOps
⬡ Instructor at UNC Charlotte for Cyber Security
⬡ Instructor & Organizer at FBI/Infragard Cyber Camp
⬡ Blackhat 2019 Instructor – Red Team Operations
⬡ GPEN, GWAPT, OSCP
⬡ @haus3c
![Page 5: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/5.jpg)
What’s this whole thing about?
⬡ Massive discrepancy in maturity between enterprises and SMBs
⬡ Red team exists to help blue team
⬡ Many attacks over the years, these are the most common I’ve seen
⬡ More-so in SMBs vs. enterprises, but still applicable
⬡ A clean vulnerability scan does not mean a clean environment
⬡ High quality photoshop Microsoft Paint edits.
![Page 6: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/6.jpg)
A Brief History of Active Directory (AD)
⬡ Directory services for Windows
⬡ Introduced in Server 2000
⬡ Used to control objects on the domain∙ Users, computers, policies, etc.
⬡ Can group objects into Organizational Units (OU)
⬡ Utilizes Group Policies to apply settings
![Page 7: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/7.jpg)
Default Group Policy
⬡ Security =/= Convenience
⬡ Default GP is not meant to be secure!
⬡ It’s
![Page 8: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/8.jpg)
1. Gathering Credentials
![Page 9: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/9.jpg)
LLMNR & NBT-NS Spoofing
⬡ Local Link Multicast Name Resolution
⬡ NetBIOS Naming Service (Protocol in an API)
⬡ “Backups” to DNS∙ E.g. \\fileshrae01\
⬡ Natively insecure∙ Trusts any response!
⬡ Commonly found on networks with decom’d file shares
⬡ Enabled by DEFAULT
![Page 10: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/10.jpg)
![Page 11: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/11.jpg)
![Page 12: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/12.jpg)
![Page 13: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/13.jpg)
WPAD Spoofing
⬡ Web Proxy Auto Discovery (WPAD) Protocol
⬡ Outlines how to search for a Proxy Auto Connection (PAC) file any time internet is used.
⬡ First searches via DHCP, then DNS, then LLMNR
⬡ Enabled by DEFAULT
![Page 14: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/14.jpg)
![Page 15: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/15.jpg)
![Page 16: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/16.jpg)
![Page 17: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/17.jpg)
![Page 18: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/18.jpg)
Mitigations
⬡ Turn off via Group Policy
⬡ LLMNR: Computer Configuration -> Administrative Templates -> Network -> DNS ClientEnable Turn Off Multicast Name Resolution
⬡ NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced, WINS Tab -> Disable NetBIOS over TCP/IP
⬡ Should not impact anything, if something is relying on LLMNR or NBTNS, it’s probably broken already∙ FQDNs
![Page 19: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/19.jpg)
Mitigations - WPAD⬡ Turn off via Group Policy
⬡ Create a DNS entry for ‘wpad’
⬡ Apply patch MS16-077∙ The location of the WPAD file is no longer requested via
broadcast protocols, but only via DNS.
![Page 20: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/20.jpg)
IPv6 Spoofing
⬡ IPv6 – “Replacement” for IPv4∙ Not widely used for internal networks
⬡ 192.168.1.1 – IPv4
⬡ fe80::88ae:e421:f660:2616%9– IPv6
⬡ Problem: DHCPv6
⬡ Bigger Problem: Windows prefers IPv6 by default
![Page 21: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/21.jpg)
![Page 22: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/22.jpg)
![Page 23: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/23.jpg)
We control DNS. What now?⬡ NTLM Hashes can be passed (Pass-the-hash)
⬡ Net-NTLMv2 Hashes cannot be passed
⬡ Hash relaying
![Page 24: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/24.jpg)
![Page 25: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/25.jpg)
![Page 26: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/26.jpg)
Mitigations
⬡ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0 /f
⬡ DNSSEC
⬡ SMB Signing
![Page 27: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/27.jpg)
2. PrivEsc via KerberosCondensing chaos into 5 minutes
![Page 28: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/28.jpg)
WHAT
![Page 29: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/29.jpg)
THE
![Page 30: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/30.jpg)
****
![Page 31: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/31.jpg)
![Page 32: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/32.jpg)
Kerberos Overview
⬡ Protocol, Alternative to NTLM Authentication
⬡ Preferred way of authentication via tickets
⬡ Complex
⬡ Really Complex
⬡ Think SSO, but for Windows
![Page 33: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/33.jpg)
Kerberos-ulary
⬡ Key Distribution Center (KDC) – Domain Controller that does the authentication
⬡ Service Principal Name (SPN) – Unique name for a service account∙ E.g.: CIFS/LABDC01.LAB.LOCAL∙ Done through setspn.exe – Creates SPN for a user account
⬡ Ticket Granting Ticket (TGT) – Used to authenticate to the KDC
⬡ Ticket Granting Server (TGS) – A service ticket
![Page 34: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/34.jpg)
![Page 35: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/35.jpg)
![Page 36: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/36.jpg)
Kerberoasting
⬡ Requires credentials, but privileges are irrelevant
⬡ Request the TGS ticket, which has the password
hash of the SPN’s account, then crack it offline.
∙ Contains the hash because that’s the only thing
the DC and server have in common, so it’s used
for decryption
⬡ Can be requested by any authenticated user
![Page 37: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/37.jpg)
Kerberoasting Demo
![Page 38: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/38.jpg)
![Page 39: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/39.jpg)
Mitigations
⬡ Have a very long password for your accounts with SPNs
⬡ Make sure no users have SPNs
![Page 40: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/40.jpg)
Delegation Attacks
⬡ Delegation - A feature that allows a user or computer to impersonate another account∙ Unconstrained∙ Constrained*∙ Resource-Based Constrained*
![Page 41: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/41.jpg)
Unconstrained Delegation∙ Unconstrained – User authenticates to a service
on a server with a TGS for service. The service extracts the user’s TGT from the TGS to use for other TGS requests. ∙ Ticket stored in memory∙ Printer bug
![Page 42: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/42.jpg)
![Page 43: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/43.jpg)
Printer Bug
⬡ Coerces a machine (e.g. domain controller) that has a printer setup on it, to authenticate to a host of our choosing via SpoolSample∙ Tool written by @tifkin_ to use the Print System
Remote Protocol (MS-RPRN) to trigger authentication.
⬡ Coerce a DC to authenticate to a host that we control that has unconstrained delegation on = win
![Page 44: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/44.jpg)
![Page 45: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/45.jpg)
Mitigations
⬡ Ensure sensitive accounts cannot be delegated
![Page 46: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/46.jpg)
![Page 47: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/47.jpg)
PrivExchange
⬡ Leverages the fact that Exchange servers are over-privileged
⬡ Also done via relaying credentials
⬡ Works by making an API call to Exchange, which sends a response with the Exchange server’s credentials∙ Requires only a mailbox
⬡ Once machine creds are relayed, the supplied user credentials are then added to the Enterprise Admins group
![Page 48: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/48.jpg)
![Page 49: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/49.jpg)
DCSync
⬡ Feature
⬡ Replication
⬡ Mimikatz implemented the functionality
![Page 50: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/50.jpg)
![Page 51: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/51.jpg)
![Page 52: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/52.jpg)
![Page 53: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/53.jpg)
Mitigations
⬡ KB4490060
![Page 54: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/54.jpg)
KRBTGT
⬡ Account’s hash used to encrypt TGTs
⬡ Created by default when installing AD DS
⬡ Bad news if compromised
54
![Page 55: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/55.jpg)
Golden and Silver Tickets
⬡ Golden Ticket – When the KRBTGT account hash is compromised and the attacker can forge any ticket for any account.
⬡ Silver Ticket – When the service or machine account hash is compromised and is used to forge a service ticket for that specific service
![Page 56: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/56.jpg)
“ How can I defend myself against these attacks?”
![Page 57: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/57.jpg)
Introducing the sniffy boi
![Page 58: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/58.jpg)
Bloodhound
⬡ Graphs the domain to reveal relationships between
objects within Active Directory
⬡ EXTREMELY useful for an attacker
∙ Shows attack paths
⬡ EXTREMELY useful for the defense
![Page 59: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/59.jpg)
![Page 60: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/60.jpg)
Resource: https://twitter.com/dudeslce/status/1111526726041890816?s=19
![Page 61: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/61.jpg)
Credits
⬡ Will Schroeder for everything Kerberos and answering my questions
⬡ Sean Metcalf for everything else Kerberos ⬡ Lee Christensen for PrinterBug⬡ Dirk-Jan for PrivExchange⬡ Tim Medin for Kerberoasting⬡ SpiderLabs for Impacket⬡ Bloodhound Slack
![Page 62: [Attack]tive Directory - Triangle InfoSeCon€¦ · Network -> DNS ClientEnable Turn Off Multicast Name Resolution ⬡NBT-NS: Network Connection Properties -> TCP/IPv4 -> Advanced,](https://reader035.vdocument.in/reader035/viewer/2022062605/5fcd3f035c0dfe081447abce/html5/thumbnails/62.jpg)
Can I just get the tl;dr please
⬡ Default GP = bad∙ Disable LLMNR∙ Disable WPAD (Or create a DNS entry)∙ Disable IPv6 (If not in use)
⬡ Don’t use Unconstrained Delegation⬡ Patch your Exchange server⬡ Use Bloodhound to identify attack paths⬡ Patch domain controllers⬡ Questions? @Haus3c⬡ Link to this deck: