Ing. Ondrej Sevecek MCSM:Directory2012 | MVP:Security | CEH | MCSE:Windows2012 | What would a real hacker do to your AD
Intro What happens when they take one of your DCs? You are doomed –must reinstall the whole forest from scratch –may be able to restore the whole forest from last clean backup provided you are sure the intrusion will not happen again
Why do I show these things Secure machines physically Do not use domain admin credentials on insecure machines Separate administrative accounts Never use admin accounts to access services Stress on strong passwords or rather use smart cards
Agenda Physical DC security Password filters Hidden accounts Hidden scheduled tasks Forest is a security boundary Exploiting Kerberos delegation Logon without passwords
Physical DC security Having physical access means you have full power over data, settings and binaries –partially substitute physical security with BitLocker and TPM –use RODCs at insecure locations Hardware keyloggers Reboot and offline modifications
Password filters Password change/reset after an attack means nothing HKYE_LOCAL_MACHINE System CurrentControlSet Control LSA NotificationPackages = MULTI_SZ
Hidden accounts You are never able to do a 100% security audit after an attack Not even Domain Admins can see everything
Hidden scheduled tasks You are never able to do a 100% security audit after an attack Not even the prominent audit tools know everything –root\subscription –ActiveScriptEventConsumer Name = ScriptEngine = VBScript ScriptText = set fso = CreateObject("Scripting.FileSystemObject") : fileName = "c:\hackerFest" & "-" & Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & "-" & Minute(Now) & "-" & Second(Now) & ".txt" : set newFile = fso.CreateTextFile(fileName) : newFile.WriteLine("I will be here for ever!") : newFile.Close()
Hidden scheduled tasks You are never able to do a 100% security audit after an attack … continuing … –__EventFilter Name = QueryLanguage = WQL EventNamespace = root\cimv2 Query = SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA "Win32_LocalTime" AND TargetInstance.Second = 9 Second, Minute, Hour, DayOfWeek, Month, Quarter, Year, WeekInMonth
Forest is a security boundary Domain Admins from any domain of a forest are also Domain Admins in any other domain as well Site level GPOs No SID filtering inside forest
DE. gopas.virtual Subdomain scenario gopas.virtual CZ. gopas.virtual DE. gopas.virtual
Kerberos delegation with protocol transition Password is not the only means how to log on to network services –no credentials necessary at all Trust this computer to specified services only –Any authentication protocol
Kerberos delegation Client App Server DB LDAP FS Kamil
App Server DB LDAP FS Kamil Kerberos delegation with protocol transition
Delegation with PowerShell Adjust-Privilege 7 $true $winId = New-Object System.Security.Principal.WindowsIdentity [Security.Principal.WindowsIdentity]::GetCurrent() $winId.Impersonate() [Security.Principal.WindowsIdentity]::GetCurrent() $domainAdmins = [ADSI] 'LDAP://CN=Domain Admins,CN=Users,DC=gopas,DC=virtual' $domainAdmins.Add('LDAP://CN=Leos,OU=People,OU=Company,DC= gopas,DC=virtual')
Smart card logon Password is not the only means how to log on to computers NTAuth CA –forest wide trust –do not need to consult AD or touch LDAP at all Notes –ldap:///CN=GOPAS%20Root%20Online%20CA, CN=DC1,CN=CDP,CN=Public%20Key%20Servi ces,CN=Services,CN=Configuration,DC=gopas, DC=virtual?certificateRevocationList?base?obje ctClass=cRLDistributionPoint
Fake Microsoft CA Something must always be trusted Root CA –CN=Microsoft Root Authority,OU=Microsoft Corporation,OU=Copyright (c) 1997 Microsoft Corp. Code signing cert –CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,S=Washington,C=US
Fake Microsoft CA Longer validity for issued certificates –CERTUTIL -setreg CA\ValidityPeriodUnits 5 No certificate template name extension –CERTUTIL -setreg policy\DisableExtensionList No CRL paths into issued certificates –certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
Thank you! and Watch out!