Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting your Domain Admin Account

Published bySabina Owen Modified over 6 years ago

Similar presentations

Presentation on theme: "Protecting your Domain Admin Account"— Presentation transcript:

1 Protecting your Domain Admin Account
DA 101 Protecting your Domain Admin Account

2 $WHOAMI Penetration Tester @ SynerComm Bug Bounty Hunter on HackerOne
Python enthusiast @Rhynorater @Rhynorater

3 … and how to protect your administrators
5 Routes to DA … and how to protect your administrators

4 Permissive Global Group Access + MimiKatz
Solution: Apply the principle of least privilege

5 Permissive Global Group Access + MimiKatz
Takeaway:

6 Permissive Global Group Access + MimiKatz
Takeaway: “A local admin can extract from memory the cleartext password of any authenticated user”

7 BloodHound Adversary Simulation Available on GitHub @BloodhoundAD
10 minute setup Queries DC and domain computer for session and admin information Creates pretty graphs … of death PowerShell & EXE available for information gathering Adversary Simulation

8 Ask about an AdSim!

9 Permissive Global Group Access + MimiKatz
Takeaway: “A local admin can extract from memory the cleartext password of any authenticated user.”

10 Permissive Global Group Access + MimiKatz
Takeaway: “A local admin can extract from memory the cleartext password of any authenticated user.”

11 Permissive Global Group Access + MimiKatz
Solution: Principle of Least Privilege Takeaway: Determine who really needs to be a domain administrator Don’t abuse Global Groups Educate your DAs on when their account should be used “A local admin can extract from memory the cleartext password of any authenticated user.”

12 LLMNR & NBT-NS Poisoning
Solution: Turn them off.

13 LLMNR & NBT-NS Poisoning
Takeaway: “Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.” Graphic Credits: Aptive Consulting Ltd.

14 LLMNR & NBT-NS Poisoning
Responder.py Takeaway: “Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.”

15 LLMNR & NBT-NS Poisoning
Inveigh.ps1 Takeaway: “Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.”

16 LLMNR & NBT-NS Poisoning
The Solution Takeaway: “Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.” Turn off LLMNR in Group Policy Turn of NBT-NS via GPO Script Monitor your internal network for LLMNR & NBT-NS requests Inveigh is super easy to use

17 LLMNR & NBT-NS Poisoning
Bonus: SMB Relay Attacks Quick Takeaway: “Turn on SMB Signing”

18 SYSVOL Passwords + leaked aes keys
Solution: Delete the XML files. Just delete them.

19 SYSVOL Passwords + Leaked AES Keys
Vulnerability came out in 2012, patch in 2013 We still see this ALL.THE.TIME. Takeaway: “Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.”

20 SYSVOL Passwords + Leaked AES Keys
Who needs an AES key when the password is stored in cleartext? Takeaway: “Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.” Graphic Credit:

21 SYSVOL Passwords + Leaked AES Keys
The Solution Takeaway: “Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.” Educate your Sys Admins – don’t put cleartext creds in files Apply the patch to change the AES key Delete old XML files with cpassword in them.

22 SYSVOL Passwords + Leaked AES Keys
Bonus: Run Get-GPPPassword on yourself! Takeaway: “Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.”

23 Solution: Long Service Account Passwords
Kerberoasting Solution: Long Service Account Passwords

24 Account used by service = any domain user can pull KRB5TGS hash
KerberRoasting Account used by service = any domain user can pull KRB5TGS hash Takeaway: “Domain accounts used to run services should have long and complex passwords”

25 Audit your network with setspn.exe!
KerberRoasting Audit your network with setspn.exe! Takeaway: “Domain accounts used to run services should have long and complex passwords”

26 Solution: Ensure no one but Domain Admins can access your DC backups

27 DC Backups User with access to DC backup = Domain Admin Takeaway: “Only Domain Admins should have access to DC Backups”

28 Takeaways A local admin can extract from memory the cleartext password of any authenticated user Turn off LLMNR. Turn off NBT-NS. Monitor for these requests SYSVOL Passwords + Leaked AES Keys Domain accounts used to run services should have long and complex passwords Only Domain Admins should have access to DC Backups

29 DA101 - Kit https://www.SHELLNTELL.com/blog/da-101
Question or Help? Justin Gardner –

30 Questions?

Download ppt "Protecting your Domain Admin Account"

Similar presentations

Operating System Security

Operating System Security
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts
11 MANAGING USERS AND GROUPS Chapter 13. Chapter 13: MANAGING USERS AND GROUPS2 OVERVIEW  Configure and manage user accounts  Manage user account properties.

11 MANAGING USERS AND GROUPS Chapter 13. Chapter 13: MANAGING USERS AND GROUPS2 OVERVIEW  Configure and manage user accounts  Manage user account properties.
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
WARNING! Sample chapter -Materials in this sample chapter is selected advanced penetration from https://training.zdresearch.com https://training.zdresearch.com.

WARNING! Sample chapter -Materials in this sample chapter is selected advanced penetration from
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Netconf for Peering Automation APRICOT 2015 Tom Paseka.

Netconf for Peering Automation APRICOT 2015 Tom Paseka.
Databases and security continued CMSC 461 Michael Wilson.

Databases and security continued CMSC 461 Michael Wilson.
Module 7: Fundamentals of Administering Windows Server 2008.

Module 7: Fundamentals of Administering Windows Server 2008.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Rebecca Pritchard.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Rebecca Pritchard.
Breno de MedeirosFlorida State University Fall 2005 Windows servers The NT security model.

Breno de MedeirosFlorida State University Fall 2005 Windows servers The NT security model.
© Wiley Inc. 2006. All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.

© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
Section 5: Troubleshooting and Backing Up GPOs Using Group Policy Troubleshooting Tools Integration of RSoP Functionality Using Logging Options Backing.

Section 5: Troubleshooting and Backing Up GPOs Using Group Policy Troubleshooting Tools Integration of RSoP Functionality Using Logging Options Backing.
Module 5: Implementing Group Policy

Module 5: Implementing Group Policy
Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.

Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.

Similar presentations

Ads by Google