Scribd Logo
Upload

Welcome to Scribd!

  • Tim Medin: Attacking Misconfigurations

    Uploaded by

    Phan Tom
    33 views23 pages
    Tim Medin presented on common Active Directory misconfigurations that attackers exploit. He stressed that attackers often don't need advanced techniques if basic configuration issues are not addressed, like excessive sharing of sensitive data, nested groups providing excessive permissions, and passwords stored in clear text in AD profiles. Medin demonstrated how tools like PowerView can easily find this exposed data and how weaknesses like nested groups and overly broad sharing decrease the work needed for attackers. He advocated prioritizing simple fixes first to remove opportunities for attackers.

    Original Description:

    Original Title

    badad

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Tim Medin presented on common Active Directory misconfigurations that attackers exploit. He stressed that attackers often don't need advanced techniques if basic configuration issues are not addressed, like excessive sharing of sensitive data, nested groups providing excessive permissions, and passwords stored in clear text in AD profiles. Medin demonstrated how tools like PowerView can easily find this exposed data and how weaknesses like nested groups and overly broad sharing decrease the work needed for attackers. He advocated prioritizing simple fixes first to remove opportunities for attackers.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    33 views23 pages

    Tim Medin: Attacking Misconfigurations

    Uploaded by

    Phan Tom
    Tim Medin presented on common Active Directory misconfigurations that attackers exploit. He stressed that attackers often don't need advanced techniques if basic configuration issues are not addressed, like excessive sharing of sensitive data, nested groups providing excessive permissions, and passwords stored in clear text in AD profiles. Medin demonstrated how tools like PowerView can easily find this exposed data and how weaknesses like nested groups and overly broad sharing decrease the work needed for attackers. He advocated prioritizing simple fixes first to remove opportunities for attackers.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 23

    Tim Medin

    tim@redsiege.com
    @TimMedin
    @RedSiege
    slides: redsiege.com/badad

    ATTACKING COMMON ACTIVE


    DIRECTORY MISCONFIGURATIONS
    TIM MEDIN
    SANS Author – 560
    SANS Instructor – 560, 660
    IANS Faculty
    SANS MSISE Program Director
    Principal Consultant, Founder – Red Siege
    Pen Tester for more than a decade
    Former admin and blue team
    2
    FIX SIMPLE FIRST
    Your team has limited resources
    Often targets fix edge cases and neglect the simple
    Attackers only go advanced as they need to
    No need for an attacker to use 0-day if everything is wide open

    redsiege.com 3
    ACTIVE DIRECTORY MISTAKES
    MEANS ATTACKERS SIMPLY
    USE YOUR NETWORK AS DESIGNED
    IT'S NOT A BUG
    IT'S A HIDDEN FEATURE
    BAD GUY WANTS
    They want information from you
    that will make them money

    What information is important to you?


    Look for that data on the network and remove it

    redsiege.com 6
    EXCESSIVE
    SHARING
    Too often file shares (and things like
    SharePoint) have sensitive data that is
    over shared

    redsiege.com 7
    BROAD SHARING
    Increases impact of breach
    Attacker doesn't need to pivot
    Attacker already has access to the data
    How are you going to alert on access to a central file share?
    The attacker doesn't need all your data, just some of it

    Blog: Getting to the (Actual) Goal


    redsiege.com/goal

    redsiege.com 8
    POWERVIEW
    PowerView "is a PowerShell tool to gain network situational
    awareness on Windows domains."
    https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    Note: This is the dev branch and it contains important updates

    • Find shares with Find-InterestingDomainShareFile


    • Test access as a regular user and add –CheckAccess
    • By default it will look…
    • Across all systems
    • all shares
    • For files named *password*, *sensitive*, *admin*, *login*,
    *secret*, unattend*.xml, *.vmdk, *creds*, *credential*, *.config
    redsiege.com 9
    PASSWORDS IN
    AD DESCRIPTION
    Too often password information is in
    clear text in the AD user
    Admins assume only admins can read it

    redsiege.com 10
    AD PROPERTIES
    Administrators assume only other
    admins can read it
    Many tools exists to extract this info
    • PowerShell
    • DS Commands
    • LDAP Queries
    • AD Explorer

    redsiege.com 11
    AD SEARCHING
    PowerShell can help
    Get-ADUser -Filter * -Properties Description | Where-Object {
    $_.Description.length -gt 8 }

    Data can be in other fields too

    redsiege.com 12
    NESTED
    GROUPS
    Too much nesting means you may loose
    sight of who actually has permissions

    redsiege.com 13
    EXCESS PERMS
    Overly nested groups makes it harder to understand
    who or what actually has access
    Attacker either doesn't need to pivot or needs to pivot less

    Blog: Finding the silver lining in getting your teeth kicked in


    redsiege.com/silver

    redsiege.com 14
    Blog: Beyond Net User – Part 1: Limitations of the “Net” commands
    redsiege.com/netuser
    RECURSIVE SEARCH
    DS Commands

    DS Commands allow for recursive searching


    dsquery group -name "Domain Admins" | dsget group -expand -members

    Blog: Beyond Net User – Part 2: DS Commands


    redsiege.com/ds

    redsiege.com 16
    RECURSIVE SEARCH
    PowerShell

    PowerShell does for recursive searching, but doesn't show groups


    Get-ADGroupMember GroupName -Recursive

    It does show all the members users


    Does not show the nested groups

    redsiege.com 17
    WEAPONIZED LNK
    Works with extra permissions and with excessive shares
    If we have access to a share we can create a malicous .lnk file
    The .lnk file includes a reference to the attacker
    Computers will (often) silently connect and authenticate (send hashes)
    Create link with Metasploit:
    Capture hashes with with Impacket

    ref: https://goblinsecurity.blogspot.com/2017/08/back-and-forth-with-lnk-and-netntlm.html

    redsiege.com 18
    PASSWORDS
    SUCK
    Yep

    redsiege.com 19
    PASSWORDS SUCK
    We can offline crack the accounts behind Kerberos SPNs
    In general, user selected passwords are bad

    Use a vault for critical accounts


    Monitor this account usage very closely
    Complexity requirements work against us
    Attackers need access as any single user to pull SPNs to crack tickets
    Service accounts are often over privileged and have archaic passwords
    This is your one slide on this because I'm tired of talking about it :)
    redsiege.com 20
    BAD
    ARCHETECTURE
    Difficult to fix

    redsiege.com 21
    BAD ARCHETECTURE
    Privilege separation accounts (da VS non-da accounts, etc)

    Unconstrained/constrained delegation

    Set logon hours for sensitive accounts; also monitor behavior

    Enable credential guard

    Enforce use of Kerberos auth with AES-256, alert if other

    redsiege.com 22
    slides: redsiege.com/badad
    Tim Medin
    tim@redsiege.com
    @TimMedin
    @RedSiege

    You might also like