Craving for Domain Admin

Transcript

1. Craving For Domain Admin

2. #whoami ▸Chirag Savla ▸Senior Cloud Security Engineer at White Knight

   Labs ▸Active Directory, Azure & Pentesting ▸Creator of few opensource tools such as ProcessInjection, Callidus etc. ▸Trainer at BlackHat, BSide Milano, etc. ▸Speaker at multiple conferences & local meetup. ▸Blog - https://3xpl01tc0d3r.blogspot.com/ 2

3. “ Prevention is ideal, detection is a must

4. Disclaimer ▸ We will not deep dive into details of

   individual attack techniques. ▸ We will not cover topics related to AV/EDR evasion. ▸ We will assume few things during the demo. 4

5. Agenda ▸ Why ? ▸ Kerberos ▸ Resource Based Constrained

   Delegation (RBCD) ▸ Shadow Credentials ▸ ADCS ▸ Kerberos Relay ▸ Local Privilege Escalation ▸ Domain Privilege Escalation 5

6. Why ? 6 Pentest Vuln Scan Exploit Why not DA

   ?

7. Why ? 7 RedTeam Enumerate Domain Admin Stealth

8. Kerberos 8

9. RBCD 9

10. RBCD ▸ Generic Write ▸ Generic All ▸ Control over

    an object which has SPN configured ▸ Modify msDS- AllowedToActOnBehalfOfOtherIdentity attribute 10

11. Shadow Credentials - PKINT 11

12. Shadow Credentials – No PKI 12

13. Shadow Credentials – NTLM Hash 13

14. ADCS 14

15. Kerberos Relay 15

16. Local Privilege Escalation ▸ Misconfiguration ▸ Kernel Exploit ▸ Exploit

    - Vulnerable Application ▸ Low Priv Domain User 16

17. Patch 17

18. Patch 18

19. Patch - Alternative 19

20. Domain Privilege Escalation ▸ Domain Misconfiguration ▸ ADCS Misconfiguration ▸

    Password Reuse 20

21. Demo Time This is not a rocket science. 21

22. Reference ▸ https://github.com/fortra/impacket ▸ https://github.com/cube0x0/KrbRelay ▸ https://github.com/Dec0ne/DavRelayUp ▸ https://youtu.be/9F9L4cA39Fs?si=yMVlqM8cRvBHJnp6 ▸

    https://googleprojectzero.blogspot.com/2021/10/using-kerberos- for-authentication-relay.html ▸ https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay- With-Shadow-Credentials.html ▸ https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff67 8feb ▸ https://posts.specterops.io/certified-pre-owned-d95910965cd2 22

23. Reference ▸ https://github.com/decoder-it/KrbRelayEx ▸ https://www.synacktiv.com/publications/relaying-kerberos-over-smb- using-krbrelayx ▸ https://x.com/0x64616e/status/1787936133491355866 ▸ https://github.com/decoder-it/KrbRelay-SMBServer

    ▸ https://github.com/ustayready/tradecraft/blob/master/offensive- security-experiments/active-directory-kerberos-abuse/adcs-+- petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller- machine-certificate.md ▸ https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9 ▸ https://github.com/dirkjanm/krbrelayx 23

24. Reference ▸ https://medium.com/@nickvourd/local-admin-in-less-than-60-seconds- part-1-e2a0c0102b99 ▸ https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html ▸ https://eladshamir.com/2021/06/21/Shadow-Credentials.html ▸ https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20pr

    esentations/Sagi%20Sheinfeld%20Eyal%20Karni%20Yaron%20Zinar%20- %20Using%20Machine-in-the- Middle%20to%20Attack%20Active%20Directory%20Authentication%20S chemes.pdf ▸ https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring- uncommon-ntlm-relay-attack-techniques/ ▸ https://posts.specterops.io/shadow-credentials-abusing-key-trust- account-mapping-for-takeover-8ee1a53566ab 24

25. 25 THANKS! Any questions? You can find me at @chiragsavla94