Slide 1

Craving For Domain Admin

Slide 2

#whoami
▸ Chirag Savla
▸ Senior Cloud Security Engineer at White Knight Labs
▸ Active Directory, Azure & Pentesting
▸ Creator of a few open-source tools such as ProcessInjection, Callidus, etc.
▸ Trainer at BlackHat, BSides Milano, etc.
▸ Speaker at multiple conferences & local meetups.
▸ Blog - https://3xpl01tc0d3r.blogspot.com/

Slide 3

“Prevention is ideal, detection is a must”

Slide 4

Disclaimer
▸ We will not deep dive into the details of individual attack techniques.
▸ We will not cover topics related to AV/EDR evasion.
▸ We will assume a few things during the demo.

Slide 5

Agenda
▸ Why?
▸ Kerberos
▸ Resource Based Constrained Delegation (RBCD)
▸ Shadow Credentials
▸ ADCS
▸ Kerberos Relay
▸ Local Privilege Escalation
▸ Domain Privilege Escalation

Slide 6

Why?
(Diagram: Pentest → Vuln Scan → Exploit → Why not DA?)

Slide 7

Why?
(Diagram: RedTeam → Enumerate → Domain Admin → Stealth)

Slide 8

Kerberos

Slide 9

RBCD

Slide 10

RBCD
▸ Generic Write
▸ Generic All
▸ Control over an object which has an SPN configured
▸ Modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
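The attribute named on this slide holds a binary security descriptor whose DACL lists the principals allowed to act on behalf of other identities towards the computer. From the detection side, the useful check is to read that attribute from every computer object and compare the listed SIDs against the delegations the organisation actually approved. The following Python script is an added example, not code from the deck or from any of the tools it references: it decodes the self-relative security descriptor format (header, owner SID, ACL, ACCESS_ALLOWED ACEs) and reports SIDs that are not on an approved list. The computer names, the domain SID S-1-5-21-1-2-3 and the approved list are constructed sample data, and the descriptor builder exists only to produce that sample offline; in practice the raw bytes would come from an LDAP query for msDS-AllowedToActOnBehalfOfOtherIdentity.

```python
import struct

# Constants from the Windows security descriptor / ACL format.
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def build_sid(sid_str):
    """Encode an 'S-1-5-...' string as a binary SID."""
    parts = sid_str.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid_str)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; returns (sid_string, next_offset)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def build_rbcd_descriptor(allowed_sids, owner_sid="S-1-5-32-544"):
    """Construct a self-relative security descriptor of the shape stored in
    msDS-AllowedToActOnBehalfOfOtherIdentity: owner BUILTIN\\Administrators
    and one ACCESS_ALLOWED ACE per delegated principal. Sample data only."""
    aces = b""
    for s in allowed_sids:
        sid = build_sid(s)
        # ACE header (type, flags, size) + access mask + SID. The KDC only
        # looks at which SIDs are listed; the mask value here is a sample.
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = build_sid(owner_sid)
    # 20-byte header: revision, sbz1, control, owner/group/sacl/dacl offsets.
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return header + owner + acl


def allowed_to_act_sids(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []  # no DACL: nobody may act on behalf of other identities
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    sids, off = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = parse_sid(sd, off + 8)  # skip 4-byte header + 4-byte mask
            sids.append(sid)
        off += ace_size
    return sids


def audit_rbcd(entries, approved):
    """entries: {computer: raw attribute bytes}; approved: {computer: {sid, ...}}.
    Returns (computer, sid) pairs that are not on the approved list."""
    findings = []
    for computer, raw in entries.items():
        for sid in allowed_to_act_sids(raw):
            if sid not in approved.get(computer, set()):
                findings.append((computer, sid))
    return findings


# Constructed sample data (hypothetical domain SID S-1-5-21-1-2-3).
WEB_SID = "S-1-5-21-1-2-3-1000"    # approved: WEB01$ may delegate to FILESRV01$
ROGUE_SID = "S-1-5-21-1-2-3-1105"  # unexpected: a freshly created machine account

SAMPLE_ENTRIES = {
    "FILESRV01$": build_rbcd_descriptor([WEB_SID]),
    "DC01$": build_rbcd_descriptor([ROGUE_SID]),
}
SAMPLE_APPROVED = {"FILESRV01$": {WEB_SID}}

if __name__ == "__main__":
    for computer, sid in audit_rbcd(SAMPLE_ENTRIES, SAMPLE_APPROVED):
        print("unapproved RBCD entry on %s: %s" % (computer, sid))
```

Any computer object whose attribute lists a SID that nobody approved, and in particular any entry on a domain controller, is worth an alert; pairing this periodic read with Windows event 5136 (directory object modified) for the same attribute catches the write itself.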

Slide 11

Shadow Credentials - PKINIT

Slide 12

Shadow Credentials – No PKI

Slide 13

Shadow Credentials – NTLM Hash

Slide 14

ADCS

Slide 15

Kerberos Relay

Slide 16

Local Privilege Escalation
▸ Misconfiguration
▸ Kernel Exploit
▸ Exploit - Vulnerable Application
▸ Low Priv Domain User

Slide 17

Patch

Slide 18

Patch

Slide 19

Patch - Alternative

Slide 20

Domain Privilege Escalation
▸ Domain Misconfiguration
▸ ADCS Misconfiguration
▸ Password Reuse

Slide 21

Demo Time
This is not rocket science.

Slide 22

Reference
▸ https://github.com/fortra/impacket
▸ https://github.com/cube0x0/KrbRelay
▸ https://github.com/Dec0ne/DavRelayUp
▸ https://youtu.be/9F9L4cA39Fs?si=yMVlqM8cRvBHJnp6
▸ https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
▸ https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
▸ https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb
▸ https://posts.specterops.io/certified-pre-owned-d95910965cd2

Slide 23

Reference
▸ https://github.com/decoder-it/KrbRelayEx
▸ https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
▸ https://x.com/0x64616e/status/1787936133491355866
▸ https://github.com/decoder-it/KrbRelay-SMBServer
▸ https://github.com/ustayready/tradecraft/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate.md
▸ https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9
▸ https://github.com/dirkjanm/krbrelayx

Slide 24

Reference
▸ https://medium.com/@nickvourd/local-admin-in-less-than-60-seconds-part-1-e2a0c0102b99
▸ https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
▸ https://eladshamir.com/2021/06/21/Shadow-Credentials.html
▸ https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Sagi%20Sheinfeld%20Eyal%20Karni%20Yaron%20Zinar%20-%20Using%20Machine-in-the-Middle%20to%20Attack%20Active%20Directory%20Authentication%20Schemes.pdf
▸ https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/
▸ https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab

Slide 25

THANKS! Any questions?
You can find me at @chiragsavla94