DA 101 Protecting your Domain Admin Account

Contents

Slide 2

$WHOAMI

Penetration Tester @ SynerComm
Bug Bounty Hunter on HackerOne
Python enthusiast

@Rhynorater

@Rhynorater

jgardner@synercomm.com

Slide 3

5 ROUTES TO DA

… and how to protect your administrators

Slide 4

PERMISSIVE GLOBAL GROUP ACCESS + MIMIKATZ

Solution: Apply the principle of least privilege

Slide 6

Permissive Global Group Access + MimiKatz

“A local admin can extract from memory the cleartext password of any authenticated user.”

Takeaway:

Slide 7

BloodHound

Available on GitHub @BloodhoundAD
10 minute setup
Queries the DC and domain computers for session and admin information
Creates pretty graphs … of death
PowerShell & EXE available for information gathering

Adversary Simulation

Slide 8

Ask about an AdSim!

Slide 11

Permissive Global Group Access + MimiKatz

“A local admin can extract from memory the cleartext password of any authenticated user.”

Takeaway:

Solution: Principle of Least Privilege

Determine who really needs to be a domain administrator
Don’t abuse Global Groups
Educate your DAs on when their account should be used
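The least-privilege audit described on this slide, written out as an added example (not code from the DA 101 deck or from SynerComm): the first function expands Domain Admins recursively and shows stale members, the second checks a host's local Administrators group for domain groups nested into it, which is the "permissive global group" pattern the slides warn about. It assumes the ActiveDirectory RSAT module on the machine running the domain part and the built-in LocalAccounts module (Windows 10 / Server 2016 and later) for the host part; the group names in the broad-principal check are ordinary built-in groups, not anything taken from the deck.

```powershell
# Added example: who really holds admin rights, domain side and host side.
# Assumes the ActiveDirectory RSAT module and Microsoft.PowerShell.LocalAccounts.

# 1. Domain side: expand Domain Admins recursively and surface members that should be reviewed.
function Get-DomainAdminReport {
    param([string]$Group = 'Domain Admins')
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalName
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
                # A DA account that also carries an SPN can be Kerberoasted for a DA payoff
                HasSPN          = [bool]$u.ServicePrincipalName
            }
        }
}

# 2. Host side: a domain *group* nested in local Administrators makes every member of that
#    group a local admin, and a local admin can dump the credentials of anyone who logged on.
function Get-LocalAdminGroupFindings {
    param([string]$Group = 'Administrators')
    Get-LocalGroupMember -Group $Group | ForEach-Object {
        $name    = $_.Name
        $finding = ''
        if ($name -match '\\(Domain Users|Authenticated Users|Everyone|Domain Computers)$') {
            $finding = 'Broad principal is local admin - remove'
        } elseif ($_.ObjectClass -eq 'Group' -and "$($_.PrincipalSource)" -eq 'ActiveDirectory' -and $name -notmatch '\\Domain Admins$') {
            $finding = 'Domain group grants local admin to every member - review'
        }
        [pscustomobject]@{
            Name            = $name
            ObjectClass     = $_.ObjectClass        # User or Group
            PrincipalSource = $_.PrincipalSource    # Local or ActiveDirectory
            Finding         = $finding
        }
    }
}

Get-DomainAdminReport | Format-Table -AutoSize
Get-LocalAdminGroupFindings | Where-Object Finding | Format-Table -AutoSize
```

Run the second function across workstations (for example through Invoke-Command) to find where a global group was dropped into local Administrators "for convenience"; the DA report is the list to confront with the question on the slide, who really needs to be a domain administrator.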

Slide 12

LLMNR & NBT-NS POISONING

Solution: Turn them off.

Slide 13

LLMNR & NBT-NS Poisoning

“Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.”

Takeaway:

Graphic credit: Aptive Consulting Ltd.

Slide 14

LLMNR & NBT-NS Poisoning

“Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.”

Takeaway:

Responder.py

Slide 15

LLMNR & NBT-NS Poisoning

“Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.”

Takeaway:

Inveigh.ps1

Slide 16

LLMNR & NBT-NS Poisoning

“Turn off LLMNR. Turn off NBT-NS. Monitor for these requests.”

Takeaway:

The Solution

Turn off LLMNR in Group Policy
Turn off NBT-NS via a GPO script
Monitor your internal network for LLMNR & NBT-NS requests
Inveigh is super easy to use
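The "monitor for these requests" step, as an added example that is not part of the deck and not Inveigh itself: a passive LLMNR listener that joins the 224.0.0.252 multicast group on UDP 5355 and logs which host asked for which name, without ever answering. It assumes it is run on a workstation sitting on the segment you want to watch. It only sees LLMNR; while NetBIOS is enabled the NetBT driver owns UDP 137, so the NBT-NS side needs Inveigh or a packet capture.

```powershell
# Added example: passive LLMNR query logger. Observes only; never sends a response.

function Read-LlmnrQueryName {
    param([byte[]]$Packet)
    # LLMNR reuses the DNS message layout: 12-byte header, then QNAME as
    # length-prefixed labels ending in a zero byte. Returns $null for anything that is not a query.
    if ($Packet.Length -lt 13) { return $null }
    if (($Packet[2] -band 0x80) -ne 0) { return $null }     # QR bit set = response, not a query
    $labels = New-Object System.Collections.Generic.List[string]
    $i = 12
    while ($i -lt $Packet.Length) {
        $len = $Packet[$i]
        if ($len -eq 0) { break }
        if (($len -band 0xC0) -ne 0) { return $null }        # compression pointers do not appear in LLMNR questions
        $i++
        if ($i + $len -gt $Packet.Length) { return $null }   # truncated packet
        $labels.Add([System.Text.Encoding]::ASCII.GetString($Packet, $i, $len))
        $i += $len
    }
    if ($labels.Count -eq 0) { return $null }
    return ($labels -join '.')
}

function Watch-LlmnrQueries {
    param([int]$Seconds = 120)
    $udp = New-Object System.Net.Sockets.UdpClient
    # The DNS Client service already binds 5355, so share the port instead of fighting it.
    $udp.ExclusiveAddressUse = $false
    $udp.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
                                [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
    $udp.Client.Bind((New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 5355)))
    $udp.JoinMulticastGroup([System.Net.IPAddress]::Parse('224.0.0.252'))
    $udp.Client.ReceiveTimeout = 1000
    $remote   = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $seen     = @{}                                     # "source -> name" => count
    $deadline = (Get-Date).AddSeconds($Seconds)
    try {
        while ((Get-Date) -lt $deadline) {
            try { $data = $udp.Receive([ref]$remote) } catch { continue }   # 1 s timeout, keep looping
            $name = Read-LlmnrQueryName -Packet $data
            if (-not $name) { continue }
            $key = "$($remote.Address) -> $name"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = 0
                Write-Host ("{0:HH:mm:ss}  {1,-15} is asking LLMNR for '{2}'" -f (Get-Date), $remote.Address, $name)
            }
            $seen[$key]++
        }
    } finally { $udp.Close() }
    # Hosts still asking after the GPO should have turned LLMNR off are the ones to chase.
    return $seen
}

Watch-LlmnrQueries -Seconds 120
```

A steady stream of queries for misspelled share names or decommissioned hosts is exactly the traffic a poisoner would answer; once the GPO is in place the table returned by Watch-LlmnrQueries should be empty, and any host that still appears has not picked up the policy.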

Slide 17

LLMNR & NBT-NS Poisoning

“Turn on SMB Signing”

Quick Takeaway:

Bonus: SMB Relay Attacks
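The three settings called for on this slide and the previous one (LLMNR off, NBT-NS off, SMB signing required), applied and verified in one script, as an added example that is not from the deck. It assumes an elevated session on the target host or deployment as a GPO startup script; the LLMNR and SMB signing values are the registry values the corresponding Group Policy settings write, and the NBT-NS change uses the WMI SetTcpipNetbios method because there is no native GPO setting for it. Existing SMB sessions keep their negotiated signing until they reconnect.

```powershell
# Added example: harden name resolution and SMB signing, then report compliance.
# Run elevated, or as a GPO startup script.

function Disable-Llmnr {
    # Same value as: Computer Configuration > Administrative Templates > Network > DNS Client
    #                > "Turn off multicast name resolution" = Enabled
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled. Set 2 on every IP-enabled adapter.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $r.ReturnValue }   # 0 = OK, 1 = reboot required
        }
}

function Enable-SmbSigningRequired {
    # Same values as "Microsoft network server/client: Digitally sign communications (always)" = Enabled.
    # Requiring signing on the server side is what stops a relayed authentication from being accepted there.
    foreach ($svc in 'LanManServer', 'LanmanWorkstation') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        New-ItemProperty -Path $key -Name RequireSecuritySignature -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name EnableSecuritySignature  -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-NameResolutionHardening {
    # One row per control, so the output can go straight into a compliance report.
    $llmnr = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $nbtOn = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
             Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    $srv   = (Get-SmbServerConfiguration).RequireSecuritySignature
    $cli   = (Get-SmbClientConfiguration).RequireSecuritySignature
    [pscustomobject]@{ Control = 'LLMNR disabled';                Compliant = ($llmnr -eq 0) }
    [pscustomobject]@{ Control = 'NBT-NS disabled on all NICs';   Compliant = (-not $nbtOn) }
    [pscustomobject]@{ Control = 'SMB signing required (server)'; Compliant = [bool]$srv }
    [pscustomobject]@{ Control = 'SMB signing required (client)'; Compliant = [bool]$cli }
}

Disable-Llmnr
Disable-NetbiosOverTcpip
Enable-SmbSigningRequired
Test-NameResolutionHardening | Format-Table -AutoSize
```

Test-NameResolutionHardening is the part worth scheduling: run it from a monitoring job after the GPO rollout and any host reporting a false row is one that either missed the policy or had NetBIOS re-enabled by a new adapter.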

Slide 18

SYSVOL PASSWORDS + LEAKED AES KEYS

Solution: Delete the XML files. Just delete them.

Slide 19

SYSVOL Passwords + Leaked AES Keys

“Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.”

Takeaway:

Vulnerability came out in 2012, patch in 2013. We still see this ALL. THE. TIME.

Slide 20

SYSVOL Passwords + Leaked AES Keys

“Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.”

Takeaway:

Who needs an AES key when the password is stored in cleartext?

Graphic Credit: https://adsecurity.org

Slide 21

SYSVOL Passwords + Leaked AES Keys

“Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.”

Takeaway:

The Solution

Educate your Sys Admins – don’t put cleartext creds in files
Apply the patch to change the AES key
Delete old XML files with cpassword in them.

Slide 22

SYSVOL Passwords + Leaked AES Keys

“Apply the patch, delete the XML files, and don’t put cleartext passwords in scripts.”

Takeaway:

Bonus: Run Get-GPPPassword on yourself!

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
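The self-audit the slide recommends, as an added example that is not the deck's code and not Get-GPPPassword: it walks the Policies folder in SYSVOL, finds every Group Policy Preference XML file that still carries a cpassword attribute, and reports the GPO, the file and the account it sets. It deliberately does not decrypt anything, since the fix is to delete the file and rotate the password. It assumes the ActiveDirectory module, read access to SYSVOL (any domain user has that, which is the whole problem), and optionally the GroupPolicy module for resolving GPO names.

```powershell
# Added example: locate GPP XML files in SYSVOL that still contain cpassword.
Import-Module ActiveDirectory -ErrorAction Stop

function Find-GppCpassword {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword' -Quiet } |
        ForEach-Object {
            $file = $_
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            # The GPO GUID is the folder directly under Policies
            $gpoGuid = $file.FullName -replace '.*\\Policies\\(\{[^}]+\})\\.*', '$1'
            $gpoName = '(no GroupPolicy module or orphaned GPO)'
            try { $gpoName = (Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction Stop).DisplayName } catch { }
            # Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and
            # Printers.xml all put cpassword on a Properties element; only the account attribute differs.
            $doc.SelectNodes('//Properties[@cpassword]') | ForEach-Object {
                $p = $_
                $account = if ($p.userName) { $p.userName } elseif ($p.accountName) { $p.accountName } elseif ($p.runAs) { $p.runAs } else { '(n/a)' }
                [pscustomobject]@{
                    Gpo      = $gpoGuid
                    GpoName  = $gpoName
                    File     = $file.FullName
                    Account  = $account
                    Modified = $file.LastWriteTime
                    Action   = 'Delete this file and rotate the password'
                }
            }
        }
}

Find-GppCpassword | Format-Table -AutoSize
```

Because SYSVOL replicates, deleting the file on one DC removes it everywhere once replication converges; the Modified column is useful for showing how long the credential has been sitting there when you take the finding to the team that created it.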

Slide 23

KERBEROASTING

Solution: Long Service Account Passwords

Slide 24

Kerberoasting

“Domain accounts used to run services should have long and complex passwords.”

Takeaway:

Account used by a service = any domain user can pull its KRB5TGS hash

Slide 25

Kerberoasting

“Domain accounts used to run services should have long and complex passwords.”

Takeaway:

Audit your network with setspn.exe!
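The setspn.exe audit done in PowerShell so that the result can be filtered, as an added example that is not from the deck. User accounts with an SPN are the set any domain user can request a service ticket for; the report flags the ones that matter most, privileged accounts and accounts with an old password, and whether the account is limited to AES so the ticket is not handed out with RC4. It assumes the ActiveDirectory module; the 365-day threshold and the list of privileged groups are assumptions, not values from the slides.

```powershell
# Added example: enumerate Kerberoastable accounts and rank them for remediation.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)   # assumed threshold
    $privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Backup Operators'
    $privDns = foreach ($g in $privGroups) {
        try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).distinguishedName } catch { }
    }
    # Computer accounts carry SPNs too, but their passwords are long, random and rotate on their own,
    # so only user objects matter here. krbtgt is excluded as a special case.
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
               -Properties ServicePrincipalName, PasswordLastSet, Enabled, msDS-SupportedEncryptionTypes |
        ForEach-Object {
            $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            $enc = $_.'msDS-SupportedEncryptionTypes'
            $isPriv = $privDns -contains $_.DistinguishedName
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                SPNs            = ($_.ServicePrincipalName -join '; ')
                PasswordAgeDays = $age
                # 0x8 = AES128, 0x10 = AES256; 0x1/0x2 = DES, 0x4 = RC4. Unset means RC4, the cheapest to crack.
                AesOnly         = (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
                Privileged      = $isPriv
                Risk            = if ($isPriv) { 'HIGH: privileged account is Kerberoastable' }
                                  elseif ($null -eq $age -or $age -gt $MaxPasswordAgeDays) { 'MEDIUM: rotate to a long password or move to a gMSA' }
                                  else { 'LOW' }
            }
        } | Sort-Object PasswordAgeDays -Descending
}

Get-KerberoastExposure | Format-Table -AutoSize
```

A group Managed Service Account removes the problem entirely (240-character password, rotated by the domain); where that is not possible, a 25+ character random password on the service account is what makes the offline crack the slide is warning about impractical.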

Slide 26

DC BACKUPS

Solution: Ensure no one but Domain Admins can access your DC backups

Slide 27

DC Backups

“Only Domain Admins should have access to DC Backups”

Takeaway:

User with access to DC backup = Domain Admin
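A check for the rule on this slide, as an added example that is not part of the deck: it reads the NTFS ACL of a DC backup location and lists every principal that can read it, flagging anything outside an allowed set. The path '\\backupsrv\DCBackups' is a placeholder, the allowed identities are an assumption you should adjust to your own design, and only NTFS permissions are examined; share permissions on a UNC path need a separate Get-SmbShareAccess check on the file server.

```powershell
# Added example: who can read the DC backup? Anyone in this list can recover every domain hash offline.
function Test-DcBackupAcl {
    param(
        [Parameter(Mandatory)][string]$Path,   # placeholder path, e.g. \\backupsrv\DCBackups
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:USERDOMAIN\Domain Admins")   # assumed
    )
    $acl = Get-Acl -Path $Path
    # Any of these rights lets the principal read the backup contents.
    $readBits = [int]([System.Security.AccessControl.FileSystemRights]::ReadData -bor
                      [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                      [System.Security.AccessControl.FileSystemRights]::FullControl)
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $readBits) -ne 0) } |
        ForEach-Object {
            $id = $_.IdentityReference.Value
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
                Finding   = if ($AllowedIdentities -contains $id) { '' }
                            elseif ($id -match 'Everyone|Authenticated Users|Domain Users|Backup Operators') { 'Broad group can read DC backup = effectively Domain Admin' }
                            else { 'Unexpected principal - verify it needs DC backup access' }
            }
        }
}

Test-DcBackupAcl -Path '\\backupsrv\DCBackups' | Format-Table -AutoSize
```

Inherited entries are worth a second look: a backup folder created under a general-purpose share inherits whatever the share's parent granted, which is how "Domain Users: Read" ends up on a folder full of system-state backups without anyone deciding that.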

Slide 28

Takeaways

A local admin can extract from memory the cleartext password of any authenticated user
Turn off LLMNR. Turn off NBT-NS. Monitor for these requests
SYSVOL Passwords + Leaked AES Keys
Domain accounts used to run services should have long and complex passwords
Only Domain Admins should have access to DC Backups

Slide 29

DA101 - Kit

https://www.SHELLNTELL.com/blog/da-101

Question or Help? Justin Gardner – jgardner@synercomm.com