Target audience: Admins, CIO
Focus: technical
Language: German
Abstract
**********
Companies set up trust relationships between Active Directory forests. Does that put their own domain at risk? The talk shows some of the more exotic attacks within Active Directory and across forest boundaries, and why printers will be our downfall.
About the Speaker:
*********************
Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.
SBA Live Academy - Attacks on Windows Domains and Delegation by Reinhard Kugler
Classification: Public
Welcome
to the SBA Live Academy
#bleibdaheim #remotelearning
Today: The Forest has Eyes
by Reinhard Kugler
This talk will be recorded as soon as the presentation starts!
Please be sure to turn off your video in your control panel.
Mitigation: SMB Signing
• the protocol feature SMB signing mitigates man-in-the-middle (relay) attacks on SMB: a signed session cannot be relayed to a third host
• by default SMB signing is only required on Domain Controllers; on other servers and on clients it is merely supported, so an attacker in the middle simply negotiates it away
• also back-ported to NT 4.0 and 98 ;-)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
RequireSecuritySignature = 1 (Required)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
RequireSecuritySignature = 1 (Required)
https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/
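An added example, not part of the slides: a PowerShell script that audits the two registry values above on the local machine and, with a switch introduced here (-Enforce), turns "required" on through the SmbShare cmdlets. The function names are chosen for this example; run it in an elevated session.

```powershell
# Added example (not from the slides): audit SMB signing by reading the registry
# values the slide names, and optionally enforce "required" with the SmbShare
# cmdlets (Windows 8 / Server 2012 and later). -Enforce is a switch added here.
param([switch]$Enforce)

$SigningKeys = @{
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningState {
    foreach ($role in $SigningKeys.Keys) {
        $p = Get-ItemProperty -Path $SigningKeys[$role] -ErrorAction SilentlyContinue
        # EnableSecuritySignature only means "supported": a relaying attacker
        # negotiates signing away. Only RequireSecuritySignature = 1 stops SMB relay.
        [pscustomobject]@{
            Role     = $role
            Enabled  = ($p.EnableSecuritySignature  -eq 1)
            Required = ($p.RequireSecuritySignature -eq 1)
            Verdict  = if ($p.RequireSecuritySignature -eq 1) { 'ok' } else { 'relayable' }
        }
    }
}

function Set-SmbSigningRequired {
    # Writes the same registry values through the supported cmdlets, for both roles.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

Get-SmbSigningState | Format-Table -AutoSize
if ($Enforce) {
    Set-SmbSigningRequired
    Get-SmbSigningState | Format-Table -AutoSize   # re-read to confirm the change
}
```

Fleet-wide the same setting is the Group Policy "Microsoft network server/client: Digitally sign communications (always)". Requiring signing on the client side breaks connections to servers that cannot sign (old NAS boxes, printers with SMB1), so inventory those before enforcing.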
SBA Research gGmbH, 2020
https://www.bishopfox.com/blog/2014/06/week-life-pen-tester/
The Life of a Penetration Tester
https://docs.microsoft.com/de-de/windows-server/networking/windows-time-service/how-the-windows-time-service-works
Tier Model
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Why Delegation (Impersonation)?
Diagram: a Web Application that accesses File Shares and a Database on behalf of the logged-on (Active Directory) user; for each back-end service the web application needs a service ticket (TGS) in that user's name.
Unconstrained Delegation
Diagram: user donald@ accesses a service (e.g. WebDAV) that runs under a service user. Along with the service ticket, donald's TGT is sent to the service; the service can present that TGT to the Domain Controller (Kerberos AS/KDC), obtain further service tickets and so impersonate donald@ against any service.
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Constrained Delegation
Diagram: user donald@ accesses a service (e.g. WebDAV) that runs under a service user which is allowed to delegate to MSSQL/server. Using its own TGT, the service asks the Domain Controller (Kerberos AS/KDC) for a service ticket to MSSQL/server in another user's name; the diagram shows it requesting one for Administrator@ although donald@ is the user who connected (possible when the service is trusted for protocol transition, "use any authentication protocol"). The user's TGT is never handed over, but what is constrained is the list of target services, not the user being impersonated.
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
SBA Research gGmbH, 2020
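An added example, not part of the slides: a PowerShell enumeration of every object in the domain that carries one of the delegation attributes behind the two slides above (unconstrained, constrained, constrained with protocol transition, and resource-based constrained delegation), which is also the check for the "review objects with delegation attributes" takeaway. It assumes the ActiveDirectory RSAT module and a domain-joined session; the function names are chosen here.

```powershell
# Added example (not from the slides): list every AD object with a delegation
# attribute. Assumes the ActiveDirectory module; function names chosen here.
Import-Module ActiveDirectory

# userAccountControl bits (MS-ADTS)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: service receives the caller's TGT
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition: service picks the user
$SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller computer account

$props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
         'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName'

# One query: either UAC bit set (bitwise-AND matching rule), or either attribute present.
$ldap = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
        "(msDS-AllowedToDelegateTo=*)" +
        "(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"

function Resolve-RbcdPrincipals {
    # Resource-based constrained delegation stores a security descriptor on the
    # *target*; the ACE SIDs are the accounts allowed to delegate to it.
    param($Raw)
    if (-not $Raw) { return @() }
    if ($Raw -is [System.DirectoryServices.ActiveDirectorySecurity]) { $sd = $Raw }
    else {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$Raw)
    }
    $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) | ForEach-Object {
        try   { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.IdentityReference.Value }   # unresolvable SID (deleted account, foreign forest)
    }
}

function Get-DelegationReport {
    Get-ADObject -LDAPFilter $ldap -Properties $props | ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            Name               = $_.Name
            Class              = $_.ObjectClass
            IsDomainController = (($uac -band $SERVER_TRUST_ACCOUNT) -ne 0)
            Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
            ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
            ConstrainedTo      = (@($_.'msDS-AllowedToDelegateTo') -join '; ')
            RbcdAllowedFrom    = ((Resolve-RbcdPrincipals $_.'msDS-AllowedToActOnBehalfOfOtherIdentity') -join '; ')
        }
    }
}

# Domain controllers are unconstrained by design; everything else on this list needs a reason.
Get-DelegationReport |
    Sort-Object IsDomainController, @{ Expression = 'Unconstrained'; Descending = $true } |
    Format-Table -AutoSize
```

Read the output top-down: a non-DC computer or a user account with Unconstrained = True is the target the printer bug needs; ProtocolTransition = True means the service can mint tickets for any user to its ConstrainedTo list, so its credentials are worth as much as those targets; RbcdAllowedFrom lists who may delegate to that object and is what an attacker writes when they have GenericWrite on it.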
Domain compromised
… is the root domain in danger?
Diagram (lab setup): Virtual Environment and Production; sites Headquarter, Tschibutti, Uganda.
Diagram: two forests, int.mcduck.com and int.glomgold.za, connected by a two-way Forest Trust; within a forest, domains connected by a two-way Parent-Child trust; a server with delegation enabled. Attack paths marked on the diagram: Kerberos Golden Ticket + Extra SIDs, ACL abuse, delegation attack.
Takeaways
Least privilege, roles and tiers
Check trust relationships
Test your attack scenarios!
Review objects with delegation attributes
Protected Users security group for admins
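An added example, not part of the slides, for the "check trust relationships" and "Protected Users" takeaways and the forest-trust slide above: a PowerShell review of every trust's trustAttributes bits (the ones that decide whether SID history, i.e. a Golden Ticket with extra SIDs, and unconstrained delegation are honoured across the trust) followed by a list of Tier-0 accounts that are not in Protected Users. It assumes the ActiveDirectory RSAT module; which groups count as Tier 0 is a parameter chosen here, and the function names are chosen here.

```powershell
# Added example (not from the slides): trust review and Protected Users coverage.
# Assumes the ActiveDirectory module; function names and Tier-0 group list chosen here.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS)
$WITHIN_FOREST         = 0x20   # parent-child / tree-root trust
$FOREST_TRANSITIVE     = 0x8    # forest trust
$QUARANTINED_DOMAIN    = 0x4    # SID filtering on an external trust (netdom /quarantine:yes)
$TREAT_AS_EXTERNAL     = 0x40   # SID history allowed across a forest trust (netdom /enablesidhistory:yes)
$CROSS_ORGANIZATION    = 0x10   # selective authentication
$ENABLE_TGT_DELEGATION = 0x800  # unconstrained delegation honoured across the trust

function Get-TrustReview {
    Get-ADTrust -Filter * | ForEach-Object {
        $a = [int]$_.TrustAttributes
        $findings = @()
        if ($a -band $WITHIN_FOREST) {
            $findings += 'intra-forest: no SID filtering by design, a compromised child can forge SIDs (Golden Ticket + extra SIDs) for the forest root'
        } elseif ($a -band $FOREST_TRANSITIVE) {
            if ($a -band $TREAT_AS_EXTERNAL) { $findings += 'SID history enabled across the forest trust: SID filtering weakened' }
        } else {
            if (-not ($a -band $QUARANTINED_DOMAIN)) { $findings += 'external trust without quarantine: SID filtering disabled' }
        }
        if ($a -band $ENABLE_TGT_DELEGATION) {
            $findings += 'TGT delegation enabled: unconstrained delegation works across this trust (cross-forest printer-bug path)'
        }
        if (-not ($a -band $WITHIN_FOREST) -and -not ($a -band $CROSS_ORGANIZATION)) {
            $findings += 'no selective authentication: every principal of the trusted side is Authenticated Users here'
        }
        [pscustomobject]@{
            Trust     = $_.Name
            Direction = $_.Direction
            Type      = if ($a -band $WITHIN_FOREST) { 'intra-forest' } elseif ($a -band $FOREST_TRANSITIVE) { 'forest' } else { 'external' }
            Findings  = ($findings -join ' | ')
        }
    }
}

function Get-Tier0OutsideProtectedUsers {
    param([string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins'))
    # Protected Users (DFL 2012 R2+): no NTLM, no RC4/DES keys, no delegation, 4-hour TGT lifetime.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty distinguishedName)
    foreach ($g in $Tier0Groups) {
        # Enterprise Admins only exists in the forest root; ignore the lookup error elsewhere.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.distinguishedName } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName; DN = $_.distinguishedName } }
    }
}

Get-TrustReview | Format-List
Get-Tier0OutsideProtectedUsers | Sort-Object Account -Unique | Format-Table -AutoSize
```

Protected Users is a hard stop for NTLM and for every delegation flavour on the member account, so add admin accounts one at a time after testing, never service accounts, and keep one break-glass account outside the group.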
Microsoft Printer Bug
https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
https://www.youtube.com/watch?list=PLyQeLlJVTqDdBbkMHIFN8v6qrric3P38Y&v=bKko3ByTdMs&feature=emb_title
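An added example, not part of the slides or of the referenced posts: the printer bug (MS-RPRN RpcRemoteFindFirstPrinterChangeNotification) coerces a machine's Print Spooler into authenticating to a host the attacker names; done against a domain controller and pointed at a host with unconstrained delegation, that hands over the DC's TGT. The PowerShell below checks every DC for a spooler that is running or merely enabled and, with a switch introduced here (-Remediate), stops and disables it. It assumes the ActiveDirectory module, CIM/WinRM reachability and local admin on the DCs; the function name is chosen here.

```powershell
# Added example (not from the slides): Print Spooler exposure of domain controllers.
# Assumes the ActiveDirectory module and WinRM access; -Remediate is a switch added here.
Import-Module ActiveDirectory

function Get-DcSpoolerExposure {
    param([switch]$Remediate)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $fqdn = $dc.HostName
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                               -ComputerName $fqdn -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ DC = $fqdn; State = 'unreachable'; StartMode = $null; Exposed = $null }
            continue
        }
        # A stopped but still enabled spooler counts as exposed: it is back after the next reboot.
        $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
        if ($Remediate -and $exposed) {
            Invoke-Command -ComputerName $fqdn -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
            # Re-read so the report shows the state after remediation, not the intent.
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ComputerName $fqdn
            $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
        }
        [pscustomobject]@{ DC = $fqdn; State = $svc.State; StartMode = $svc.StartMode; Exposed = $exposed }
    }
}

Get-DcSpoolerExposure | Format-Table -AutoSize
```

A domain controller has no business serving print jobs, so disabling the spooler there costs nothing; the coerced authentication is only the first half of the attack, the second half is a host with unconstrained delegation (or, across a forest trust, TGT delegation left enabled), which is why this check belongs next to the delegation review.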
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Research & Consulting under one roof
Applied Research
Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
SBA Research
Knowledge Transfer
SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org
#bleibdaheim #remotelearning
Coming up @ SBA Live Academy
01.04.2020, 13:00, live:
"And how is your supply chain doing today?" (original title: „Und, wie geht's Ihrer Supply-Chain heute so?")
by Stefan Jakoubi
Supply Chain and Cyber Security
Join our MeetUp group!
https://www.meetup.com/Security-Meetup-by-SBA-Research/