SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Kugler
•
0 recomendaciones•400 vistas
Zielgruppe: Admins, CIO Schwerpunkt: technisch Sprache: Deutsch Abstract ********** In Unternehmen werden Vertrauensbeziehungen zwischen Active Directory Forests angelegt. Ist damit die eigene Domäne in Gefahr? Der Talk zeigt exotischere Angriffe innerhalb von Active Directory und über Forest-Grenzen hinweg. Und warum wir durch Drucker dem Untergang geweiht sind. About the Speaker: ********************* Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Kugler
Similar a SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Kugler (20)
Más de SBA Research
Más de SBA Research (18)
Último
Último (20)
SBA Live Academy - Angriffe auf Windows Domains und Delegation by Reinhard Kugler
- 1. Klassifikation: Public Willkommen zur SBA Live Academy #bleibdaheim # remotelearning Heute: The Forest has Eyes by Reinhard Kugler This talk will be recorded as soon as the presentation starts! Please be sure to turn off your video in your control panel.
- 2. Klassifikation: Public 2 The Forest has Eyes by Bev Doolittle
- 3. Klassifikation: Public 5 (Net-)NTLM-Relay PC Kali Domain Controller NTLM- SSP Metasploit :445 Metasploit :4444 SAMBAExplorer Meterpreter SBA Research gGmbH, 2020
- 4. Klassifikation: Public 6 Mitigation: Samba Signing • the protocol feature samba signing would mitigate man-in-the- middle attacks on SMB • SMB Signing is only enabled on Domain Controllers (by default) • also back-ported to NT 4.0 and 98 ;-) HKEY_LOCAL_MACHINESystemCurrentControlSetServicesLanmanWorkStationParameters RequireSecuritySignature = 1 (Required) HKEY_LOCAL_MACHINESystemCurrentControlSetServicesLanmanServerParameters. RequireSecuritySignature = 1 (Required) https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/
- 5. Klassifikation: Public 7SBA Research gGmbH, 2020 https://www.bishopfox.com/blog/2014/06/week-life-pen-tester/ The Life of a Penetration Tester
- 6. Klassifikation: Public 8SBA Research gGmbH, 2020
- 7. Klassifikation: Public 9SBA Research gGmbH, 2020 https://docs.microsoft.com/de-de/windows- server/networking/windows-time- service/how-the-windows-time-service-works
- 8. Klassifikation: Public 10SBA Research gGmbH, 2020 Virtual Environment Production Headquarter Tschibutti Uganda
- 9. Klassifikation: Public 11SBA Research gGmbH, 2020 https://github.com/BloodHoundAD/BloodHound
- 10. Klassifikation: Public 17 Replication SBA Research gGmbH dcsync Domain Controller Mimikatz
- 11. Klassifikation: Public 18 Pass-the-Hash Administrator:8846F7EAEE8FB117AD06BDD830B7586C Administrator:8846F7EAEE8FB117AD06BDD830B7586C= Net-NTLMv2 Mimikatz https://github.com/gentilkiwi/mimikatz SBA Research gGmbH, 2020
- 12. Klassifikation: Public 19 Forging of Log Events SBA Research gGmbH, 2020
- 13. Klassifikation: Public 20 Tier Model SBA Research gGmbH, 2020 https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
- 14. Klassifikation: Public 22 http://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more Granting Ticket (TGT) Service Ticket (TGS) for HTTP/www.example.org:80 TGT TGS SBA Research gGmbH, 2020
- 15. Klassifikation: Public 23 S4U (con-/unconstrained Delegation) SBA Research gGmbH, 2020
- 16. Klassifikation: Public 25 Why Delegation (Impersonation)? Web Application Files Shares Database Act as logged-on (Active Directory) user TGS TGS SBA Research gGmbH, 2020
- 17. Klassifikation: Public 26 Unconstrained Delegation Impersonation as user donald@ Access service as user donald@ e.g. WebDav service runs under a service user Service Ticket TGT Service Ticket TGT Domain Controller (Kerberos AS/KDC) TGT https://shenaniganslabs.io/2019/01/28/Wagging- the-Dog.html SBA Research gGmbH, 2020
- 18. Klassifikation: Public 29 Constrained Delegation Impersonation as user Administrator@ Access service as user donald@ e.g. WebDav service runs under a service user Service Ticket Service Ticket MSSQL TGT Domain Controller (Kerberos AS/KDC) MSSQL/server https://shenaniganslabs.io/2019/01/28/Wagging- the-Dog.html Service Ticket SBA Research gGmbH, 2020
- 19. Klassifikation: Public 30 Domain compromized … is the root domain in danger? SBA Research gGmbH, 2020 Virtual Environment Production Headquarter Tschibutti Uganda
- 20. Klassifikation: Public 36 int.mcduck.com int.glomgold.za Forest Trust (two-way) Kerberos Golden Ticket + Extra SIDs ACL abuse, Delegation attack Parent-Child (two-way) Server with delegation enabled SBA Research gGmbH, 2020
- 21. Klassifikation: Public 37SBA Research gGmbH, 2020 How to be safe?
- 22. Klassifikation: Public 38 Takeaways SBA Research gGmbH, 2020 Least privilege, roles and tiers check trust relationships Test your attack szenarios! Review Objects with delegation attributes Protected Users Security Group for Admins
- 23. Klassifikation: Public 40SBA Research gGmbH, 2020 new attacks ahead?
- 24. Klassifikation: Public 41 Microsoft Printer Bug https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/ https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 https://www.youtube.com/watch?list=PLyQeLlJVTqDdBbkMHIFN8v6qrric3P38Y&v=bKko3ByTdMs&feature=emb_title SBA Research gGmbH, 2020
- 25. Klassifikation: Public 42 Misunderstood Features and Constellations SBA Research gGmbH, 2020 https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
- 26. Klassifikation: Public 44 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Forschung & Beratung unter einem Dach Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Wissenstransfer SBA Live Academy | sec4dev | Trainings | Events | Lehre | sbaPRIME Kontaktieren Sie uns: anfragen@sba-research.org
- 27. Klassifikation: Public 45 #bleibdaheim #remotelearning Coming up @ SBA Live Academy 01.04.2020, 13.00 Uhr, live: „Und, wie geht‘s Ihrer Supply- Chain heute so?“ by „Stefan Jakoubi“ Supply Chain und Cyber Security Treten Sie unserer MeetUp Gruppe bei! https://www.meetup.com/Security-Meetup-by-SBA- Research/
- 28. Klassifikation: Public 46 Reinhard Kugler SBA Research gGmbH Floragasse 7, 1040 Wien rkugler@sba-research.org SBA Research gGmbH, 2020