
Hi, so my name is Dale Hollis. I have had over 20 years of experience working with Active Directory, and I work for a company called SSC. It is not a security company like a lot of the other speakers here, but we have over 150 different directions. So without further ado, I need a few volunteers.

Do not look at these cards. Please do not look at these cards just yet. Are you a friend? I'm sorry, you want a big pocket, James, friend? I do not know. Oh okay, foreign volunteer, yeah okay. She would just hold this for a second. Come out over here.
So we're just going to play a little game here for a few minutes; it probably won't take us all that long. As they're handing them out, you can actually look at your card, but don't share the contents of the card with anybody else. There's somebody that has a card with a red X; could you raise your hand please? Okay, ready to go. So we're going to start off with you. You've got volatile, okay, congratulations. What I would like for you to do is talk with your neighbors for a few moments, share what you have on your card with them, and let's see if they have anything that matches what's on your card. Okay, go for it.

But nobody else, nobody else is supposed to do this just yet. There's two, three, five, one. A good one, okay, you do have one. Okay, now both of you, if you can share with other people, see if anybody shares some phrases from your cards; talk to other people.

So sorry, I hadn't quite accounted for the number of people that would be here. So if you have a card, can you please raise your hand so that they can... And if you find one that matches, then you also get up and you look around for people that may have something that shares... Some of you may have already figured out where we're going with this.

So if somebody gets a card that has a green zero, I think it is, or a blue zero or something like that, then just kind of shout out. Once somebody else has to work here... loser. All righty, so why don't you come up here; everybody else, you can go exit now. Compared with what she has, so what is it? Dogs are best friends. Dogs are best friends, you'll get a chance to... thank you. Okay, so you can go ahead and sit down there. Thank you very much. So this was just a simple test; give that a big round of applause.
For those of you who haven't gathered, she was representing our domain controller. The person with the red X was the individual who was representing our initial compromise, and as you were going through you found more and more people that had one or more passwords that were the same. This is a very simple, very common attack, and we actually talked about it a couple of times already, which I was not expecting. So what this is, it's pass-the-hash or a lateral attack. You get a password which frequently is the same across multiple devices; in this case you had one that would show "Show Me State". Everybody who had "Show Me State", raise your hand. Okay, all of you were workstations, because that is typically... most organizations, many organizations, will set your default password as the same across every workstation, and on servers you'll typically again have an administrator account that has the same password across all of those servers. This is what happens, and typically what happens is a user parses the credentials from your workstation, makes a lateral attack against other workstations until they find one where they can get to a server, then they do lateral attacks on servers until they can get to a domain controller. Frequently that actually happens a whole lot quicker than what we just demonstrated. I know this gentleman here, I forgot your name, it is Vincent, described how he could get domain admin twice, like right away, didn't even have to do lateral attacks against the servers.

So what is one way that we can mitigate this problem? Well, one of the things that we're doing at Ireland population is, one, we're actually emptying the built-in Administrators group on our workstations, with the exception of one non-built-in, okay, local account. That account's password is managed by Active Directory; the password is kept in Active Directory by a program called LAPS. It's a free download from Microsoft, it's free to implement, it does not cost any additional resources, you don't have to have a LAPS server farm, there is no LAPS server; everything is in Active Directory. And then you manage that account password. If you have the permissions, you can view that password, and then you can manage that workstation using that password that is unique to that workstation or server. It's a very simple tool, very simple to implement, and it really cuts down on the possibilities of lateral attacks. Any questions on that so far? I know we've talked... Yeah. LAPS does require an active... so if you have a multi-forest environment, then yes, you have to have a one-way trust. In order to view it, you can't really use the user interface to view the password in a different domain, but you can use PowerShell. Okay, so...

Okay, so one of the things that we're doing here, when I say it should be almost... it's just that one account. If you use secl, I was talking with Brandon earlier about this, if you use ssel, ssel uses the local system account to run as the service; there's no need for it to have any kind of administrative privileges on the workstation or the server. A lot of the attacks that Brandon and Vincent were talking about earlier would be mitigated by this. Not everything; there are listed things that you can do. So any questions about LAPS? So one of the other things that we are doing...
So we have implemented what's called a red forest, which again Brandon kind of mentioned briefly, where all of our super administrator accounts, so to speak, for all of the... in the red forest, there's a one-way trust between the red forest and the resource forests or the user forests, so an administrator that has an account in the red forest can read anything in downstream directories, but if that workstation gets compromised they can't even use the Active Directory tools to see what accounts exist in the red forest. So does that make sense? Some of the experts were kind of obfuscating that a little bit, but our... doing some security, but at the same time you can't help mitigate... to the red forest if you don't know who they are. You could probably figure out that they exist if you have the AD tools installed.

Is this as applicable for on-prem Active Directory as it is for Azure Active Directory? So Azure Active Directory is a little bit different, because you don't have trusts in the same way, and I don't know that LAPS is actually applicable to Azure Active Directory. Okay, I haven't done as much research on that. I know a lot of people had questions for Brandon earlier, and if you have questions I'd like to open up those questions now.
So the question was, how do you convince the C-suite to... One thing, it's zero cost with the exception of your efforts. Two, we've already talked about the huge attack vulnerabilities, because pass-the-hash, not all attacks, is one of the most common attacks, and this essentially stops that. It doesn't always stop, wouldn't necessarily stop, all the other attacks, but it does stop... no matter what we do. Good question. Yes sir. Can you limit your LAPS to require... say that again? Do you require LAPS to require electricity or something? I don't know the answer to that. You may be able to; that's assuming that you can configure the local account, because that's all it is, it's a local account, to use a private JP, then yes you can. Other questions?
...make a user an administrator for their phone or extension, would you say that the app at that point be step one? I would actually not do that at all. I would put this empty, period, if, and I would stress if, the user in question... The question that he asked was, is there a use case, and I'm going to paraphrase it, is there a use case for allowing an individual user to be put into the local Administrators group? And in my estimation I'd say no, because if, and I stress if, the local user actually needs administrative access, not saying like they're a developer, then they need some administrative access; then at most they would have access to view the password for their local computer, and then when they need to elevate something in order to install the software on that, then they find out the password for their computer, and only their computer, and then they use whatever admission devices they need there. Does that answer your question? That way it helps.

I think I was referring more to, like, if an institution currently has all of their users just given local administrative rights on their own workstations, which in our organization is terrible, would what you're proposing be all-in-one, like let's just take it from everybody, let's take your users... should it be taken away from users first and then do the admins later? So no, I would say take it away. This is one of those things; in the case of a workstation, users don't need administrative access. If they do need administrative access, then they're probably a developer. I keep one together... and other than that I don't see the use case. By default the LAPS password will rotate every 30 days; you can change that to whatever time period you desire. So in case you're curious, normal user accounts can't see that password; you have to be delegated the specific permission in order to view that password. I'm sorry? Generally that is preferred; actually that is the way that I would do it almost all of the time, the exception being the developer machines. But who's to say I'm not going to download Netflix onto my machine and then spend my whole day watching Netflix? I don't particularly care. Seriously, my take on this is that the individual workstation is already compromised. Yeah, so I don't really care if the given machine is more compromised than it was yesterday, because I'm throwing LAPS all over this. What you can't do is use your account, or that account, as a lateral attack on somebody else. That's what I care about, okay, that's what I'm trying to stop here. Yes sir.
And you're talking about people... Okay, so there are two ways to view the password. One, there's a user interface that comes with the LAPS installation if you install it all the way. As I mentioned earlier, that has a limitation that it can only view passwords for computers from the domain that you are in. So typically what I've done is I've created a PowerShell script. It's a very simple PowerShell script that I created; it asks for the computer name, the domain, and your credentials that should be able to read the password, and then it returns the password if that account has the rights. So the users, the people that are trying to view the password, don't actually need to know how to use PowerShell; they just need to know...
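An added example, not the speaker's own script: a PowerShell script shaped the way he describes it (computer name, domain and credentials in, LAPS password out), which queries the named domain's DC over the trust and can also expire the current password, the follow-up question he answers later. It assumes the legacy Microsoft LAPS attribute names, the RSAT ActiveDirectory module, and that the caller's account has been delegated read rights on the password attribute; the parameter and domain names are assumptions.

```powershell
# Added example (not the speaker's script). Reads the LAPS-managed local admin
# password for one computer in a named domain, running as explicit credentials.
# Assumes legacy Microsoft LAPS attributes ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime
# and the RSAT ActiveDirectory module.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [Parameter(Mandatory)][string]$Domain,           # e.g. resources.example.local (constructed)
    [Parameter(Mandatory)][pscredential]$Credential, # account delegated rights on ms-Mcs-AdmPwd
    [switch]$ExpireNow                               # force rotation on the next client cycle
)

Import-Module ActiveDirectory -ErrorAction Stop

# Ask the target domain's DC directly rather than the caller's home domain; this is
# the cross-trust case the LAPS UI cannot handle. The trust must let this account read.
$computer = Get-ADComputer -Identity $ComputerName -Server $Domain -Credential $Credential `
    -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' -ErrorAction Stop

if (-not $computer.'ms-Mcs-AdmPwd') {
    # The object was readable but the password attribute came back empty: the caller
    # lacks the delegated permission, or LAPS has never run on this host. Any normal
    # domain account can read the computer object; only delegated ones see the password.
    throw "No LAPS password returned for $ComputerName in $Domain; check delegated rights on ms-Mcs-AdmPwd."
}

# Expiration is stored as a FILETIME-style 100ns tick count (large integer).
$expiresUtc = [DateTime]::FromFileTimeUtc([int64]$computer.'ms-Mcs-AdmPwdExpirationTime')

if ($ExpireNow) {
    # Moving the expiration time to now makes the LAPS client pick a new password the
    # next time it runs, the same effect as the "Set" button in the LAPS UI, so the
    # password just disclosed to a technician does not stay valid for the rest of the cycle.
    Set-ADComputer -Identity $computer -Server $Domain -Credential $Credential `
        -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = [string](Get-Date).ToFileTimeUtc() }
}

# Return an object rather than writing to the console so callers can handle the
# password deliberately instead of leaving it in transcript logs.
[pscustomobject]@{
    ComputerName = $computer.Name
    Domain       = $Domain
    Password     = $computer.'ms-Mcs-AdmPwd'
    ExpiresUtc   = $expiresUtc
    ExpiredNow   = [bool]$ExpireNow
}
```

Because the read happens under the supplied credentials, the DC's security event log records who read the attribute, which is where the speaker's "20 or 200 or 2000 machines at once" anomaly would show up.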
Questions? So currently I'm not... again, I don't really care if a given user, if the password for a given machine, is being used. Could that be useful? Yes. If you have, let's say, they are asking for the passwords for 20 or 200 or 2000 machines at the same time, that would be something that you would want to know.
Say that again? Was that script... what permissions? Anybody, any user account, can query AD. If you have... so when I was talking about the red forest, if I were to use an account that was in that red forest, then that could query any directory that trusts that forest. But if you have just a normal user account that has no particular privileges whatsoever, you can query AD. Now in this case you wouldn't necessarily get the password for that; you would get information on the computer account, but you wouldn't necessarily get the password, because that permission has to be specifically delegated. That's information that you have to delegate in Active Directory; typically your domain admin would delegate that particular permission.

You could try to query the computer account for my computer, but you're not going to have permissions to... So when you're running the PowerShell terminal you're actually running under your credentials, so it's your credentials that are actually querying in this case. So that is a true statement, I accept it. It's like two or three attributes that have to be delegated permissions for you. Yeah, that specific permission has to be specifically delegated to your accounts to be able to view that password.
Appropriate, so, like, commonly the different people that need to be able to view that password are anybody that's on desktop support, obviously they would need it, and sometimes help desk, they would need to be able to see those passwords. There's pretty much not anybody else that needs to be able to view the password across all machines, across all the network, again with certain exceptions like the dev machines that they need to do there. And you have those, correct? So this doesn't... it can. That permission is not a standard permission, but it's done the same way that all other Active Directory permissions are done. Okay, and you can delegate that to a specific domain local group, and then you can make a member of foreign domains a member of that domain local group, just like any other domain. Okay, that makes sense. So typically you would delegate permissions on an OU to a domain local group, and then whoever needs membership in that domain local group...
Across the trust, right? So yes, you don't have to have direct communication with the red forest domain, if that's what you're asking. Yes, that's what I was hoping. Yeah, no, your workstation has to communicate with its DCs, and those DCs have to communicate with different... okay. Yes sir. What's the frequency of execution of the script? So we are still in the process of deploying it across the workstations, so I do not know the answer to that question, which is how often the users need access to... I anticipate... okay. With the ability to execute PowerShell, so that anomaly is... so let me say it a little bit differently, because we'll have certain users that can execute ours. That's the normal user working at their normal workstation; an accounts payable person doesn't need to be able to open up... right, okay. And I'm saying yeah, if you're giving people the ability to do that, all of a sudden you've just taken... visibility in your environment. We're giving certain limited people the ability, people such as developers, such as help desk, such as field service workstation management, such as server managers. We have all of our server managers in the Windows team; they're the only ones that need to be able to view the LAPS password for Windows servers, and they don't need to be able to view the LAPS password for the workstations. So they have those roles settled. Good question. Anything else? Questions? Excuse me, within the script are you able to set it so that it expires that LAPS password, like you would with the GUI interface? Yes. I have not set that up just yet, but you can.
And the question was, could I set that script to expire that password? Yes, I can. Yeah, I'm just kind of speaking to his concern: even if your script's not doing that, that's a different password 30 days from now anyway, right? Correct, yeah, by default, again, or you can set that to a 15-day interval or a five-day interval or however much you want. Thank you. So now the biggest problem with LAPS that I have encountered is when you need to restore a server or something from backup, especially from a backup that's from over 30 days. Well, the password that is in Active Directory no longer works at that point; you have to hack into the server, which you should be able to do. Okay, sure, go right ahead.

...rotates while the workstation... the domain trust has failed, for the outcome the trust has failed, it will have the old LAPS password cached, but if you're on the domain you will expect a different LAPS password, because that password is stored... If you have a reservation there, like it's mostly like developers... Please expect me to go check the door... Is that... that could be something to watch for. The way I understand that LAPS does it, I don't... I need to find out more details, because the computer is supposed to change the password only if it can connect to the domain successfully first, and then it says, hey, I'm ready to change my password, right? The DC says, oh okay, yes, I see you, you can change your password, and then the workstation says okay, I'm changing the password, it changes the password, and then it tells... and then AD says...

So that's a possibility, and I think we're way out of time. Sorry, so thank you all very much.