• Home

  • Documents

  • AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security...
41

AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author
Page 2: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Offline Attackson Active Directory

Michael Grafnetter

Security Researcher and Trainer

Page 3: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Presenter bio

Michael Grafnetter

Security Researcher and Trainer

Michael is an expert in Active Directory security. He is the author of the DSInternalsPowerShell module and Thycotic Weak Password Finder, tools used by securityauditors and penetration testers worldwide. In the role of a security consultant,he has performed multiple security audits at large enterprises, mostly financialinstitutions. Michael is a former PowerShell MVP.

Page 4: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Directory Services Internals

Page 5: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

WARNING

The following presentation features demosperformed by professionals, so for your safetyand the protection of those around you, do notattempt to re-enact any activity you are aboutto see.

Page 6: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Database Mounting Tool

Disadvantages

•Read-only

•Hides secret attributes

Page 7: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Dumping AD Secrets

Page 8: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Export Formats

Page 9: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Auditing AD Passwords

Page 10: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Auditing AD Passwords

Page 11: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

AD Group Membership

primaryGroupId

member

Page 12: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Well-Known Global Group RIDs

Domain Admins 512

Domain Users 513

Domain Guests 514

Domain Computers 515

Domain Controllers 516

Cert Publishers 517

Group Policy Creator Owners 520

Page 13: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Offline Group Membership Modification

Page 14: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Forging SID History

Page 15: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Forging SID History

Page 16: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Forging SID History

Page 17: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

SID Filtering?

Page 18: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Offline Password Reset

Page 19: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Password Hash Cloning

Page 20: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

DEMO

Offline AD Database Modification

Page 21: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Replication Metadata

Page 22: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Replication Metadata

Page 23: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Airbus CyberSecurity BTA

Page 24: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

DPAPI-NG (AKA CNG DPAPI)

• NCryptProtectSecret(Descriptor, Data,…)

• NCryptUnprotectSecret(ProtectedBlob,…)

Page 25: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

PFX/PKCS#12 File Protection

Page 26: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

KDS Root Keys

Page 27: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Extracting KDS Root Keys

Page 28: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Ignite 2016 Talk

Page 29: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Credential Roaming

Page 30: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Credential Roaming - Storage

Page 31: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Credential Encryption using DPAPI

Page 32: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

DPAPI Domain Backup Key

Page 33: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Extracting Roamed Credentials

Page 34: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Decrypting Roamed Private Keys

Page 35: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

DEMO

Exctracting and Decrypting Roamed Credentials

Page 36: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Bonus: Bootable Flash Drive

Page 37: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Restore From Media: Motivation

Page 38: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Install From Media (IFM) Backup

Page 39: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

RFM Script

Page 40: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Conclusions

• Virtualization, SAN and Backup admins are AD admins

• Enable BitLocker on DCs

• Deploy read-only domain controllers (RODCs)

• Perform AD security assessments (including password audits)

• Monitor security-related changes in AD

• Regularly change passwords (users, computers, service accounts, krbtgt)

• Plan for disaster recovery

Page 41: AD Offline Attacks - DSInternals · 2018-11-06 · Presenter bio Michael Grafnetter Security Researcher and Trainer Michael is an expert in Active Directory security. He is the author

Questions

Presenter email: [email protected]

Presenter Twitter:

Presenter blog: www.dsinternals.com

mailto:[email protected]
http://www.dsinternals.com/

GIFT GUIDE: HOLIDAY 2019 WINTER WONDERS - Michael Korsmkholidaygiftguide.com/files/MK_HOLIDAY_2020_GIFT_GUIDE.pdf · michael kors san diego sunglasses $139.00 michael michael kors

GIFT GUIDE: HOLIDAY 2019 WINTER WONDERS - Michael Korsmkholidaygiftguide.com/files/MK_HOLIDAY_2020_GIFT_GUIDE.pdf · michael kors san diego sunglasses $139.00 michael michael kors

Documents
Case Presentation by Michael Armstrong by Michael Armstrong

Case Presentation by Michael Armstrong by Michael Armstrong

Documents
© Michael Lacewing Idealism Michael Lacewing enquiries@alevelphilosophy.co.uk

© Michael Lacewing Idealism Michael Lacewing [email protected]

Documents
© Michael Lacewing Expression Michael Lacewing enquiries@alevelphilosophy.co.uk

© Michael Lacewing Expression Michael Lacewing [email protected]

Documents
2 February. Discussion Questions What’s the difference between Michael and {Michael}? What would happen if we said Michael = {Michael}?

2 February. Discussion Questions What’s the difference between Michael and {Michael}? What would happen if we said Michael = {Michael}?

Documents
Windows PowerShell 5 Preview April 2015 - DSInternals Grafnetter Windows PowerShell 5 Preview April 2015 Gold partner: Generální partner:

Windows PowerShell 5 Preview April 2015 - DSInternals Grafnetter Windows PowerShell 5 Preview April 2015 Gold partner: Generální partner:

Documents
Michael Williams Michael Jercinovic

Michael Williams Michael Jercinovic

Documents
Scott Michael jost - Hunt Family · Scott Michael jost DESIGNER. Scott Michael jost DESIGNER. Scott Michael jost DESIGNER. Scott Michael jost DESIGNER. Title: Cabinetmaker's Workbench

Scott Michael jost - Hunt Family · Scott Michael jost DESIGNER. Scott Michael jost DESIGNER. Scott Michael jost DESIGNER. Scott Michael jost DESIGNER. Title: Cabinetmaker's Workbench

Documents
Story by Chris Ryall, Michael Ritchie, and Michael Verrecchiatransformers.target.com.edgesuite.net/Transformers_092407/img/... · Story by Chris Ryall, Michael Ritchie, and Michael

Story by Chris Ryall, Michael Ritchie, and Michael Verrecchiatransformers.target.com.edgesuite.net/Transformers_092407/img/... · Story by Chris Ryall, Michael Ritchie, and Michael

Documents
Michael Franks - Michael Franks (Book)[1]

Michael Franks - Michael Franks (Book)[1]

Documents
Social Psychology Cole Michael Edging Michael Todter

Social Psychology Cole Michael Edging Michael Todter

Documents
Michael Neale michael@michaelneale jboss michaelneale

Michael Neale michael@michaelneale jboss michaelneale

Documents
Welcome to Welcome to Saint Michael ParishSaint Michael Parishstorage.cloversites.com/stmichaelparish/documents/012912.pdf · Welcome to Welcome to Saint Michael ParishSaint Michael

Welcome to Welcome to Saint Michael ParishSaint Michael Parishstorage.cloversites.com/stmichaelparish/documents/012912.pdf · Welcome to Welcome to Saint Michael ParishSaint Michael

Documents
[Michael Harwood, Michael Harwood] Conveyancing La

[Michael Harwood, Michael Harwood] Conveyancing La

Documents
Scott, Michael - Carobnjak_ Tajne Besmrt - Michael Scott

Scott, Michael - Carobnjak_ Tajne Besmrt - Michael Scott

Documents
Object Eventing Service Michael Boyle and Michael Rounding

Object Eventing Service Michael Boyle and Michael Rounding

Documents
michael dunn foundation - The Michael Dunn Center

michael dunn foundation - The Michael Dunn Center

Documents
Pass-the-Hash Attacks - DSInternals · 1997 –Pass-the-Hash demonstrated using a modified Samba ... Identify all high-value assets Protect against known and unknown threats Detect

Pass-the-Hash Attacks - DSInternals · 1997 –Pass-the-Hash demonstrated using a modified Samba ... Identify all high-value assets Protect against known and unknown threats Detect

Documents
Sturman Michael 3-9-2021 Michael Sturman

Sturman Michael 3-9-2021 Michael Sturman

Documents
Michael Birsak and Michael Hanzl

Michael Birsak and Michael Hanzl

Documents
Michael Gold's homepage Michael S. Gold

Michael Gold's homepage Michael S. Gold

Documents
FICHA ARTÍSTICA Y TÉCNICA - Grupo Smediagruposmedia.com/descargas/michael-legend-programa.pdf · 2019-06-29 · MICHAEL LEGEND MICHAEL LEGEND Michael Legend, a tribute to Michael

FICHA ARTÍSTICA Y TÉCNICA - Grupo Smediagruposmedia.com/descargas/michael-legend-programa.pdf · 2019-06-29 · MICHAEL LEGEND MICHAEL LEGEND Michael Legend, a tribute to Michael

Documents
Copyright by Michael Erlewine, 2014 Michael@Erlewine

Copyright by Michael Erlewine, 2014 Michael@Erlewine

Documents
MICHAEL GRAVES COLLEGE KEAN UNIVERSITY ^ MICHAEL …

MICHAEL GRAVES COLLEGE KEAN UNIVERSITY ^ MICHAEL …

Documents
Design Exploration J. Michael Moore michael@csdl.tamu.edu michael

Design Exploration J. Michael Moore [email protected] michael

Documents
MICHAEL MATANKY, CHARLES FRANKLIN, MICHAEL DUFRESNE

MICHAEL MATANKY, CHARLES FRANKLIN, MICHAEL DUFRESNE

Documents
Fatima Michael College of Engineering & Technology Michael College of Engineering & Technology ... Fatima Michael College of Engineering & Technology. Scanned by CamScannerFatima Michael

Fatima Michael College of Engineering & Technology Michael College of Engineering & Technology ... Fatima Michael College of Engineering & Technology. Scanned by CamScannerFatima Michael

Documents
Michael B. Wilkinson Michael Wilcockson

Michael B. Wilkinson Michael Wilcockson

Documents
Michael Holland 518-885-9064 Michael

Michael Holland 518-885-9064 Michael

Documents
Michael Langer - Billie Jean - Michael Jackson (4 Guitars)

Michael Langer - Billie Jean - Michael Jackson (4 Guitars)

Documents