Transcription
Active directory :How to change a weak point into aleverage for security monitoringVincent LE TOUX – ENGIE – FranceFirst Conference 2017 – San Juan (Puerto Rico)June 12th (Monday) 12:00—12:45
CONTENTSChapter 1Why focusing on Active Directory ?Chapter 2Focusing on AD vulnerabilitiesChapter 3Monitoring the domains (that we don’t control)Chapter 4How to secure the domains ?
About the ENGIE ContextA critical infrastructure operator (Thermic,gas, hydro, nuclear) under regulations(NERC/NIS, )A complex history & a decentralized cultureThe group is present in 70 015Société GénéraledesPays-BasCompagnieUniverselledu Canal Maritimede SuezSociété Lyonnaisedes Eauxet de l’ÉclairageCompagnie Mutuellede TramwaysGaz deFranceElectrabelSuez Lyonnaisedes EauxInternational PowerSUEZGDF SUEZENGIE2017-06-12First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring3
Why focusing on ActiveDirectory ?
Does it remind something to you ?We are secured. We have bigwalls.Leave us aloneYour organization2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring5
Not castles from fairy talesTrust everyoneforgot Corporate ADReorganization(never completed)ActiveDirectoryinsideCompany boughtCriticalapplicationconnected toADMergerExternal companiesActiveDirectoryinsideActive DirectoryinsideJoin VentureBusiness as usualThe reality2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring6
Quizz: Who can become the domain admins (or more) ?Built-in Administratorsnet group "Domain Admins" %username% /DOMAIN /ADDServer OperatorsC:\ sc config browser binpath "C:\Windows\System32\cmd.exe /c net group \" Domain Admins\"%username% /DOMAIN /ADD" type "share" group "" depend ""[SC] ChangeServiceConfig SUCCESSC:\ sc start browser[SC] StartService FAILED 1053:The service did not respond to the start or control request in a timely fashion.(well, it has the right to logon to DC and discoverPrint operatorspassword in batches or copy ntdis.dit backup)Account operatorsnet group “badgroup" %username% /DOMAIN /ADD see slide after for the choice of the groupBackup operatorsBackup osoft\Windows NT\SecEdit\GptTmpl.infRestore: with [Group Membership]*S-1-5-32-544 Members etc etc etc ,*S-1-5-21-my-sidThen DCSync krbtgt Golden ticket Enterprise admins (see later)2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring7
Focusing on ADvulnerabilities
Extended rightsWhere are your admins ? Extended rights can reset the password ofaccounts, reanimate tombstone, take controlof accounts indirectly(Allowed-To-Authenticate, User-Force-Change-Password,Reanimate-Tombstones, Unexpire-Password, UpdatePassword-Not-Required-Bit, Apply-Group-Policy, SelfMembership, Migrate SID History, Unexpire Password, DSReplication-Get-Changes-All ) Delegation modelRootOU-1I got adelegation onOU-1admin1UsersDomainAdministrators Users (helpdesk, ) can become domain admins instantly2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring9
Pass the hash / over pass the hash / pass the ticket / golden ticket / silverticket Lsass.exeNTLMPass the HASHNTLM:123456789TGSPasswordsamePass the ticketTGTKerberosOver Pass the HASHSilver ticket(KDC account)Golden ticket(krbtgt)KDCRc4 hmac nt: 123456789Aes 128: 123456789Aes 256: 123456789KDC2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring10
Silver ticket DCSync : being compromise without knowing it Detecting silver tickets requires to collect all kerberos events on ALL computers Silver / Golden tickets still valid if created with the old password (to avoid replication problem)DCSync export secrets needed to build silverticketsMimikatz create / import golden / silver ticketOld or current passwordkerberos::golden /domain:lab.local /sid:S-1-5-21-xxx/target: explicitdc.lab.local /service:ldap /rc4:currkey/user:explicitdc /id:xxx /groups:516 /sids:S-1-5-9/ticket:explicitdc.silver.kirbi You do not need anymore an account to access the AD.The attack is invisible using classic account supervision2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring11
Active Directory trusts One kerberos ticket can have a field containing a « SID History » record. Used for migration butnot only (used to contain forest group membership) One golden / silver ticket can have a field« SID History » forged (example: forest admin SID) Without SID Filtering, these tickets works on other domainsNo SID Filtering inside a forest One domain can compromise other domains2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring12
Account enumeration without domain access You canenumerate all theusers of yourbastion using SIDenumerationif there is a trustAbuse kerberos error code (test: Krbguess, Nmap krb5-enum-users)100% of the domains vulnerable, few % of users enumerated Null session: authenticating to a domain with user « » password « » (test: rpcclient)— Allowed by default on Windows 2003 via MS-LSAT— Check Anonymous and everyone are in the group Pre-Windows 2000 Compatible Access— Check DsHeuristics has fLDAPBlockAnonOps enabled (forest wide setting)2 methods:MS-SAMRMS-LSAT— Check the registry key TurnOffAnonymousBlock is set10-30% of domains vulnerable, 100% of the users, including trusted domains enumeratedConsequences:Block all the accounts if a locking policy is in place (including those in trusted domains)Locate weak accounts and bruteforce passwords2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring13
Monitoring the domains(that we don’t control)
Our recipe1) Build an « audit script » withminimal requirements (nodomain admin rights, no needto run on a DC, run only once, )2) Easy to understand KPI3) Sell it to the top managementas « it is a 5 minute job »Run an audit script is a « 5 minutes job »2017-06-124) Wait for the result and followthe deploymentFirst Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring15
What’s look like Max (all scores)2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring16
The script: example of rules Stale objectsTrusts— User / computer not used (and never used)— SID Filtering— Check for ms-DS-MachineAccountQuota 0— Login script from another domain— Presence of SID History Anomalies— Duplicate accounts ( DUPLICATE )— Krbtgt password changePrivileged accounts— Presence of admincount 1 for non admins— Check for flag « this account is sensitive and cannotbe delegated »— GPP password— Account « domain administrator » used— Owner of domain controller objects— Password change for Smart cards— Root certificate weak module or algorithmMore than 50 rules in the audit scriptV1: powershell ; 5 minutes per runV2: c# ; less than 1 minute per run2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring17
Abusing trusts to discover domainsWhat you canaccessYour domainWhat youcan discoverYour forestTechnics:Kerberos clients can traverse a maximum of 10 trust links to locate a1) Object type « trustedDomains »requested resource in another domain (source)2) msDS-TrustForestTrustInfoLimit is on UPN routing. Not trusts !3) CN partitions,CN Configuration2017-06-12 trust kz.comFirst Conference2017 - First Conference2017 - Active directory : How to changea weak point into a leverage for security pat.com- source)4) SID in FSP LsaLookupSid DSGetDC
Domain discovery in practiceTrusts without SID FilteringForest 1Trusts with SID FilteringInternal forest trustInactive trusts With only 2 reports:— More than 2 forests discovered— 36 additional domains foundAdminbastion— Link between the 2 forests discovered— Admin bastion discovered (without any directtrust)Forest 2Golden rule:Assign the « discovereddomains » to the AD owning thetrust (and then to the BU)2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring19
Management vision about ADBefore: 90 domainsAfter: 300 domainsSimplified view No trust with external companies2017-06-12Trust with 10 unknown companies,including 2 multinationalsFirst Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring20
Management findings Running AD audit script is not a 5minutes job (a 3 then 6 months project) Several AD (30%) without formalidentified owner Multiply by 3 the number of AD owned Several trusts with external companies(without SID Filtering) Several GPP passwords or OU withdelegation to everyone or NULLSESSION domain controllersIf one AD is compromised, it can lead to the compromise of several othersSID Filtering is a quick remediate, but works only if the corporate put pressure.2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring21
How to secure thedomains ?
First glance risk approachGroup risksLocal risksA local domain can compromiseanother domain (mitigation: SIDFiltering)Domain is not available (down)Domain is compromisedDomains without identified owner –nobody to manage security incidents(mitigation: request script results)« Secure the domain » is hereTrust with an entity that we don’tcontrol (external companies, )(mitigation: trust removal)Group risks are easier to mitigate (and they have the higher impact)2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring23
ENGIE strategy about securing Active DirectoryRun the “audit tool” (PingCastle) on all domains weeklyAssessmentBuild / Deploy monitoring solutionMonitoringWe talkedabout thisHardeningAccess Securisation studyA 3 years securisation project included in the « One Security » program2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring24
3 priorities for BU CIO and CISO defined in 2017Enable SID Filtering on all trusts(except migration)Deploy the audit script on100% of the domainsThenImprove the score (min: 50/100)4th May2016Restricted - One security WOSM25
Top 5 Active directory vulnerabilitiesCheckVulnerableDomainsNon admin users can add upto 10 computers to a domainA User (including from trusted domains) can introducean unsupervised workstation in the network and bypassall security policies46%The « administrator » accountis used at least once permonthPassword is well known and/or stored in the registry. Itcan be retrieved & used as a backdoor34%The krbtgt password isunchanged for at least 40 daysIt should be changed twice per month to avoid silentcompromise or silent compromise using Golden ticketattacks69%Null session is enabled in atleast one domain controllerThis NT4 settings can be used to enumerate all accountswithout an account and bruteforce them or use thisinformation to lock every account in the domain AND inthe trusting domains.28%At least 2 accounts are in thedomain admin groups andhave a password whichdoesn’t expire.Service accounts are far too over privileged and theirpassword can be captured with minimal privileges66%First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoringExploitability / Remediation facility2017-06-12Rationale26
Market orientationAD Specific solutionsMonitoringGapWith what login isassociated that IP ?Change monitoringAttack detectionGeneric solutions2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring27
Monitoring gap: no vulnerability analysisNormal adminsPersonal accountowner of theprovisionning serviceaccountNormal domain adminsPersonal adminaccount put in domainadminsHelpdeskUsers owning GPOapplied to admins https://github.com/ANSSI-FR/AD-control-paths - bloodhound2017-06-12Bonus: who can owns the CEOaccount ?First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring28
A possible strategy based on risksBastion ADGroupapplicationADUser hackers’ riskFocus (and limit the budget) to high value AD – accept the risk for ohers2017-06-12First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring29
Hackers’ roadmapAlready (almost) well ke-mimiktaz)Not well knownKekeo« Mimikatz 2 »Golden ticketNetSyncAoratopwDCSync withNetlogon RPC(Python) ResponderPowershell empirePassword change withonly kerberos keyBypassing SID Filtering with forest trustby abusing non removed SID History2017-06-12DCSyncSmart card logonwith authenticationin the futurePKINIT MustinessDoS on kerberosauthenticationKerbStromRDP attacksMakeMeEnterpriseAdminDCSync / Goldenticket inc#/powershellFirst Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring30
Hardening roadmap What AD Guys think:Credential guardRed forestAdmin bastion2 factor authentication“Enabling Credential Guard on domaincontrollers is not supported” (source) What the security thinks:Priority #1Control the number ofadministratorsMore than xxx users can becomedomain admin (150,000 users)Google PIV /GIDS smartcardHardening is not always a technical measure.How much administrators have signed the admin charter ?2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring31
Conclusion
Lessons learnedYou can “infiltrate” a castle:- Internally using the Active Directory- Externally using Threat Intelligence (compromisedemails or blacklist registers of internet ip)You can quickly build a big picture:- How much AD, the map and their risks- Get support to remove old domains / OSBuilding a « monitoring » process can be achieved at a relatively low cost2017-06-12First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring33
ConclusionMany services rely on Active Directory,lots of vulnerabilities and few security.Active Directory is an efficient way to gettop management supportThere is a lot of quick wins to beperceived as a solver and not a blockerby the managementKrásna Hôrka castle 20122017-06-12It can be linked with the SOC for bettermonitoring of AD vulnerabilities.First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring34
Questions ?How much ponies did you see ? (including this one)Tool: http://www.pingcastle.com
Bonus slide: Some KPIDomain cleaningInitial deadlineSwitch to continuous auditingmode at 87% and after 9months95% of the total domains known in 2 monthsScripts submission flows only on management pressureSID Filtering KPI was changed from “enabled only” to “not enable” (3 states: Yes, No, Not applicable). SID Filtering evolution ismost of the time related to a direct order of the corporate.2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring36
Bonus slide: Owning trusted domain(Bypassing SID Filtering - and unidirectional trust)1) Installing a backdoor and wait for connectionsMinikatz after a login or installing a rogue security package (Note: password in clear text forRDP)2) Enumerate users of Inbound trusts via LsaLookupSids3) Deciphering a TGS with KerberoastMost vulnerable: service account with no password expiration 20 charactersrecommended !See this. 200MH/s with hashcat GTX1080. From 6 months to 1 day, offline, with a 8 charpassword.4) Exploring domain configuration for vulnerabilities GPP Password (almost in clear text) Login script hosted in other domains Restricted group (local admin) with Everyone or Authenticated Users or NTAUTHORITY\INTERACTIVE OU/container with write access to Everyone / Authenticated Users2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring37
Bonus slide: SID FilteringAlgorithm to know if it is active: SID Filtering NA Inbound trust or Intra forest trust SID Filtering Active If forest trust and not inter forest trust Yes ; else if quarantined domain YesEnabling it: Forest trust: enabled by default netdom /enableSIDHistory NO Domain trust: disabled by default netdom /quarantine YES Do not enable Quarantine on a forest trust !!! (users from child domains in the forest won’t beauthenticated anymore)2017-06-12First Conference 2017 - First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring38
2017-06-12 First Conference 2017 - Active directory : How to change a weak point into a leverage for security monitoring 3 . password in batches or copy ntdis.dit backup) Built-in Administrators Server Operators Print operators Account operators Backup operators. Focusing on AD vulnerabilities . — Allowed by default on Windows 2003 via MS .
![[MS-ADFSOD]: Active Directory Federation Services (AD FS .](/img/1/5bms-adfsod-5d.jpg)
