SlideShare a Scribd company logo

Breaking Forest Trust Boundaries with Unconstrained Delegation

Will Schroeder
Will Schroeder

1. The document discusses breaking trusts between Active Directory forests by leveraging compromised unconstrained delegation and the "printer bug" to coerce authentication across forest boundaries. 2. It explains how a compromised server with unconstrained delegation in one forest can be used to extract ticket granting tickets (TGTs) that can then be reused to access resources in a separate, trusting forest. 3. The "printer bug" allows remotely forcing authentication and is used to extract TGTs from the separate forest to circumvent typical cross-forest security restrictions. This bypasses the assumption that forests provide a security boundary when two-way trusts exist between them.

Internet
1 of 48
Download to read offline
Not A Security “Boundary” Breaking Trusts
Red teamer and offensive engineer SpecterOps.io I write lots of code :) 2
Red teamer, hunter, researcher SpecterOps.io I love shiny things :) 3
4 Microsoft’s “What Are Domains and Forests?” documentation
What If... Full ticket-granting-tickets could move across the trust from ForestA to ForestB 5 A computer in ForestA authenticates* to a computer ForestB We had a way to easily extract and reuse these TGTs while in ForestB? *bonus if we can force the authentication step :)
Kerberos in 60 seconds OK maybe a few minutes ;) 6 1.
Kerberos tl;dr ✘ Kerberos is dense, and we don’t have time to explain the entire protocol ○ Instead we’ll focus on a few key terms and points that are necessary to understand the nuances of the trust attack ✘ For a more in depth explanation, see Sean Metcalf’s post at https://bit.ly/2JhbAXl 7
Kerberos tl;dr 1. An account authenticates to a domain controller (DC/KDC) by encrypting some data with with a key derived from the user’s password (e.g. RC4_HMAC(NTLM hash) or AES128/256_HMAC keys) 2. If auth is successful, the DC returns a ticket granting ticket (TGT) to the user that contains a privileged attribute certificate (PAC) ○ The PAC is encrypted with the hash of the krbtgt (Kerberos ticket- granting-ticket service) account and contains auth information like the user’s SID and groups they’re in. 8
Kerberos tl;dr 3. The account requests a service ticket to a particular service principal name (SPN) by presenting the TGT to the domain controller 4. The DC returns a service ticket with the same auth info as the TGT. 5. The user sends the service ticket to the target service/machine, which decides whether to grant the user access. 9
10
2. Delegation When You Need to be Someone Else 11
The Reason Delegation is Needed 12 User Front End Back End Auth To Front End Service “Pretend” to be User
Unconstrained A user requests a forwardable TGT and sends it to the remote service with the service ticket. The remote service extracts the TGT from the service ticket and uses it to impersonate the user. Traditional Constrained The service requests a ticket to itself as another user (S4U2self) The service uses this ticket to request a service ticket to another service as that user (S4U2proxy). Service must be specified in msDS-AllowedToDelegateTo Resource-based Constrained ACL in a field (msDS- AllowedToActOnBehalfOfOthe rIdentity) on the target resource that dictates who can perform S4U2proxy to the resource 13 Delegation Types
Unconstrained Madness ✘ UNCONSTRAINED DELEGATION IS DANGEROUS! ✘ If an attacker can compromise a server with unconstrained delegation, they can obtain the TGT for any (non-protected) user who authenticates to that server ✘ In modern domains, only domain controllers are configured for unconstrained delegation by default ○ But we often see “misconfigurations” in the field :) 14
15
3. Domain Trusts: Crash Course 16
Trusts 101 ✘ Trusts link up the authentication systems of two domains ○ This allows authentication traffic to flow between them ✘ This is done by each domain negotiating an “inter-realm trust key” that’s used to encrypt Kerberos referral tickets ✘ Access is passed around with via these referrals and “inter-realm ticket granting tickets" 17
Trusts 201 ✘ Trust directions/transitivity: ○ One-way - one domain trusts the other ○ Two-way - both domains trust each other (2x one-way trusts) ○ Transitive - A trusts B and B trusts C, so A trusts C ✘ The main trust type categories we care about: ○ Intra-forest - parent/child, cross-link (all transitive) ○ Inter-domain - forest (transitive), external (non-transitive) 18
Privilege Attribute Certificates (PAC) ✘ Recall: When you first authenticate, you receive a TGT ○ Inside each TGT is a PAC ○ A TGT’s PAC contains the user/group SIDs that identify the user 19 Ticket Granting Ticket Privilege Attribute Certificate (PAC) User S-1-5-21-2532535433-4733566781-1284343941-1001 Groups S-1-5-21-2532535433-4733566781-1284343941-1353 S-1-5-21-2532535433-4733566781-1284343941-2604 ExtraSids S-1-5-21-3416895347-7456555532-9337766299-519 CORPitadmin CORPFileShareAccess CORPHelpDesk ACMEEnterprise Admins
SID Filtering ✘ During auth to another domain, the remote domain (the “trusting domain”) analyzes the SIDs in the TGT’s PAC ✘ Depending on the trust type, the remote domain removes (“filters”) SIDs under various circumstances (see MS-PAC section 4.1.2.2) ✘ E.g. when authenticating from ForestA to ForestB, the PAC from ForestA should not contain SIDs for a default set of privileged groups in ForestB. ✘ Other cross-domain/forest group memberships can be exploited 20
Intent of SID filtering Stop a compromised trusted domain/forest from compromising a trusting domain/forest. How well does this work in practice? Let’s find out... 21
Why The Domain != A Security Boundary 22
Why The Domain != A Security Boundary ✘ The SID for “Enterprise Admins” is NOT filtered out by default for inter-realm tickets if both domains are within the same forest ○ So if you can set your sidHistory to be “Enterprise Admins” (i.e. ExtraSids in the PAC), you can escalate from a child domain to the forest root domain! 23
Forests == A Security Boundary? 🤔 ✘ SID filtering of sensitive groups DOES protect across Forest boundaries ○ Hence, people have assumed that Forests were a security boundary :) 24
Sidenote: “Authenticated Users” in Referrals 25
Sidenote: Delegation and Trusts 26
So what? Let’s review ✘ Delegated TGTs (like some TGTs found on unconstrained servers) are usable across Forests boundaries. ✘ A compromised unconstrained delegation server means an an attacker can extract TGTs of users who auth to that machine, even if that user connects from another forest! ✘ Hmm…...can we coerce accounts to authenticate to an unconstrained delegation server? 27
28
4. The “Printer Bug” Our Final Ingredient 29
Printer Bug Overview ✘ Abuses the old enabled-by-default Print System Remote Protocol (MS-RPRN). ✘ RPC Methods: RpcRemoteFindFirstPrinterChangeNotification(Ex) ○ Purpose: “<ComputerA>, please send <ComputerB> a notification when ____ happens” (e.g. when there’s a new print job) ○ When invoked, ComputerA will authenticate to ComputerB ✘ This a way to coerce authentication. There are others and likely more to come. 30
Reference: Printer Bug Details ✘ Print System Remote Protocol (MS-RPRN) ○ SMB-RPC (TCP 445) ○ Named Pipe: pipespoolss ○ RPC UUID: 12345678-1234-ABCD-EF00-0123456789AB ○ Opnum 62 - RpcRemoteFindFirstPrinterChangeNotification ○ Opnum 65 - RpcRemoteFindFirstPrinterChangeNotificationEx ✘ The RPC server is accessible by “Authenticated Users” on Windows >= 8 if the Spooler service is started (Server & Workstations have it enabled by default). ○ Supposedly this will change in the future…. ○ On Windows < 8 , seems possible if hosts have shared a printer. ○ Independently discovered by Elad Shamir (@elad_shamir) 31
Weaponization ✘ SpoolSample - https://github.com/leechristensen/SpoolSample 32 LABDC01$ authenticated to WIN10
5. Breaking Forest Trusts Smash Smash Smash 33
Scenario ✘ An attacker completely compromises ForestB ○ This includes ForestB’s DC with unconstrained delegation ;) ✘ ForestB shares a two way forest trust with ForestA ✘ Tools Used: ○ Rubeus TGT monitoring/extraction ○ SpoolSample coerced authentication (the “printer bug”) ○ Mimikatz DCSync m/ 34
DCB DCA <- two-way forest trust -> Compromised Forest (FORESTB) Victim Forest (FORESTA) The “printer bug”
tl;dr 37 The compromise of any server with unconstrained delegation (domain controller or otherwise) can not only be leveraged to compromise the current domain and/or any domains in the current forest, but also any/all domains in any foreign forest the current forest shares a two-way forest trust with!
Public Reaction? (mostly good, but…) “Still a security boundary as long as it is not a two way trust AD forest/domain” 38 “Step 1: Have forest root domain admin credentials. Step 2: Have things be grossly misconfigured.” “I just don't think I've heard anyone claim a boundary still exists when a 2-way trust is in place.”
Why This Matters ✘ This attack works with default, modern configurations for Active Directory forests as long as a two-way forest trust is in place. ✘ The security of ForestA is now completely dependent on the security of ForestB (think acquisitions…) ○ Even if ForestA has *near perfect* security it can be completely compromised by the takeover of a single unconstrained delegation server in ForestB! 39
Microsoft: A Great Example ✘ We reported this to MSRC in the fall of last year ○ The associated Microsoft engineering teams determined that it wasn’t a vulnerability they would patch, but it would be something they might harden in the future (i.e. v.Next) ✘ After we published details (and defensive guidance) they decided this decision was a mistake, and soon released an advisory (and eventually a patch!) ✘ We applaud Microsoft/MSRC at admitting their error and handling the resulting situation in the best way possible! 40
41
6. Defenses Preventing and Detection 42
✘ “Selective authentication is a security setting that can be set on interforest trusts. It provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in a trusting forest.” ✘ However, this is focused on administrative users ○ Domain controller objects often need the “Allowed to authenticate” right on foreign domain controllers in order for the system to work correctly Selective Authentication 43
Disabling Kerberos Full Delegation Across Trusts 44 ✘ To prevent ForestA from accepting delegated TGTs from ForestB: ○ netdom trust foresta.local /domain:forestb.local /EnableTGTDelegation:no ✘ This flips the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION bit to prevent delegated TGTs from transiting the forest boundary ✘ This has to be done on each end of the trust(s)!
CVE-2019-0683 Details 45 ✘ As mentioned, Microsoft recently recognized this issue as CVE- 2019-0683 ✘ A patch is being slowly rolled out (see next slide) that disables TGT delegation across forest trust boundaries by default ✘ On the roadmap (July 2019) ○ “...adding a new safe default configuration for unconstrained Kerberos delegation across Active Directory forest trusts.”
CVE-2019-0683 Timeline 46 ✘ March 12, 2019 ○ Kerberos full delegation block is backported to Server 2008[R2] ✘ May 14, 2019 ○ A new trust flag will be introduced in case you need full delegation across trusts ○ "EnableTGTDelegation” set to “no” for all new trusts ✘ July 9, 2019 ○ Start of enforcement of new trust flag ○ "EnableTGTDelegation” ignored from this point forward
thanks! Any questions? [will | lee]@specterops.io @harmj0y | @tifkin_ 47
References ✘ Breaking Forests Trusts (Red) - https://bit.ly/2Ck1HlW ✘ Breaking Forests Trusts (Blue) - https://bit.ly/2Y2Etd5 ✘ Attack Demo Video - https://bit.ly/2ULitRW ✘ Microsoft Advisory - https://bit.ly/2ObHAv2 ✘ Microsoft Updates Timeline - https://bit.ly/2ugBZdM ✘ CVE-2019-0683 details - https://bit.ly/2CopVLR 48

Recommended

Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
 

Recommended

Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys AdminsWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 

More Related Content

What's hot

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 

What's hot (20)

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 

Similar to Breaking Forest Trust Boundaries with Unconstrained Delegation

DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingNCCOMMS
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7Sergey Yrievich
 
Active Directory and Virtualization
Active Directory and VirtualizationActive Directory and Virtualization
Active Directory and VirtualizationAniket Pandey
 
Exploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator InsecuritiesExploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator InsecuritiesPriyanka Aash
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1milkux
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloYossi Sassi
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceNetwork Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceCloudian
 
R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013Oby Sumampouw
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 

Similar to Breaking Forest Trust Boundaries with Unconstrained Delegation (20)

DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Mamouth white paper
Mamouth white paperMamouth white paper
Mamouth white paper
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Active Directory and Virtualization
Active Directory and VirtualizationActive Directory and Virtualization
Active Directory and Virtualization
 
Exploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator InsecuritiesExploiting Active Directory Administrator Insecurities
Exploiting Active Directory Administrator Insecurities
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceNetwork Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
 
R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013R2D2 slides from Velocity Conference London 2013
R2D2 slides from Velocity Conference London 2013
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 

More from Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conWill Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with PythonWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have MissedWill Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 

More from Will Schroeder (17)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Recently uploaded

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 

Recently uploaded (20)

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 

Breaking Forest Trust Boundaries with Unconstrained Delegation

  • 2. Red teamer and offensive engineer SpecterOps.io I write lots of code :) 2
  • 3. Red teamer, hunter, researcher SpecterOps.io I love shiny things :) 3
  • 4. 4 Microsoft’s “What Are Domains and Forests?” documentation
  • 5. What If... Full ticket-granting-tickets could move across the trust from ForestA to ForestB 5 A computer in ForestA authenticates* to a computer ForestB We had a way to easily extract and reuse these TGTs while in ForestB? *bonus if we can force the authentication step :)
  • 6. Kerberos in 60 seconds OK maybe a few minutes ;) 6 1.
  • 7. Kerberos tl;dr ✘ Kerberos is dense, and we don’t have time to explain the entire protocol ○ Instead we’ll focus on a few key terms and points that are necessary to understand the nuances of the trust attack ✘ For a more in depth explanation, see Sean Metcalf’s post at https://bit.ly/2JhbAXl 7
  • 8. Kerberos tl;dr 1. An account authenticates to a domain controller (DC/KDC) by encrypting some data with with a key derived from the user’s password (e.g. RC4_HMAC(NTLM hash) or AES128/256_HMAC keys) 2. If auth is successful, the DC returns a ticket granting ticket (TGT) to the user that contains a privileged attribute certificate (PAC) ○ The PAC is encrypted with the hash of the krbtgt (Kerberos ticket- granting-ticket service) account and contains auth information like the user’s SID and groups they’re in. 8
  • 9. Kerberos tl;dr 3. The account requests a service ticket to a particular service principal name (SPN) by presenting the TGT to the domain controller 4. The DC returns a service ticket with the same auth info as the TGT. 5. The user sends the service ticket to the target service/machine, which decides whether to grant the user access. 9
  • 10. 10
  • 11. 2. Delegation When You Need to be Someone Else 11
  • 12. The Reason Delegation is Needed 12 User Front End Back End Auth To Front End Service “Pretend” to be User
  • 13. Unconstrained A user requests a forwardable TGT and sends it to the remote service with the service ticket. The remote service extracts the TGT from the service ticket and uses it to impersonate the user. Traditional Constrained The service requests a ticket to itself as another user (S4U2self) The service uses this ticket to request a service ticket to another service as that user (S4U2proxy). Service must be specified in msDS-AllowedToDelegateTo Resource-based Constrained ACL in a field (msDS- AllowedToActOnBehalfOfOthe rIdentity) on the target resource that dictates who can perform S4U2proxy to the resource 13 Delegation Types
  • 14. Unconstrained Madness ✘ UNCONSTRAINED DELEGATION IS DANGEROUS! ✘ If an attacker can compromise a server with unconstrained delegation, they can obtain the TGT for any (non-protected) user who authenticates to that server ✘ In modern domains, only domain controllers are configured for unconstrained delegation by default ○ But we often see “misconfigurations” in the field :) 14
  • 15. 15
  • 17. Trusts 101 ✘ Trusts link up the authentication systems of two domains ○ This allows authentication traffic to flow between them ✘ This is done by each domain negotiating an “inter-realm trust key” that’s used to encrypt Kerberos referral tickets ✘ Access is passed around with via these referrals and “inter-realm ticket granting tickets" 17
  • 18. Trusts 201 ✘ Trust directions/transitivity: ○ One-way - one domain trusts the other ○ Two-way - both domains trust each other (2x one-way trusts) ○ Transitive - A trusts B and B trusts C, so A trusts C ✘ The main trust type categories we care about: ○ Intra-forest - parent/child, cross-link (all transitive) ○ Inter-domain - forest (transitive), external (non-transitive) 18
  • 19. Privilege Attribute Certificates (PAC) ✘ Recall: When you first authenticate, you receive a TGT ○ Inside each TGT is a PAC ○ A TGT’s PAC contains the user/group SIDs that identify the user 19 Ticket Granting Ticket Privilege Attribute Certificate (PAC) User S-1-5-21-2532535433-4733566781-1284343941-1001 Groups S-1-5-21-2532535433-4733566781-1284343941-1353 S-1-5-21-2532535433-4733566781-1284343941-2604 ExtraSids S-1-5-21-3416895347-7456555532-9337766299-519 CORPitadmin CORPFileShareAccess CORPHelpDesk ACMEEnterprise Admins
  • 20. SID Filtering ✘ During auth to another domain, the remote domain (the “trusting domain”) analyzes the SIDs in the TGT’s PAC ✘ Depending on the trust type, the remote domain removes (“filters”) SIDs under various circumstances (see MS-PAC section 4.1.2.2) ✘ E.g. when authenticating from ForestA to ForestB, the PAC from ForestA should not contain SIDs for a default set of privileged groups in ForestB. ✘ Other cross-domain/forest group memberships can be exploited 20
  • 21. Intent of SID filtering Stop a compromised trusted domain/forest from compromising a trusting domain/forest. How well does this work in practice? Let’s find out... 21
  • 22. Why The Domain != A Security Boundary 22
  • 23. Why The Domain != A Security Boundary ✘ The SID for “Enterprise Admins” is NOT filtered out by default for inter-realm tickets if both domains are within the same forest ○ So if you can set your sidHistory to be “Enterprise Admins” (i.e. ExtraSids in the PAC), you can escalate from a child domain to the forest root domain! 23
  • 24. Forests == A Security Boundary? 🤔 ✘ SID filtering of sensitive groups DOES protect across Forest boundaries ○ Hence, people have assumed that Forests were a security boundary :) 24
  • 27. So what? Let’s review ✘ Delegated TGTs (like some TGTs found on unconstrained servers) are usable across Forests boundaries. ✘ A compromised unconstrained delegation server means an an attacker can extract TGTs of users who auth to that machine, even if that user connects from another forest! ✘ Hmm…...can we coerce accounts to authenticate to an unconstrained delegation server? 27
  • 28. 28
  • 29. 4. The “Printer Bug” Our Final Ingredient 29
  • 30. Printer Bug Overview ✘ Abuses the old enabled-by-default Print System Remote Protocol (MS-RPRN). ✘ RPC Methods: RpcRemoteFindFirstPrinterChangeNotification(Ex) ○ Purpose: “<ComputerA>, please send <ComputerB> a notification when ____ happens” (e.g. when there’s a new print job) ○ When invoked, ComputerA will authenticate to ComputerB ✘ This a way to coerce authentication. There are others and likely more to come. 30
  • 31. Reference: Printer Bug Details ✘ Print System Remote Protocol (MS-RPRN) ○ SMB-RPC (TCP 445) ○ Named Pipe: pipespoolss ○ RPC UUID: 12345678-1234-ABCD-EF00-0123456789AB ○ Opnum 62 - RpcRemoteFindFirstPrinterChangeNotification ○ Opnum 65 - RpcRemoteFindFirstPrinterChangeNotificationEx ✘ The RPC server is accessible by “Authenticated Users” on Windows >= 8 if the Spooler service is started (Server & Workstations have it enabled by default). ○ Supposedly this will change in the future…. ○ On Windows < 8 , seems possible if hosts have shared a printer. ○ Independently discovered by Elad Shamir (@elad_shamir) 31
  • 32. Weaponization ✘ SpoolSample - https://github.com/leechristensen/SpoolSample 32 LABDC01$ authenticated to WIN10
  • 34. Scenario ✘ An attacker completely compromises ForestB ○ This includes ForestB’s DC with unconstrained delegation ;) ✘ ForestB shares a two way forest trust with ForestA ✘ Tools Used: ○ Rubeus TGT monitoring/extraction ○ SpoolSample coerced authentication (the “printer bug”) ○ Mimikatz DCSync m/ 34
  • 35. DCB DCA <- two-way forest trust -> Compromised Forest (FORESTB) Victim Forest (FORESTA) The “printer bug”
  • 36.
  • 37. tl;dr 37 The compromise of any server with unconstrained delegation (domain controller or otherwise) can not only be leveraged to compromise the current domain and/or any domains in the current forest, but also any/all domains in any foreign forest the current forest shares a two-way forest trust with!
  • 38. Public Reaction? (mostly good, but…) “Still a security boundary as long as it is not a two way trust AD forest/domain” 38 “Step 1: Have forest root domain admin credentials. Step 2: Have things be grossly misconfigured.” “I just don't think I've heard anyone claim a boundary still exists when a 2-way trust is in place.”
  • 39. Why This Matters ✘ This attack works with default, modern configurations for Active Directory forests as long as a two-way forest trust is in place. ✘ The security of ForestA is now completely dependent on the security of ForestB (think acquisitions…) ○ Even if ForestA has *near perfect* security it can be completely compromised by the takeover of a single unconstrained delegation server in ForestB! 39
  • 40. Microsoft: A Great Example ✘ We reported this to MSRC in the fall of last year ○ The associated Microsoft engineering teams determined that it wasn’t a vulnerability they would patch, but it would be something they might harden in the future (i.e. v.Next) ✘ After we published details (and defensive guidance) they decided this decision was a mistake, and soon released an advisory (and eventually a patch!) ✘ We applaud Microsoft/MSRC at admitting their error and handling the resulting situation in the best way possible! 40
  • 41. 41
  • 43. ✘ “Selective authentication is a security setting that can be set on interforest trusts. It provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in a trusting forest.” ✘ However, this is focused on administrative users ○ Domain controller objects often need the “Allowed to authenticate” right on foreign domain controllers in order for the system to work correctly Selective Authentication 43
  • 44. Disabling Kerberos Full Delegation Across Trusts 44 ✘ To prevent ForestA from accepting delegated TGTs from ForestB: ○ netdom trust foresta.local /domain:forestb.local /EnableTGTDelegation:no ✘ This flips the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION bit to prevent delegated TGTs from transiting the forest boundary ✘ This has to be done on each end of the trust(s)!
  • 45. CVE-2019-0683 Details 45 ✘ As mentioned, Microsoft recently recognized this issue as CVE- 2019-0683 ✘ A patch is being slowly rolled out (see next slide) that disables TGT delegation across forest trust boundaries by default ✘ On the roadmap (July 2019) ○ “...adding a new safe default configuration for unconstrained Kerberos delegation across Active Directory forest trusts.”
  • 46. CVE-2019-0683 Timeline 46 ✘ March 12, 2019 ○ Kerberos full delegation block is backported to Server 2008[R2] ✘ May 14, 2019 ○ A new trust flag will be introduced in case you need full delegation across trusts ○ "EnableTGTDelegation” set to “no” for all new trusts ✘ July 9, 2019 ○ Start of enforcement of new trust flag ○ "EnableTGTDelegation” ignored from this point forward
  • 47. thanks! Any questions? [will | lee]@specterops.io @harmj0y | @tifkin_ 47
  • 48. References ✘ Breaking Forests Trusts (Red) - https://bit.ly/2Ck1HlW ✘ Breaking Forests Trusts (Blue) - https://bit.ly/2Y2Etd5 ✘ Attack Demo Video - https://bit.ly/2ULitRW ✘ Microsoft Advisory - https://bit.ly/2ObHAv2 ✘ Microsoft Updates Timeline - https://bit.ly/2ugBZdM ✘ CVE-2019-0683 details - https://bit.ly/2CopVLR 48