After a weekend, full of computer enthusiasts and knowledge transfer at the Defcon 26 in Las Vegas, I am working again and wanted to share a few things I learnt there. There were a few things shown about administering active directory. In this post, I want to tell you about the presentation that caught my attention the most.
The content of this post has been altered from the original presentation to better suite the audience of this website. The original presentation was more oriented towards the attacker and pen tester. This blog post is more oriented towards system admins, to show the security holes the attackers exploit.
First things first. How did we use to administer in an active directory and where would be the vulnerabilities there?
Log in to a workstation as an administrator
- The login credentials are stored in in LSASS which can be read out with simple tools
Starting MMC tools with “Run As…”
- The same problems as in point one
RDP to Domain Controllers to manage them
- Keylogger can be used on the local computer and then the credentials are stored in the LSAS on the remote system.
How have these methods changed?
Nowadays, most administrators do have two accounts. A user account, which is used to do normal tasks and an admin account for administrative tasks. Also, administrators don’t use “Run As…” anymore. Instead of directly connecting to the Domain Controller, jump hosts are used to administer servers. To secure the jump host connection often MFA is used. And to make things even harder to crack, there might be restrictions, from where and when an admin can log into a specific administrative server or DC.
What to look for, when you are using Password Vaults.
It is a good idea to use Password Vaults since you don’t have to remember your passwords and therefore you can use more secure and complex passwords. But there are some things to look out for, which can easily be exploited, if you misconfigure them.
Oftentimes, administrative accounts will be used to log in to the PV (Password Vault). As I stated above, this can be traced back with a simple keylogger. To make it worse, connections to the PV often don’t require 2FA/MFA.
If you change the PV login to the administrator user account, the attacker cannot do a lot of harm, even if the user account is compromised. And by adding 2FA/MFA to the PVs login, even if the account is compromised, the attacker will still not be able to access the PV.
Additionally, PV servers can often be accessed from the whole network. This makes it easy for the attacker to access the PV as soon as they have the login. But the security aspect of this can also be easily upgraded to only allow access from the administrator’s workstation or the jump host.
Also keep in mind, that copying the credentials to the clipboards enables the attacker to read out the RAM. The best idea would be a PV solution which enables you to never use the credentials, and which opens the wished connection by itself.
Even Admin Servers/Jump Hosts are not completely secure.
The easiest way to get to the credentials which are used to connect to the jump host is to use a keylogger. As Sean Metcalf showed during his Presentations, it is easy to make a script, which creates a scheduled task, which is triggered by starting “mstsc.exe” and calls the keylogger which is written in PowerShell (remember how easy it is to bypass PowerShell execution policies from Scheduled Task).
Remember: If the attacker compromises the jump host, he has unrestricted access from the jump host to all the servers to which the administrators had access to.
Therefore, it is important to make security for this host a priority. One simple way towards this goal is to use MFA.
The latest “best” way to administer AD
Several organisations have implemented an Admin Forest in their Domain. This is a great way, since even if the attacker compromises the productive domain and gets a user account, it is harder to find the administrator accounts. But be careful, here are also a few trip mines, attacker use to get around it.
A one-way trust to a different forest can be discovered with PowerShell. Don’t think that it is hidden. Organisations who implemented this solution and have gone through pen-testing or have already had an attacker compromising them, often didn’t fix their prod domain but only focused security on the admin forest. Another way to get around this method was to compromise service accounts, since they have been forgotten to transfer the admin forest.
Using user insecurities to bypass MFA/2FA
Using MFA in a company enhances your security a lot but even this can be breached. Most of the times, insecurities from the administrators are used to bypass this. Attacker can time their login, so that it matches the login time from the admin. This leads to two MFA requests. Your administrators can not check which of them both are legitimately his request and thinks, that he has to accept both of them. Teach your users not to simply accept MFA requests if they get a second request. Also, attacker use self-serving portals to change the phone number of an admin temporarily, so they get the SMS token and the admin will not even know that there was an MFA request.
As stated, MFA is a really good way to enhance your security. But only if you teach your users to inspect the queries before they accept them. It is important to keep in mind how the workflow for MFA works and secure the whole workflow.
We are in a constant race between the blue team and the red team and in this race, it is important to keep up to date with the methods of the red team and patch the holes they use to bypass our securities.
Upon asking, how a company secured their infrastructure against attacker, Dave Kennedy, a pen tester, answered: “It wasn’t just one thing, it was layers of things” and “Once we did get around their protection, the detection was awesome”.
This also reflects the security strategy of Microsoft as they try to add multiple layers of security and not only to focus on one thing and to make sure an attacker gets detected even if he breaches on layer.
If you are interested in this topic you can visit: http://defcon.org. They have their media server linked on their homepage, which contains all the presentation from Defcon 1 through till Defcon 26 which happened this year.