Best of Enterprise and AD Exploitation at Black Hat / DEFCON

August 22, 2016, Marcello Salvati, Senior Security Researcher, Coalfire Labs

Lots of hacks, lots of people, lots of content, and lots of parties. That basically sums up this year's BlackHat and Defcon. The two conferences seem to get bigger every year with no sign of slowing down, which emphasizes how cybersecurity is becoming more and more of an issue for everyone: governments, Fortune 1000 companies, small businesses and individuals alike.

Recently, I've taken an interest in enterprise security and went out of my way to attend a few talks that I thought might be interesting, and they did not disappoint. If you’re a red teamer, blue teamer, or anywhere in between and deal with enterprise security and/or active directory in any way, I highly recommend checking out these talks in particular:


AMSI: HOW WINDOWS 10 PLANS TO STOP SCRIPT-BASED ATTACKS AND HOW WELL IT DOES IT
(https://www.blackhat.com/us-16/briefings.html#amsi-how-windows-10-plans-to-stop-script-based-attacks-and-how-well-it-does-it)

Nikhil Mittal gave a really good breakdown of Microsoft's new AMSI (Antimalware Scan Interface) feature, built primarily to deal with malicious PowerShell scripts executed in memory.
I've recently seen this feature being integrated into several endpoint protection solutions and was curious about how effective it actually is.

TL;DR: Although AMSI is a good effort by Microsoft to address the huge attack surface that PowerShell has opened on all modern Windows systems, it has flaws that enable attackers to bypass it with a single line of code. However, this measure does highlight that Microsoft isn't simply ignoring these issues and is actively trying to improve things by implementing more and more security features with every update.

BEYOND THE MCSE: ACTIVE DIRECTORY FOR THE SECURITY PROFESSIONAL
(https://www.blackhat.com/us-16/briefings.html#beyond-the-mcse-active-directory-for-the-security-professional)

Sean Metcalf, once again, delivers an awesome summary of what every Fortune 1000 company should be doing to properly secure its Active Directory environment; the talk covers key Active Directory components that are critical for security professionals and how to leverage appropriate defensive technologies.

TL;DR: This talk particularly resonated with me because the issues he brings up in his presentation are what I see on a regular basis in the "trenches" on almost every enterprise pentest. Sean also covers upcoming AD security enhancements that Microsoft plans on implementing this year (such as Windows Passport). A must-see in my book.

BADWPAD
(https://www.blackhat.com/us-16/briefings.html#badwpad)

Maxim Goncharov gave an excellent presentation and showed his research on how the WPAD protocol can be abused by an Internet-based attacker to intercept traffic from an internal network.

TL;DR: I’m kind of surprised this talk didn’t get more attention. From an enterprise standpoint, this subject is definitely something to be concerned about as it allows attackers to intercept internal network traffic by setting up WPAD ‘honeypots’ and taking advantage of bad DNS queries. If you’re using WPAD in your environment (and even if you aren’t, since by default all Windows systems have automatic proxy discovery turned on), definitely check this out.

STARGATE: PIVOTING THROUGH VNC TO OWN INTERNAL NETWORKS
(https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Klijnsma-Tentler-Stargate-Pivoting-Through-VNC.pdf)

Yonathan Klijnsma and Dan Tentler present on an aptly named vulnerability which allows attackers to pivot into internal networks from externally available VNC instances.

TL;DR: If you’re running outdated VNC servers externally, this issue should be setting off your alarm bells. The vulnerability allows attackers to access internal network hosts and resources from the Internet by abusing a design flaw in the VNC protocol.

BEYOND THE MCSE: RED TEAMING ACTIVE DIRECTORY
(https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory.pdf)

Another awesome talk by Sean Metcalf, this time talking about Active Directory from a more offensive perspective.

TL;DR: Another must-see. It will be useful from both the offensive and defensive sides, since he provides an in-depth explanation of all the current AD offensive techniques.

SIX DEGREES OF DOMAIN ADMIN - USING GRAPH THEORY TO ACCELERATE RED TEAM OPERATIONS
(https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf)

Andy Robbins, Rohan Vazarkar and Will Schroeder presented their latest tool, BloodHound (https://github.com/adaptivethreat/BloodHound): by applying graph theory to the concept of derivative admin (the chaining or linking of administrative rights), they've created a tool that can automatically find the shortest path a pentester has to take to compromise any account (among other things), and display all the information in a pretty graph.

TL;DR: I’ve used BloodHound on a pentest recently and I can attest to its awesomeness. It gives the assessor an unprecedented level of insight into any Active Directory environment, and it is now on my list of tools that I use on every assessment. From the defensive side, this tool is invaluable since it can be used to quickly identify accounts with excessive permissions/privileges and lots more.
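To make the derivative-admin idea concrete, here is an added toy example (my own illustration, not BloodHound's code) that models chained admin rights as a directed graph and uses breadth-first search to find the shortest chain from a user to the Domain Admins group, plus the defender-side view of every user that has some path there. All users, hosts and edges are constructed sample data.

```python
from collections import deque

# Constructed sample edges, not real AD data. Edge types follow the
# derivative-admin chain: a user is AdminTo a host, a host HasSession of a
# user (a local admin on that host can obtain that user's credentials), and
# a user is MemberOf a group.
EDGES = [
    ("alice", "AdminTo", "WS01"),
    ("WS01", "HasSession", "bob"),
    ("bob", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "carol"),
    ("carol", "MemberOf", "Domain Admins"),
    ("alice", "AdminTo", "WS02"),
    ("WS02", "HasSession", "dave"),
    ("helpdesk", "MemberOf", "Domain Admins"),  # constructed excessive privilege
]
USERS = {"alice", "bob", "carol", "dave", "helpdesk"}

def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, target):
    """BFS over the rights graph; returns the edge chain or None if unreachable."""
    queue, parent = deque([start]), {start: None}
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph[node]:
            if nxt not in parent:          # first visit is the shortest hop count
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def principals_reaching(graph, target):
    """Defender view: each user with a path to target, mapped to its hop count."""
    hops = {}
    for user in USERS:
        path = shortest_path(graph, user, target)
        if path is not None:
            hops[user] = len(path)
    return hops

GRAPH = build_graph(EDGES)
```

Sorting the result of principals_reaching by hop count surfaces the shortest chains first, which is where a defender would start trimming admin rights and stale sessions.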


Finally, I had the honor of presenting CrackMapExec (https://github.com/byt3bl33d3r/CrackMapExec) at the BlackHat Arsenal and Defcon demo labs this year, and as usual it was an extremely fun and humbling experience. I had a chance to talk with the creators of BloodHound, and we plan on integrating the two tools together in the hope of creating a 'one-click' Active Directory pentesting tool, which I will be detailing in an upcoming post.

Marcello Salvati
