In Microsoft Active Directory, computers also have their accounts. We used to consider them useless when they turned up during pentests, but recent research showed that successfully relaying a machine account can actually lead to completely owning the machine. This talk will explain the foundation of such attacks and end with a demonstration of how a non-privileged domain user can get SYSTEM privileges on remote machines.
Active Directory is notorious for using long-broken protocols and preserving them for ages because backwards compatibility. In recent years, pentesters are realizing more and more how terrible these protocols can be, and security experts are finding more and more abuse scenarios.
Take for example the NTLMv2 challenge-response protocol: It was first introduced back in Windows NT 4.0 SP4 and is still readily available on modern windows. Apart from not being very resistant to cracking (using just a few MD5s), it turned out it's not resistant to MITM attacks at all. An attacker in a MITM position can relay any authentication attempts to almost any target. There were some mitigitations for this over the years, but we are just now starting to see people actually starting to use them.
So when relaying came to existence, security researches focused on "what can we do with this"? Obviously, if you manage to succesfully relay a Domain Administrator account, you have won; but that's not always possible.
Another protocol used extensively in Active Directory is Kerberos. The Microsoft implementation has several delegation/impersonation techniques available. And now, we know how to combine all these to be able to impersonate any user to a computer, given we were able to relay that computer's authentication at least once.
The talk will cover these main areas:
- NTLM Relaying
- Kerberos delegation
- Getting machines to authenticate to us
All tools necessary to perform this attack will be released as impacket modules.
This talk is mainly based on research by @tifkin_ (Lee Christensen), @harmj0y (Will Schroeder), @enigma0x3 (Matt Nelson), @elad_shamir (Elad Shamir), @_dirkjan (Dirk-jan).