I'm Justin and I'm going to be going over AD and how you can own it using management software. So we'll get started here. Introduction: it's going to go over isolation, how you need to isolate AD from everything else, and the management environment of AD and how it's handled. I'm specifically going to be looking at SCOM, HP iLO and Hyper-V and how they can be used to own AD, essentially. There are no vulnerabilities; we're just going to look at how they're abused if they're not managed right and not configured properly. The software used to manage the domain controllers is often overlooked, and as you know it handles all the hashes, which, if you're after an environment, you want to get all the hashes, because once you get all the hashes you can own any box in the domain. So it's the crown jewels of the environment. Recommendations usually look at IDSEG, so they only look at Active Directory and the OS-level IDSEG, and they don't look at everything that interacts with Active Directory.

Background: I'm going to go over SCOM, which is used for monitoring. Of course if it's a high-value asset you want to monitor it, right? So you're going to use some sort of monitoring, and in this instance we're going to look at SCOM.

There's a SCOM security guide that is available on the internet. It's really long; nobody probably read it, they probably just hit next, next, next. There are also out-of-band management devices, which are network-level devices that allow out-of-band management, so if the machine is off then you can restart it; it's used for imaging, et cetera. We're going to look at HP iLO in this instance, and then Hyper-V as well. Hyper-V is virtualization, so if you host AD on a Hyper-V host then you also need to look at the Hyper-V host. There are warnings online about it, but it's often overlooked; everybody ignores the host and only looks at the OS-level IDSEG.

So first we'll look at SCOM. It's used for monitoring and alerting of health, and the SCOM SDK service is what it uses to interact with the agents and everything. It's opened up on 5723, and 5724 is what it uses, and these are required; these need to be open if you want to access the SCOM management, like if you actually want to look at the alerts and everything. So oftentimes organizations have these open in the firewall in order to look at alerts and everything out of the environment, because they want to act upon them, right? And nmap, for instance, won't scan for these, so if you use nmap then you'll need to add these to the list, and you'll see why in a minute. There's the SCOM agent as well, which runs on every monitored machine. It runs as Local System, so it's great because it's admin access, as you'll see in a minute.

Abusing the functionality of SCOM: SCOM has this beautiful feature called tasks, and they let you run arbitrary VB script on every monitored machine. So obviously if you can own the SCOM app or the machine, then you can run arbitrary script as Local System on every managed machine. You have to be a member of the SCOM Administrators or Authors role, which are application-level roles within SCOM, and you're able to then run these. So if you have a SCOM instance, then you need to have another instance that only monitors AD, and one instance that monitors everything else; obviously they need to be isolated, that's the whole goal here.

Here's an overview of the architecture, which was on MSDN. It uses the SDK, which then executes on the root management server, and then that runs the script on the agent-managed machines. It usually runs as whatever the agent is running as, and by default it runs as Local System, which I already mentioned. They have an Operations Manager console as well, and that uses the SDK as well, but you can also use the libraries that they have. Here's just a screenshot of the installation, and as you can see, by default it runs as Local System. There are many warnings out there on the internet that it can be very dangerous and it's bad, but nobody reads them of course, so we're going to abuse it.

Demo time. Hopefully this is showing here; we've got a few demos. Okay, not demo time, the demo gods are not with me today. All right, there we go, we have something now. It's only on that screen, so I've got to look down. All right, cool. So pretty much, here's the SCOM Operations Manager console. We're going to use it to auth using a low-privileged account that's in the SCOM Administrators role, because that's the way it was added, and it's usually how it's added. The SCOM console lists all monitored machines; in this example one machine is a domain controller.

In our new SCOM task, what we're going to execute is a reverse HTTPS shell. The VB script is written out to hard disk and then executed in the SCOM task, so as you can see there, we're just running arbitrary PowerShell and then running the script that's going to start our reverse shell. We'll copy that and create a new SCOM task under Authoring. We'll just call it meterpreter, and you can hide the name if you're going to be sneaky. We want to run it on all Windows computers, so increase the timeout value to half an hour; that way we have plenty of time to migrate into another process. Then we create the task. The actual user who's executing this, the SCOM SDK user, only has access on the SCOM machine, so obviously it's not an admin in AD. Then we run the task. We ran them against each of the machines, one's a domain controller, and you see we got the shells back, and it runs as Local System. So we're just going to open a session on the domain controller. We're not migrating yet. It runs as Local System by default, and then we're just going to list the processes and migrate into spooler, because after half an hour it'll end, since that's what we have our execution timeout set to, so you want to hurry up and migrate. Then we migrate processes and dump the hashes, end of story. There you go, there's the hashes, and now we've owned that domain.

You can also write arbitrary exes, and you can also write a reverse shell in VB script as well, which works. In this instance we're just going to write an arbitrary exe, so I'll skip ahead. I also mentioned here, here's the SCOM Administrators, and as you see there's the SCOM SDK Users group that is admins in the SCOM app and not in AD, obviously. So if you're an admin in the SCOM app then you're essentially an admin on the DC. So we just create another one here, and it's pretty much the same thing, I'll skip through it, except it's writing out an arbitrary exe and then executing it. You can run this across however many machines there are, so it'll spin up an instance on every agent, and then it just runs and dumps the hashes out.

One last example here that I had: 5724 is used by the SCOM SDK and the Operations Manager console uses 5723, so if that's not open but 5724 is open, then you can still use the SDK libraries that they have and you can execute everything using that as well; you just have to implement it on your own. In this example we're going to import a new management pack, whoops, and it's just going to run arbitrary commands. This is just a little app that I wrote that uses the SDK, really shitty app but it works. It imports the management pack and then you have kind of an interactive thing; you can execute whatever you want against it. So just another example.

Recommendations. Let me switch this back. Okay, I'll just move on. The recommendations are that the SCOM servers used to monitor AD need to be isolated, and not to allow the SCOM SDK ports open, so if they are, they need to be closed off. SCOM Administrators and Authors should be limited to only the admins, obviously, so you'll need another instance that only monitors AD. Move engineers and everybody else into the read-only or operator roles, and that won't allow them to execute new tasks, and also reduce the agent as well so it doesn't need to run as Local System. There's an official security guide for that you can read, my bad.

All right, so for evasion: SCOM tasks all need to be audited, obviously, so that if there are any hidden tasks in there they're audited. It also has the execution logs in SCOM, and by default it's one week, but you can edit that, which is really good if you want to increase it, or if you're the bad guy and you want to remove the execution logs you can also edit it. It also logs every auth in the Operations Manager event log. Here's just a screenshot of the history, and so you can obviously edit it to be zero days and then nobody will know what ran, or you can edit it for one month if you want to audit.

All right, so next we're going to go over out-of-band management devices. Every machine usually has out-of-band management hardware used for monitoring and maintenance, so it's used for imaging, for restarting if you run out of hard disk space, et cetera; it's for emergencies essentially. The admin interface is usually accessed over HTTP, or over SSL, SSH or IPMI, and HTTPS as well, and it's equivalent to actually having the actual box in your office in your hands, right? Many of them, all except for HP, have really shitty default passwords, and most of the time organizations might not update those, so you can use that as access. Also, about a month ago Rapid7 released some really nice remote root exploits that allow admin access without auth, so that's really useful now as well. They're often hard to update because it's usually very manual, so organizations might not update. Here's an example of HP iLO: they have an override switch that is actually on the actual machine, and if it's enabled then you don't have to auth at all, so it's awesome if you're after that machine. Here's a list of common usernames, and HP is the only one that is actually updated; all the rest aren't.

So one more demo. The mouse isn't coming over, give me one sec, it's not cooperating. This is HP iLO here, and what's going to happen is we're going to mount an ISO, boot into Knoppix, and then do sticky keys, and that's pretty much it. So you mount the ISO in the HP iLO integrated remote... oops, let me skip back here. All right, so we mount the ISO here within the admin interface, we start the machine up, and rather than making you watch it start up I'll skip ahead. It boots into Knoppix and we sticky-key the box; that way we can get access. We're just going to replace sethc.exe with cmd.exe, and that's just one easy way of many to get access if you actually have access to the box. So we'll rename it cmd.exe, except it doesn't, and then overwrite it and restart the box. We unmount the ISO, restart it back up, hit the shift key five times, and there you go. Obviously you guys know how it works: we hit the shift key five times and then we've got a shell as System. Sorry, it's nothing new. Then here you can just add another user or whatever you want, dump the hashes, et cetera. So we just add a user and then we get access to the box. Sticky keys off? No, it's all right, we'll move on here, running out of time.

Okay, so recommendations: update the default password, it should always be updated, obviously. Have regular patching for the out-of-band devices. Monitor audit logs for unauthorized access. Configure two-factor auth if you're able to. And you should also have another management environment for all these out-of-band devices; there's an article online as well that you can read that helps with that.

Next we'll go over Hyper-V. It's just virtualization software that hosts virtual machines. An administrator on the host has admin rights on all the VMs that it hosts, obviously. Here's another example where you can boot into a live disk and steal the VHD file, either or, I guess. Here's just how you mount an ISO, and then once you're in it you can steal the NTDS, and then you have all of Active Directory and you can extract the hashes offline, essentially. All anyone will know is that the machine unexpectedly restarted, obviously, unless they look at the host audit logs.

Recommendations: the Hyper-V hosts need to be isolated with AD, exactly like everything else, and the admins on it should only be admins, so it's an easy principle. Also you need to protect the VHD files as well, so only admins should have access to those, and it should also be in another management network. There's another article on that.

Then lastly, vulnerability scanners as well. Organizations usually do authenticated scanning, and those usually have admin rights on every box. So if you're scanning your domain controller with domain admin creds, the Nessus box or the Qualys box or whatever you're using should be treated as a domain controller. So if you own one of those, you own AD as well if there isn't isolation.

Conclusion: everything that interacts with AD needs to be looked at, so management stuff also has to be properly secured. That's about it, and here's my information, and I'll have everything up online next week.
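As an added example (not from the talk, and not Microsoft's own tooling), here is a PowerShell audit script covering the SCOM recommendations above: it lists tasks that did not ship in Microsoft management packs, shows who is in the Administrator and Author roles, and checks whether the SDK ports 5723/5724 answer from outside the isolated AD management network. It assumes the OperationsManager PowerShell module is installed; the server name is a placeholder, and matching custom roles by name is an assumption since a custom role can be called anything.

```powershell
# Added SCOM audit script (assumes the OperationsManager module is installed).
Import-Module OperationsManager -ErrorAction Stop

function Get-SuspiciousScomTasks {
    param([string[]]$TrustedPrefixes = @('Microsoft.', 'System.'))
    # Tasks whose Name does not carry a vendor prefix came from a custom
    # management pack; that is where an arbitrary-script task would hide.
    Get-SCOMTask | Where-Object {
        $name = $_.Name
        -not ($TrustedPrefixes | Where-Object { $name.StartsWith($_) })
    } | Select-Object Name, DisplayName
}

function Get-PrivilegedScomRoleMembers {
    # Administrator and Author roles can create and run tasks, so their
    # membership should be only the AD admins. Assumption: custom roles that
    # grant those profiles have "Administrator" or "Author" in their name.
    Get-SCOMUserRole | Where-Object {
        $_.Name -match 'Administrator|Author' -or
        $_.DisplayName -match 'Administrator|Author'
    } | ForEach-Object {
        [pscustomobject]@{ Role = $_.DisplayName; Members = ($_.Users -join ', ') }
    }
}

function Test-ScomSdkExposure {
    param([Parameter(Mandatory)][string]$ManagementServer)
    # Run this from a host OUTSIDE the AD management network; both ports
    # should report Reachable = False if the isolation recommendation holds.
    foreach ($port in 5723, 5724) {
        $r = Test-NetConnection -ComputerName $ManagementServer -Port $port `
             -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}

# Placeholder server name; replace with the AD-only SCOM management server.
$scomServer = 'scom-ad.example.local'
New-SCOMManagementGroupConnection -ComputerName $scomServer
Get-SuspiciousScomTasks        | Format-Table -AutoSize
Get-PrivilegedScomRoleMembers  | Format-Table -AutoSize
Test-ScomSdkExposure -ManagementServer $scomServer | Format-Table -AutoSize
```

Any task or role member the script lists that the AD team cannot account for is worth chasing down, and the port check belongs in a scheduled job so that an accidental firewall change is caught rather than discovered later.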