Can you guys hear me now? So, hello everyone. I am 800XL. As already mentioned, I'm with DEF CON Group 619/858 San Diego, and just a few quick fun facts about me. The first ever hacking movie I saw, in the mid 80s, was WarGames; if you haven't seen it, you should watch it. My first computer, and also the inspiration for my handle, was the Atari 800XL, which I received at the age of 15, and that was quite a life-changing event for me that shaped my interests and passions going forward. Just a note about the Atari 800XL, to put things into perspective: it was an 8-bit computer with 64K of memory, and that's how I learned how to program.

My first DEF CON, and it's been quite a while since then, was DEF CON 14, and that was at the Riviera Hotel and Casino. I believe that casino is no longer around, it has been demolished, and that was back in 2006. Now when I think about DEF CON and that first DEF CON, I clearly remember driving back home with a bit of sadness that the event was over, and dreading how many months it would be before I could come back to Las Vegas and attend the next DEF CON conference the following year. As it turned out, DEF CON Groups was the perfect remedy for that, and we'll get to that in a bit.

So, a little bit about San Diego. For those of you who don't know much about San Diego, it's located in Southern California on the border with Mexico, and it is the 8th largest city in the United States with a population approaching 1.5 million. We are known for great microclimates and beautiful beaches, but to be honest I only go to the beach like five times a year, even though I'm close. As you know, DEF CON Group names are designated by dialing area codes, and in San Diego the original dialing code was 619; we also have 858 and 760, which is North County. Another fun fact is that we are 534 kilometers from Las Vegas, which means that when the DEF CON conference is on, it takes about five hours to drive to get there, or you can fly and that takes like 30 minutes.

Group history: DEF CON Group 858 was originally founded by Tech Lord. I've actually never met him in person, but I did read about the group on the DEF CON forums after I went to DEF CON for the first time in 2006, and I was involved in DEF CON Group 619, which was founded by Renan 01 Carl. He founded the group in 2007. Unfortunately that group fell apart. From 2009 to 2012 there was no activity from DEF CON Groups, and I decided in December of 2013 that it was time to revive it from inactivity, and it's been going very strong since then; we are approaching our seven-year anniversary.

Our DEF CON Group leadership responsibilities include organizing and running the meetings, organizing various events and the DEF CON party that we have annually, soliciting people for talks (which is probably the hardest part), managing social media, presenting, ordering pizza for the meetings, etc. The three key people and other organizers for the group are Mr. Bill, who specializes in our social media, Twitter and Twitch, Braxis, and Talk, which is in the North County of San Diego, so shout out to you guys. On average we had approximately 30 attendees at each meeting, sometimes even approaching as many as 40. Currently, because of the social distancing guidelines, which we follow, we conduct our meetings on Zoom, and we also stream the meetings to Twitch. Every week Mr. Bill also organizes virtual happy hours in between meetings. We collaborate on Slack; our Slack has approximately 190 members. Our team, Vapor Sec, competes in various CTFs, and that's pretty much on a weekly basis.
It's a very active group. We have had occasional workshops; at least twice we have had a lockpicking village, and we also have done a wireless workshop in the past. Now, the other fun thing we do, usually around December, is a crap meet: this is when the members bring books, electronics, any kind of cool unwanted items for exchange or just to give away. And once a year we organize a party at DEF CON for group members and friends, so hopefully next year, when we have an in-person DEF CON, thank me and you get an invite.

Speaking of things that we do, I should mention that two years ago we had our DC858 electronic badge, and the project was led by Elwood and Agar. Thanks to the badge sale proceeds, it was possible to actually fund the pizza for our monthly group meetings for an entire year, and I should also mention that Elwood and Agar made a significant donation on behalf of DC858 to the Women in Security and Privacy organization, which is very cool.

Let's see, I should mention some of the cool talks that we've had in the last 12 months. As you can see, talks cover a variety of topics. We are lucky to have many active contributors and subject matter experts as members, and I should also point out that when we have the meetings in person, we had two to three talks at the same meeting, which is quite busy.

For starting and growing your DEF CON group, and I think we are very successful and very active, I recommend advertising on the DEF CON forums. However, the activity on the DEF CON forums is cyclical; usually it's more active, more people visit, right before DEF CON and not so much afterwards, but it's a good place to start. Obviously, utilizing social media and Twitter and hoping for DEF CON Groups retweets is a great way to get members to attend your meetings. I also recommend being very specific and having a topic for the meeting rather than just a meet and greet or having beers; I recommend having a topic of some sort. Don't be afraid to host introductory 101 talks; your talks don't have to be advanced. It's also okay to have short lightning talks. Maybe bring an idea or a topic to your group that you want to discuss, or a project that you want to work on. Invite guest speakers. I think, now that we have all the groups engaged, it is possible for somebody from a different group to jump on your Zoom and give a talk as a guest speaker, so you should reach out. You can get an invite to the unofficial DEF CON Groups Discord that we have and ask for guest speakers there. I've already mentioned that having workshops such as lockpicking is a good way to get people interested in your meeting, and also having the crap meet or something like a war driving contest: simple things that get people interested.

Where to meet?
We chose a local pizza place which has a private room and a couple of TVs where we can project presentations, which is very convenient and also gives us a little bit of privacy because we have our own room, and I think that particular Wednesday of the month is probably the biggest burst of revenue for that pizza place. Obviously, that's not possible now since we are following social distancing guidelines and we are doing virtual talks, but when things get back to normal most likely we'll go back there.

Frequency of your meetings: I guess it depends on how much content you have. If you are in a really large group with a lot of talks and a lot of volunteers to give talks, you may want to do it twice a month. But if you have fewer people, maybe doing those meetings quarterly is more appropriate. It's very important to keep the momentum going, so definitely set up a chat, Discord or Slack, so your team members can communicate and collaborate in between meetings. Also, don't go at it alone; that will most likely lead to burnout. Build your leadership team, distribute responsibilities, delegate tasks as much as you can. Sometimes real life will take over. You may not be able to participate, and you want to keep your group going, so it's important that you have other people to fall back on. And if you'd like to connect with DEF CON San Diego, you can reach out to us on Twitter or Facebook, watch our Twitch streams, or email us. And that covers the introduction to DEF CON San Diego.

Up next we have a DC858 member, Smoochie, who will give his talk, so let's welcome "Microsoft: How to Save Yourself from Their Active Directory and Identity and Access Management Design".

So, with most of my talks, I always like to remind everybody that we are definitely in a privileged group that may get a little numb to the phishing campaigns and the jokes out there, for example the Nigerian prince and the IRS calling you. Those are things that we make fun of, but people fall victim to it. I personally had to deal with that with my in-laws: Microsoft called them directly and wanted to fix a problem of theirs, and that ultimately caused an issue that I had to help resolve. So these things that we're aware of, just speak out about the obvious things. Make sure your in-laws, your family that are non-technical, know that this isn't something that happens in the real world: Microsoft is not going to reach out to you because you're a valued member, and the IRS is not going to call you and tell you that they're going to sue you if you don't send $100 this very instant. And of course, no major business does any type of commerce in Apple gift cards, so that should be a dead giveaway.

Okay, so in broad strokes, what we're going to talk about is what's wrong with Microsoft, good or bad, and how you can design a system, secure your system, protect your system against these by-default settings and design decisions by Microsoft. One of the biggest ones that you need to take into account as you design any system is to always assume a breach. There are no safe zones anymore. With the rapid change of software and hardware that's out there, there are going to be bugs and there are going to
be unintended backdoors. There are going to be unintended consequences that no person is going to be able to keep track of. So as you design any system, or as you upgrade any system, or as you review any system, always assume compromise. Assume that at some point the thing that you're touching is going to have somebody on it that you don't want to have on it. So how can you help mitigate that concern when it does happen, and limit the impact and success that attacker, or anybody who's just making mistakes, could have on your environment? And again, it's not an if but a when, of when you're going to have some issues. You know the old adage, the script kiddies are just out there poking around having fun, but that's still the case, right? It doesn't take much to go find tools that are out there. Kali Linux is well advertised. You do a couple of keyword searches in Google and you can find yourself going down the rabbit hole and identifying tools that'll just do this for you, right? And people are out there unaware of the ethical challenges of banging on the front door of someone's network, right? You can look at the Twitter compromise that just happened: it's a 17 year old kid, right? How many years before that was he just playing around before he actually got deep into the SE and the actual phishing aspect?

And then separation of duties. I know it's very easy to just say, hey, I'm your admin, I need full god rights on everything. Well, that's not how things should be operating, right? You should have very specific controls. You should have separation of those responsibilities; for example, your Exchange or email administrator probably shouldn't be the same person as your domain administrator, right? Because the impact that person could have is significant. Now, in smaller shops where you're unable to do this, you can start to separate those duties with accounts, so you can have an Exchange administrator account, your domain administrator account, and your user account, just to make sure that any one account or any one person can be audited and does not have that wide blast radius if something does go bad. And when installing anything on your network, at home or at work, take into account the install permissions. It's far too easy to say, hey, I need root rights, or hey, I need domain admin rights, and the install just goes great, but there are unintended consequences with service accounts being created or permissions on files being set up in that process that may cause harm in the future.

So on average it takes about 24 to 48 hours from the first host being compromised before someone's able to escalate their privilege to domain administrator or root rights. Now, once that person has domain administrator rights on your network, your network is essentially theirs. Domain administrator, for those that are not used to Microsoft and Active Directory, that's full god rights. That's modifying accounts. That's changing passwords. That's removing computers from the domain. That's modifying files.
That's anything and everything that they would want to do within the kingdom. And the persistence of a user once they have those rights: you're normally not able to identify them with the tools that are out there in network land today. So a lot of these things have to have outside help to come identify those. The FBI has been reaching out when they've identified traffic from the nation state actors, Russia, Iran, all of those guys. A lot of these companies don't even know that they're there, and it's these third parties that come in and say, hey, we've seen this traffic, can you validate that this is valid for your company, or they confirm that they have actually been compromised. And once those credentials are compromised, they're exfiltrating data, they're modifying data. So it's very important that we get a tight rein on those elevated permissions.

So the way that Microsoft does password hashing is not unique to every domain. You have a user, the username is "user", their password is "password1". Well, Microsoft will take that combination of username and password, create a hash based on their algorithm, either for LAN Manager, which is the old way of authenticating, or NTLM, which is the new LAN Manager, and you get a hash. Now the great thing is that no matter what domain you're on, that combination will always have the same hash. So if you're at the Alt Space domain and you put in user1 and password1, that hash that you get in NTLM will be the exact same when you go to Microsoft and put in user and password1, which is an issue in itself, right? Because you can start to build this domain knowledge of standard usernames and start to create those passwords, and because Microsoft doesn't salt the passwords, does not create that blank data in it, again, it's not unique across people's domains. So what can be done, and what is available, is you can start to calculate these hashes. So for username "administrator", password1 creates a unique hash, then password2, password3, password4, and then you can also pull hashes and start to look them up within that database, or the rainbow table, and know what the password is. So it's not a lot of effort, and again, there are tools out there that do this for you. And the basic process for a lot of people: they use the administrator account with the administrator name; they don't change the name itself, right? There's still the guest account. There's still a lot of built-in stuff that they don't change that is pretty consistent across the board, and we're actually going to get into that with one specific account and why that's important.

Taking the passwords and the hashes: where can you find them, outside of having those hashes? So within Group Policy Objects, people hard code in usernames and passwords for ease of use, for installation of capabilities, or just pure laziness. So mapped network drives within those Group Policy Objects, an account on the box that's running a specific application, while that password is in clear text most of the time for those accounts; data sources, printer configurations, update services, scheduled tasks, all those require authentication, and that password and username have to be stored somewhere, and nine times out of ten it's going to be stored in clear text within Group Policy Objects. SYSVOL for batch files: so if you create a custom batch file to delete a file on logon or to create a folder structure on logoff,
that's going to take some credentials. Those passwords are probably within that batch file itself.

On the domain controller, you can use a Volume Shadow Copy and create a copy of the actual domain database itself, the ntds.dit, and on that same domain controller that you pull that .dit file off, the decrypt key is actually in the registry. Now, the good thing is that the decrypt key is tied to the actual machine itself, so it's not one universal decrypt key for every domain; domain controller one has one decrypt key, domain controller two has a separate one, and they are unique in that regard. And then you can run tools out there. So hopefully you all are aware of these ones. Mimikatz is one of the holy grail tools out there; it kind of does everything, it's a Swiss army knife for how to take over a domain. That's created and deployed by gentilkiwi. There is kremming, and DCSync, which is a capability for you to basically synchronize data from a domain.

Authentication within Active Directory is pretty straightforward. Kerberos has been around for quite some time, but in broad strokes you have a user here that says, hey, I need access to something, here's who I am. The domain controller validates that and says, yep, here's a ticket, you are who you say you are. The workstation says, cool, I want to go do this: get access to this server, go check out this website, whatever is Kerberos enabled. The server says, cool, yep, you are authorized to do that based off your groups and your rights. Send this over to the server, or your application server, and you just have that back and forth like TCP packets. Sounds good, right? You have separation of duties within the authentication. You don't have one machine saying who they are; everybody validates who they are, a circle of trust, everything's great. But those tickets that are created by the domain controller are signed by a specific account, and that account is the Kerberos ticket granting ticket account, and the hash that it uses for encryption is the hash of that username and password, just like Microsoft does for every single account that I talked about before. So using tools like Mimikatz you're able to impersonate whoever you want to impersonate once you have that hash of the Kerberos ticket granting ticket account. So essentially you use Mimikatz, you read the domain, which is read-only to every single account on the domain, so as long as you're on the domain you can read that information. You use Mimikatz, it's a very simple command, to pull that hash; once you have that hash you use Mimikatz to create that golden ticket. At that point you are able to sign and create any ticket that you want. So the ticket that would normally go from the user's station to the domain controller saying, hey, I'm an admin, here's my hash, give me a ticket that says I can do what I want: that's essentially gone. As the user, you're passing that ticket that says I'm already authenticated as an administrator, let me do what I want to do.

So how would this all work in the grand scheme of things? Starting on the left as patient zero, we'll go through the black. Patient zero is infected: you've clicked on a bad link, you've installed some malware, you're subject to a phishing campaign, whatever the case may be, something like that happening. So starting on the left, they have access to that machine. Well, any good attacker is going to set up a C2.
So they're going to beacon back using some type of remote console, most likely netcat, but essentially the traffic is going to initiate from that host out to your command and control center. Once they have that foothold within the machine, on the machine itself, again, they can read all of Active Directory because it's read-only by default. They can start to install keyloggers and look at what data is on that local machine. They can also grab the credentials with the LSASS service, which is the service that stores the hashes on every host.

So what I was saying was, as I talked about in the beginning slides, we're going to design for compromise. We're going to understand that the endpoint is going to be compromised at some point, because of zero days, because of phishing, because of all of the multitude of vulnerabilities that are out there that could be used to take over that host, right? At the very least, somebody shares their username and password or they put it underneath their keyboard. Whatever the case may be, there's a patient zero. Now, that patient zero machine on your network: any good attacker is going to try and set up a command and control setup, and it's going to be a remote console, so the communication is going to initiate from that host out to the command and control system out on the internet. Most firewalls out there are ports and protocol firewalls, and they say, hey, anything initiating from the internet, do not come into my network, right? Anybody that's saying, hey, I'm 443 going out on 443, nine times out of ten that's already permitted. And you're not going to know the difference between them going to Google HTTPS or some other server HTTPS, because there's no break and inspect, right? We're not looking at that traffic; the encryption happens between the host and server.

Once they have that foothold within that host, you're able to pull all of the Active Directory credentials, sorry, you're able to pull all of the Active Directory information, because Active Directory is read-only. So you can pull those GPOs, you can pull the usernames, you can understand structures, you can pull your organizational units, your OU structure, and start to build that greater recon on that domain that you're on. And then of course, actually on the hosts themselves, you can put on keyloggers, you can look at the data that's stored on there, and you can pull those credentials. Now, using any type of privilege escalation path, so a vulnerability or an exploit, or that user's already logged in as an administrator, you're able to get admin rights on that box. And so from there you're able to pull hashes, you're able to look at active credentials, you can change passwords on the host, you can do anything you want to do on that single host. Now the money is where you're able to reach out and gain access as a privileged user within the domain. And so everything that's within the yellow at this point is assumed local user or non-privileged user. When you pass the hash from the host out to another server or system, again, that hash is your username and your password in a single string, and so the other servers can digest that and say, yep, give me that hash, great. Pass the hash attacks are well documented out there, and you're able to get access impersonating that user. Now the trick for escalation is really nuts and bolts in the separation of duties, right?
So we don't want people logging into their daily driver machines, the machines that they check their email with, the machines that they go to the internet on, as a domain admin. Sad to say, that's still very much happening, and I understand why, good or bad: as a domain admin you can do whatever you want. There's nothing restricting you. You don't have to ask for access; everything's presented to you. From there you can use tools like Mimikatz to grab credentials, to grab the hashes, and then you can start to create your golden ticket, and at that point you can impersonate anybody that you want and your persistence is pretty much guaranteed.

So what can you do about this, right? This is built-in Microsoft capability. They're all about collaboration and integration, so these are the trade-offs that they've made as a solution, to say we want this to move fast and we want things to work together quickly, over security. So as an individual you can implement break and inspect. You go to https://google.com, you're swapping certificates with that server that says, I am google.com, here's my public key, send me data, we will encrypt this communication. When you pass that through any of your next generation firewalls, they can't see anything but encrypted HTTPS. An F5 device essentially terminates the encryption, right? So your F5 device essentially impersonates Google; you can see that HTTPS traffic and then move on to encrypting that with the server that you're communicating with. In that way you can look at the payload. Now this is different: break and inspect and TLS offload is different from your normal load balancing, where your host comes in and makes that connection with your F5 device and then traffic is in the clear back to your server. So it's really about what we're looking to protect. Are you protecting your data, users connecting to your stuff, or are you trying to protect your users connecting out to other servers? It's a trade-off that you're going to have to make; there are obviously implications on speed and throughput, and devices like F5 are notoriously expensive.

The other thing to implement, if you are on Windows 8 or above, is Credential Guard. Credential Guard takes that LSASS capability that stores those hashes and virtualizes it. So if they take over that host, they're unable to pull any hashes that have been used on that machine, and that's very, very important, because if a domain administrator has logged into that machine, that may not be the user that's currently logged in, but the hash is still stored in LSASS. And that's very important because a lot of the time domain admins, or people with escalated privilege, log in to machines to fix a problem or to install software. Using Credential Guard allows you to virtualize that and keep that isolated from somebody who has compromised that local machine, and this fundamentally breaks Mimikatz, and like I said before, Mimikatz is the bread and butter for taking over Active Directory.

You can also do AD segmentation, so partitioning out where that information is going to live: having domain admins live within a completely separate domain, a completely separate forest, from where the data lives. So that way when a user is ultimately compromised, what they're able to access and what they're able to view and what they're able to pull is extremely limited. Because again, design for compromise: with all the threats that are out there and the changes in the software, it's very hard,
if not impossible, to keep up on everything and have everything patched to a level that accounts for all of the new stuff that's out there. And so what you effectively do is you take your privileged accounts, your enterprise admins, your domain admins, and put them in a completely separate domain, meaning isolated domain controllers, isolated servers, isolated virtual environments, because you can backdoor into a Windows domain, if you're using VMware, through VMware capability to get escalated rights within your domain controller if it's virtualized, and then take over the domain itself. So you're really trying to draw a clear line between what your users can access and what can be accessed in a nefarious manner.

And then, using Microsoft's suggested terminology, they have their tiers, where tier zero is your highest level, your forest domains, your enterprise domains, and those live separate and they can communicate within, but you don't talk down, right? So you don't log in as a forest domain into a resource within a tier zero. You can always escalate up; you never escalate down. And that's to keep those credentials isolated from any of those hosts that ultimately may become compromised, right? And so again, that idea that an enterprise domain or domain controller wouldn't log into an endpoint, because that's going to be the first line of attack.

What are some of the standard things that ultimately lead to compromise? Your access control lists, users out there, your group membership. Your help desk person is never going to need to take over accounts, right? They may need to reset the password. Best practice would be to put something in between that right, and a service account that you would have heavily monitored, so that whenever it's used it needs to be tied to a help desk ticket, something that you can start to draw those parallels to in your logging, so you can understand anomalies that are happening.

Password reuse: this one happens a lot, where you have good isolation, you have a domain admin account, you have your Exchange account, you have your user account, and they're maybe joe.admin, joe.exchange, joe.user, but the password's all password1. So that one's going to get you, and again, it's all about not salting, so it's the same hash. So if they have an administrator account with password1, it's going to be easily found, because every other domain that has the same username and same password has the same exact hash.

Service accounts: service accounts are meant to be targeted-use, quote unquote, user accounts that you would create that execute a specific purpose, and that specific purpose needs to be locked. They are created for a specific capability and it's just set it and forget it, and sometimes those passwords are shared among other service accounts, sometimes those passwords are written down, sometimes those passwords are the default from the vendor.

And elevated permissions on the workstation: again, that user logging into the machine with the elevated permissions that goes to the internet, that checks their email; if they go to a nefariously crafted link or they download a bad file, that file is being run under that user's permissions. So we really want to isolate that account to just what it should be doing, meaning that if it's a user, it's user rights: they have enough rights to log into the machine, to boot up whatever applications they need to boot up, and nothing more. Anything that they need to do on top of that, say developers or whatnot,
they should be elevating to another account to do that specific capability.

And then application whitelisting. So most of the time your secretary's machine is never going to need to run PowerShell, right? You see PowerShell running on that box, it's a dead giveaway there's something wrong. Maybe on your developers you have a little bit of leeway because they're doing other things, but you really need to understand who's out there, what are they doing on the machines, and only allow the specific applications that you want them to run. And in that instance, if they do download an application, let's just say they think they're downloading Spotify or Zoom and it's not what it's supposed to be, they execute that, it's not authorized to run, that binary never kicks off.

And LAN Manager hashes: like I spoke to earlier in the presentation, LAN Manager is an old way of hashing usernames and passwords, and it's very, very easy to crack. It takes really no processor time at all. So it's only in place today for legacy applications. So if you do have a legacy application out on your network, that thing probably has some issues as well. So you really should identify why you need that enabled, if you do; identify why that thing still needs to be on the network, why that application still needs to be on the network, and probably look at some type of deployment plan to get that onto a newer operating system or a different capability, or maybe even a software as a service solution. That way you really start to lower your risk to your network.

And enumeration is understanding what's out there, right? If somebody who stood up that network put every single user in the domain admin rights group because that was the easiest thing to do, your risk is off the charts, right? So you need to look at your groups, you need to look at your users, on a pretty regular basis to make sure that nothing's changing. If you're in a position to be able to deploy new solutions, or maybe to procure stuff, there are a lot of products out there that you could download, open source, or buy, that can heavily monitor group membership and notify you of any changes, and in some instances they can even block it based on business rules.

Volume Shadow Copy on domain controllers: domain controllers themselves replicate among themselves. You don't need to do Volume Shadow Copies of a file structure on your domain controller to another server. You just need to disable that, and if you do have a scenario in which you need Volume Shadow Copy, please reach out to me, I would love to understand that problem. Understand who's reading that, who's pulling the information, and who has access, and monitor that with any type of logging capability that sends you alerts as soon as something's out of the norm on that.

If you can, block peer-to-peer communication, so end user machine to end user machine. I understand that there are a lot of solutions out there that would require peer-to-peer capability, but if you can block the adversary from leapfrogging to other hosts, your peers that are generally less secure, you should do that.

And then of course log, whitelist, and block if you can: PowerShell. PowerShell is extremely powerful; you can do a lot of things with that. And again, I don't think the secretary would ever need to run a PowerShell script, and any of your developers that might, you would look to see what access they truly need and give them an account to do that in a very specific scenario.

All right, with that, that is my presentation. Thank you very much.
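The detection side of three of the talk's recommendations (privileged accounts never logging on below their tier, watching privileged group membership for changes not tied to a ticket, and treating PowerShell on a non-developer machine as a giveaway), as an added example that is not part of the talk or the speaker's material. It runs three rules over a handful of constructed Windows Security event records. The event IDs are the standard Windows ones (4624 logon, 4688 process creation, 4728/4732/4756 member added to a group); the account, host and group names, the logon-type values chosen, and the approved-change list are assumptions made up for the example.

```python
"""Three Active Directory hygiene detections over constructed Windows Security events.

Added example, not the talk's own code. The tier-0 accounts/hosts, developer hosts
and approved-change list below are hypothetical values standing in for what an
organisation would load from its own inventory and ticketing system.
"""
from dataclasses import dataclass

# --- assumed environment model (hypothetical names) ---------------------------
TIER0_ACCOUNTS = {"joe.admin", "ent.admin"}            # domain / enterprise admins
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}                # DCs and a privileged access workstation
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
POWERSHELL_HOSTS = {"DEV01", "DEV02"}                  # the only machines expected to run PowerShell
INTERACTIVE_LOGON_TYPES = {"2", "10"}                  # 2 = console, 10 = RemoteInteractive (RDP)
POWERSHELL_BINARIES = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")
# Group changes that a help desk ticket already approved: (group, member DN).
APPROVED_GROUP_CHANGES = {("Domain Admins", "CN=Alice Ops,OU=Admins,DC=example,DC=local")}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def tier_violations(events):
    """A tier-0 account logging on interactively to anything that is not a tier-0 host."""
    found = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        user = e["TargetUserName"].lower()
        if (user in TIER0_ACCOUNTS
                and e["LogonType"] in INTERACTIVE_LOGON_TYPES
                and e["Computer"] not in TIER0_HOSTS):
            found.append(Finding("tier0-logon-on-lower-tier", e["Computer"],
                                 f"{user} logon type {e['LogonType']}"))
    return found


def privileged_group_changes(events):
    """Member added to a privileged group without a matching approved change."""
    found = []
    for e in events:
        if e["EventID"] not in (4728, 4732, 4756):     # global / local / universal group
            continue
        group, member = e["TargetUserName"], e["MemberName"]   # 4728: TargetUserName is the group
        if group in PRIVILEGED_GROUPS and (group, member) not in APPROVED_GROUP_CHANGES:
            found.append(Finding("unapproved-privileged-group-add", e["Computer"],
                                 f"{member} added to {group} by {e['SubjectUserName']}"))
    return found


def unexpected_powershell(events):
    """PowerShell process creation on a host that is not on the developer list."""
    found = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if exe in POWERSHELL_BINARIES and e["Computer"] not in POWERSHELL_HOSTS:
            found.append(Finding("powershell-on-non-dev-host", e["Computer"],
                                 f"{e['SubjectUserName']} ran {exe}"))
    return found


def triage(events):
    """Run all three rules and return every finding."""
    return tier_violations(events) + privileged_group_changes(events) + unexpected_powershell(events)


# Constructed sample events (fields named as in the Windows Security log).
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-FRONTDESK", "TargetUserName": "joe.user", "LogonType": "2"},
    {"EventID": 4624, "Computer": "WS-FRONTDESK", "TargetUserName": "joe.admin", "LogonType": "10"},  # DA RDPs to a workstation
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "joe.admin", "LogonType": "10"},          # tier-0 host: fine
    {"EventID": 4728, "Computer": "DC01", "TargetUserName": "Domain Admins", "SubjectUserName": "joe.admin",
     "MemberName": "CN=Bob Intern,OU=Users,DC=example,DC=local"},                                   # no ticket
    {"EventID": 4728, "Computer": "DC01", "TargetUserName": "Domain Admins", "SubjectUserName": "joe.admin",
     "MemberName": "CN=Alice Ops,OU=Admins,DC=example,DC=local"},                                   # approved
    {"EventID": 4728, "Computer": "DC01", "TargetUserName": "Sales", "SubjectUserName": "helpdesk",
     "MemberName": "CN=Bob Intern,OU=Users,DC=example,DC=local"},                                   # not privileged
    {"EventID": 4688, "Computer": "WS-FRONTDESK", "SubjectUserName": "joe.user", "NewProcessName": PS_PATH},
    {"EventID": 4688, "Computer": "DEV01", "SubjectUserName": "dev1", "NewProcessName": PS_PATH},   # allowed host
    {"EventID": 4688, "Computer": "WS-FRONTDESK", "SubjectUserName": "joe.user",
     "NewProcessName": "C:\\Program Files\\Spotify\\Spotify.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On real data the event dicts would come from a log forwarder or `Get-WinEvent` export rather than the inline list, and the three allow-lists are the part worth maintaining carefully: the tier rule is only as good as the inventory of tier-0 hosts, and the group rule depends on the ticketing export being current.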