DEF CON 27 - Marina Simakov - Relaying Credentials Has Never Been Easier
Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secrets storage of the organization. One of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols - NTLM, which is a constant source of newly discovered vulnerabilities. From CVE-2015-0005, to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of the attackers' favorites.
Although mitigations such as server signing are offered, protecting the entire domain from NTLM relay is virtually impossible. If that weren't bad enough already, we will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which enables an attacker to perform NTLM relay and take over any machine in the domain, even with the strictest security configuration, while bypassing all of today's offered mitigations. Furthermore, we will present why the risks of this protocol are not limited to the boundaries of the on-premises environment and show another vulnerability which allows bypassing various AD FS restrictions in order to take over cloud resources as well. ... https://www.youtube.com/watch?v=JoSl5C2HOSc
Welcome to a data center! A place where the air conditioner never stops and the long line of tiny, red and blue LEDs dance chaotically over the sounds of the never-ending fans, playing in unison.
One thing is certain, everyone avoids data centers like the plague. And, like one of the greatest leaders of our time once said: "Behind every need, there is a right" (or in this case, a product).
Welcome to the world of Out of Band Power Management devices, where vendors decide to put an extra microprocessor inside the motherboard to allow you to remotely monitor heat, fans, and power.
We decided to take a look at these devices and what we found was even worse than what we could have imagined. Vulnerabilities that bring back memories from the 1990s, remote code execution that is 100% reliable and the possibility of moving bidirectionally between the server and the BMC, making not only an amazing lateral movement angle, but the perfect backdoor too.
...
https://www.youtube.com/watch?v=HRgh4U29cbE
...
https://www.youtube.com/watch?v=cPbE4sh0C78
Sean Metcalf, Founder & Security Principal, Trimarc
Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.
Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.
Sean Metcalf is founder and principal security consultant at Trimarc (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who hold the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at the BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.
Twitter: @PyroTek3
...
https://www.youtube.com/watch?v=tEfwmReo1Hk
...
https://www.youtube.com/watch?v=Yxd9_kNtoZg
...
https://www.youtube.com/watch?v=mZ1LMWN_7Fc
...
https://www.youtube.com/watch?v=QeSmflCEZeA
...
https://www.youtube.com/watch?v=Uu_kXQo5rz4
...
https://www.youtube.com/watch?v=rTCce1CcSUs
Despite high-profile failures, there can be no doubt that embedded security is improving. Yet several dark clouds loom on the horizon, including side-channel attacks and fault attacks. For many, they remain vague and undefined, with complicated analysis required to understand whether they even apply to a target of interest, let alone how to perform the attack.
This talk introduces a new open-source tool, called ChipWhisperer-Lint, that will solve at least one of these problems. It can be used with the open-source ChipWhisperer hardware to completely automate finding power analysis attacks in arbitrary devices. The initial tool supports the AES algorithm, and five microcontrollers with AES hardware acceleration (which have not been previously broken) will be demonstrated to be vulnerable to side-channel power analysis. These attacks mean products relying on their encryption to protect critical secrets could be easily compromised (such as happened with the Philips Hue attack).
This tool extends Colin's previous work in making power analysis attacks accessible to every engineer with open-source hardware and software. This latest tool is a leap forward in accessibility and laziness, by removing even the need to truly understand how the attacks work. Now there can truly be no excuse for using insecure devices in your products, as finding specific side-channel power analysis vulnerabilities can be performed in a few minutes across a wide range of embedded devices.
...
https://www.youtube.com/watch?v=CVfn0hbD-xg