Fun with LDAP and Kerberos: Attacking AD from non-Windows machines

You don’t need Windows to talk to Windows. This talk will explain and walk through various techniques to (ab)use LDAP and Kerberos from non-Windows machines to perform reconnaissance, gain footholds, and maintain persistence, with an emphasis on explaining how the attacks and protocols work.

This talk will walk through some lesser known tools and techniques for doing reconnaissance and enumeration in AD environments, as well as gaining an initial foothold, and using credentials in different, stealthier ways (i.e. Kerberos).

While tools like Bloodhound, CrackMapExec and Deathstar have made footholds and paths to DA very easy and automated, this talk will instead discuss how tools like this work “under-the-hood” and will stress living off the land with default tools and manual recon and exploitation.

After discussing some of the technologies and protocols that make up Active Directory Domain Services, I’ll explain how to interact with these using Linux tools and Python. You don’t need a Windows foothold to talk Windows - everything will be done straight from Linux using DNS, LDAP, Heimdal Kerberos, Samba and Python Impacket.

Detailed Outline:

Outline: * Intro and Background on AD-DS, LDAP, MSRPC and Kerberos * Discovering Windows domains and services through DNS * Fingerprinting DCs with unauthenticated LDAP metadata lookups * Underprivileged (non-admin) enumeration using LDAP and MSRPC * Using rpcclient effectively and common commands SAMR, NETLOGON, LSARPC queries * Enumerating local administrators through SAMR+LSAT * Using Impacket to talk MSRPC with underprivileged users * Practical ldapsearch queries * Enumerating users and group memberships * Enumerating computers and OS versions * Enumerating services * Enumerating GPOs * Enumerating Users with SPNs (for Kerberoasting) * Enumerating computers/users with unconstrained delegation or protocol transition * Setting up Heimdal Kerberos to talk to AD * Overview of Kerberos * Realm discovery and configuration * Checking out TGTs * Using Kerberos with Samba and Impacket * Password guessing with kinit and why it’s stealthier and faster than other techniques * Effective NTLM relaying with underprivileged users - RID Cycling and SAMR lookups * Combining Responder with ntlmrelayx for a quick foothold * Not “wasting” good SMB sessions with non-admins * Combining ntlmrelayx with RPC commands to enumerate admins and domain objects through RID cycling * Using Kerberos from Linux when NTLM Auth is disabled (incl. over-pass-the-hash techniques) * Using Kerberos ticket caches with Impacket scripts * Over-pass-the-hash with NT hashes and AES keys to get * TGTs with ktutil and Impacket’s GetTGT.py * Privilege escalation with Kerberoasting * Explanation of Kerberoasting * Practical example using GetUserSPNs.py * Overview of Golden/Silver Ticket Attacks * Performing Golden/Silver Ticket attacks from Linux

I’ll be demoing several scenarios, including scripts and modifications to popular tools that I’ve made (including ntlmrelayx), and walk through practical usage examples of several popular tools and techniques for gaining footholds and using Kerberos authentication to gain code execution.

This talk is for anyone who wants a better understanding of some of the core technologies in AD and how to “speak” to them. The slides are example and content heavy and can be used as a cheatsheet for all the techniques used. Even experienced Windows pentesters will benefit from learning a few new tricks for their pentester bag.

Research and Tools that inspired this talk: https://github.com/CoreSecurity/impacket http://carnal0wnage.attackresearch.com/2010/06/more-with-rpcclient.html https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ https://blogs.technet.microsoft.com/pie/2017/06/30/credential-theft-made-easy-with-kerberos-delegation/ http://passing-the-hash.blogspot.com/2016/06/nix-kerberos-ms-active-directory-fun.html http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/