Enabling Active Directory DNS query logging

Quick Tip: Enabling Active Directory DNS query logging for Windows Server 2012 R2.

DNS query logging isn’t enabled by default in Windows Server 2012 R2 within the DNS server role. DNS ‘events’ are enabled by default just not activity events which capture lookup’s from users machine for example. This is super useful for incident response type scenarios, investigations, troubleshooting and not to mention malware or crypto type ware that’s looking to phone home to command and control. We can enable it like so:

Firstly there is a hotfix that needs to be applied to Windows Server 2012 R2 this can be found here http://support.microsoft.com/kb/2956577 you can read more about this here. This essential adds query logging and change auditing to Windows DNS servers.

Next go to the event viewer, under ‘Application and Services’, ‘Microsoft’. ‘Windows’, right click on ‘DNS-Server’ select ‘View’ following it across and select ‘Show Analystic and Debug Logs’ like below:

(Note you will actually need to left click on ‘DNS-Server’ first then right click on it otherwise the view option won’t show up.)

This will display the Analytical log, right click on this and select properties, enable logging and Do not overwrite events. Like below:

Click ok and your done.

We can verify the query logging is working in our lab by simple making a DNS request from a workstation, we will see the query in the event view under the ‘Analytical’ log like below:

Super. Now we can see which workstation IP address has made the query, and what exactly is being queried. In the above example we can see that a destination address, 10.0.2.25 a Windows 7 domain joined workstation has requested adamcouch.co.uk. Dns query Logs, yay! Hope this helps.

Facebooktwittergoogle_pluspinterestlinkedinmail

Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016

Reversing wdigest configuration in Windows Server 2012 R2 and Windows Server 2016. Wdigest is an authentication protocol used in Windows. It enables the transmission of credentials across a network in MD5 format or message digest. It was designed to increase security over basic authentication initially used back in Windows Server 2003 for LDAP and Web authentication. By today’s standards, since Windows Server 2012 and Windows 8.1 Wdigest is disabled by default, the functionality was also back ported to earlier versions of windows, such as Windows 7 for you to disable via reg key. The problem with wdigest is it stores usernames and passwords in clear text. Tools such as mimikatz/wce were/are able to dump clear text passwords out from LSA  and where wdigest was used , clear text passwords would be obtained.

The question is: As this is now disabled by default can wdigest simply be enabled by attackers adding the reg key and still used to dump clear text creds?… The short answer is yes it can. See below:

The reg key to disable wdigest in earlier operating systems is: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest creating a DWORD ‘UseLogonCredential’ setting the vlaue to 0 disables it. 1 enables it.

Using a vanilla install of Windows Server 2012 R2, dumping creds we can see no clear text password is displayed in the wdigest field when running mimikatz.

Lets add the reg key and ‘Enable’ by adding a value of 1.

I immediately retried mimikatz and had the same result as before (no clear text password), I did kind of expected this however wanted to go through the motions to test. Next a log off and back on and retest. Then reboot and retest.

So, I log off and back on first:

Oh dear.

OK so what about Windows Server 2016? Lets try:

Now for the reg key, to enable :

As we know 2012 needed a log off and back on, presumably to cache the credentials, lets assume the same is needed with 2016.

Oh dear oh dear.

Ok so what can we do to prevent this. There are several methods such as, protecting the LSA and LSASS process in Windows 8.1 and Server 2012 R2 which I have talked about this here. Enabling Credential Guard, new for Windows 10 and Server 2016. Protected Users in AD. From here reducing the credential foot print of users on machines, ie blocking users from rdp’ing into other machines, disable Domain Admin’s from logging in to workstations, user a ‘Server Admins’ group instead. Having dedicated user privilege separation. Monitor for the above reg key changes. All the time we are trying to reduce the ability for an attacker to escalate privileges by dumping credentials, then moving on laterally through the network, reducing their ability to gain access to higher privilege accounts.

Facebooktwittergoogle_pluspinterestlinkedinmail

Protected Users Group in Microsoft Active Directory

In this post we will be discussing the Protected Users group in Microsoft Active Directory. This is to try and raise awareness of this security feature built into Microsoft Windows Active Directory (AD) 2012 R2 Domain environments. The Protected Users group in AD gives its members additional security features and protection when logging into Windows Server 2012 R2, Windows 8.1 and above.

If an account is made a member of the group. The user account can only authenticate using the Kerberos protocol. We will demystify this shortly with an example, however in brief it means that this user will not be able to authenticate with NTLM, WDigest Authentication, or CredSSP. Which means using one of these Security Support Providers (SSP) will fail. This is a win,  as we know the NTLM hash is obtainable and is very crackable, Digest Auth stores credentials in clear text in memory, CredSSP also stores clear text credentials however is an interesting one as this may break applications that use it. However you might argue as you would probably only use this for high privilege accounts, (as Microsoft advises here) it might not be so much of an issue, and would probably be re-evaluated on a case by case basis after testing.

In addition to the above, the account will not use DES or RC4 in the pre-authentication stages. The domain therefore must support AES.

There are a couple of caveats that you should be aware (you can read about these here) of when using this as an option to help mitigate credential theft:

This will only take affect on Windows 8.1 and Windows Server 2012 R2, so no change for Windows 7 and Server 2008 I am afraid. So when logging into Windows 7 or Server 2008 variants your don’t get the protection from Protected Users membership.

Windows Server 2012 R2 Domain Functional Level is required.

Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) as well as computer objects can not be added to the group. (technically they can, however it will break things).

What does all this mean then in actual protection terms, what does it look like?

I feel an example coming on:

Lets test with Windows Server 2012 R2. If we dump creds on a vanilla install with mimikatz this is typically what we would see. So no wdigest as this is disabled by default however what we can see and retrieve is the NTLM hash for the account ‘Adam2’, which as we know can be cracked off-line.

Now if we add our account to the Protected Users group and test, lets see what happens. Lets log off and back on and re-run mimikatz:

No NTLM hash, this is because members of the protected users group will only authenticate with Kerberos and not with NTLM. Great. This seems like a win for high privilege accounts. More to come on this soon.

 

 

Facebooktwittergoogle_pluspinterestlinkedinmail

Protecting the LSASS.EXE process with RunAsPPL

Protecting the LSASS.exe process with RunAsPPL is in an important part of hardening Windows Server 2012 R2 and Windows 8.1. Credential theft is trivial with Administrative level privileges, I have blogged about the use of mimikatz several times in the past. This post is here to try and raise awareness of what we can do to help protect against adversaries getting there hands on creds. Doing everything we can to try to protect against credential theft is clearly important. There are now advances in Windows 10 and Server 2016 that help mitigate this with Credential Guard, however earlier versions of windows are still vulnerable. The Local Security Authority Server Service (LSASS) process in windows is responsible for authenticating/validating users that login via local console or remote desktop. Tools such as mimikatz interact with the lsass process to extract credentials, whether that’s directly on the server or workstation at the time of attack or dumping the lsass process to a file and extracting credentials off line at a later stage.

With Windows Server 2012 R2 and 8.1 there is a feature called LSA (Local Security Authority) Protection according to the following Microsoft page we are able to run LSASS as a protected process. This essentially prevents mimikatz from working correctly out of the box. In addition to this it will prevent you from being able to dump the lsass process to a file through task manager. With some tweaking you can get around this however a driver or signature verification code would need to be added into the mix for it to work properly and be able to interact with the lsass process as a protected process (this can be monitored though through the event log). The following registry change can be added to enable the protection at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa adding a new DWORD entry of “RunAsPPL”  with a value of 1. This does require a reboot however.

Lets see it in action on Windows Server 2012 R2. Before the change you can see I am able to dump the lsass process to a file from task manager:

This file could then be used with mimikatz on or offline to extract NTLM password hashes for cached credentials.

Lets make the change, and reboot:

And after:

Good! And if we try to run mimikatz on the server:

This doesn’t offer total protection however if we can slow down our adversaries and try to stay one step ahead we are in a better place than before. Clearly if you have plugins in your environment that need to interact with the lsass process this may break things so testing is a must, there is an auditing mode highlighted here that will help identify any that fail.

Hope this helps.

Facebooktwittergoogle_pluspinterestlinkedinmail

Quicktip: VirtualBox VM boot on host startup

To enable a virtual machine in VirtualBox to start automatically on host startup do the following:

(For Windows 10 host OS)

On the host OS right click on your start menu and type ‘shell:startup’ like below:

 

 

 

 

 

 

This will open up your startup folder. From here go into VirtualBox right click on your VM and select ‘Create shortcut on Desktop’ like below:

 

 

 

 

 

 

 

 

 

Then copy the shortcut from your desktop into the startup folder like below:

Simple, hope you enjoyed this quick tip.

Facebooktwittergoogle_pluspinterestlinkedinmail

Top Three Command and Control Exfiltration methods

Just a quick post to list out some of my favourite Command and Control (C2) exfiltration methods.

  1. Standard TCP connect using ‘Invoke-PowerShellTcp’ from Nishang framework. This is a super easy comprising of a netcat listener for the server and PowerShell for client side makes this a very accessible exfil method read about it here. How do we prevent this: block TCP access on the boundary firewall. No excuses for this one. In addition there is a whole host of client side mitigation, such as PowerShell logging and denying PowerShell execution etc.
  2. DNS tunnelling using dnscat. Well what can you say about this, if all else false this will probably get you off the network in most places. Read about this here. How do we prevent this: This is more challenging, first verify if DNS is actually required, for example if this is a server subnet, azure or AWS do your servers really need to resolve address that can’t already be taken care of by internal DNS Server not resolving names to the outside or could you use a static hosts file? Secondly various IDS and firewalls can be tuned to detect this type of DNS traffic, so for example does that DNS request really need to be that big/long, wow that is a lot of DNS traffic from that box? no probably not – its DNS tunnelling.
  3. ICMP tunnelling again using the Nishang framework, Mittal has written a nice client side PowerShell method for connecting, read about this here and the backend server here. How do we prevent this: block ICMP access on the boundary firewall. Its unlikely that you will need ICMP off the network.
Facebooktwittergoogle_pluspinterestlinkedinmail

Creating and mangling custom word lists!

Creating custom word lists:

In this post we are going through how to generate custom word lists with extra combinations based on an initial set of predefined words or generated words using John The Ripper. Why would we want to do this. Well you probably already have giant word lists that you can download from the internet such as the famous ‘rockyou’ list. Or passwords lists from breaches etc. What these huge lists don’t have are tailored words to suit your target specifically. For example we could use a tool called Cewl to spider a website and scrape all words on this site with a minumim length of 6 and a max of 10.  We could also add words manually that relate to that target specifically. We then have a very custom set of words to do with that target, in which to generating new words for. (Obviously for a penetration test of which you have authoirsation to test). We could then use another program such as John The Ripper (JTR) to generate iterations of those words, for example adding the year to the end of the word. (this is a classic)

In this example we will use the list ‘list1.txt’ as our starting point. We will then use commands to output a new file called ‘newlist1.txt’. We will use JTR in Kali to do this. JTR has a set of predefined rules that will generate us new words based on the original words in any given list. We will add custom rule sets in JTR to generate different combinations of the original word(s). This configuration is found in /etc/john/john.conf.

Lets get started with an example.  If we start with the list ‘list1.txt’ and add one word to keep things simple so we can see the words being generated by JTR and our custom rules. Lets start with the below rule which we will append to the bottom of our john.conf file like below:

Append the below text to the bottom of our john.conf file:

#My Custom rules.
[List.Rules:Rule1]
cAz”[0-9]”

like so:

custom rules in john.conf

Now use JTR to generate words using the below command:

john –wordlist=list1.txt –rules=Rule1 –stdout > newlist1.txt

Which looks like:

new words generated by JTR rule1

As you can see this simple rule adds numbers 0-9 to the end of the word and adds it to the new list called newlist1.txt.

Lets try a few more rules how about the below, append the text to the bottom of your john.conf.

[List.Rules:Rule2]
cAz”[0-9]”
cAz”[£!$@#]”
cAz”[0-9][0-9]”
cAz”[£!$@#][0-9]”
cAz”[0-9][0-9][0-9]”
cAz”[0-9][0-9][0-9][0-9]”

custom rules in john.conf 2

Which will in turn generate us the below:

new words generated by JTR rule2

As you can see I have had to tail the newlist.txt file as john has created a huge list, 11176 to be precise.

There are multiple sets of rules available across the internet, for example Korelogic have rules check them out here. See below for some further example rules:

#My Custom rules.
[List.Rules:Rule1]
cAz”[0-9]”
cAz”[£!$@#]”
cAz”[0-9][0-9]”
cAz”[£!$@#][0-9]”
cAz”[0-9][0-9][0-9]”
cAz”[0-9][0-9][0-9][0-9]”

#Replace letters for numbers
[List.Rules:Rule2]
>2!?Aso0
>2!?Asb8
>2!?AsB8
>2!?As1!
>2!?AsA4
>2!?Asa4
>2!?Ase3
>2!?Aso0se3
>2!?Aso0se3si1
>2!?Asi1
>2!?Ass5

Enjoy.

Facebooktwittergoogle_pluspinterestlinkedinmail

Active Directory Delegation of Control

No you don’t all need ‘Domain Admin’ rights, that includes you Mr IT Manager!

Users in the IT Helpdesk don’t all need ‘Domain Admin’ rights to perform daily tasks like password resets, user group changes and logging into users workstations for fixes. In addition to this they should also elevate rights and authenticate with another account in order to perform Active Directory (AD) administrative tasks, I wrote about this here. We can delegate special permissions to a security group in order for that group of members to be able to reset passwords and perform other AD related tasks. We can delegate this level of control on specific Organisation Units (OU), so for example all users under that OU can be managed by different levels of IT Support and there corresponding AD security group, i.e. a group for 1st line IT Support called ‘IT Helpdesk ‘, ‘2nd line IT support’ and ‘3rd line IT support’ and so on, so we can have different levels of control. This means we give the permission to a group and in turn members of that group can perform special functions on the users that reside in that particular OU. Thankfully Microsoft have thought about this and there is a fairly straightforward way of achieving it by setting a set of stock permissions on the OU. To do this we can use the ‘Delegation of Control’ wizard in AD Users and Computers.

Delegation of Control Wizard

Ideally we want to split out our standard domain user accounts for standard non privilege duties like reading email and using Microsoft Word, then have a separate admin accounts ie ‘Adam-adm’ or ‘Adamadmin’ for the administrative privileges. These admin accounts can then be used to rdp directly to a separate management server which has the various tools installed. Tools like the Remote Server Administration tool set which has Active Directory Users and computers, DHCP and DNS etc.

Don’t use security groups you already have in your environment, create new groups. This might seem like it adds an extra complexity and more groups. However, if you botch your permissions on a group you are using for another function its not going to end well. If you later need to reverse changes or delete the group you can without fear of affecting other functionality.

Create a group for the help desk ie ‘IT Helpdesk’ for 1 st line staff. This should be used for password resets and group modifications etc.

Create a group for 2nd line support ie, ‘2nd line IT Support’. This should be used for all of the above including all other additional user account modification activities.

You may want to combine the first two groups into just one ‘IT Support’ group for smaller IT Teams. The point here really is to split out the duties so your helpdesk staff don’t have Domain Admin rights, and you’re not running elevated domain rights on your daily laptop/desktop, the principle of least privilege first should apply here. Only give the minimum required, no more.

Create a group for full Admins/3rd line support ie ‘3rd line IT Support’. This should effectively be used for all of the above tasks and any additional.

Keep the below points in mind when using the Delegation of Control wizard in Active Directory:

  • Always delegate permissions on a new AD group, not on one that is already in use.
  • Once applied to an OU there is no wizard to undo the changes. Changes will need to be manually undone.
  • You can re-run the delegation wizard again on the same OU to add additional permission, just not take away.
  • You can remove a newly added group from the security tab of an OU if needs be, (effectively reversing the changes).
  • Avoid setting permissions on individual user objects even if there is only one user, add the user to a group and make the changes on the group not the user. This is in case you need to revert changes. In addition to this you can always remove the user from the group.

Lets walk though an example.

As an example of how we can achieve this lets walk through the below lab. In this example we are going to delegate control in AD for password resets and user group changes for the ‘IT Helpdesk’ group, so that members of this group can carry out these tasks on domain users in the HR OU.

Right click on the HR OU and select the top option ‘Delegate Control…’ the wizard should pop up like below:

AD Delegation of Control Wizard

Select Next, and you will be prompted to add the group you want to grant the permissions too. In this case we will grant permissions to ‘IT Helpdesk’ as below:

AD Delegation of Control Wizard add group

Select Next. Now we will add the specific permissions that we want the ‘IT Helpdesk’ to have on users in the HR OU.

In this instance we are going to select the top five check boxes as these are a reasonable set of tasks that we would want our helpdesk staff to be able to perform. This obviously may be different from organisation to organisation depending on size and separation of duties. We will go with this as an example for now. Microsoft makes this very easy by grouping these tasks together in the form of the check boxes. We can go more granular than this if needs be,  however for now we will continue with the pre-defined options.

AD Delegation add permissions

Select Next, then Finish.

You can verify your permissions be selecting the OU right clicking on properties, selecting the ‘Security’ tab, the group in question should have ‘special permissions’, select advanced, your will then be able to view the permissions. The top four Access Control Entries (ACE) will have been added.

AD Delegation permissions

In addition to this, select the ‘Effective Access’ tab, add the group and verify that the four permissions Create/delete Group objects and Create/delete User objects have a green tick next to them. (they are spread out, so scroll down)

AD Delegation permissions

AD Delegation permissions

As opposed to an alternative OU such as our ‘Admin’ OU which doesn’t have any delegation on it. The default permissions are as below:

AD Delegation permissions

AD Delegation permissions

 

The next thing to do is test the effective permissions to ensure the new ‘adm’ users of the ‘IT Helpdesk’ group can for example change a password of a user under the HR OU. It also worth testing this on a user account that isn’t in that OU so you can see the difference and error message that you will receive if you don’t have permission.

Et voila. I hope this helps. Remember test test test.

Facebooktwittergoogle_pluspinterestlinkedinmail

Privilege Separation please…

No please don’t run ‘Domain Admin’ for daily tasks like reading email… use separate accounts and enforce privilege separation.

Separate user accounts should be used to perform Administrative tasks in Active Directory. Its far from ideal to be logged in to your daily work laptop as a Domain Admin to perform your business as usual tasks like reading email and surfing Facebook at lunchtime…

Ideally we want privilege separation for our accounts. Split out standard domain user accounts for standard non privilege duties like reading email and using Microsoft Word, then have separate admin accounts ie ‘Adam-adm’ for administrative privileges. These admin accounts can then be used to rdp directly to a separate management server which has the Remote Server Administration Tools installed for programs like AD Users and Computers, DHCP and DNS.

In Addition to having separate Admin accounts, don’t automatically add the account to the ‘Domain Admins’ group if it doesn’t need this level of privilege, (it most likely doesn’t) . Use the principle of least privilege first and delegate control using the AD Delegation of Control wizard. Its pretty straightforward to use. I wrote an article about delegation of control in Active Directory here.

Facebooktwittergoogle_pluspinterestlinkedinmail

MiTM Thick Client Web Services Testing.

This post walks through MiTM Thick Client Web Services Testing designed for testing thick client web applications for web services using burp and iptables on an internal engagement.

Scenario:

So you need to man in the middle web traffic for application testing on an internal test. This could be either a thick client application for web services that has no proxy settings. Or a client device that is using the system proxy settings (ie proxy settings controlled from Internet Explorer). Or proxying traffic from a client device through the browser as any other usual web application test.

In this scenario the thick client application is installed on a corporate device. So we look to setup some sort of MiTM (Man in The Middle) scenario to watch and alter the traffic as we see fit. The client device IP address must remain the same (ACLs are in place for example or you are unable to change the IP address on the client device). A simple solution to this is two use two virtual machines on your testing laptop to get around having two default gateways with the same IP on one device. With some clever iptables rules we can essentially do a double nat type affair and spoof the client device on the corporate network, at the same time spoofing the gateway for the client device. Bingo MiTM nobody is non the wiser. I talk a bit more about iptables in this post.

If DHCP is used on the client device this is significantly simpler. Rather than using the same ip address range as the corporate network you can set this to an alternative IP and thus removing the need for two virtual machines supporting the double NAT scenario.

They say a picture paints a thousand words… so to bring it all together it the scenario looks similar to this:

Example 1 Configurable proxy settings on client device:

In this example the application on the client system is using the proxy settings configured for IE or Firefox. You are able to modify these and so you can redirect traffic to the proxy of your choice on 8080 for example like so. Note Chrome uses IE system settings:

Network Configuration:

Caution: Don’t use network-manager for this. Dual homing interfaces does not play nice in network manager. Stop the network-manager service first, verify it is stopped then continue to work in the standard networking service with the interfaces file.

service network-manager status

service network-manager stop

service network-manager status

service networking status

Now continue to work using just the interfaces file with the standard networking services.

Set the mac address of the eth0 on VM2 the same as the PC mac address

Ifconfig eth0 down

macchanger –mac 08:00:27:8D:CD:53 eth0

ifconfig eth0 up

On both VM2 and VM1:

echo 1 > /proc/sys/net/ipv4/ip_forward

VM2 interfaces file:

**Gateway is always set on the forwarding interface.

VM2 iptables:

iptables -t nat -A POSTROUTING –out-interface eth0 -j MASQUERADE

VM1 interfaces file:

**Gateway is always set on the forwarding interface.

VM1 iptables configuration:

iptables -t nat -A POSTROUTING –out-interface eth0 -j MASQUERADE

Using burp set your proxy to the listening IP and port.

Example 2: No proxy Settings/Thick client App or Web Services etc..

In this example you have a thick client app that doesn’t allow you to set a proxy and doesn’t use the system proxy settings. You can use ‘prerouting’ in IP tables on VM1. This will route traffic destination port 443 and ‘redirect this to port 8081 with this command:

iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-port 8080

iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 443 -j REDIRECT –to-port 8081

Then using burp configure your proxy to listen on all interfaces for 8080 and 8081 do this for as many destination ports as required. In addition to this ensure ‘Support for ‘invisible proxying’ is enabled.

 

 

Things to Remember!:

After every reboot IP forwarding and iptables will reset so check both on a restart:

cat /proc/sys/net/ipv4/ip_forward

iptables -t nat -L -v -n

To make IP forwarding persistent you can do the following:

Edit /etc/sysctl.conf and uncomment the ‘net’ line:

# Uncomment the next line to enable packet forwarding for IPv4

#net.ipv4.ip_forward=1

 

DNS: hostnames will need to resolve on both the client and proxy machine.

Its is useful to create a bash script for your config for each machine. Then on a reboot there is no faffery looking for the right commands simply run the bash script. Note – the nameservers are pushed to the resolve.conf to save bringing down and back up the interfaces, and restarting the networking. A sample script might look like the below:

 

On the proxy VM:

This is definitely a labs worth! Hope this helps!

Facebooktwittergoogle_pluspinterestlinkedinmail