11min chapter


Episode 46: Reducing Active Directory Security Risks from a Hacker's Perspective

The Cyber Threat Perspective

CHAPTER

Enhancing Active Directory Security

This chapter focuses on the security vulnerabilities associated with legacy protocols like SMB1 and LLMNR in network environments, particularly regarding Active Directory. The speakers discuss the urgency of disabling outdated protocols to mitigate risks and emphasize the need for continuous monitoring and improvement of security practices. They also introduce techniques like Kerberoasting and guide listeners on utilizing external resources to bolster their security posture.

00:00
Speaker 2
Yeah, I think the only other thing I'll add is I think we're also going to keep it focused right now to just on-prem AD. I know there's Azure AD. I know, in fact, Microsoft, they actually, you can even do your AD in the cloud now as a whole completely separate service, which is pretty cool. But Google too, I don't know if you saw. Yeah, Google now has
Speaker 1
you know, like managed Active Directory. We should do an episode on that. We should explore it a little bit, because they just announced it, like, a few weeks ago, I think.
Speaker 2
they dropped Google Domains, but now they're like, you can manage your domain with us. I know, right? But here's
Speaker 1
all these new domains. Oh, by the way, we're going to send it to whatever that website was. Yeah. Yeah. So yeah, we're going to be talking about on-prem Active Directory, as we all know and love, and not on Azure or Azure Active Directory. And I think the common phrase for Azure is "Azure Active Directory is neither Azure nor Active Directory," is what I commonly hear people saying about it. It's
Speaker 2
a whole it's a whole other thing. And I think it definitely warrants its whole dedicated episode for sure.
Speaker 1
Yeah. Yeah. And we'll definitely talk about Azure AD in the future. So the first kind of category here that I want to talk about was legacy protocols. Now, probably the most famous example of this is WannaCry. If y'all remember WannaCry and the SMB worm, SMB vulnerability, that was pretty prolific. If you, you know, remember all of the hysteria around that, that exploit exploited a flaw in SMB1. And so, you know, SMB1 has been deprecated for a while now. It's very insecure. It's not recommended to be used. It's like 30 years old,
Speaker 2
right? It's 30 plus.
Speaker 1
Yeah. But interestingly, we still see it enabled in environments for backwards compatibility, because there are environments still running Server 2003 and Server 2008, believe it or not, you know, running legacy applications that rely on older versions of SMB. So that's the first one. It's, you know, a pretty low-hanging-fruit change. Most modern organizations probably won't have a lot of trouble disabling SMB1. However, I do say that with a grain of salt. Right, Darius? Like, yeah, nothing we say here is just, you know, go disable the checkbox or check the checkbox and your problems are solved. It's not that simple, right? Yeah.
Speaker 2
And I think, you know, the biggest issue with SMB is the fact that you can pretty much, you know, there are compensating controls you could put in place, right? But the biggest thing is you can still very much have data transmitted in clear text, even with those mechanisms in place. And that's the big reason why you don't want to use it.
Speaker 1
Right? There's no signing in SMB1, which means that you can take an NTLM hash and you can relay that hash, pass that hash, and achieve access to another system, right? Use it for lateral movement using SMB1 because it's enabled. So, inherently weak protocol. There are a ton... I don't want to say a ton. That might be misleading. There's good resources on the Internet for tackling this, right, along with the other protocols that we're going to talk about. So if you have things like SMB1, LLMNR, NBNS, mDNS, NTLMv1, LM, there's resources online. If you go and you look for how to disable those things, people that have talked about doing it before in their environments, so I encourage people that are listening to go seek those out. But like we were saying before, there's not, as far as I know, there's not like a one-stop shop for, like, hey, go to this website, it's going to tell you how to disable all your legacy protocols and, like, you're good. I don't believe that to exist. This is a hard thing to do. It's time consuming, but it definitely is worthwhile. Agree.
Speaker 2
Especially with NTLMv1, like, that's one that, you know, I've seen in a couple different environments. It's hard to just be able to turn it off. It's like, it's always, it's like playing whack-a-mole. There's always, you know, there's always something. Let's kind of shift it back to more of a hacker perspective. So let's say you're doing an internal, and you notice that these legacy protocols are in use. Spencer, what are your next steps? What goes on in your head?
Speaker 1
Yeah, for sure. And this goes with every internal. We'll look for LLMNR, Link-Local Multicast Name Resolution, which is a precursor to DNS, right? And so if you don't have DNS configured in your environment, this would fall, you could fall back to LLMNR. And with LLMNR, you can essentially man-in-the-middle traffic. You can spoof the traffic and you can capture hashes that way. So me as an attacker or bad guy, if I'm on a network, there's security tools that you can run like Responder or Inveigh that can get in the middle of that traffic, intercept it, spoof the requests and capture NTLM hashes, NTLMv1 hashes if they're enabled, NTLMv2 hashes, you know, Kerberos tickets, all things like that. So if I'm an attacker, I can use that to my advantage to capture hashes that I can then, you know, take offline and try and crack them with a password cracker. Or if you, you know, like we were talking about a few minutes ago with SMB, if there's weak SMB controls in the environment, I could then potentially take those hashes and send those to another computer to allow me to log into that computer. It's called relaying. So I take a hash that I've obtained from one system, I send it over here to the other one, and then I log in with that hash, that NTLM hash. So that's kind of what, you know, I see as being an attack, or one of the methods of attack to these protocols, is capturing, relaying, or capturing and cracking, because these are inherently weak protocols. And
Speaker 2
I'll say, you know, we're saying all of this, and it, you know, on the surface level, it can sound, it sounds very technical and impressive. But I think, you know, one of the cool, you know, cool for us, but also, you know, if you're, you know, a system admin somewhere, the scary thing about it is it's not a hard thing to do. Especially if you don't have other, you know, controls in place. If your EDR solution, if you don't even, if you don't have an EDR solution in place, or if the one you have isn't, you know, up to snuff, I mean, they're literally scripts. It's go to GitHub and then pull it down and then run it. Like, it's not a super technical, deep thing.
Speaker 1
Yeah. It's not, you know, the nitty-gritty of the NTLM protocol and authentication, Windows internals, super technical stuff, right? But like you're saying, if you do want to learn how this technique works, I would recommend Heath Adams' Practical Ethical Hacking course on YouTube. His course on YouTube will walk you through this exact attack chain, where you run a tool called Responder, you capture the hash, and then you relay it with something called ntlmrelayx. And that's a whole thing. You can go look at it for free on YouTube and learn how that attack works. You could reproduce it in your environment and then learn how to detect that. So, really good way to kind of learn how that's done and how that can be abused and what an attacker might do with those protocols enabled in an environment. Yeah, so in terms of advice, right, Darius, obviously our advice is, you know, disable legacy protocols, but at a broader level, you know, run some of these tools in your environment. I would encourage people to run some of these tools in your environment and see what they look like. See if there's ways you can detect those with your current security tools, right? A lot of these tools will leave a signature. They'll leave some sort of artifact, either on the network or on the endpoint, something that you can use to detect, and then, you know, build out kind of your monitoring from that as well. So that's something I recommend as well as, you know, fix these things, but also learn how to identify them as well. For
Speaker 2
sure. And also add, you know, before we move on to the next thing, fixing it may not always be easy, but, you know, some progress is always better than none. So, you know, even if you, you know, disable it in the majority of your environment, but there's still a few places where you have to have it. Yeah. That's improvement. Yeah. And so definitely want to encourage everyone, you know, small... how to eat an elephant? One bite at a time. Exactly, exactly.
Speaker 1
And, you know, progress is made by doing, not by thinking about it. So exactly what you said, Darius, is just little improvements every day. You know, even if it's just, you know, this isolated thing, you know, like an AS/400, for example. Maybe you can isolate that in its own network or DMZ or something, and you kind of reduce a lot of that risk. So, very good point. Oh,
Speaker 2
yeah. So then, you know, I guess to say, if you're going to tackle it, the first step is identifying, right? Like, identify everywhere it's being used first. And then, you know, that makes the next part so much easier. Yeah.
Speaker 1
It goes back to the CIS Controls, right? Like, step number one is, you know, inventory. What assets do I have? What software do I have? That goes with protocols too, right? You know, what protocols do I have enabled in my environment? What legacy protocols are enabled? And LLMNR, NBNS, mDNS, those can all be used to abuse, you know, a network quite heavily. And that's something we look for quite often.
Speaker 2
And it could be your excuse to get rid of that legacy application that you just despise, because no one else... you're supposed to support it. And the guy or gal who wrote it is no longer there. So, you know, it's just like, hey, there's your excuse right there.
Speaker 1
There's no better time to rip that thing out than now. You know what they say: the first best time was yesterday, the second best time is now, or whatever that saying is. Yeah, yeah. So
Speaker 2
next we have a little bit of Kerberoasting, right? Like, that's the next kind of big thing, as far as, you know, fortifying AD, right?
