Exploiting Active Directory Administrator Insecurities

Conference: Defcon 26

2018-08-01

Summary

The presentation discusses the flaws in Active Directory administration and the challenges in securing admin credentials. It also explores methods for identifying and exploiting these insecurities.
  • Admins are being dragged into a new paradigm where they have to more securely administer the environment.
  • The talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches.
  • New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses.
  • The presentation also covers the challenges and problems with multi-factor password vaults and how to bypass and subvert them.
  • The vaulted admin forest, aka the Red Forest, is discussed, as well as how read-only domain controllers can be attacked to compromise AD.
The speaker emphasizes the importance of capturing both the Domain Admins group and the built-in Administrators group, since the latter also has full AD admin rights. He notes that some environments have no members in Domain Admins, but this does not mean that the Administrators group should be overlooked. The presentation provides a command to enumerate the members of both groups. The speaker also cautions that organizations should not assume that using a password vault makes them secure, as there are still weaknesses that can be exploited.

Abstract

Defenders have been slowly adapting to the new reality: any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: pop an admin, own the system. Admins are being dragged into a new paradigm where they have to administer the environment more securely. What does this mean for the pentester or Red Teamer? Admins are gradually using better methods like two-factor authentication and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process. This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest), what that means for one hired to test the organization's defenses, and how to avoid the Red Forest and still be successful on an engagement. Some of the areas explored in this talk:
