Spring Training 2018 - Active Directory attacks for Red and Blue Teams
From BruCON 2018
- 1 Active Directory attacks for Red and Blue Teams
- 2 Course contents
- 3 What would the attendees gain?
- 4 Target audience
- 5 Requirements
- 6 Hardware/software Requirements
- 7 Trainer Biography
Active Directory attacks for Red and Blue Teams
Enterprises are managed using Active Directory (AD), and it often forms the backbone of the complete enterprise network. Therefore, to secure an enterprise from an adversary, it is essential to secure its AD environment. To secure AD, you must understand the different techniques and attacks adversaries use against it. Often burdened with maintaining backward compatibility and interoperability with a variety of products, AD environments lack the ability to tackle the latest threats.
This training is aimed at attacking modern AD environments using built-in tools like PowerShell and other trusted OS resources. The training is based on real-world penetration tests and Red Team engagements for highly secured environments. Some of the techniques used in the course (see the course contents for details):
- Active Directory trust mapping and abuse.
- Privilege Escalation (User Hunting, Delegation issues and more)
- Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more)
- Abusing cross forest trust (Lateral movement across forest, PrivEsc and more)
- Abusing SQL Server trust in AD (Command Execution, trust abuse, lateral movement)
- Credentials Replay Attacks (Over-PTH, Token Replay etc.)
- Persistence (WMI, GPO, ACLs and more)
- Bypassing defenses (App whitelisting, Advanced Threat Analytics etc.)
The course is a mixture of demos, exercises, hands-on and lecture. You start from compromise of a user desktop and work your way up to complete forest pwnage. The training focuses more on methodology and techniques than tools.
Attendees will get free one-month access to an Active Directory environment comprising multiple domains and forests, during and after the training. This training aims to change how you test an Active Directory environment.
Course contents
Day 1 – AD Essentials, getting a foothold and escalating privileges
- Introduction to Active Directory and Kerberos
- Introduction to PowerShell
- Domain Enumeration (Attacks and Defense)
- Trust and Privileges Mapping
- Local Privilege Escalation
- Credential Replay Attacks (Over-PTH, Token Replay etc.)
- Domain Privilege Escalation (Attacks and Defense)
- Dumping System and Domain Secrets
Day 2 – Lateral movement across trusts, persistence and defense bypasses
- Kerberos Attacks and Defense (Golden, Silver tickets and more)
- Attacks across domain trust
- Attacks across forest trust
- Delegation Issues
Day 3 – Persistence and defense bypasses
- Active Directory ACLs abuse
- Persistence Techniques
- Detecting attack techniques
- Bypassing Defenses (App whitelisting, Advanced Threat Analytics etc.)
- Abusing SQL Server Trusts in an AD Environment
- Defending an Active Directory Environment
What would the attendees gain?
1) One month access to the online Lab, solutions to exercises and Lab manual.
2) The attendees would learn powerful attack techniques which could be applied from day one after the training.
3) The attendees would understand that it is not always required to use third party executables, non-native code or memory corruption exploits on the targets in AD.
Target audience
Coming soon ...
Requirements
Students should have:
- Basic understanding of how penetration tests are done.
- Basic understanding of Active Directory.
- An open mind.
Hardware/software Requirements
Unless specified otherwise, students are required to bring the following:
- System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
Trainer Biography
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defense strategies and post exploitation research. He has 9+ years of experience in Penetration Testing for his clients, which include many global corporate giants. He is also a member of Red teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like Defcon, BlackHat, CanSecWest, RSA China, Shakacon, Troopers, DeepSec, PHDays, Hackfest, ClubHack, EuSecWest and more. He blogs at http://www.labofapenetrationtester.com/
Wed. 18 - 20 April 2018 (09:00 - 17:00) (3-day) - Novotel Ghent Centrum