2021-11-19, 16:30–17:20, Sponsors - Workshops
In this talk we will go through a common approach used in assessing Windows-based enterprise implementations. It will describe the common security misconfigurations that adversaries positioned on the internal network can exploit to compromise authentication credentials and enumerate hosts within the network.
We will start off by providing an overview of legacy and modern Microsoft network authentication and name resolution protocols, and show how these protocols can be exploited to gather domain usernames and password hashes. We will work through examples of using hostname resolution poisoning attacks and rogue services to perform man-in-the-middle attacks. These attacks focus on exploiting NTLM’s challenge-response protocol to gather usernames and password hashes for offline cracking. We will then discuss additional methods for evaluating domain password policies, such as using compromised accounts to enumerate domain controllers for usernames and password policies, and then using that data to test password policy strength by performing password spraying against the domain controller. Finally, we will wrap up with remediation recommendations and preventative measures.
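A defender-side counterpart to the password-spraying step described above, added here as an example and not part of the talk: the shape a spray leaves in a domain controller's failed-logon audit (one source, many distinct accounts, few failures each) and a small detector for it over constructed sample records. The record layout, thresholds and addresses are assumptions for the illustration.

```python
"""Password-spray detection over constructed failed-logon records.

Added example, not part of the talk.  A spray tries one or two passwords
against many accounts, so on a domain controller it shows up as one source
failing against many distinct accounts with few failures per account, unlike
a brute force that hammers a single account.  Layout and thresholds are
assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, source, account, outcome); not
# captured from any real host.  10.0.0.5 sprays six accounts once each,
# 10.0.0.9 brute-forces one account, 10.0.0.7 is a user mistyping a password.
SAMPLE_EVENTS = [
    ("2021-11-19T16:30:01", "10.0.0.5", "alice", "FAIL"),
    ("2021-11-19T16:30:03", "10.0.0.5", "bob", "FAIL"),
    ("2021-11-19T16:30:05", "10.0.0.5", "carol", "FAIL"),
    ("2021-11-19T16:30:07", "10.0.0.5", "dave", "FAIL"),
    ("2021-11-19T16:30:09", "10.0.0.5", "erin", "FAIL"),
    ("2021-11-19T16:30:11", "10.0.0.5", "frank", "FAIL"),
    ("2021-11-19T16:31:00", "10.0.0.7", "gina", "FAIL"),
    ("2021-11-19T16:31:20", "10.0.0.7", "gina", "SUCCESS"),
] + [("2021-11-19T16:32:%02d" % s, "10.0.0.9", "admin", "FAIL") for s in range(8)]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5,
                 max_per_account=2):
    """Return {source: sorted accounts} for each source whose failures within
    some `window` cover at least `min_accounts` distinct accounts with at most
    `max_per_account` failures per account (the low-and-slow spray shape)."""
    by_source = defaultdict(list)
    for ts, src, acct, outcome in events:
        if outcome == "FAIL":
            by_source[src].append((datetime.fromisoformat(ts), acct))
    hits = {}
    for src, fails in by_source.items():
        fails.sort()
        best, start = set(), 0
        for end in range(len(fails)):  # slide a time window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, acct in fails[start:end + 1]:
                counts[acct] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                best = max(best, set(counts), key=len)  # keep the widest qualifying window
        if best:
            hits[src] = sorted(best)
    return hits
```

Running `detect_spray(SAMPLE_EVENTS)` flags only 10.0.0.5; the single-account brute force and the mistyped password fall outside the spray shape and would need separate rules.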