EP 10: Learn More Pt 2


Narrator: You're listening to the Cyber Secured Podcast, helping you become safer in every way.

Narrator: Now, your hosts, Matt and Attila.

Attila: Welcome to the Cyber Secured Podcast.

Attila: I'm Attila.

Matt: And I'm Matt.

Attila: And we're here to talk today about how to secure your Active Directory environment.

Attila: And Matt recently went to a workshop where he got some good insights.

Attila: We're here to share knowledge and share wisdom.

Attila: All of us here are students of cybersecurity.

Attila: That means that there's always something new to learn, and we want to share that with you.

Attila: And no matter how much you know, sometimes it helps to have a little reminder.

Attila: It's like taking a shower.

Attila: You know how to do it.

Attila: You know how to brush your teeth.

Attila: But you do it every day anyway to help improve your skills and keep your teeth clean.

Attila: So that's what we want to do for you.

Matt: Yeah, showering just once in your life is not going to cut it.

Attila: No, not these days.

Attila: Not these days.

Attila: Especially in the dating scene, I hear.

Matt: Yeah, yeah.

Matt: And security and Active Directory environment, Windows, it's the same.

Matt: You just can't look at your security settings once and pray that it's good.

Attila: And it keeps evolving.

Attila: You know, one thing that hasn't evolved too much, though, is the Active Directory environment.

Attila: There are so many corporations that employ thousands of employees.

Attila: They're all in Active Directory environments, and there's basic stuff that is not being done on these Active Directory servers.

Attila: That should be.

Attila: And Matt has the inside track on what those things might be.

Attila: As a bit of a reminder from the last episode, we mentioned the Cyber Secured group.

Attila: That's cybersecured.ai.

Attila: That's for network defenders and others that are in the industry.

Attila: If you want to go to that website and request access, we're going to put all the resources that we discuss onto that place so that they can be easily referenced and found, instead of you having to dig through hundreds of bookmarks trying to find them.

Attila: Six months from now, every month, you can go into CSG, maybe print out that checklist, and then go through your own Active Directory environment and make sure that you don't have a misconfiguration that could lead to disaster.

Attila: So Matt, what were some of these misconfigurations?

Attila: I know we talked about SIEM and SOC, but I think none of that really works unless we have the equipment configured right in the first place.

Matt: Well, yeah.

Matt: So the very first one, and I've known about this for a long time, is called NTLM.

Matt: So when you have endpoints on a network that are communicating with your domain controller and a file server, there is a protocol called SMB, also known as CIFS.

Matt: I don't know what the acronyms stand for.

Attila: CIFS is Mac, no?

Attila: Or is that PC also?

Matt: No, CIFS is also SMB, Samba.

Matt: Yeah.

Matt: Either way, the protocol has been around for a long time, and there's been different iterations of the protocol.

Matt: There's SMB1, SMB2, and SMB3.

Matt: And along with the protocol are the authentication methods.

Matt: So one of the original authentication methods for Windows is NTLM.

Matt: The problem with NTLM is it actually passes the information for the user's authentication over the network, and you can grab that.

Matt: And because you can grab that, it's really easy to take it and decrypt it.

Matt: And we did that in the class.

Matt: I've done this before in the wild.

Matt: It's really amazing.

Matt: The funny thing is I've heard other security practitioners that do this on a regular basis doing pen tests reveal the fact that sometimes when they crack these passwords, it reveals some personal things or things that they feel a little sensitive about revealing to management.

Attila: Oh, no.

Matt: Like, you know, the password is something about their boss or something about their personal life or just things that you would not expect someone to put into a password, but they do.

Attila: I scratched my boss's car.

Matt: Something like that is interesting.

Matt: Cypac, I'm not going to say easy to hack, but there's certain things about the way Windows saves passwords and requirements for the length that just make it not difficult to hack.

Attila: Well, why does it exist in the first place?

Attila: So NT LAN Manager, NT.

Attila: Remember Windows NT?

Attila: NT stands for new technology.

Matt: Is that what it stands for?

Attila: Yeah, new technology.

Matt: I never looked that up.

Attila: Yeah, from like the 1990s.

Matt: Oh my God.

Attila: Yeah.

Attila: So what was out then?

Attila: Nirvana and new technology.

Attila: So there you go.

Attila: In the 1990s, grunge was a thing in the 90s.

Attila: And so this outdated protocol, you were able to intercept and decrypt because it has weak encryption.

Attila: But why is it even floating around in the first place?

Attila: Is there legacy printers or something?

Attila: What uses this?

Matt: I don't know exactly, but he did point out that if you find it live in an environment, you will likely break something when you turn it off.

Attila: Like what's something?

Matt: There will be legacy shares on a network, maybe a printer that has a scanner built in.

Matt: And when you scan things, it goes to one of these SMB shares on the domain controller.

Matt: And if you don't work in IT, you won't know this.

Matt: If you do, you will, especially if you've done any security scanning.

Matt: Printers are notorious for having really outdated protocols and standards, VNC built into printers.

Matt: And the printer manufacturers are not interested or motivated to update this stuff.

Matt: So printers are actually a pretty common exploit target.

Matt: Also along with that, they will use outdated protocols.

Matt: And so it would be common and expected that you turn off NTLM and a printer that would be scanning to a network folder would just suddenly break.

Matt: And it might be in a sales department where you've got all these salespeople that are trying to scan to these folders so their boss can see the documents they're scanning to prove they're actually working, and suddenly it doesn't work and they're pulling their hair out.

Matt: So that would be an example.

Attila: Well, the solution to that is that most of these companies that do have those big, giant, standalone, office-space-looking printers, they're usually on a lease.

Attila: A lease means that every few years, you get a new one, and the new one should have the newer security protocols.

Matt: Yeah, this is true.

Attila: And the printers themselves, if they're owned, they're probably end of life anyway.

Attila: I mean, you know, five, ten years, you don't want something like that floating around on your network.

Attila: Did he recommend VLANing printers, or was that...

Matt: Yes, absolutely.

Matt: So we didn't go too far into network security, but he did do a high level overview.

Matt: And this is stuff that we know and that we do, but yeah, VLANing, and his recommendation is actually to over-VLAN, to over-segment.

Matt: More than you think you should.

Matt: VLAN your phones, VLAN your printers, VLAN your cameras, VLAN your IoT devices, VLAN your cell phones.

Attila: Well, let's back up and make sure everyone knows what a VLAN is.

Matt: So VLANs, if you don't know networking, it's like the rooms or segments of a boat. A flat network would be like a boat that just has...

Attila: Like a rowboat.

Matt: A rowboat, yeah, one deck.

Matt: And if you poke a hole, the entire boat is going to sink.

Matt: That's your network.

Attila: Got it.

Matt: VLANs would be, you've got individual segments and rooms, sections that lead to specific other sections.

Matt: And maybe you've got some security protocols on those corridors between the sections.

Matt: So only certain personnel can go through or the personnel can go through, but they can only carry certain pieces of items, equipment with them.

Matt: That's one of the attributes and powers of VLANs.

Matt: And then if, God forbid, you get a hole poked in that boat with those VLANs, you can close one of those corridors.

Attila: And everything we're talking about here is ethereal, meaning you'll never physically see it.

Attila: So the only thing you're going to see is a box with a wire coming out of it going to your computer and maybe another wire going to your phone or there's a daisy chain off your phone.

Attila: So physically, this all looks like a wire, but on that one wire, you can have multiple networks.

Matt: Yeah.

Matt: And if you're like me and you're into technology, there was a point in my career before I understood all this stuff, in my beginning days as a technician, when I remember going onto my VoIP phone at work and I could see the IP, and I knew my computer was plugged into my phone, and somehow the IP on my computer and the IP on my phone were completely different.

Matt: One was like a 172.blah, blah, blah network.

Matt: The other one was like a 10.132, and it blew my mind.

Matt: How did that work?

Matt: I know now it was VLANs.

Attila: Yeah.

Matt: But at the time, I didn't know what that was.

Attila: And probably the simplest way to understand this is maybe a home network.

Attila: You might have all of your home computers on one subnet, and then you might have a guest network for when maybe those dirty cousins come over to play on your...

Attila: They want to watch YouTube with their tablets, those sticky cousins, right?

Matt: Well, everyone's got phones with Wi-Fi now, but yeah, if you're off the grid and your family needs access to the Internet or friends or whatever, yeah, a lot of times when you buy a consumer router, they have that option for the guest Wi-Fi.

Matt: And that's essentially what that option does, is it sets up a VLAN with the Wi-Fi connection.

Attila: And think about, you know, you go to Starbucks, they have free Wi-Fi there.

Attila: Do you think you're using the same Internet connection?

Matt: The network is there, yeah.

Attila: Is there point of sale?

Matt: Yeah, no.

Matt: No.

Matt: I mean, you shouldn't be.

Attila: Shouldn't be.

Matt: I did see that one time.

Attila: Well, that was their mistake.

Attila: And hospitals, same thing.

Attila: Yeah, hospitals, yeah.

Attila: So this is a common practice, but going back to what your instructor said, he said, go VLAN crazy.

Attila: So create lots of virtual networks.

Matt: Yep, go VLAN crazy.

Attila: Well, so wait, so hold on.

Attila: So you put your printer on one VLAN.

Attila: How are your salespeople gonna scan and print to it?

Matt: Well, so that's with your policy rules between VLANs.

Matt: So you can make VLANs so they cannot talk to each other whatsoever.

Matt: And you would, you know, potentially do that with your phones.

Matt: Your phones don't need to talk to your computer.

Matt: They just need access to the internet and possibly the server, if it's local, for the phone traffic.

Matt: But yeah, for the printers that are on their own network, they would need, essentially, kind of like a hole poked in the network that is specific to that traffic for the scans.

Matt: And there's specific ports that are associated with that traffic.

Matt: But then, you know, going back to our class and what we were doing for the penetration testing and the hacking, we have our penetration system device.

Matt: In the hacking world, it's generally Kali Linux.

Matt: And we ran one command and the command sat there and just watched as the network data flew by.

Matt: And there was a request with the user name and the hash for their password that flew by.

Matt: And it stored it on that application.

Matt: It was so simple.

Matt: And you grab that, and then you run another command that takes what you grabbed, and you de-hashed it.

Matt: And suddenly, we had a password.

Matt: It was two commands.

Attila: Was it a...

Attila: So it did the passive capture of network data?

Matt: Yeah.

Attila: But because it was on the same VLAN, you saw it.

Matt: Yes.

Attila: If it had been on a separate VLAN, you wouldn't have seen it.

Matt: No.

Matt: Yeah.

Matt: You have to be on that network, physically on the network, which we were.

Matt: So yeah, that was really fun to see.

Matt: Like I said, it's something I've done before.

Attila: And if you have the hash, you don't necessarily need to decrypt it to learn the password.

Attila: You can still take that hash and throw it at another system and see if it authenticates.

Matt: Yes.

Matt: That's known as passing the hash, which we actually did later on.

Matt: We got the administrator password for the domain controller as a hash, and it was too complicated for us to decrypt.

Matt: But we were able to pass the hash and then log in to the domain controller as the administrator of the domain controller.

Attila: And this was all using NTLM?

Matt: No.

Matt: So NTLM was only enabled for one or two users.

Matt: So yeah, there was a progression.

Matt: We were able to use one user, it was a low level user that NTLM was being passed on, decrypted their password, and then we used that to actually log in to the domain controller.

Matt: From there, we ran another app that actually mapped out using LDAP.

Matt: It mapped out all the users, all the service accounts, all the group policies.

Matt: And we took that and we actually put it into an app that we're able to look at almost like a mine cloud.

Matt: And one of the cool aspects of the app, it's called Bloodhound, is we were able to actually put in our user that we had access to, and then the domain controller admin user.

Matt: And it mapped out sort of a plan, like how we would move and hop to be able to get to that user.

Matt: And so one of the things that showed us, yeah, there was a service account that we could get access to, because it was within a misconfigured group.

Matt: So we were able to get to the service account using Kerberoasting, and the service account had access to be able to change passwords for users.

Attila: Ah, so that had elevated privileges.

Matt: Yeah.

Matt: So then we changed passwords for a user that had domain rights.

Matt: And then that allowed us to get the hash for the admin user on the system.

Attila: Fascinating.

Matt: Yeah.

Matt: And meanwhile, in the previous episode, I mentioned about having your audit settings for the security logs set up on the domain controller.

Matt: None of this, if we had a SIEM monitoring the domain controller, none of this would have been reported to the SIEM, because all those settings are turned off by default.

Attila: Oh, man.

Matt: Yeah.

Attila: Like how long did this take?

Matt: I mean, it was a class of like 45 people, so there was a little bit of troubleshooting and mistypes.

Matt: But I think if it was done by someone that knew what they're doing, how to type the commands, also assisted by AI, I think this could have all been accomplished in 30 minutes.

Attila: 30 minutes or less?

Matt: Yeah.

Attila: And you've taken ownership.

Matt: Taken ownership in 30 minutes.

Matt: Yeah.

Attila: Can you disable the event logs first?

Attila: Well, no, I guess you have to escalate.

Attila: You have to elevate your privileges first, and then you can disable it.

Matt: Yes, that is correct.

Matt: Yeah.

Matt: So you wouldn't be able to do it as a general user unless there's some kind of misconfiguration there.

Matt: I can't think of a misconfiguration that would allow that, but the teacher pointed out he's seen all kinds of bizarre things in networks.

Attila: And this all stems from...

Attila: I mean, you can't do any of this unless you have access to PowerShell.

Matt: PowerShell definitely played a key in it, but the main thing was having access to the network.

Matt: And getting access...

Attila: Like physical access?

Matt: Yeah, yeah.

Matt: So you would have to either breach a system that is on the network and run some of these tools on that system, which might be a little difficult if you have access but it's got an EDR on it.

Matt: The best...

Attila: So good endpoint defense.

Matt: Good endpoint defense, yeah.

Matt: The best option would be to physically...

Matt: And when I say physically, it includes wireless.

Matt: Get access to the network so you can see the network traffic.

Matt: So I brought up wireless because you could potentially sneak a Raspberry Pi on-prem within range of the Wi-Fi.

Attila: Or with its own cellular connection.

Matt: Yeah, have its own cellular connection so you've got remote access to it, and then scan the Wi-Fi around it until you find the one that you're looking for.

Matt: And same thing as everything else that we're talking about.

Matt: There are ways of grabbing the hash for the Wi-Fi password and decrypting that.

Matt: Now, depending on how complicated that Wi-Fi password is, you may or may not be able to do that.

Matt: The tools are available to decrypt most passwords unless it's, you know, 18, 24 characters long.

Attila: So what we're talking about here is you would show up with a laptop within proximity of the company's Wi-Fi, and find the Wi-Fi name, the SSID, that would be like the corporate Wi-Fi, like employee Wi-Fi for ABC company versus guest Wi-Fi.

Attila: And then packet capture.

Matt: Packet capture, you grab that handshake, and then off-site, you would use an overpowered system with, you know, maybe four high-powered GPUs and decrypt that password.

Attila: Which you could lease for a half hour.

Matt: Yeah, you could lease for half an hour and probably decrypt that password within five minutes.

Matt: I've seen some passwords for corporate networks that could definitely decrypt within just a few minutes or less.

Matt: And then from there, then you access that network with your on-prem Raspberry Pi, and you start scanning the network and doing some of the stuff that we had in this class.

Matt: Once you have that, then you would, you know, move laterally to the domain controller or a system on the network, and, you know, plant a C2 connection to it, a command and control connection.

Matt: Maybe, you know, see if you can whitelist a directory so that you could run some apps in there without your EDR having any issues with it.

Attila: Or just disable the EDR.

Matt: Or disable EDR if you have that ability.

Matt: Yeah, there's just a whole multitude of things you can do.

Matt: This all requires a lot of planning, but the fact is it's all really easy.

Matt: And I've seen, you know, large, very prominent businesses that had, and I use this in past tense.

Attila: Had.

Matt: Had passwords for the admin Wi-Fi that were a variation of the business name.

Matt: I don't know why that is the common thing, but it's so common that businesses will have a variation of the business name for the password for the main network.

Attila: So it sounds like one of the big attack vectors is Wi-Fi here.

Attila: Yeah.

Attila: And what's the best defense?

Attila: I mean, obviously, a complex password helps, but that's once again, we're back to the inconvenience of having a long complex Wi-Fi password.

Matt: Yeah.

Attila: Is there, I mean, is there like Wi-Fi 7?

Attila: Is it more secure or?

Matt: No, Wi-Fi 7.

Matt: I mean, there are improvements in the newer Wi-Fi standards.

Matt: WPA3 is one of them.

Matt: It's much harder to grab a handshake with it.

Matt: The main thing for Wi-Fi that can make it more secure is going to be stuff like RADIUS.

Matt: RADIUS does rely on older technology, and it is a bit of a pain to set up.

Matt: But then there's other platforms that can tie in to your Azure.

Matt: So your users will authenticate to the Wi-Fi instead of a password.

Matt: And then let's say, you know, you let XYZ employee go.

Matt: Once you remove them or disable their account in your Azure setup, they no longer would have access to the Wi-Fi.

Attila: Assuming that the RADIUS server isn't using NTLM or some other.

Attila: Well, I know a big one is MAC address whitelisting.

Narrator: Yeah.

Matt: So yeah, that's also another way of doing it.

Matt: You can spoof MAC addresses, but that is a way of doing it.

Narrator: Yeah.

Attila: I wonder is that sent over?

Attila: Can that be packet captured?

Matt: Yes, the MAC addresses can be packet captured.

Matt: That's one thing you see when you're doing the captures and the handshakes is the MAC addresses.

Attila: So that doesn't really help.

Matt: No, not necessarily.

Matt: With enough time, you'd be able to get past that.

Matt: The main one is authenticating through some other method besides WPA.

Matt: WPA works, and I'm talking about WPA2 or WPA3, not 1.

Matt: 1 is...

Attila: Oh, it's gone.

Matt: Yeah.

Matt: Yeah.

Attila: You don't even see that anymore.

Matt: Yeah.

Attila: You know, another thing that I've heard, which is helpful is to disable the Wi-Fi during off hours.

Attila: So scheduled on and off Wi-Fi.

Matt: Well, the thing about capturing the handshakes is you have to have active users.

Matt: You have to have active systems.

Matt: I have tried to capture things at night, and it doesn't tend to work because everyone's gone for the day.

Attila: Yeah.

Matt: Or put their systems to sleep.

Matt: But yeah, that is one method is having your Wi-Fi turned off at night, which can be really inconvenient if you're there working late.

Attila: Yeah.

Matt: But yeah, that definitely is one method.

Matt: I mean, there's a whole laundry list of things you can do.

Matt: The main thing is that you're paying attention to the setup and doing what you can to secure it and add as many hurdles as possible.

Attila: Well, the Wi-Fi security may also be related to physical security.

Attila: And if your Wi-Fi access point reaches to the road, as long as you have a security camera out front, that's probably a good indicator that someone is trying to do something.

Attila: But also, the other attack vector you mentioned is if they get access to machines, but they socially engineer their way into the network via a phishing e-mail, or they call up as an impersonated vendor and convince you to install some software onto your system, or you fall for some sort of lure, for example a lure that might offer you some free software, or a version of a paid piece of software for cheap.

Attila: Sometimes that's one way.

Matt: Well, and also websites are not 100% secure either.

Matt: I mean, we recently, they pointed this out in the class.

Matt: They recently showcased a Node.js hack that...

Matt: I don't know the specific details on it, but it sounds like they're able to get into the backend of Node.js.

Matt: And it's used everywhere.

Matt: Node.js and React are two of the biggest technologies used.

Matt: I think Teams is actually built on React and Node.js.

Attila: How does that affect a user?

Attila: How are they able to use Node.js to...

Matt: Well, if you're able to access a secure...

Matt: Secure is not the right word.

Matt: Reputable.

Matt: Companies, Node.js site, then you can inject all kinds of things into their code.

Attila: Oh, like a bank or something?

Matt: Yeah, and then you would use that to attack a person's system or use that to collect log in details.

Matt: And as much as we harp about using a password manager, we do it for a reason.

Matt: People still use the same passwords everywhere.

Attila: Password reuse, yeah.

Matt: They use it or variation.

Matt: And it's really common to do.

Matt: Once you have that, you can enumerate a person's user account information, and most large companies have VPN, and boom, you're in.

Attila: You know, all we're trying to do here is create lots of barriers.

Attila: More, more, more of those bulkheads to breach for the bad guys.

Attila: Because at the end of the day, this is the fun part, right?

Attila: If cybersecurity and security in general were easy, it wouldn't be challenging and exciting and something worth doing.

Attila: But because people have been laying siege to castles for generations, now the new digital castles are the ones that we're here to protect.

Attila: But yeah, interesting stuff.

Attila: And I do want to cover more of this in upcoming episodes if you guys are interested in it.

Attila: And if there's any other topic you're interested in hearing about, please reach out.

Attila: You can post a comment in the links below.

Attila: And we're always available at Cypac.com.

Attila: You can go on to our website and submit a request on our contact form.

Attila: But, yeah, we're out of time.

Attila: So thanks, everyone, for listening.

Attila: And stay tuned for our next episode coming in a few more days or weeks.

Attila: When we get to it, you'll be getting one.

Attila: I promise.

Attila: I'm Attila.

Matt: I'm Matt.

Attila: Stay safe out there.

Narrator: This episode was brought to you by Cypac.

Narrator: To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.
