So You Think Your Domain Controller Is Secure?

I gave a presentation at Defcon 21 on gaining domain admin by abusing commonly used management software:

https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Hendricks

The talk covered domain controller isolation principles and how commonly used management software and infrastructure, such as System Center Operations Manager (SCOM), out-of-band management controllers (e.g. HP iLO), Hyper-V, and security scanners, can be abused to gain access to domain controllers. The common thread is that each of these systems can execute code on a domain controller or control the hardware it runs on, so whoever controls them effectively controls the domain, whether or not they are domain admins.

Here are the slides and videos from the talk:

Slides: Download (PPTX, 1.19 MB)

Using System Center Operations Manager To Start a Reverse Shell and Dump Domain Hashes:

Using HP Integrated Lights Out To Boot Into a Linux Live Disc and “Sticky Key” the Server:
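The video above relies on replacing an accessibility binary that Windows launches from the logon screen (sethc.exe for Sticky Keys) with a command shell, which works whenever someone can boot the server from other media. The following PowerShell script is an added example, not code from the talk or slides, for checking a server for that backdoor and for the related Image File Execution Options (IFEO) variant. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the OriginalFilename comparison is a heuristic, so treat it as a lead rather than proof.

```powershell
# Added example (not from the original talk): check a Windows host, e.g. a
# domain controller, for "sticky keys" style backdoors, where a binary that
# the logon screen can launch before any credential is entered has been
# replaced with cmd.exe/powershell.exe or hijacked via an IFEO Debugger value.
# Assumes Windows PowerShell 4.0+ and an elevated session.

$System32 = Join-Path $env:SystemRoot 'System32'
$IfeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Binaries reachable from the Winlogon desktop (Ease of Access menu and hotkeys).
$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

# SHA-256 of the shells an attacker typically copies over the originals.
$ShellHashes = @('cmd.exe', 'powershell.exe') | ForEach-Object {
    (Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 $_)).Hash
}

function Test-AccessibilityBinary {
    param([string]$Name)

    $path     = Join-Path $System32 $Name
    $findings = @()

    if (Test-Path $path) {
        # 1. Byte-identical to a shell: the classic live-disc swap.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($ShellHashes -contains $hash) {
            $findings += "$Name is byte-identical to cmd.exe or powershell.exe"
        }

        # 2. Version resource heuristic (assumption): a genuine accessibility
        #    binary carries its own base name in OriginalFilename; cmd.exe
        #    carries "Cmd.Exe". Wildcard comparison is case-insensitive.
        $base = [IO.Path]::GetFileNameWithoutExtension($Name)
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        if ($orig -and $orig -notlike "$base*") {
            $findings += "$Name reports OriginalFilename '$orig'"
        }

        # 3. A copied or patched file loses its valid Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "$Name Authenticode status is $($sig.Status)"
        }
    }

    # 4. IFEO hijack: a Debugger value makes Windows start that program instead,
    #    without touching the file on disk at all.
    $ifeo = Get-ItemProperty -Path (Join-Path $IfeoKey $Name) -Name Debugger -ErrorAction SilentlyContinue
    if ($ifeo -and $ifeo.Debugger) {
        $findings += "$Name has IFEO Debugger set to '$($ifeo.Debugger)'"
    }

    [pscustomobject]@{
        Binary     = $Name
        Suspicious = ($findings.Count -gt 0)
        Findings   = ($findings -join '; ')
    }
}

$results = $AccessibilityBinaries | ForEach-Object { Test-AccessibilityBinary -Name $_ }
$results | Format-Table -AutoSize -Wrap | Out-Host

# Non-zero exit code so the check can be wired into a scheduled job or a monitor.
if ($results | Where-Object Suspicious) { exit 1 } else { exit 0 }
```

The check only tells you whether a backdoor is present right now. The talk's point is that it should not be possible to plant one in the first place: if the iLO (or any other out-of-band controller) of a domain controller is reachable by people who are not domain admins, the boot-from-media path makes all four checks above a losing race, so the controller's network access and credentials need the same protection as the DC itself.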

Using System Center Operations Manager To Run Executable On Monitored Server To Dump Hashes:

Using System Center Operations Manager SDK to Run Arbitrary Commands On Monitored Servers:
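All three SCOM videos come down to the same exposure: anyone who can run tasks or drive the SDK against the management group can run code as the agent's action account on every monitored server, domain controllers included. The PowerShell below is an added example, not from the talk or the product documentation, that audits that exposure on a management server. It assumes the OperationsManager and ActiveDirectory modules are installed, that the caller is a SCOM administrator, and (an assumption to verify against your SCOM version) that each user role object exposes its profile name via the Profile.Name property.

```powershell
# Added example (not from the original talk): on a SCOM management server, list
# the domain controllers that carry a SCOM agent, and thus are targets for
# agent tasks and SDK-driven command execution, and the user roles whose
# members are allowed to run such tasks.
# Assumes the OperationsManager and ActiveDirectory modules are present and the
# session is a SCOM administrator.

Import-Module OperationsManager
Import-Module ActiveDirectory

# Assumption: run on a management server; change this when run from elsewhere.
$ManagementServer = $env:COMPUTERNAME
New-SCOMManagementGroupConnection -ComputerName $ManagementServer

# Domain controller FQDNs as Active Directory knows them.
$dcNames = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() }

# Agent DisplayName is the agent's FQDN, so a simple name match identifies DC agents.
$dcAgents = Get-SCOMAgent | Where-Object { $dcNames -contains $_.DisplayName.ToLower() }

'Domain controllers with a SCOM agent (reachable via tasks and the SDK):'
$dcAgents |
    Select-Object DisplayName, HealthState, PrimaryManagementServerName |
    Format-Table -AutoSize | Out-Host

# Profiles that can execute tasks against monitored objects. Read-only and
# report operators cannot. Profile.Name values are an assumption; inspect
# (Get-SCOMUserRole)[0].Profile on your system to confirm the property shape.
$TaskCapableProfiles = @('Administrator', 'AdvancedOperator', 'Author', 'Operator')

'SCOM user roles whose members can run tasks on monitored servers:'
Get-SCOMUserRole |
    Where-Object { $TaskCapableProfiles -contains $_.Profile.Name } |
    Select-Object DisplayName,
                  @{ Name = 'Profile'; Expression = { $_.Profile.Name } },
                  @{ Name = 'Members'; Expression = { $_.Users -join ', ' } } |
    Format-Table -AutoSize -Wrap | Out-Host
```

Every account and group in the second table is, in practice, a domain admin for each server in the first table. The isolation principle from the talk follows directly: either the domain controllers are not managed by this management group, or the management group, its database, and every role listed here are treated as tier-0 assets.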