I gave a presentation at Defcon 21 on gaining domain admin by abusing commonly used management software:

https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Hendricks

The talk discussed domain controller isolation principles and how commonly used management software, such as System Center Operations Manager (SCOM), out-of-band management devices (e.g. HP iLO), Hyper-V, and security scanners, can be abused to gain access to domain controllers.

Here are the slides and videos from the talk:

Slides (outline of the deck):

So You Think Your Domain Controller Is Secure?
Justin Hendricks, Security Engineer, Twitter - @Script_happens

- Introduction
- Background (three slides)
- Monitoring Software
  - Abusing Functionality
  - SCOM SDK Architecture
  - Default SCOM Agent Credentials
  - Security Warnings
  - Demo
  - Recommendations
  - Detection and Evasion
  - SCOM Task History
- Out-Of-Band Management Devices
  - HP iLO Security Override Switch
  - OOB Device Default Passwords (table below)
  - Demo
  - Recommendations
- Hyper-V
  - Booting Into Linux Live Disc
  - Stealing NTDS.DIT and SYSTEM hive
  - Recommendations
- Vulnerability Scanners
- Conclusion
- Contact Info

Default credentials listed on the "OOB Device Default Passwords" slide:

| OOB Device | Default Username | Default Password |
|---|---|---|
| Dell Remote Access Card (DRAC) | root | Calvin |
| IBM Integrated Management Module (IMM) | USERID | PASSW0RD |
| HP Integrated Lights Out (iLO) | Administrator | <Random 8 char string> |
| Fujitsu Integrated Remote Management Controller | admin | admin |
| Supermicro IPMI (2.0) | ADMIN | ADMIN |
| Oracle/Sun Integrated Lights Out Manager (ILOM) | root | Changeme |
| ASUS iKVM BMC | admin | admin |

Videos (demo recordings from the talk):

- Using System Center Operations Manager to start a reverse shell and dump domain hashes
- Using HP Integrated Lights Out to boot into a Linux live disc and "Sticky Key" the server
- Using System Center Operations Manager to run an executable on a monitored server to dump hashes
- Using the System Center Operations Manager SDK to run arbitrary commands on monitored servers