I gave a presentation at Defcon 21 on gaining domain admin by abusing commonly used management software:
https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Hendricks
The talk discussed domain controller isolation principles and how commonly used management software like System Center Operations Manager (SCOM), Out-of-band management devices (ex. HP iLO), Hyper-V, and security scanners can be abused in order to gain access to domain controllers.
Here are the slides and videos from the talk:
So You Think Your Domain Controller Is Secure?
Justin Hendricks, Security Engineer
Twitter - @Script_happens
Introduction
Presentation covers basic domain controller isolation principles.
Recommendations for securely configuring software used to manage domain controllers (SCOM, HP iLO, and Hyper-V).
No vulnerabilities are discussed. Only demonstrations of how features could be abused if not configured properly.
Background
Domain Controllers
Handle authentication of domain accounts in Windows.
Store the password hashes for all domain accounts.
The crown jewels of the domain.
Recommendations for securing domains focus on pass-the-hash and account segmentation.
Software used to manage DCs is often overlooked.
Background
System Center Operations Manager (SCOM)
Software used to monitor server health.
Great SCOM security guide available:
Out-Of-Band Management Devices
Used to monitor and manage servers over the network regardless of the server state.
Guidance on securing OOB devices:
Background
Hyper-V
Windows Server virtualization software.
Running domain controllers in Hyper-V:
Monitoring Software
System Center Operations Manager (SCOM) is used for monitoring and alerting on server health.
The SCOM management server listens on TCP 5723 (the agent-to-management-server channel) and TCP 5724 (the SDK / Data Access service used by the console and the PowerShell module).
These ports are required to be open in order to pull data across environment boundaries, so firewalls are often configured to allow them.
A default Nmap scan does not check these ports.
The SCOM agent, which runs on every monitored server, typically runs as SYSTEM.
Abusing Functionality
SCOM "tasks" allow you to run scripts (VBScript) or executables on monitored servers.
Any account in the SCOM 'Administrators' or 'Authors' roles can create and run such a task against any monitored server.
The code runs under the SCOM agent, which is configured to run as SYSTEM by default.
SCOM servers that monitor domain controllers should therefore be treated as domain controllers.
SCOM SDK Architecture
Default SCOM Agent Credentials
Security Warnings
Many existing articles warn users of the dangers of running tasks under high-privileged accounts:
Demo
Creating SCOM tasks to run arbitrary code.
Recommendations
Segregate the SCOM servers used to monitor domain controllers.
Close off the SCOM management server ports (5723 and 5724) at environment boundaries.
Reduce the SCOM 'Administrators' and 'Authors' roles to only domain admins.
Move support staff and engineers to the 'Read-Only' or 'Operator' SCOM roles.
Reduce SCOM agent privileges (run the agent action account as a low-privilege account rather than SYSTEM where the management packs allow it).
Follow the official SCOM security guide:
Detection and Evasion
SCOM tasks should be audited to detect hidden malicious tasks.
SCOM stores task execution logs in the SCOM database.
Default retention is 7 days, but it can be changed.
SCOM SDK connections are logged in the "Operations Manager" event log.
SCOM Task History
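The role review and task-history audit that the Recommendations and Detection slides above call for, as an added example written for this page (it is not code from the talk). It assumes the OperationsManager PowerShell module (SCOM 2012 or later), an account holding at least the Read-Only Operator role, and that $ManagementServer and $AllowedAdmins are replaced with your own values; the task-result property names are noted in the comments as ones to confirm on your version.

```powershell
# Added example, not from the talk: audit (1) who sits in the SCOM
# Administrators/Authors roles and (2) which tasks ran recently, submitted by
# whom, against which agents, plus (3) recent SDK connections from the event log.
# $ManagementServer and $AllowedAdmins are assumptions for this example.
param(
    [string]   $ManagementServer = 'scom01.corp.example',
    [string[]] $AllowedAdmins    = @('CORP\Domain Admins'),
    [int]      $LookbackDays     = 7   # default task-result grooming window
)

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $ManagementServer | Out-Null

# (1) Role membership. Administrators and Authors can create tasks that the
# agent executes as SYSTEM on every monitored server, DCs included.
$privilegedRoles = Get-SCOMUserRole | Where-Object {
    $_.Name -in 'Operations Manager Administrators', 'Operations Manager Authors'
}
foreach ($role in $privilegedRoles) {
    foreach ($member in $role.Users) {
        if ($member -notin $AllowedAdmins) {
            Write-Warning "Unexpected principal '$member' in role '$($role.Name)'"
        }
    }
}

# (2) Task history from the OperationsManager database. Results are groomed
# after 7 days by default, so run this at least that often or raise retention.
# Property names (TaskId, TargetObjectId, SubmittedBy, RunningAs, Status,
# TimeScheduled) are those of the task result object; confirm with
# Get-SCOMTaskResult | Get-Member if your version differs.
$since     = (Get-Date).AddDays(-$LookbackDays)
$taskCache = @{}   # TaskId -> display name, avoids one SDK call per result

$history = Get-SCOMTaskResult | Where-Object { $_.TimeScheduled -ge $since } | ForEach-Object {
    $r = $_
    if (-not $taskCache.ContainsKey($r.TaskId)) {
        $t = Get-SCOMTask -Id $r.TaskId -ErrorAction SilentlyContinue
        $taskCache[$r.TaskId] = if ($t) { $t.DisplayName } else { "<task removed: $($r.TaskId)>" }
    }
    $target = Get-SCOMClassInstance -Id $r.TargetObjectId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        When        = $r.TimeScheduled
        Task        = $taskCache[$r.TaskId]
        Target      = if ($target) { $target.DisplayName } else { $r.TargetObjectId }
        SubmittedBy = $r.SubmittedBy
        RunningAs   = $r.RunningAs
        Status      = $r.Status
    }
}

$history | Sort-Object When -Descending | Format-Table -AutoSize

# A result whose task definition no longer exists deserves a look: the task
# (or the management pack carrying it) may have been deleted after it was used.
$history | Where-Object { $_.Task -like '<task removed*' } | ForEach-Object {
    Write-Warning "Task ran on $($_.Target), submitted by $($_.SubmittedBy), but its definition is gone"
}

# (3) SDK connections on the management server. The provider name
# 'OpsMgr SDK Service' is an assumption; adjust if your log shows another.
Get-WinEvent -ComputerName $ManagementServer -FilterHashtable @{
    LogName = 'Operations Manager'; ProviderName = 'OpsMgr SDK Service'; StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Schedule it from a host that is itself treated as a domain controller, since the account that can read task history can also see task output, which in the demo above includes dumped hashes.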
Out-Of-Band Management Devices
Servers usually have OOB management hardware used for server monitoring and maintenance.
HP Integrated Lights Out (iLO), Dell DRAC, IBM Integrated Management Module (IMM), etc.
Equivalent to physical access to a server.
Admin interface accessed over HTTP/HTTPS, SSH, IPMI.
Commonly have default passwords set.
Remote root vulnerabilities: difficult to patch.
HP ILO Security Override Switch
OOB Device Default Passwords
OOB Device                                        Default Username   Default Password
Dell Remote Access Card (DRAC)                    root               calvin
IBM Integrated Management Module (IMM)            USERID             PASSW0RD (digit zero, not the letter O)
HP Integrated Lights Out (iLO)                    Administrator      <random 8-character string printed on the server's iLO tag>
Fujitsu Integrated Remote Management Controller   admin              admin
Supermicro IPMI (2.0)                             ADMIN              ADMIN
Oracle/Sun Integrated Lights Out Manager (ILOM)   root               changeme
ASUS iKVM BMC                                     admin              admin
Demo
Using HP iLO to mount a Linux live disc.
Recommendations
Change default passwords.
Have a regular patching process for OOB devices.
Monitor audit logs for unauthorized access.
Configure 2FA when possible.
Set up a separate management VLAN for OOB devices.
SANS paper on securing OOB devices:
Hyper-V
Windows virtualization software that hosts virtual machines.
Administrator on the host (and membership in the local Hyper-V Administrators group) is equivalent to admin rights on all guest virtual machines.
A host admin can boot a domain controller VM into a Linux live disc, or copy its VHD file, to compromise the domain controller.
Booting Into Linux Live Disc
Stealing NTDS.DIT and SYSTEM hive
Recommendations
Segregate Hyper-V servers that host domain controllers.
Only domain admins should have access to Hyper-V servers hosting domain controllers and to the domain controller VHDs.
The host should be in a separate management network when possible.
Additional guidance:
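A check for the access rule in the recommendations above, as an added example written for this page (not from the talk): it lists who holds host-level admin rights and who can read the virtual disks of the domain controller VMs, then flags anything outside an allowed set. It assumes it runs elevated on the Hyper-V host with the Hyper-V PowerShell module present, and that $DcNamePattern and $AllowedPrincipals are adjusted to your naming and your domain.

```powershell
# Added example, not from the talk: on a Hyper-V host, flag principals that can
# administer the host or read DC virtual disks but are not domain admins.
# $DcNamePattern and $AllowedPrincipals are assumptions for this example.
param(
    [string]   $DcNamePattern     = '^DC\d+$',
    [string[]] $AllowedPrincipals = @(
        'CORP\Domain Admins', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    )
)

# Host admins and Hyper-V Administrators can attach a live-disc ISO to any VM
# or copy its VHD, so both groups must be domain-admin only on a DC host.
foreach ($group in 'Administrators', 'Hyper-V Administrators') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -notin $AllowedPrincipals) {
            Write-Warning "'$($_.Name)' is a member of local group '$group' on $env:COMPUTERNAME"
        }
    }
}

# Virtual disk ACLs. NTDS.dit and the SYSTEM hive live inside these files, so
# read access alone is enough to recover every domain hash offline.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = Get-VM | Where-Object Name -match $DcNamePattern | ForEach-Object {
    $vm = $_
    Get-VMHardDiskDrive -VMName $vm.Name | ForEach-Object {
        $path = $_.Path
        $acl  = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            # Hyper-V grants each VM its own "NT VIRTUAL MACHINE\<guid>" SID on
            # its disks; that is expected and not a human principal.
            if ($who -like 'NT VIRTUAL MACHINE\*') { continue }
            $canRead = (($ace.FileSystemRights -band $readMask) -ne 0)
            if ($ace.AccessControlType -eq 'Allow' -and $canRead -and $who -notin $AllowedPrincipals) {
                [pscustomobject]@{
                    VM        = $vm.Name
                    Disk      = $path
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

if ($exposed) { $exposed | Format-Table -AutoSize }
else          { "No DC virtual disk on $env:COMPUTERNAME is readable outside the allowed set." }
```

Inherited entries usually point at a permissive parent folder (the default VHD store is a common offender) rather than at the disk itself, so fix the folder ACL instead of the individual file. The same check applies to checkpoints and exported copies of the VM, which are just more files containing the same NTDS.dit.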
Vulnerability Scanners
Organizations typically perform authenticated vulnerability scanning.
The account used is typically very highly privileged and has admin access to domain controllers.
Scanner servers should be treated as domain controllers if they use domain admin credentials.
Conclusion
Management software and hardware is often highly privileged and can be abused if not properly secured.
Segregate management of domain controllers from other categories of servers.
Contact Info
Using System Center Operations Manager To Start a Reverse Shell and Dump Domain Hashes:
VIDEO
Using HP Integrated Lights Out To Boot Into a Linux Live Disc and “Sticky Key” the Server:
VIDEO
Using System Center Operations Manager To Run Executable On Monitored Server To Dump Hashes:
VIDEO
Using System Center Operations Manager SDK to Run Arbitrary Commands On Monitored Servers:
VIDEO