Thursday, October 1 • 2:00pm - 3:00pm
Leveraging IPv6 and Kerberos to Pwn Your Windows Environment in 15 Minutes - Nick Berrie - Assura


During a recent penetration testing engagement I was running out of ideas when it came to getting into the target’s Active Directory. The usual stuff wasn’t working – traditional NTLM relaying with Responder, privilege escalation within compromised devices, passing the hash, etc. That’s when I remembered working with an IPv6 DNS spoofing tool during a lab some time ago where I was able to chain a series of vulnerabilities together to get domain admin. I figured it was worth a shot. This proposal is an overview of that attack chain, why it is likely present in most environments, and what we as security practitioners can do to prevent it.
What I will discuss:
• Starting with Windows Server 2008/Windows 7, Microsoft has IPv6 enabled by default. IPv6 is also the preferred protocol over IPv4, meaning all DNS queries go there first.
• To prevent traditional Windows Proxy Auto Detection (WPAD) abuse, Microsoft implemented a mitigation in MS16-077 that prevents any device other than the DNS server from providing the WPAD.dat file to clients. Microsoft also prevents clients from automatically authenticating against NTLM requests with this patch.
• HTTP response code 407 “Proxy Authentication” elicits an NTLM authentication response from most modern browsers.
• By spoofing ourselves as the IPv6 DNS server, proxying traffic through the attacking device, and then serving a 407 “Proxy Authentication” response to the victim, we can successfully relay NTLM credentials in an otherwise secure environment.
Beyond explaining the above attack, I will explain how this can be leveraged with inherent Kerberos vulnerabilities to create the perfect storm – Domain Admin within 15 minutes.
After explaining the attack, I will explain root causes and the mitigations for such attacks.
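
A defender-side triage sketch for the two signals the bullets above describe: a client whose resolver list contains an unexpected IPv6 DNS server, and a 407 response offering NTLM from a host that is not a sanctioned proxy. This is an added example, not material from the talk; the allowlists, record field names and sample telemetry are all constructed assumptions.

```python
import ipaddress

# Assumed allowlists for this sketch; replace with your real resolvers and proxies.
APPROVED_DNS = {"10.0.0.10", "10.0.0.11"}
APPROVED_PROXIES = {"10.0.0.50"}

# Constructed sample telemetry (not from a real environment).
DNS_CONFIG = [
    {"host": "WS01", "dns_servers": ["10.0.0.10", "10.0.0.11"]},
    {"host": "WS02", "dns_servers": ["fe80::1c2d:3e4f:5a6b:7c8d", "10.0.0.10"]},
    {"host": "WS03", "dns_servers": ["10.0.0.10"]},
]
HTTP_EVENTS = [
    {"client": "WS01", "server": "10.0.0.50", "status": 407, "proxy_authenticate": "Negotiate, NTLM"},
    {"client": "WS02", "server": "10.0.0.77", "status": 407, "proxy_authenticate": "NTLM"},
    {"client": "WS03", "server": "10.0.0.80", "status": 200, "proxy_authenticate": ""},
]

def unexpected_ipv6_dns(configs, approved):
    """Hosts whose resolver list contains an IPv6 address that is not approved."""
    hits = {}
    for c in configs:
        for s in c["dns_servers"]:
            addr = ipaddress.ip_address(s.split("%")[0])  # drop any zone id
            if addr.version == 6 and str(addr) not in approved:
                hits.setdefault(c["host"], []).append(str(addr))
    return hits

def rogue_407_ntlm(events, proxies):
    """Clients that received a 407 offering NTLM from a non-approved server."""
    hits = {}
    for e in events:
        schemes = [x.strip().split(" ")[0].upper() for x in e["proxy_authenticate"].split(",")]
        if e["status"] == 407 and "NTLM" in schemes and e["server"] not in proxies:
            hits.setdefault(e["client"], []).append(e["server"])
    return hits

def triage(configs, events):
    """Correlate both signals: a host showing both is rated high, one alone medium."""
    dns = unexpected_ipv6_dns(configs, APPROVED_DNS)
    http = rogue_407_ntlm(events, APPROVED_PROXIES)
    findings = {}
    for host in sorted(set(dns) | set(http)):
        sev = "high" if host in dns and host in http else "medium"
        findings[host] = {"severity": sev, "dns": dns.get(host, []), "proxy": http.get(host, [])}
    return findings

if __name__ == "__main__":
    for host, finding in triage(DNS_CONFIG, HTTP_EVENTS).items():
        print(host, finding)
```
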

Thursday October 1, 2020 2:00pm - 3:00pm EDT
Room B