
Leveraging IPv6 and Kerberos to Pwn Your Windows Environment in 15 Minutes

Talk given by @berrie_nick at the VASCAN 2020 virtual conference on October 1, 2020, showing how to leverage inherent flaws in IPv6 and Kerberos to take over Active Directory quickly and efficiently.

Over time, attackers have had to create novel ways of exploiting Active Directory environments to bypass modern security controls. Most notably, many modern environments are not susceptible to LLMNR/NBT-NS poisoning attacks the way they used to be. This talk discusses how a penetration tester at Assura overcame this roadblock during a recent client engagement. It describes the “hacker’s” thought process when encountering a roadblock, and a series of minor vulnerabilities that, in combination, can lead to the total compromise of an Active Directory environment.

Specifically, some of the vulnerable areas discussed are IPv6 prioritization over IPv4, Windows Proxy Auto-Detection (WPAD), browser abuse (HTTP error 407 “Proxy authentication required”), computer account attributes in Active Directory, Kerberos abuse, and registry and memory attacks to gain access to password hashes.

Nick Berrie has worked in a range of industries including Customer Services, Corrections, Nuclear Energy, and now Information Security. This background provides Nick with an array of experiences and ways of thinking that lend themselves well to solving the complex problems presented during penetration testing, commonly referred to as “the hacker’s mentality.” Nick has been with Assura since 2018 as an Information Security Analyst and serves as the firm’s Lead Penetration Tester. Nick is a Certified Penetration Testing Professional (eCPPT) and also holds a CompTIA Security+. Nick has a Bachelor’s from Liberty University in Information Technology with a concentration in Cybersecurity and is currently pursuing a Master’s of Information Assurance with a concentration in Vulnerability Management from Norwich University in Vermont (expected June 2022).


by Assura, Inc.
