Ing. Ondřej Ševeček | GOPAS a.s. |
MCSM:Directory |MVP:Enterprise Security |
CEH:Certified Ethical Hacker |CHFI:Computer Hacking Forensic Investigator |
[email protected] |www.sevecek.com |
Infrastructure (in)security

Agenda

Where antimalware fails?
– Where admin fails!

Custom code
– Antimalware detects only well-known code signatures
  • heuristics?
– PowerShell, C#, ASP, …
– Take a look at this…
Limited user
– Hardware keylogger *
– Software keylogger *
  • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=416
– Never type sensitive passwords on insecure machines

What to do with a password?
– Check whether any other account has the same password *
  • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=387
– Never use the same password twice
UAC will keep me secure
– No
  • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=404
– It works only locally
  • code started manually *
– Do not work under sensitive accounts
– Use personal limited accounts

Those guys are local admins!
– Hack local admin *
  • system partition unencrypted
  • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=213
– Any workstation is compromised
– Encrypt system with BitLocker and TPM
  • users must not know the password
UAC will keep me secure
– No
– It works only locally
  • code injected through "autorun" *
– Do not work under sensitive accounts on insecure machines

Audit tools? Antimalware? Autoruns?
– do not verify PowerShell code *
– trust in what you yourself trust *
  • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=235
– Every tool can be fooled
Web servers, third party suppliers, local limited admins
– impersonation *
– basic delegation *
– Kerberos delegation *
  • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=101
– Never access applications with privileged accounts
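As an added example, not from the slides: a PowerShell audit (assuming the RSAT ActiveDirectory module on a domain-joined machine with read access to the domain) of the two sides of the impersonation risk above, which accounts are allowed to delegate Kerberos identities, and which Domain Admins are still delegatable when they log on to such a server.

```powershell
# Added example, not part of the talk: audit Kerberos delegation in AD.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bits as documented by Microsoft
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

$props = 'userAccountControl', 'msDS-AllowedToDelegateTo'

# Both computer and user/service accounts can carry delegation rights
$accounts = @(Get-ADComputer -Filter * -Properties $props) +
            @(Get-ADUser     -Filter * -Properties $props)

$delegators = foreach ($a in $accounts) {
    $uac  = [int]$a.userAccountControl
    $kind = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }
            elseif ($a.'msDS-AllowedToDelegateTo') { 'Constrained' }
            else { $null }
    if (-not $kind) { continue }
    [pscustomobject]@{
        Account            = $a.SamAccountName
        Delegation         = $kind
        ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        Targets            = ($a.'msDS-AllowedToDelegateTo' -join ';')
        IsDC               = ($a.DistinguishedName -like '*,OU=Domain Controllers,*')
    }
}

# Domain controllers are unconstrained by design; every other hit is a
# server whose owner could impersonate whoever authenticates to it.
"== Accounts allowed to delegate =="
$delegators | Where-Object { -not $_.IsDC } |
    Sort-Object Delegation, Account | Format-Table -AutoSize

# The other side of the risk: privileged users that are still delegatable.
# Members of Protected Users or accounts flagged "sensitive and cannot be
# delegated" cannot be impersonated this way even if they log on there.
"== Domain Admins that can still be delegated =="
$protected = (Get-ADGroupMember 'Protected Users' -Recursive).distinguishedName
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated -and
                   $protected -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName
```

Any non-DC account in the first list is a place where a privileged logon hands its identity to whoever controls that server; any account in the second list is one that should be in Protected Users or flagged as not delegatable.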
RDP is plain-text authentication
– Unfortunately
– passwords can be extracted from LSASS memory *
  • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=360
– Use MMC, RPC, DCOM, WMI, C$, Admin$, REGEDIT or SCCM Remote Tools instead
  • authenticates with Kerberos

LSASS extraction made nice
– Just let the admin access your web site
– passwords can be extracted from LSASS memory *
– Again, never access applications with privileged accounts
Stolen CA
– NTAuth CAs issue logon certificates independently from DCs
  • never appears on CRL *
– Do not let them take your CA

Thank you!
and also come to GOPAS:
– GOC169 - Auditing ISO/IEC 27001 and 27002
– GOC171 - Active Directory Troubleshooting
– GOC172 - Kerberos Troubleshooting
– GOC173 - Enterprise Cryptography and PKI
– GOC175 - Advanced Windows Security