Conference Talks – June 2021

This month, members of NCC Group will be presenting their work at the following conferences:

  • Dirk-Jan Mollema, “Walking your dog in multiple forests – Breaking AD Trust Boundaries Through Kerberos Vulnerabilities”, to be presented in a Black Hat Webcast (Virtual, June 3 2021)
  • Michael Gough, “Incident Response Fails – What we see with our clients, and their fails, preparation will save you a ton of $$$, heartache, maybe your sanity and job”, to be presented at BSides SATX (Virtual June 12th)
  • Balazs Bucsay, “SOCKS Over RDP and Citrix – How to Pentest over Jump Boxes”, to be presented at the Cyber Security Global Summit by Geekle (Virtual, June 29-30 2021)

Please join us!

Walking Your Dog in Multiple Forests – Breaking AD Trust Boundaries through Kerberos Vulnerabilities
Dirk-Jan Mollema
Black Hat Webcast – Virtual
June 3rd 2021

In larger enterprise environments multiple Active Directory forests are often in use to separate different environments or parts of the business. To enable integration between the different environments, forests trusts are set up. The goal of this trust is to allow users from the other forest to authenticate while maintaining the security boundary that an Active Directory forest offers.

In 2018, this boundary was broken through default delegation settings and Windows features with unintended consequences. In 2019 the security boundary was once again established through a set of changes in Active Directory. This research introduces a vulnerability in Kerberos and forest trusts that allows attackers to break the trust once again.

The talk will provide technical details on how Kerberos works over forest trusts and how the security boundary is normally enforced. Then the talk will discuss a flaw in how AD forest trusts operate and how this can be combined with a vulnerability in the Windows implementation of Kerberos to take over systems in a different forest (from a compromised trusted forest).

The talk will be accompanied by a proof-of-concept and a demonstration of abusing the vulnerability.

Incident Response Fails
Michael Gough
BSides SATX – Virtual
June 12th 2021

As an Incident Response Principal, we respond to our clients’ incidents and we see a pattern. I have done many a presentation from a Blue Team perspective recommending you do some things, so let’s take a look at what we regularly see that our clients fail at, that either caused the event, made it worse, or why it went undetected. This is a teaching moment that I want to share with you to take back to your organization to prepare for an inevitable event.

I talk about the 3 Cs’ Configuration, Coverage, and Completeness and this helps us to understand what kind of process that is needed to address the whole of the problem and how these map to your security program and why organizations suffer so badly during a security event.

How is your logging? Is it enabled? Configured to some best practice? (hopefully better than an industry standard that is seriously lacking). Have you enabled some critical logs that by default are NOT enabled? Do you have a way to run a command, script, or a favorite tool across one or all your systems and retrieve the results? What is that we Incident Responders need and use to investigate an incident and what are the typical recommendations we make to all our clients that they fail to do? Sadly a lot of what we need, you already have and is free, nothing to buy, just process and procedural improvements.

This talk will describe these things and how to prepare, and be PREPARED to do incident Response, or if you hire an outside firm, what they want and need too. The attendee can take the information from this talk and immediately start improving their environment to prepare for the inevitable, an incident.

SOCKS Over RDP and Citrix – How to Pentest over Jump Boxes
Balazs Bucsay
Cyber Security Global Summit by Geekle – Virtual
June 29-30 2021

In 2021, some penetration testers are still struggling with what should be basic tasks, such as testing over jump boxes; which is quite a common request from clients. Although there have been many attempts to try to solve this issue in different ways, there is nothing that could be used effectively from the perspective of time and effort. At the moment Balazs is assembling a tool that creates a virtual channel over an RDP connection and spins up a SOCKS5 proxy on a remote host, just like SSH’s –D switch. This solution could easily and effectively resolve the recurring pain points that penetration testers experience when trying to test via such restrictions.