[Dailydave] The fallacy of the domain

Dave Aitel dave at immunityinc.com
Wed Nov 19 12:35:59 EST 2014


Forever, it seems, attackers have been loving Windows networks because of
one thing: The domain server. The latest vulnerability Microsoft
hot-patched <https://support.microsoft.com/kb/3011780> demonstrates how
mind-blowingly critical any weakness in the domain server is: and
because they offer a lot of features, domain servers have always been
the exposed scrotum of any modern IT setup. This is why I always
recommend they have an El Jefe client
<http://immunityproducts.blogspot.com/2014/11/el-jefe-13-curious-case-of-3g-modem.html>
placed on them!

Often at Immunity we are boggled by what appears to be every single
domain's need for some craziness, like a daemon that runs as domain
admin on every user's machine. Or the need for the helpdesk to sign into
every machine every day and run some program.

Likewise, let's say you have a vulnerability in Windows 2012's SMB
stack. You can always use this same bug to talk directly to the domain
controller from the DMZ. Because otherwise, the boxes in the DMZ cannot
do authentication and your developers can't push new code.

With Windows 8.1, Microsoft has made themselves a domain server for all
Windows machines not on a domain, since you use your Windows account to
log in (essentially so they can also sell you useless games from the app
store - something no one does).

So in short, anyone with a Windows domain has had someone log onto it
(via a client-side or stolen password) and then get domain admin. The
new bug makes this easier, in some cases, but it's always been easy.

-dave
P.S. Don't forget now is a good time to submit a talk to INFILTRATE! We
are the only conference that does profit sharing with speakers!

