<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Forever, it seems, attackers have been loving Windows networks
because of one thing: the domain server. The <a
href="https://support.microsoft.com/kb/3011780">latest
vulnerability Microsoft hot-patched</a> demonstrates how
mind-blowingly critical any weakness in the domain server is: and
because they offer a lot of features, domain servers have always
been the exposed scrotum of any modern IT setup. This is why I
always recommend they have an <a
href="http://immunityproducts.blogspot.com/2014/11/el-jefe-13-curious-case-of-3g-modem.html">El
Jefe client</a> placed on them! <br>
<br>
Often at Immunity we are boggled by what appears to be every single
domain's need for some craziness, like a daemon that runs as domain
admin on every user's machine. Or the need for the helpdesk to sign
into every machine every day and run some program. <br>
<br>
Likewise, let's say you have a vulnerability in Windows 2012's SMB
stack. You can always use this same bug to talk directly to the
domain controller from the DMZ. Because otherwise, the boxes in the
DMZ cannot do authentication and your developers can't push new
code. <br>
<br>
With Windows 8.1, Microsoft has made themselves a domain server for
all Windows machines not on a domain, since you use your Windows
account to log in (essentially so they can also sell you useless
games from the app store - something no one does).<br>
<br>
So in short, anyone with a Windows domain has had someone log onto
it (via a client-side or stolen password) and then get domain admin.
The new bug makes this easier, in some cases, but it's always been
easy.<br>
<br>
-dave<br>
P.S. Don't forget, now is a good time to submit a talk to INFILTRATE!
We are the only conference that does profit sharing with speakers!<br>
<br>
<br>
</body>
</html>