Conference Talk – B-Sides London 2018

Earlier this year, I was honoured to be accepted to speak at Security B-Sides London 2018 on the Rookie track. I presented the research I completed for my Masters degree in the use of Unencrypted WiFi networks by business users. They recorded the session and it is now available on YouTube:

https://www.youtube.com/watch?v=00-jugDe1qM

My work builds on top of known attacks and existing software to attempt to establish whether or not it is possible to extract NetNTLM hashes from computers connected to unencrypted WiFi networks.

Slide Deck “How to: Actually attack computers at cafes”

Creating a new child domain – Microsoft Windows 2016 Server

Well that was several hours of my life I won’t get back.

TL;DR:

– Microsoft error messages still suck in Windows Server 2016
– Add the member server that will become the child-domain domain-controller to the parent domain before promoting it to a DC.

I was recently on a non-standard job. My client was interested in having a brand new Active Directory domain built to the best possible standards of information / “cyber” security. I haven’t done much blue-team work for a little while, but I am always up for a challenge and this felt like a good opportunity to get my head around some of the challenges of setting up Windows 2016. First of all, a side note: I hate Windows 2016 Core (aka non-GUI), I’m going to leave that there. Moving on…

For reasons that are not best described here, my client wants a siloed Active Directory domain architecture. Essentially, the ability to have different parts of the wider business belong to different container shells, whilst still having overarching control over the whole lot. This means a parent domain (or root, in *nix parlance) that sits at the top of the Active Directory forest hierarchy. Each child domain then inherits “stuff” (technical term) from the parent domain and can set its own controls. As a red-teamer, one goal in this scenario would be to become Enterprise Admin, as this is the group that by default is truly in charge.

Long story short, I battled for hours trying to work out how to get this Windows 2016 vanilla-build server to become a domain controller for a child domain within the forest. No joy. I kept getting a message “auth problem XXX”. Some research indicates that authentication has nothing to do with the problem, and that DNS is in fact the problem. Go Microsoft with the useful error messages! Having spent loads of time on the DNS configuration I got nowhere. I tried everything from the obvious (pointing the child at the parent for DNS) to manually making DNS zones on the parent and child, and everything in between. Literally hours of different combinations and I was still not getting anywhere.

I wish I could claim that this was my idea; however, in a state of despair, I called a friend and explained the situation. His response was “Well you have tried everything I would have thought of and I’ll be honest, I’ve never done it before so I am not sure….” He trailed off, and as I was responding he suddenly interrupted me saying “have you joined the server that will become the child domain controller to the parent domain and then tried promoting it?”. The answer was no. At first glance this doesn’t make much sense, as you are trying to add the machine to a sub-domain; however, when you think a little deeper it does make sense – the child would then appear correctly in DNS on the parent DNS service, and the two would already have a basic trust relationship in place, making authentication “easier”.

So the very short version, to create a new child-domain domain-controller, add the member server that will be promoted to the parent domain first.
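The two-stage procedure above as PowerShell, added here as an example and not taken from the original post. The parent forest root “corp.example”, the child name “eng”, and the account names are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Assumed names:
#   parent forest root: corp.example   new child domain: eng.corp.example
# Run elevated on the freshly built member server; a reboot separates the two stages.

# Stage 1: join the future child DC to the PARENT domain first, so it gets a
# machine account and an A record in the parent's DNS (the point of the post).
Add-Computer -DomainName 'corp.example' `
    -Credential (Get-Credential 'CORP\Administrator') `
    -Restart

# Stage 2 (after the reboot): install AD DS and promote to a child-domain DC.
# The credential used here must be a member of Enterprise Admins in the parent.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$dsrm  = Read-Host -AsSecureString 'DSRM (safe mode) password'
$creds = Get-Credential 'CORP\Administrator'

# Dry run: checks the DNS and authentication prerequisites without changing anything,
# which surfaces the real cause before the "auth problem" style errors appear.
Test-ADDSDomainInstallation -NewDomainName 'eng' -ParentDomainName 'corp.example' `
    -DomainType ChildDomain -Credential $creds -SafeModeAdministratorPassword $dsrm

# Promotion: creates the child domain, installs DNS on it and adds the delegation
# for eng.corp.example in the parent zone so name resolution works from the start.
Install-ADDSDomain -NewDomainName 'eng' -ParentDomainName 'corp.example' `
    -DomainType ChildDomain -NewDomainNetbiosName 'ENG' `
    -InstallDns -CreateDnsDelegation `
    -Credential $creds -SafeModeAdministratorPassword $dsrm -Force
```

Keep the DSRM password in your break-glass store; it is the only way into the new DC if the child domain's directory service ever fails to start.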

Machine rebooting, rather than powering off after poweroff command

Mostly just a post so I don’t lose this information again in the future…  I have a headless machine that I use as a file server amongst other things and I have found that after a system update it now reboots after a two second delay when issued with the “poweroff” command.  This post is the answer:

http://askubuntu.com/a/294086

The article is a bit out-of-date and not directly relevant to my circumstances, but the script provided works perfectly:

#!/bin/bash
# Runs at shutdown (rc0.d). Forces every device's runtime power management
# back to "on" so the firmware does not wake the box and turn poweroff into a reboot.

case "$1" in
stop)
    for i in /sys/bus/*/devices/*/power/control ; do
        echo on > "$i" 2>/dev/null
    done
    ;;
esac

exit 0

Put this in “/etc/rc0.d/K32power-control-on” and give it execute permissions and it works like a charm.  Many thanks to the user “Inspired”.