AD and DNS: A Match Made in Heck – Jim Sykora and Jake Hildreth
October 19 @ 11:00 am – 11:50 am MDT
Presented by: Jim Sykora & Jake Hildreth
Since the mid-80s, the Domain Name System (DNS) has been instrumental in improving the usability of computer networks and the Internet. In 2000, Microsoft released Active Directory (AD), which combined DNS with a Lightweight Directory Access Protocol (LDAP) database and Kerberos authentication to create a unified directory service platform. Since AD’s release, the fates of AD and DNS have been linked. In fact, you might say they are married. In this talk, we will discuss existing DNS attacks that can be used to compromise AD and the ways to mitigate AD-specific DNS vulnerabilities.
Initially, we will talk about something OLD: Kevin Robertson’s research into attacking DNS and the tool he created for this purpose: PowerMAD. Next, we will move on to something BORROWED: Dirk-jan Mollema and Elad Shamir have done extensive research into Resource-Based Constrained Delegation. We will borrow some of this research to see how it can be applied to creating and modifying DNS records.
After discussing the existing research and our extensions to it, we move on to something NEW: a tool! We plan to release a tool later this year that will scan a network’s AD-integrated (ADI) DNS servers, identify the most common DNS vulnerabilities, and provide guidance on resolving the issues. Lastly, we will discuss something BLUE: We will walk through the process of integrating DNS logs into a Security Information and Event Management (SIEM) system – likely Azure Sentinel.
Jim Sykora is a Security Consultant at Trimarc Security, LLC. Jim has been doing sysadmin work & exposing security issues since the Apple IIe was new. Lumberjack of all trades, master of none. Jim worked at schools, ISPs, lumber yards, truck driving, MSPs, and financial institutions before starting to blend operational experience with security knowledge & rampant curiosity at Trimarc where he focuses primarily on identity security. In his free time, he enjoys thinking about new hobbies and spending time with family.
Jake Hildreth is the Active Directory Security Assessment Service Lead at Trimarc Security, LLC and maintainer of Locksmith, an open-source AD Certificate Services remediation tool. As a recovering sysadmin with over 20 years of wide-ranging experience in information technology, he’s configured, administered, or supported almost every technology used by small and medium businesses. His day-to-day work at Trimarc focuses on assessing the security of Active Directory configurations for Fortune 500 companies to help secure their environments. He currently holds the CISSP and Security+ certifications.