5MCT - The Backup Operators Guide to the Galaxy
Dave Mayer specializes in red teaming and penetration testing. This talk grew out of a pen test in which only a limited number of ports (135, 139, and 445) were reachable on a domain controller. Null sessions were identified, the domain users were dumped, and the only account recovered was a member of the Backup Operators security group. Typically these accounts have been around for years, haven’t had their password changed since creation, are used to back up a large number of systems across the domain, and may have been migrated from one backup solution to another. Let’s look at how to abuse these permissions to obtain unauthorized access.
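The talk's starting point is a long-lived, rarely rotated account sitting in Backup Operators. The following audit script is an added example, not material from the talk or its author: it enumerates the Backup Operators group and flags the profile described above (enabled, password unchanged since creation, password never expiring, or older than a chosen threshold). It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller has read access to the domain, and that 365 days is an acceptable staleness threshold; both the threshold and the output path are assumptions you would adjust.

```powershell
<#
  Added example (not from the talk): audit Backup Operators membership for the
  stale, long-lived accounts the talk describes.
  Assumptions: ActiveDirectory module (RSAT) available; domain read access;
  365 days as the staleness threshold; report written to the current directory.
#>
param(
    [int]$MaxPasswordAgeDays = 365,                       # assumed threshold
    [string]$ReportPath = '.\backup-operators-audit.csv'  # assumed output path
)

Import-Module ActiveDirectory -ErrorAction Stop

$now = Get-Date

# Resolve nested membership so accounts added via other groups are not missed.
$members = Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties `
        PasswordLastSet, LastLogonDate, Enabled, whenCreated, PasswordNeverExpires

    # PasswordLastSet is null when the password must be changed at next logon
    # or was never set; treat that as unknown rather than as fresh.
    $pwdAgeDays = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { $null }

    # "Never changed since creation": last set within an hour of account creation.
    $neverChanged = $false
    if ($u.PasswordLastSet -and $u.whenCreated) {
        $neverChanged = ($u.PasswordLastSet - $u.whenCreated).TotalHours -lt 1
    }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        Created              = $u.whenCreated
        PasswordLastSet      = $u.PasswordLastSet
        PasswordAgeDays      = $pwdAgeDays
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLogonDate        = $u.LastLogonDate
        NeverChanged         = $neverChanged
        Stale                = ($null -eq $pwdAgeDays) -or ($pwdAgeDays -gt $MaxPasswordAgeDays)
    }
}

# Accounts matching the risky profile: enabled and stale, unchanged, or non-expiring.
$flagged = $report | Where-Object {
    $_.Enabled -and ($_.Stale -or $_.NeverChanged -or $_.PasswordNeverExpires)
}

$report  | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$flagged | Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("Backup Operators members (users): {0}; flagged: {1}; report: {2}" -f `
    @($report).Count, @($flagged).Count, $ReportPath)
```

Run it from a domain-joined host as a reader of the domain; the CSV lists the accounts whose password age or never-expires flag matches the profile in the talk, so the remediation is a rotation schedule for those accounts and removal of any that no longer back anything up. The other control implied by the scenario is the enumeration path itself: the account was found through a null session on the domain controller, so anonymous SAM and share enumeration should be disabled there as well.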