Here Be Dragons: The Unexplored Land of Active Directory ACLs

Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.

See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4

  1. About Us: Andy • Job: Adversary Resilience Lead at Specter Ops • Tool creator/dev: BloodHound • Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress • Trainer: Black Hat USA, Black Hat Europe, Adversary Tactics: Red Team Operations • Twitter: @_wald0
  2. About Us: Rohan • Job: Director of Technology at Specter Ops • Tool creator/dev: BloodHound, EyeWitness, Empire, etc. • Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDE • Trainer: Black Hat USA • Twitter: @CptJesus
  3. About Us: Will • Job: Offensive Engineer at Specter Ops • Tool creator/dev: BloodHound, Veil-Framework, PowerView, PowerUp, Empire • Presenter: Cons on cons on cons • Trainer: Black Hat USA, Adversary Tactics: Active Directory, Adversary Tactics: Red Team Operations • Twitter: @harmj0y
  4. Outline • Prior Work • Why care about this? • ACL Background • Abuse Primitives • Finding Misconfigs and Attack Paths • BloodHound Interface Demo • Complex ACL Attack Path Demo
  5. Prior Work
  6. Prior Work • Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs (John Dunagan, Alice X. Zheng, Daniel R. Simon) http://bit.ly/2qG0OvE • Active Directory Control Paths (Lucas Bouillot, Emmanuel Gras, Geraud de Drouas) http://bit.ly/1pBc8FN
  7. Prior Work • Active Directory ACL Scanner (Robin Granberg) http://bit.ly/2faPdkz • Airbus BTA (Philippe Biondi, Joffrey Czarny) http://bit.ly/2faFFpX • Several AD ACL related blog posts (Sean Metcalf) https://adsecurity.org/?tag=ad-acls
  8. Why care?
  9. Why care? (part I) • Lack of awareness of the impact of third-party software/sysadmins • “Misconfiguration debt” from earlier installs, sometimes dating back to when your domain was stood up • General lack of defender awareness of the impact/importance • Difficulty of auditing (especially at scale)
  10. Why care? (part II) • Any authenticated user (by default) can enumerate these DACLs • Communication in nearly all cases is limited to the DC • Execution may not require pivoting to other systems at all! • A completely different forensic profile, one that most orgs are not prepared for
  11. ACL Background
  12. ACL Background • All securable objects in Windows and Active Directory have a Security Descriptor • The Security Descriptor has a DACL and a SACL • The DACL is populated by ACEs, which define what permissions other objects do or do not have against the object
  13. ACL Background • Those are just the very basic moving parts of ACLs and the Windows security model • For far more in-depth info, see our 67-page white paper from Black Hat this year: https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
  14. Abuse Primitives
  15. ForceChangePW • The ability to change a user's password without knowing the current password • Abuse cmdlet: Set-DomainUserPassword • Cleanup method: mimikatz lsadump::setntlm
  16. AddMembers • The ability to add any other user, group, or computer to a group • Abuse cmdlet: Add-DomainGroupMember • Cleanup cmdlet: Remove-DomainGroupMember
  17. GenericAll • Full object control over user and group objects • Abuse cmdlets: Add-DomainGroupMember, Set-DomainUserPassword, Set-DomainObject & Kerberoast • Cleanup cmdlets and method: Remove-DomainGroupMember, mimikatz lsadump::setntlm, Set-DomainObject -Clear
  18. GenericWrite • The ability to write any object property value • Abuse cmdlets: Add-DomainGroupMember, Set-DomainObject & Kerberoast • Cleanup cmdlets and method: Remove-DomainGroupMember, Set-DomainObject -Clear
  19. WriteOwner • The ability to grant object ownership to another principal • Abuse cmdlet: Set-DomainObjectOwner • Cleanup cmdlet: Set-DomainObjectOwner (back to what it was before)
  20. WriteDACL • The ability to add a new ACE to the object’s DACL • Abuse cmdlet: Add-DomainObjectACL • Cleanup cmdlet: Remove-DomainObjectACL
  21. AllExtendedRights • The ability to perform any “extended right” function • Abuse cmdlets: Add-DomainGroupMember, Set-DomainUserPassword, Set-DomainObject & Kerberoast • Cleanup cmdlets and method: Remove-DomainGroupMember, mimikatz lsadump::setntlm, Set-DomainObject -Clear
  22. Finding Misconfigs and Attack Paths
  23. Finding Attack Opportunities • How to use PowerView for singular object ACL inspection (the domain object is a good candidate here) • How to use the SharpHound collector to gather ACLs for all objects • How to use BloodHound to find attack paths
  24. Finding Attack Opportunities • While graph theory is the best approach for modeling the entire system, one-off analysis can still be useful • PowerView’s Get-DomainObjectAcl is our go-to for specific object enumeration and verification of BloodHound results • -ResolveGuids helps resolve GUID rights to human-readable form :)
  25. Who can DCSync?
  26. Foreign GPO Edit Rights
  27. SharpHound • A complete rewrite of the PowerShell ingestor into C# • Lots of new features • Massive performance increases • Lots of bugs fixed • Completely fixed memory usage (200-250 MB tops)
  28. SharpHound • More and better threading! • Modular stealth enumeration! • Session looping • Caching • Progress output! (!!!!!!!!) • Locale-independent local admin enumeration
  29. SharpHound – Speed Improvements
  30. SharpHound • For a full technical write-up and usage guide, see Rohan’s blog post here: http://bit.ly/2xVVoVc
  31. Old Ingestor vs. New Ingestor (comparison chart)
  32. Special Shoutout • Thank you to all the users in the BloodHound Slack channel participating in the beta. Your help has been invaluable!
  33. Interface Demo
  34. https://youtu.be/BAEfEdNWij0
  35. Attack Path Demo
  36. https://youtu.be/5USRboxxYUo
  37. Future Work • More options for taking over computer objects • Set a temporary fine-grained password policy on a single user to bypass NT history and minimum age check • GPOs…soon!
  38. Thank You! • We are @_wald0, @CptJesus and @harmj0y - https://www.specterops.io • Thank you to the BloodHound community for your support, ideas and beta testing of SharpHound. Get BloodHound at https://bit.ly/GetBloodHound and SharpHound at http://bit.ly/SharpHound • Join the BloodHound Slack at https://bloodhoundgang.herokuapp.com
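The single-object inspection that slides 23 to 25 describe (who holds DCSync rights on the domain head), as an added example that is not code from the talk, PowerView or BloodHound: it walks the domain object's DACL with the built-in System.DirectoryServices classes instead of Get-DomainObjectAcl and reports every ACE that is sufficient for DCSync. The replication extended-right GUIDs are the schema's well-known values; the function name Get-DcSyncCapableAces is my own.

```powershell
# Added example (not from the talk, PowerView or BloodHound): list every principal whose
# ACE on the domain head is sufficient for DCSync, using only built-in .NET classes.
# Any authenticated domain user can read this DACL, which is the point of slide 10.
Add-Type -AssemblyName System.DirectoryServices

# Well-known schema GUIDs for the replication extended rights.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncCapableAces {   # hypothetical name, defined only here
    param([string]$DistinguishedName = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Keep identities as SIDs so ACEs for deleted or foreign principals are not silently dropped.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $guid = $ace.ObjectType.ToString()
        $why  = $null
        if ($ace.ActiveDirectoryRights.HasFlag($all)) {
            $why = 'GenericAll (implies every extended right)'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($ext)) {
            # An ExtendedRight ACE with an empty ObjectType is AllExtendedRights (slide 21).
            if ($guid -eq [guid]::Empty.ToString()) { $why = 'AllExtendedRights' }
            elseif ($ReplRights.ContainsKey($guid))  { $why = $ReplRights[$guid] }
        }
        if (-not $why) { continue }

        # Resolve the SID to a name when possible; fall back to the raw SID.
        $name = $ace.IdentityReference.Value
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch {}

        [pscustomobject]@{ Principal = $name; Sid = $ace.IdentityReference.Value; Right = $why; Inherited = $ace.IsInherited }
    }
}

# On a stock domain only the built-in admin and domain controller groups should appear;
# anything else is a DCSync path that needs an owner and an explanation.
Get-DcSyncCapableAces | Sort-Object Principal, Right -Unique | Format-Table -AutoSize
```

It reports direct ACEs on the domain head only; it does not expand group membership or follow WriteOwner/WriteDACL chains, which is exactly the multi-hop reasoning the slides leave to BloodHound's graph.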