How Graphs Changed The Way Hackers Attack

In April of 2015, John Lambert illustrated why hackers consistently defeat network security measures, stating: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."

One year later, Rohan Vazarkar, Will Schroeder, and I released BloodHound at the DEF CON 24 hacker convention. BloodHound is a free and open source tool that uses graph theory to show how attackers breach and take over modern corporate networks.

Since its release, BloodHound has changed how professional offensive consultants and network defenders view these attack paths, using Neo4j to discover in seconds what used to take days or weeks manually.

With some information about the network — Who's logged in where? Who can administer what? Who's in what groups? Who has control over what objects? — we can model how attackers choose their targets.

The BloodHound attack graph exposes the hidden and often unintended relationships that may lead to Domain Admin, the keys to the kingdom in almost every corporate network in the world.

In this talk, we will show, with live demonstrations, the full history and evolution of BloodHound, starting with the frustrations of hacking without an attack graph, covering the spark that led us to an automated graph theory approach, building upon existing tools and tradecraft to create BloodHound, and capping off with BloodHound's newest improvements, schema additions, and future features.

Finally, see how defenders use BloodHound to gain critical insights from the attack graph; we're the good guy kind of hackers, after all.

Published in: Technology

  1. How Graphs Changed the Way Hackers Attack (Andy Robbins)
  2. Agenda
     • Prior Work
     • How Hackers Attack Corporations
     • The Post-Exploitation Problem
     • BloodHound
     • Future Work
     • Acknowledgements and Conclusion
  3. About Me
     • Job: Adversary Resilience Lead at SpecterOps
     • Background: Professional penetration tester/red teamer for 5 years
     • Speaker: BlackHat USA, DEF CON, ISSA International, ISC2 World Congress, ekoparty, Paranoia
     • Trainer: BlackHat USA, BlackHat Europe, Private Offerings
  4. About Us: BloodHound Co-creators
     • Rohan Vazarkar (@CptJesus), Senior Red Teamer at SpecterOps
     • Will Schroeder (@harmj0y), Offensive Capability Engineer at SpecterOps
  5. Prior Work
  6. http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf
  7. https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/
  8. https://blogs.technet.microsoft.com/pfesweplat/2017/01/28/forensics-active-directory-acl-investigation/
  9. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” (John Lambert, General Manager, Microsoft Threat Intelligence Center)
  10. How Hackers Attack Corporations
  11. How Hackers Attack Corporations: typical stages of an attack
     1. Recon
     2. Initial Access
     3. Post-Exploitation
     4. Exfiltration
  12. Recon
  13. Initial Access
  14. Attacker, Target (diagram)
  15. Attacker, Target (diagram)
  16. Attacker, Target, Workstation (diagram)
  17. Attacker, Target, Workstation, HTTPS (diagram)
  18. Post Exploitation
  19. Three Vital Tools
     • PowerView by Will Schroeder
     • Mimikatz by Benjamin Delpy
     • Beacon/Empire/Meterpreter
  20. Image: https://www.adsecurity.org
  21. Attacker, Target, Workstation, HTTPS, SMB (diagram)
  22. Exfiltration
  23. Attacker, Target, Workstation, HTTPS, SMB, Exfil (diagram)
  24. The Post-Exploitation Problem
  25. The Post-Exploitation Problem
     • Exploits are risky
     • Situational awareness is time consuming
     • Effective privileges are complex
     • But a common, reliable pattern emerged…
  26. DA and user nodes (diagram)
  27. BloodHound
  28. The BloodHound Graph Design
     • Design considerations: security group delegation, user credential theft, user credential availability
     • Design goals: keep it simple; keep it flexible enough for future nodes/edges
  29. The BloodHound Graph Design (http://www.apcjones.com/arrows/#)
  30. Basic Queries
  31. Basic Queries
  32. Data Collection: SharpHound
     • Written by Rohan Vazarkar, based on the original PowerShell collector by Will Schroeder
     • C# compiled binary (or PowerShell script) uses built-in Windows API function calls
     • Collects data from Domain Controllers and domain-joined workstations and servers
     • By default, any user can collect this information!
  33. Data Analysis: The BloodHound UI
     • Built with Linkurious
     • Compiled into an Electron app
     • Interfaces with Neo4j via the Neo4j JS driver
     • Chunked CSV import via UI
     • Cypher query modal enables custom one-off queries in the BloodHound UI
  34. Data Analysis: The BloodHound UI
  35. Attack Path Automation
     • GoFetch by Tal Maor and Itai Grady: https://github.com/GoFetchAD/GoFetch
     • AngryPuppy by Calvin Hedler and Vincent Yiu: https://github.com/vysec/ANGRYPUPPY
     • The Industrial Revolution of Lateral Movement by Tal Be’ery and Tal Maor: https://www.blackhat.com/docs/us-17/thursday/us-17-Beery-The-Industrial-Revolution-Of-Lateral-Movement.pdf
  36. BloodHound 1.3
     • Added 7 edge types to the graph design
     • This resulted in databases with 10x the number of edges as before
     • Some performance impact (as expected), but we have some ideas for this
     • Number of attack paths exploded
  37. http://www.apcjones.com/arrows/#
  38. http://www.apcjones.com/arrows/#
  39. For more about BloodHound 1.3, see our DerbyCon talk here: https://goo.gl/82RsjT
  40. BloodHound 1.4
     • Started adding much more information to each node type
     • This enables extremely interesting analytic queries for us
     • “Of all the users with a path to Domain Admin, which have the oldest passwords?”
     • “Find me an attack path that does NOT require going through a Windows server”
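A runnable sketch of the graph design from slide 28 and the two analytic questions slide 40 poses, added here as an example; it is not BloodHound's own code (BloodHound answers these as Cypher queries against Neo4j). The edge names MemberOf, AdminTo and HasSession are BloodHound's original edge types; every node, edge, OS value and password age below is constructed.

```python
from collections import deque
# Constructed sample graph using BloodHound's original edge types: (source, edge, target).
# MemberOf = group delegation, AdminTo = local admin rights, HasSession = creds on a host.
EDGES = [
    ("alice@corp", "MemberOf", "HELPDESK@corp"),
    ("HELPDESK@corp", "AdminTo", "WS01.corp"),
    ("WS01.corp", "HasSession", "bob@corp"),
    ("bob@corp", "MemberOf", "SERVER ADMINS@corp"),
    ("SERVER ADMINS@corp", "AdminTo", "SRV01.corp"),
    ("SRV01.corp", "HasSession", "carol@corp"),
    ("carol@corp", "MemberOf", "DOMAIN ADMINS@corp"),
    ("dave@corp", "AdminTo", "WS02.corp"),
    ("WS02.corp", "HasSession", "carol@corp"),
]
# Constructed node properties in the spirit of BloodHound 1.4 (hypothetical values).
NODE_OS = {"WS01.corp": "Windows 10", "WS02.corp": "Windows 10", "SRV01.corp": "Windows Server 2016"}
PWD_LAST_SET_DAYS = {"alice@corp": 30, "bob@corp": 400, "carol@corp": 90, "dave@corp": 900}
DA = "DOMAIN ADMINS@corp"

def adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj

def shortest_path(adj, start, goal=DA, avoid=lambda n: False):
    """BFS over typed edges; returns [(node, edge, node), ...] or None. `avoid` skips
    intermediate nodes such as Windows servers (slide 40's second query)."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:  # walk parent pointers back to start
            path, cur = [], node
            while parent[cur]:
                prev, rel = parent[cur]
                path.append((prev, rel, cur))
                cur = prev
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent and (nxt == goal or not avoid(nxt)):
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def is_windows_server(node):
    return NODE_OS.get(node, "").startswith("Windows Server")

def oldest_password_with_path_to_da(adj):
    """Slide 40's first query: of the users that can reach DA, who has the stalest password?"""
    reachable = [u for u in PWD_LAST_SET_DAYS if shortest_path(adj, u) is not None]
    return max(reachable, key=PWD_LAST_SET_DAYS.get) if reachable else None
```

In this constructed graph alice reaches DA only through the server SRV01, so the server-free query returns nothing for her, while dave reaches DA in three hops via a workstation session.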
  41. Future Additions
  42. GPO/OU Nodes & Relationships
  43. GPO/OU Nodes & Relationships
  44. GPO/OU Nodes & Relationships
  45. GPOs applied to an object
  46. GPOs applied to an object
  47. Acknowledgements
     • Sam Briesemeister for introducing me to graph theory!
     • Michael Hunger and Max De Marzi at Neo4j
     • David Rapin, Jean Villedieu and Sébastian Heymann at Linkurious
  48. Thank you!
     • Andy Robbins, Twitter: @_wald0
     • Co-creators: Rohan Vazarkar and Will Schroeder, Twitter: @CptJesus @harmj0y
     • https://www.specterops.io
