
How Graphs Changed The Way Hackers Attack


In April of 2015, John Lambert illustrated why hackers consistently defeat network security measures, stating: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."

One year later, Rohan Vazarkar, Will Schroeder, and I released BloodHound at the DEF CON 24 hacker convention. BloodHound is a free and open source tool that uses graph theory to show how attackers breach and take over modern corporate networks.

Since its release, BloodHound has changed how professional offensive consultants and network defenders view these attack paths, using Neo4j to discover in seconds what used to take days or weeks manually.

With some information about the network — Who's logged in where? Who can administer what? Who's in what groups? Who has control over what objects? — we can model how attackers choose their targets.

The BloodHound attack graph exposes the hidden and often unintended relationships that may lead to Domain Admin, the keys to the kingdom in almost every corporate network in the world.

In this talk, we will show, with live demonstrations, the full history and evolution of BloodHound, starting with the frustrations of hacking without an attack graph, covering the spark that led us to an automated graph theory approach, building upon existing tools and tradecraft to create BloodHound, and capping off with BloodHound's newest improvements, schema additions, and future features.

Finally, see how defenders use BloodHound to gain critical insights from the attack graph: we're the good-guy kind of hackers after all.


  1. How Graphs Changed the Way Hackers Attack
     Andy Robbins
  2. Agenda
     • Prior Work
     • How Hackers Attack Corporations
     • The Post-Exploitation Problem
     • BloodHound
     • Future Work
     • Acknowledgements and Conclusion
  3. About Me
     • Job: Adversary Resilience Lead at SpecterOps
     • Background: Professional penetration tester/red teamer for 5 years
     • Speaker: BlackHat USA, DEF CON, ISSA International, ISC2 World Congress, ekoparty, Paranoia
     • Trainer: BlackHat USA, BlackHat Europe, Private Offerings
  4. About Us
     • BloodHound Co-creators:
       • Rohan Vazarkar - @CptJesus
         Job: Senior Red Teamer at SpecterOps
       • Will Schroeder - @harmj0y
         Job: Offensive Capability Engineer at SpecterOps
  5. Prior Work
  6. http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf
  7. https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/
  8. https://blogs.technet.microsoft.com/pfesweplat/2017/01/28/forensics-active-directory-acl-investigation/
  9. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
     - John Lambert, General Manager, Microsoft Threat Intelligence Center
  10. How Hackers Attack Corporations
  11. How Hackers Attack Corporations
     • Typical stages of an attack:
       1. Recon
       2. Initial Access
       3. Post-Exploitation
       4. Exfiltration
  12. Recon
  13. Initial Access
  14. (diagram) Attacker, Target
  15. (diagram) Attacker, Target
  16. (diagram) Attacker, Target, Workstation
  17. (diagram) Attacker, Target, Workstation, HTTPS
  18. Post Exploitation
  19. Three Vital Tools
     • PowerView by Will Schroeder
     • Mimikatz by Benjamin Delpy
     • Beacon/Empire/Meterpreter
  20. Image: https://www.adsecurity.org
  21. (diagram) Attacker, Target, Workstation, HTTPS, SMB
  22. Exfiltration
  23. (diagram) Attacker, Target, Workstation, HTTPS, SMB, Exfil
  24. The Post-Exploitation Problem
  25. The Post-Exploitation Problem
     • Exploits are risky
     • Situational awareness is time consuming
     • Effective privileges are complex
     • But a common, reliable pattern emerged…
  26. (diagram) DA surrounded by user nodes
  27. BloodHound
  28. The BloodHound Graph Design
     • Design considerations:
       • Security group delegation
       • User credential theft
       • User credential availability
     • Design goals:
       • Keep it simple
       • Keep it flexible enough for future nodes/edges
  29. The BloodHound Graph Design
     http://www.apcjones.com/arrows/#
  30. Basic Queries
  31. Basic Queries
  32. Data Collection: SharpHound
     • Written by Rohan Vazarkar, based on original PowerShell collector by Will Schroeder
     • C# compiled binary (or PowerShell script) uses built-in Windows API function calls
     • Collects data from Domain Controllers and domain-joined workstations and servers
     • By default, any user can collect this information!
  33. Data Analysis: The BloodHound UI
     • Built with Linkurious
     • Compiled into an Electron app
     • Interface with Neo4j via the Neo4j JS driver
     • Chunked CSV import via UI
     • Cypher query modal enables custom one-off queries in the BloodHound UI
  34. Data Analysis: The BloodHound UI
  35. Attack Path Automation
     • GoFetch by Tal Maor and Itai Grady
       https://github.com/GoFetchAD/GoFetch
     • AngryPuppy by Calvin Hedler and Vincent Yiu
       https://github.com/vysec/ANGRYPUPPY
     • The Industrial Revolution of Lateral Movement by Tal Be’ery and Tal Maor
       https://www.blackhat.com/docs/us-17/thursday/us-17-Beery-The-Industrial-Revolution-Of-Lateral-Movement.pdf
  36. BloodHound 1.3
     • Added 7 edge types to the graph design
     • This resulted in databases with 10x the number of edges as before
     • Some performance impact (as expected), but we have some ideas for this
     • Number of attack paths exploded
  37. http://www.apcjones.com/arrows/#
  38. http://www.apcjones.com/arrows/#
  39. For more about BloodHound 1.3, see our DerbyCon talk here: https://goo.gl/82RsjT
  40. BloodHound 1.4
     • Started adding much more information to each node type
     • This enables extremely interesting analytic queries for us
       • “Of all the users with a path to Domain Admin, which have the oldest passwords?”
       • “Find me an attack path that does NOT require going through a Windows server”
  41. Future Additions
  42. GPO/OU Nodes & Relationships
  43. GPO/OU Nodes & Relationships
  44. GPO/OU Nodes & Relationships
  45. GPOs applied to an object
  46. GPOs applied to an object
  47. Acknowledgements
     • Sam Briesemeister for introducing me to graph theory!
     • Michael Hunger and Max De Marzi at Neo4j
     • David Rapin, Jean Villedieu and Sébastian Heymann at Linkurious
  48. Thank you!
     • Andy Robbins
       Twitter: @_wald0
     • Co-creators: Rohan Vazarkar and Will Schroeder
       Twitter: @CptJesus @harmj0y
     • https://www.specterops.io
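As an added illustration (not code from the talk or from the BloodHound project), the following Python models slide 28's graph design with the original MemberOf, AdminTo and HasSession edges over a constructed set of users, groups and computers, answers slide 40's question about which users with a path to Domain Admin have the oldest passwords, and adds a defender's check of whether removing one edge cuts a path. All node names and password ages are made up; BloodHound itself runs such questions as Cypher queries against Neo4j.

```python
from collections import deque

# Constructed sample graph (not real data) using the original BloodHound edge types:
# MemberOf (user/group -> group), AdminTo (user/group -> computer), HasSession
# (computer -> logged-on user). Edges point the way an attacker traverses them.
EDGES = [
    ("svc_backup", "AdminTo", "WS02"),
    ("svc_backup", "AdminTo", "WS03"),
    ("WS03", "HasSession", "svc_sql"),
    ("svc_sql", "MemberOf", "SQL Admins"),
    ("SQL Admins", "AdminTo", "SQL01"),
    ("SQL01", "HasSession", "bob_admin"),
    ("bob_admin", "MemberOf", "Domain Admins"),
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS02"),
]
# Constructed per-user attribute of the kind BloodHound 1.4 began collecting.
PWD_AGE_DAYS = {"svc_backup": 900, "svc_sql": 400, "bob_admin": 30, "alice": 12, "carol": 1500}

def shortest_path(edges, start, target="Domain Admins"):
    """Breadth-first search; returns the hop list [(src, rel, dst), ...] or None."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    parent = {start: None}  # node -> (previous node, edge type)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def users_with_path_by_pwd_age(edges, pwd_age):
    """Slide 40's question: of the users with a path to DA, who has the oldest password?"""
    reachable = [(u, age) for u, age in pwd_age.items() if shortest_path(edges, u)]
    return sorted(reachable, key=lambda t: t[1], reverse=True)

def breaks_path(edges, user, edge):
    """Defender check: does removing a single edge (a session, an admin right) cut the path?"""
    return shortest_path([e for e in edges if e != edge], user) is None
```

Running the sample shows svc_backup reaching Domain Admins in six hops through a session on WS03, while alice (local admin via Helpdesk) and carol have no path at all; removing the WS03 session is enough to break the svc_backup path.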

Editor's Notes

  • Research target to build out
  • Gain access to the corporation’s internal network
    Typically achieved through social engineering attacks like phishing
  • Use recon results and network access to determine security controls in place
    Elevate privileges locally and in the domain
    Use elevated privileges to access data objective
  • Get the juicy data out of the network
  • THREE MINUTES

    Now this network looks pretty similar to the last one, but with a few key differences that we’ll explore in each attack step.

    First, again, is initial access. We get a Beacon or Meterpreter Session running within a domain-joined context. Unfortunately for us, we can’t manage to escalate our rights on this initial machine. No GPP. No misconfigured services. No DLL hijack opportunities. No MS08-067, no MS14-068. We can collect some NTLMv2 challenge/response pairs, but can’t crack the very strong passwords. Also, we can’t relay those creds anywhere due to the client enforcing SMB message signing everywhere.

    Eventually, though, we do find an initial way to gain local admin rights. A careless admin has left plain text credentials for a service account in an SMB share that any user can read. By impersonating this user and scanning the network, we determine that this service account has admin rights to three systems. Unfortunately for us, this client heavily enforces the principle of least privilege, so this service account only has admin rights on the systems it needs admin rights on. This is where our scope of nominal admin rights begins.

    Now, using PowerView, CrackMapExec, Nmap, or another tool, we determine who is logged on to those systems. We find a few more service accounts, but none of them are domain admins. Damn! One by one we compromise those accounts until eventually we gain admin rights on a system with a domain admin logged on. W00t!

    By show of hands, how many folks have executed an attack path like this?
  • “now we have EVERY path to DA”