Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
I hunt sys admins 2.0
I hunt sys admins 2.0
Loading in …3
1 of 32

Six Degrees of Domain Admin - BloodHound at DEF CON 24



Download to read offline

The deck used during DEF CON 24.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Six Degrees of Domain Admin - BloodHound at DEF CON 24

  1. 1. Six Degrees of Domain Admin
  2. 2. About Us I am Andy Robbins Job: Pentester at Veris Group’s ATD Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA International Trainer: Black Hat USA 2016 Other: Ask me about ACH Twitter: @_wald0
  3. 3. About Us I am Rohan Vazarkar Job: Pentester at Veris Group’s ATD Tool creator/dev: EyeWitness, Python Empyre, etc. Presenter: BSidesDC/LV/DE, Black Hat Arsenal Trainer: Black Hat USA 2016 Twitter: @CptJesus
  4. 4. About Us I am Will Schroeder Job: Researcher at Veris Group’s ATD Tool creator/dev: Veil-Framework, PowerView, PowerUp, Empire/Empyre Speaker: Ask me Trainer: Black Hat USA 2014-2016 Other: Microsoft PowerShell/CDM MVP Twitter: @harmj0y
  5. 5. The Current State of Active Directory Domain Privilege Escalation
  6. 6. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” John Lambert GM, Microsoft Threat Intelligence Center
  7. 7. AD Domain Priv Esc ◇Active Directory is ubiquitous ◇Ubiquity = Attention = Research time and $$$ ◇Sometimes we get easy buttons!
  8. 8. DA
  9. 9. DA 👤 👤👤 👤 👤 👤 👤
  10. 10. Derivative Local Admin “The chaining or linking of administrator rights through compromising other privileged accounts” Justin Warner @sixdub
  11. 11. 👤 👤 Bob PC1 Mary PC2
  12. 12. 👤Bob Help Desk Server Admins PC2
  13. 13. Challenges ◇Extremely time consuming and tedious ◇Not comprehensive ◇Limited situational awareness ◇Did you even need DA?
  14. 14. Graph Theory And attack graph design
  15. 15. Basic Elements of a Graph Vertices represent individual elements of a system Edges generically represent relationships between vertices Paths are sets of vertices and edges that connect non- adjacent vertices
  16. 16. Vertex 1 Vertex 2Edge
  17. 17. Vertex 1 Vertex 3 Vertex 2 Vertex 4
  18. 18. BloodHound Attack Graph Design Vertices represent users, groups, computers, and domains Edges identify group memberships, admin rights, user sessions, and domain trusts Paths always lead toward escalating rights. Always.
  19. 19. Group: IT Admins User: Bob Computer: Server1 User: Mary Group: Domain Admins
  20. 20. Put Simply… ◇Who is logged on where? ◇Who has admin rights where? ◇What users and groups belong to what groups?
  21. 21. Stealthy Data Collection with PowerView
  22. 22. “The best tool these days for understanding Windows networks is PowerView…” Phineas Phisher
  23. 23. PowerView ◇A pure PowerShell v2.0+ domain/network situational awareness tool ◇Collects the data that BloodHound is built on and doesn’t need elevated privileges for most collection methods!
  24. 24. Who’s Logged in Where? ◇Invoke-UserHunter: ■ Get-NetSession – sessions w/ a remote machine ■ Get-NetLoggedOn/Get-LoggedOnLocal – who’s logged in on what machine ◇-Stealth: ■ Enumerate commonly trafficked servers and query remote sessions for each aka “user hunting”
  25. 25. Who Can Admin What? ◇We can enumerate members of a local group on a remote machine, without admin privileges! ■ The WinNT service provider or NetLocalGroupMembers() ◇PowerView: ■ Get-NetLocalGroup –ComputerName IP [-API]
  26. 26. Who Can Admin What? GPO Edition ◇GPOs can set local administrators ◇GPOs are applied to OUs/Sites ■ correlation == local admin information through communication with only a DC! ◇PowerView: ■ Find-GPOLocation
  27. 27. Who’s in What Groups? ◇Enumerate all groups and pull the members of each ◇PowerView: ■ Get-NetGroup | Get-NetGroupMember ◇That’s it!
  28. 28. Bringing it All Together The BloodHound Ingestor Get- BloodHoundData automates gathering PowerView data for a domain Export- BloodHoundData exports collected data to a neo4j batch REST API for ingestion Export- BloodHoundCSV exports collected data to a series of CSVs for offline ingestion
  29. 29. BloodHound Live demo!
  30. 30. BloodHound ◇Built with Linkurious.js ◇Compiled with Electron ◇Uses a neo4j graph database ◇Fed by the custom PowerShell ingestor
  31. 31.
  32. 32. Thanks! @_wald0 @CptJesus @harmj0y

Editor's Notes

  • 20 SECONDS
  • 20 SECONDS
  • 20 SECONDS
  • “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” This is a very well known quote by John Lambert, General Manager at Microsoft’s Threat Intelligence Center. This quote and the blog post it serves as a title to has proven true time and time again on our red team and pentest assessments. I’d like to ask you all to keep this quote in mind during our talk.

    NOTE: The scope of our talk is confined to privilege escalation, we’re not going to go into initial access or provide an encyclopedic diatribe on all the different ways to attack Active Directory. A great resource to go to is Sean Metcalf’s blog at
    Active Directory is, of course, effectively ubiquitous in businesses of all sizes, from global enterprise to small and medium size businesses. In fact, Sean Metcalf quantified this in his talk on Thursday as 95% of Fortune 1000 companies that use Active Directory.

    As such, a lot of time, energy, and money goes into research on how to defend and attack Active Directory environments.

    Thanks to that research, pentesters get easy buttons every so often. December of 2014 through about the middle of February 2015 was a great time to be a pentester, after Sylvain Monné put out the first public exploit for MS14-068. Thanks to Sylvain and Benjamin Delpy’s work, pentesters had a nice “easy button” to escalate rights from any domain user all the way to domain admin or even enterprise admin. Over the years, we’ve enjoyed other ”easy buttons” as well: MS08-067, kitrap0d, Responder, GPP, Jboss, Tomcat, etc.

    Over time, many organizations’ defensive posture improves thanks to several contributing factors: maturing vulnerability management practices, increasingly rare (public) bugs in Windows and Active Directory, and proactive vulnerability and risk assessment in the form of regular penetration tests and red team exercises. Unfortunately for us as pentesters, this means that our easy buttons have a tendency to disappear. Except Responder, of course. 

    This is why the best tradecraft includes, but does not exclusively rely on easy buttons in order to accomplish objectives. Instead, the most effective attackers execute attacks specifically tailored to the misconfigurations and poor practices of their target organization.

    Let’s take a look at a fairly typical situation. These dotted line computers are going to represent a very small example network. The dotted line computers mean that we, as an attacker, know the computers are there, but we don’t have any sort of privileged access to them yet.

    First, as an attacker, we gain our initial access to the environment. Maybe we have a Beacon or Metrepreter session from social engineering, or perhaps we were already on the network and found an exploitable system. Either way, we have our initial access into the environment, running as a domain user on a system joined to the domain.

    Second, we’re able to escalate our privileges locally. Perhaps PowerUp found us a DLL hijack, or we were able to run Responder and crack or relay an admin cred. Using this local admin access, we dump the SAM and get the NTLM hash for the local admin account.

    Third, lucky us, while the organization has applied KB2871997, they’re still using the built-in 500 account on each system, using the same password for this account on every box. Now we effectively have local admin access everywhere, so our scope of admin rights encompasses the entire network.

    Finally, we find a system where a DA is logged on, using PowerView’s user hunter, or CrackMapExec, or another tool. Because the local admin password is the same everywhere, and because KB2871997 doesn’t protect against passing the hash for this user, we simply pivot to the box that DA is logged onto, run Mimikatz to get his clear text password, and we win. Woot!

    By show of hands, how many people have seen this exact same attack scenario more than a few times in real life?

    Cool. Ok, let’s take a look at our second network.

    Now this network looks pretty similar to the last one, but with a few key differences that we’ll explore in each attack step.

    First, again, is initial access. We get a Beacon or Meterpreter Session running within a domain-joined context. Unfortunately for us, we can’t manage to escalate our rights on this initial machine. No GPP. No misconfigured services. No DLL hijack opportunities. No MS08-067, no MS14-068. We can collect some NTLMv2 challenge/response pairs, but can’t crack the very strong passwords. Also, we can’t relay those creds anywhere due to the client enforcing SMB message signing everywhere.

    Eventually, though, we do find an initial way to gain local admin rights. A careless admin has left plain text credentials for a service account in an SMB share that any user can read. By impersonating this user and scanning the network, we determine that this service account has admin rights to three systems. Unfortunately for us, this client heavily enforces the principle of least privilege, so this service account only has admin rights on the systems it needs admin rights on. This is where our scope of nominal admin rights begins.

    Now, using PowerView, CrackMapExec, Nmap, or another tool, we determine who is logged on to those systems. We find a few more service accounts, but none of them are domain admins. Damn! One by one we compromise those accounts until eventually we gain admin rights on a system with a domain admin logged on. W00t!

    By show of hands, how many folks have executed an attack path like this?
  • 30 SECONDS
  • 30 SECONDS
  • 30 SECONDS

    Built to automate components of our engagement tradecraft
    Fully self contained and loadable in memory, v2.0+ compliant
    Now part of PowerSploit

    Something we do on every engagement

    LoggedOn - API and remote registry
    Only need admin for Get-NetLoggedOn

    Common servers == fileservers, dfs shares, DCs

    GPO == group policy objects

    This GPO correlation process isn’t super simple…

    Find-GPOLocation can enumerate for one target or dump all relationships


    Based on LDAP/ADSI searches under the hood

    So we have a PowerShell v2.0 tool that:

    -Doesn’t need administrator rights to query most of this data
    -ingests data straight into BloodHound w/o touching disk!

  • ×