The deck used during DEF CON 24.
Six Degrees of
I am Andy Robbins
Job: Pentester at Veris Group’s ATD
Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA
Trainer: Black Hat USA 2016
Other: Ask me about ACH
I am Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: EyeWitness, Python Empyre, etc.
Presenter: BSidesDC/LV/DE, Black Hat Arsenal
Trainer: Black Hat USA 2016
I am Will Schroeder
Job: Researcher at Veris Group’s ATD
Tool creator/dev: Veil-Framework, PowerView, PowerUp,
Speaker: Ask me
Trainer: Black Hat USA 2014-2016
Other: Microsoft PowerShell/CDM MVP
The Current State of Active
Directory Domain Privilege
“Defenders think in lists.
Attackers think in graphs.
As long as this is true,
GM, Microsoft Threat Intelligence Center
AD Domain Priv Esc
◇Active Directory is ubiquitous
◇Ubiquity = Attention = Research time and
◇Sometimes we get easy buttons!
“The chaining or linking of
administrator rights through
compromising other privileged
Justin Warner @sixdub
Bob PC1 Mary PC2
◇Extremely time consuming and tedious
◇Limited situational awareness
◇Did you even need DA?
And attack graph design
Basic Elements of a
of a system
Paths are sets of
Vertex 1 Vertex 2Edge
admin rights, user
Paths always lead
◇Who is logged on where?
◇Who has admin rights where?
◇What users and groups belong to what
Stealthy Data Collection
“The best tool these days
for understanding Windows
networks is PowerView…”
◇A pure PowerShell v2.0+ domain/network
situational awareness tool
◇Collects the data that BloodHound is built
on and doesn’t need elevated
privileges for most collection methods!
Who’s Logged in Where?
￭ Get-NetSession – sessions w/ a remote machine
￭ Get-NetLoggedOn/Get-LoggedOnLocal – who’s
logged in on what machine
￭ Enumerate commonly trafficked servers and query
remote sessions for each
aka “user hunting”
Who Can Admin What?
◇We can enumerate members of a local
group on a remote machine, without
￭ The WinNT service provider or
￭ Get-NetLocalGroup –ComputerName IP [-API]
Who Can Admin What?
◇GPOs can set local administrators
◇GPOs are applied to OUs/Sites
￭ correlation == local admin information through
communication with only a DC!
Who’s in What Groups?
◇Enumerate all groups and pull the
members of each
￭ Get-NetGroup | Get-NetGroupMember
Bringing it All Together
The BloodHound Ingestor
PowerView data for
data to a neo4j
batch REST API
data to a series of
CSVs for offline
◇Built with Linkurious.js
◇Compiled with Electron
◇Uses a neo4j graph database
◇Fed by the custom PowerShell ingestor
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” This is a very well known quote by John Lambert, General Manager at Microsoft’s Threat Intelligence Center. This quote and the blog post it serves as a title to has proven true time and time again on our red team and pentest assessments. I’d like to ask you all to keep this quote in mind during our talk.
NOTE: The scope of our talk is confined to privilege escalation, we’re not going to go into initial access or provide an encyclopedic diatribe on all the different ways to attack Active Directory. A great resource to go to is Sean Metcalf’s blog at adsecurity.org
Active Directory is, of course, effectively ubiquitous in businesses of all sizes, from global enterprise to small and medium size businesses. In fact, Sean Metcalf quantified this in his talk on Thursday as 95% of Fortune 1000 companies that use Active Directory.
As such, a lot of time, energy, and money goes into research on how to defend and attack Active Directory environments.
Thanks to that research, pentesters get easy buttons every so often. December of 2014 through about the middle of February 2015 was a great time to be a pentester, after Sylvain Monné put out the first public exploit for MS14-068. Thanks to Sylvain and Benjamin Delpy’s work, pentesters had a nice “easy button” to escalate rights from any domain user all the way to domain admin or even enterprise admin. Over the years, we’ve enjoyed other ”easy buttons” as well: MS08-067, kitrap0d, Responder, GPP, Jboss, Tomcat, etc.
Over time, many organizations’ defensive posture improves thanks to several contributing factors: maturing vulnerability management practices, increasingly rare (public) bugs in Windows and Active Directory, and proactive vulnerability and risk assessment in the form of regular penetration tests and red team exercises. Unfortunately for us as pentesters, this means that our easy buttons have a tendency to disappear. Except Responder, of course.
This is why the best tradecraft includes, but does not exclusively rely on easy buttons in order to accomplish objectives. Instead, the most effective attackers execute attacks specifically tailored to the misconfigurations and poor practices of their target organization.
Let’s take a look at a fairly typical situation. These dotted line computers are going to represent a very small example network. The dotted line computers mean that we, as an attacker, know the computers are there, but we don’t have any sort of privileged access to them yet.
First, as an attacker, we gain our initial access to the environment. Maybe we have a Beacon or Metrepreter session from social engineering, or perhaps we were already on the network and found an exploitable system. Either way, we have our initial access into the environment, running as a domain user on a system joined to the domain.
Second, we’re able to escalate our privileges locally. Perhaps PowerUp found us a DLL hijack, or we were able to run Responder and crack or relay an admin cred. Using this local admin access, we dump the SAM and get the NTLM hash for the local admin account.
Third, lucky us, while the organization has applied KB2871997, they’re still using the built-in 500 account on each system, using the same password for this account on every box. Now we effectively have local admin access everywhere, so our scope of admin rights encompasses the entire network.
Finally, we find a system where a DA is logged on, using PowerView’s user hunter, or CrackMapExec, or another tool. Because the local admin password is the same everywhere, and because KB2871997 doesn’t protect against passing the hash for this user, we simply pivot to the box that DA is logged onto, run Mimikatz to get his clear text password, and we win. Woot!
By show of hands, how many people have seen this exact same attack scenario more than a few times in real life?
Cool. Ok, let’s take a look at our second network.
Now this network looks pretty similar to the last one, but with a few key differences that we’ll explore in each attack step.
First, again, is initial access. We get a Beacon or Meterpreter Session running within a domain-joined context. Unfortunately for us, we can’t manage to escalate our rights on this initial machine. No GPP. No misconfigured services. No DLL hijack opportunities. No MS08-067, no MS14-068. We can collect some NTLMv2 challenge/response pairs, but can’t crack the very strong passwords. Also, we can’t relay those creds anywhere due to the client enforcing SMB message signing everywhere.
Eventually, though, we do find an initial way to gain local admin rights. A careless admin has left plain text credentials for a service account in an SMB share that any user can read. By impersonating this user and scanning the network, we determine that this service account has admin rights to three systems. Unfortunately for us, this client heavily enforces the principle of least privilege, so this service account only has admin rights on the systems it needs admin rights on. This is where our scope of nominal admin rights begins.
Now, using PowerView, CrackMapExec, Nmap, or another tool, we determine who is logged on to those systems. We find a few more service accounts, but none of them are domain admins. Damn! One by one we compromise those accounts until eventually we gain admin rights on a system with a domain admin logged on. W00t!
By show of hands, how many folks have executed an attack path like this?
Built to automate components of our engagement tradecraft
Fully self contained and loadable in memory, v2.0+ compliant
Now part of PowerSploit
Something we do on every engagement
LoggedOn - API and remote registry
Only need admin for Get-NetLoggedOn
Common servers == fileservers, dfs shares, DCs
GPO == group policy objects
This GPO correlation process isn’t super simple…
Find-GPOLocation can enumerate for one target or dump all relationships
Based on LDAP/ADSI searches under the hood
So we have a PowerShell v2.0 tool that:
-Doesn’t need administrator rights to query most of this data
-ingests data straight into BloodHound w/o touching disk!