Six Degrees of Domain Admin - BloodHound at DEF CON 24

The deck used during DEF CON 24.


  1. Six Degrees of Domain Admin
  2. About Us
     I am Andy Robbins
     Job: Pentester at Veris Group’s ATD
     Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA International
     Trainer: Black Hat USA 2016
     Other: Ask me about ACH
     Twitter: @_wald0
  3. About Us
     I am Rohan Vazarkar
     Job: Pentester at Veris Group’s ATD
     Tool creator/dev: EyeWitness, Python Empyre, etc.
     Presenter: BSidesDC/LV/DE, Black Hat Arsenal
     Trainer: Black Hat USA 2016
     Twitter: @CptJesus
  4. About Us
     I am Will Schroeder
     Job: Researcher at Veris Group’s ATD
     Tool creator/dev: Veil-Framework, PowerView, PowerUp, Empire/Empyre
     Speaker: Ask me
     Trainer: Black Hat USA 2014-2016
     Other: Microsoft PowerShell/CDM MVP
     Twitter: @harmj0y
  5. The Current State of Active Directory Domain Privilege Escalation
  6. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
     John Lambert, GM, Microsoft Threat Intelligence Center
  7. AD Domain Priv Esc
     ◇ Active Directory is ubiquitous
     ◇ Ubiquity = Attention = Research time and $$$
     ◇ Sometimes we get easy buttons!
  8. DA (diagram)
  9. DA (diagram: a DA node surrounded by user icons)
  10. Derivative Local Admin
      “The chaining or linking of administrator rights through compromising other privileged accounts”
      Justin Warner, @sixdub
  11. Diagram: Bob, PC1, Mary, PC2
  12. Diagram: Bob, Help Desk, Server Admins, PC2
  13. Challenges
      ◇ Extremely time consuming and tedious
      ◇ Not comprehensive
      ◇ Limited situational awareness
      ◇ Did you even need DA?
  14. Graph Theory and attack graph design
  15. Basic Elements of a Graph
      Vertices represent individual elements of a system
      Edges generically represent relationships between vertices
      Paths are sets of vertices and edges that connect non-adjacent vertices
  16. Diagram: Vertex 1, Edge, Vertex 2
  17. Diagram: Vertex 1, Vertex 2, Vertex 3, Vertex 4
  18. BloodHound Attack Graph Design
      Vertices represent users, groups, computers, and domains
      Edges identify group memberships, admin rights, user sessions, and domain trusts
      Paths always lead toward escalating rights. Always.
  19. Diagram: Group: IT Admins, User: Bob, Computer: Server1, User: Mary, Group: Domain Admins
  20. Put Simply…
      ◇ Who is logged on where?
      ◇ Who has admin rights where?
      ◇ What users and groups belong to what groups?
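As an added illustration of the graph model in slides 10 through 19 (example code written for this page, not BloodHound's or PowerView's own), the Python below builds a small directed attack graph from constructed MemberOf, AdminTo and HasSession edges, finds the shortest derivative-local-admin chain from a foothold user to Domain Admins by breadth-first search, and lists the single edges whose removal breaks that chain, which is the remediation list a defender would prioritise. Every principal, computer and edge in it is made up.

```python
from collections import deque

# Constructed sample graph, loosely modelled on the deck's Bob / Help Desk /
# Server Admins / PC2 slides. Every edge type points toward more rights:
#   MemberOf   principal -> group
#   AdminTo    principal -> computer (local admin rights)
#   HasSession computer  -> user (a logon session exposes that user's credentials)
EDGES = [
    ("Bob", "MemberOf", "Help Desk"),
    ("Help Desk", "AdminTo", "PC1"),
    ("PC1", "HasSession", "Mary"),
    ("Mary", "MemberOf", "Server Admins"),
    ("Server Admins", "AdminTo", "PC2"),
    ("PC2", "HasSession", "Alice"),
    ("Alice", "MemberOf", "Domain Admins"),
    ("Bob", "AdminTo", "Workstation7"),  # dead end: nobody privileged logs on here
]

def build_graph(edges):
    """Adjacency list: vertex -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, target):
    """BFS: hop list [(src, rel, dst), ...] for the shortest chain, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def choke_points(edges, start, target):
    """Edges whose removal alone disconnects start from target: a defender's fix list."""
    return [e for e in edges
            if shortest_path(build_graph([x for x in edges if x != e]), start, target) is None]
```

With this data `shortest_path(build_graph(EDGES), "Bob", "Domain Admins")` returns the seven-hop chain Bob → Help Desk → PC1 → Mary → Server Admins → PC2 → Alice → Domain Admins, and `choke_points` reports each of those seven edges (not the Workstation7 dead end), so removing any one of them, such as keeping Mary from logging on to PC1, closes the path.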
  21. Stealthy Data Collection with PowerView
  22. “The best tool these days for understanding Windows networks is PowerView…”
      Phineas Phisher, http://pastebin.com/raw/0SNSvyjJ
  23. PowerView
      ◇ A pure PowerShell v2.0+ domain/network situational awareness tool
      ◇ Collects the data that BloodHound is built on and doesn’t need elevated privileges for most collection methods!
  24. Who’s Logged in Where?
      ◇ Invoke-UserHunter:
        ■ Get-NetSession – sessions w/ a remote machine
        ■ Get-NetLoggedOn/Get-LoggedOnLocal – who’s logged in on what machine
      ◇ -Stealth:
        ■ Enumerate commonly trafficked servers and query remote sessions for each, aka “user hunting”
  25. Who Can Admin What?
      ◇ We can enumerate members of a local group on a remote machine, without admin privileges!
        ■ The WinNT service provider or NetLocalGroupMembers()
      ◇ PowerView:
        ■ Get-NetLocalGroup -ComputerName IP [-API]
  26. Who Can Admin What? GPO Edition
      ◇ GPOs can set local administrators
      ◇ GPOs are applied to OUs/Sites
        ■ correlation == local admin information through communication with only a DC!
      ◇ PowerView:
        ■ Find-GPOLocation
  27. Who’s in What Groups?
      ◇ Enumerate all groups and pull the members of each
      ◇ PowerView:
        ■ Get-NetGroup | Get-NetGroupMember
      ◇ That’s it!
  28. Bringing it All Together: The BloodHound Ingestor
      Get-BloodHoundData automates gathering PowerView data for a domain
      Export-BloodHoundData exports collected data to a neo4j batch REST API for ingestion
      Export-BloodHoundCSV exports collected data to a series of CSVs for offline ingestion
  29. BloodHound: Live demo!
  30. BloodHound
      ◇ Built with Linkurious.js
      ◇ Compiled with Electron
      ◇ Uses a neo4j graph database
      ◇ Fed by the custom PowerShell ingestor
  31. bit.ly/GetBloodHound
  32. Thanks! @_wald0 @CptJesus @harmj0y
