aclpwn - Active Directory ACL exploitation with BloodHound

My talk about aclpwn and Active Directory ACL exploitation as given on Hack in the Box Dubai Armory 2018.

Published in: Software

  1. Aclpwn.py – Active Directory ACL exploitation with BloodHound (Dirk-jan Mollema, @_dirkjan, fox-it.com)
  2. Whoami
     • Lives in The Netherlands
     • Hacker / Red Teamer / Researcher @ Fox-IT since 2016
     • Previously freelance web developer
     • Author of several Active Directory tools: mitm6, ldapdomaindump, BloodHound.py
     • Co-author of ntlmrelayx
     • Blogs on dirkjanm.io
     • Tweets stuff on @_dirkjan
  3. Contents
     • What are ACLs
     • Common ACL abuse paths
     • aclpwn.py concepts
     • Using aclpwn.py
  4. Abusing ACLs – prior work
     • https://github.com/ANSSI-FR/AD-control-paths (Emmanuel Gras and Lucas Bouillot from ANSSI – 2014)
     • “An ACE up the Sleeve” – BH USA 2017 (by @_wald0 and @harmj0y)
     • BloodHound (@_wald0, @harmj0y and @CptJesus)
  5. What are ACLs – the short version (section slide)
  6. What are ACLs – the short version
     • In Active Directory, an ACL defines who can do what on an object
     • Objects: users, groups, computers, domain(s)
  7. What are ACLs – terminology
     • ACL: Access Control List
     • SACL – used for auditing access
     • DACL – used for defining who has what access on an object
     • A DACL consists of ACEs (Access Control Entries)
  8. ACLs are hard (image slide)
  9. ACLs are hard (2) (image slide)
  10. ACLs are hard (3) (image slide)
  11. ACLs are hard!
     • Even some default ACLs are too complex for the UI to display
     • We can’t realistically expect sysadmins to keep track of ACLs or to fully understand their impact
     • Especially not if they are inherited or nested
     • Tooling is needed!
  12. Mapping ACLs with BloodHound
     • BloodHound 1.3 introduced the ACL update
     • Makes it easy to identify ACLs
     • Collect them with SharpHound.exe -c ACL
     • Not yet supported in BloodHound.py (but work in progress)
     • Source: https://wald0.com/?p=112
  13. ACL abuse – case studies (section slide)
  14. Bad ACLs – Case study 1: Exchange
     • By default “Exchange Windows Permissions” has wide-reaching privileges in the domain
     • Including WriteDacl on the Domain object
     • Allows any Exchange Server to grant DCSync privileges
     • Effectively: local admin on Exchange Server = Domain Admin
     • Sources:
       - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
       - https://github.com/gdedrouas/Exchange-AD-Privesc
       - https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
  15. Bad ACLs – Case study 1: Exchange (image slide)
  16. Bad ACLs – Case study 1: Exchange
     • No need to run anything on the Exchange server
     • Just dump the hashes of the machine account and feed them to aclpwn.py
     • Aclpwn.py will pass-the-hash and gain privileges
     • DCSync with secretsdump.py (impacket)
  17. Bad ACLs – Case study 2: Enterprise Key Admins
     • ADPREP in Server 2016 introduces an “Enterprise Key Admins” group
     • This group has full control over the Domain object (before v1709)
     • Allows Account Operators to obtain DCSync privileges
     • Sources:
       - https://secureidentity.se/adprep-bug-in-windows-server-2016/
       - My lab ☺
  18. Bad ACLs – Case study 2: Enterprise Key Admins (image slide)
  19. WriteDacl on Domain object => DCSync privileges
  20. Exploiting ACLs (section slide)
  21. Existing ACL exploitation tools and their limitations
     • PowerSploit (https://github.com/PowerShellMafia/PowerSploit)
       • Manual exploitation only
       • Can be confusing if there are multiple steps in the chain
       • Complex to use with machine accounts or pass-the-hash
     • Invoke-AclPwn (https://github.com/fox-it/Invoke-ACLPwn)
       • Automated pathfinding
       • Parses SharpHound output on the host (slow)
       • Limited scenarios
       • Complex to use with machine accounts or pass-the-hash
  22. aclpwn.py
     • Direct integration with BloodHound and the Neo4j graph database
     • Supports any reversible ACL-based attack chain
     • Advanced pathfinding to find the most efficient paths
     • Support for exploitation with NTLM hashes (pass-the-hash)
     • Saves restore state, easy rollback of changes
     • Can be run via a SOCKS tunnel
     • Written in Python (2.7 and 3.5+), so OS independent
  23. aclpwn.py – the concept
     • Find an exploitation path
     • Start at a user/computer
     • End at a group or domain
     • aclpwn.py finds the most efficient path
     • Objects are modified to obtain the required access
     • After action on objectives is achieved, the path is walked in reverse and privileges are restored
  24. Pathfinding difficulties (section slide)
  25. Pathfinding with Neo4j
     • The shortest path is not always the most efficient path
     • Neo4j counts path length based on the number of nodes
     • If we have the following scenario:
       • User “test” is a member of group A
       • Group A is a member of group B
       • Group B is a member of group C
       • Group C is a member of Domain Admins
       • AND user “test” has AddMember on Domain Admins
     • Neo4j will see the path (Test)-[AddMember]->(Domain Admins) as the shortest
     • Even though user “test” is effectively already a domain admin through group membership
  26. Solution: weighted paths (diagram: membership edges with weight 0, modification edges with weight 1)
  27. Weighted paths
     • Either calculated manually (faster but less accurate, may miss paths)
     • Or discovered using the Dijkstra algorithm (slower, but more accurate)
     • Different weights for different modification parameters
  28. Pathfinding methods
     • Shortest only: (query screenshot)
     • Dijkstra: (query screenshot)
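The hop-count versus weighted-path difference from slides 25 to 28, as an added Python example that is not part of the talk and not code from aclpwn.py: a breadth-first search that counts edges the way a plain shortest-path query does, beside a Dijkstra search over edge weights. The graph is the constructed “test” user scenario from slide 25; the weights (0 for a MemberOf edge that needs no change, 1 for an edge that requires modifying an object) are an assumption for illustration, since the slides do not give aclpwn's actual weight table.

```python
"""Hop-count shortest path vs. weighted cheapest path on a tiny ACL graph."""
from collections import deque
import heapq

# Constructed example graph (not BloodHound output): (source, relationship, target).
# MemberOf edges grant access with no modification; AddMember needs a change.
EDGES = [
    ("test", "MemberOf", "Group A"),
    ("Group A", "MemberOf", "Group B"),
    ("Group B", "MemberOf", "Group C"),
    ("Group C", "MemberOf", "Domain Admins"),
    ("test", "AddMember", "Domain Admins"),
]

# Assumed weights: 0 when the edge needs no change, 1 when an object must be
# modified (aclpwn's real weights are not given on the slides).
WEIGHTS = {"MemberOf": 0, "AddMember": 1, "WriteDacl": 1, "GenericAll": 1}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_by_hops(graph, start, goal):
    """BFS: fewest edges, the way a plain shortest-path query counts nodes."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for rel, nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def cheapest_by_weight(graph, start, goal, weights):
    """Dijkstra: minimise the summed edge weight, i.e. the number of modifications."""
    best = {start: 0}
    heap = [(0, 0, start, [])]  # (cost, tiebreak, node, path)
    counter = 1
    while heap:
        cost, _, node, path = heapq.heappop(heap)
        if node == goal:
            return cost, path
        if cost > best.get(node, float("inf")):
            continue  # stale entry
        for rel, nxt in graph[node]:
            new_cost = cost + weights[rel]
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, counter, nxt, path + [(node, rel, nxt)]))
                counter += 1
    return None


def modifications_needed(path, weights):
    """How many objects a path would require changing."""
    return sum(weights[rel] for _, rel, _ in path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    hop_path = shortest_by_hops(g, "test", "Domain Admins")
    cost, weighted_path = cheapest_by_weight(g, "test", "Domain Admins", WEIGHTS)
    print("fewest hops :", hop_path, "-> modifications:", modifications_needed(hop_path, WEIGHTS))
    print("cheapest    :", weighted_path, "-> modifications:", cost)
```

The BFS returns the single AddMember edge (one hop, but one object to modify and later restore), while Dijkstra returns the four-hop membership chain at cost 0, which is the path slide 25 calls the more efficient one.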
  29. Path is found and validated (image slide)
  30. Example: escalating from Account Operators (image slide)
  31. Example: escalating from Account Operators (image slide)
  32. Non-supported edges and limitations
     • ForceChangePassword:
       • We have the right to change the user’s password
       • Not easily possible to restore afterwards (only with dcshadow or setntlm)
       • Not supported for now
       • Solution: split the path, perform the password reset manually
     • WriteOwner:
       • Seems to be limited to setting the owner to your own user
       • Not possible to restore right now
       • Needs more investigation
  33. Restore operation
     • Aclpwn will remember state during exploitation
     • Possible to restore all operations using the --restore option
     • Different restore strategies
  34. Restore example (image slide)
  35. Defenses (section slide)
  36. Defending against ACL attacks
     • Audit your ACLs!
     • Use BloodHound
     • Remove dangerous ACLs (for example Exchange)
     • Restrict permission delegation:
       • Admin on Exchange Server => Domain Admin
       • Admin on Azure AD Connect host => Domain Admin
       • Resetting the password of high-privilege users => Domain Admin
       • Managing groups with high privileges => Domain Admin
  37. Defending against ACL attacks
     • Monitor for ACL changes
     • Use SACLs to generate events for important object modifications
     • Use event logging to monitor DACL changes
     • See: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
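One way to act on the “use event logging to monitor DACL changes” advice on slide 37, as an added Python example that is neither from the talk nor from Fox-IT: it scans simplified records modelled on Windows Security Event ID 5136 (“A directory service object was modified”), pairs the deleted and added nTSecurityDescriptor values for the domain object, and reports only the ACEs that are new and that grant the DCSync replication rights or WriteDacl/WriteOwner/GenericAll, which is exactly the WriteDacl-on-domain path slides 14 and 19 describe. The event records, the domain DN, the SIDs and the subject name are constructed; the two replication-right GUIDs are the standard AD extended-rights GUIDs, and the %%14674 / %%14675 codes are how the raw event encodes Value Added / Value Deleted.

```python
"""Flag new ACEs on the domain object that grant DCSync or DACL-control rights."""
import re

DOMAIN_DN = "DC=corp,DC=example"  # assumption: domain root of the constructed lab

# Extended-rights GUIDs for directory replication, as they appear in SDDL object ACEs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Generic/standard rights that let a trustee rewrite the DACL itself.
CONTROL_RIGHTS = {"WD": "WriteDacl", "WO": "WriteOwner", "GA": "GenericAll"}
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

OLD_SDDL = "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
NEW_SDDL = OLD_SDDL + (
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1104)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1104)"
)

# Constructed, simplified 5136-style records (field names shortened for the example).
EVENTS = [
    {"EventID": 4662, "Subject": "alice", "ObjectDN": DOMAIN_DN,
     "Attribute": "", "Operation": "", "Value": ""},
    {"EventID": 5136, "Subject": "EXCH01$", "ObjectDN": DOMAIN_DN,
     "Attribute": "nTSecurityDescriptor", "Operation": VALUE_DELETED, "Value": OLD_SDDL},
    {"EventID": 5136, "Subject": "EXCH01$", "ObjectDN": DOMAIN_DN,
     "Attribute": "nTSecurityDescriptor", "Operation": VALUE_ADDED, "Value": NEW_SDDL},
    {"EventID": 5136, "Subject": "bob", "ObjectDN": "CN=test,CN=Users," + DOMAIN_DN,
     "Attribute": "nTSecurityDescriptor", "Operation": VALUE_ADDED, "Value": NEW_SDDL},
]

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Return the ACE strings of the DACL part of an SDDL string (SACL ignored)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return ACE_RE.findall(dacl)


def rights_tokens(rights):
    """Split an SDDL rights field into two-letter tokens; hex masks are not expanded."""
    if rights.lower().startswith("0x"):
        return []
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def ace_finding(ace):
    """(trustee, right name) if the ACE grants a replication or DACL-control right, else None."""
    fields = ace.split(";")
    if len(fields) < 6:
        return None
    ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
    if ace_type == "OA" and obj_guid.lower() in REPLICATION_GUIDS:
        return trustee, REPLICATION_GUIDS[obj_guid.lower()]
    if ace_type == "A":
        for token in rights_tokens(rights):
            if token in CONTROL_RIGHTS:
                return trustee, CONTROL_RIGHTS[token]
    return None


def detect(events, domain_dn=DOMAIN_DN):
    """Yield (subject, trustee, right) for ACEs newly added to the domain object's DACL."""
    findings = []
    pending = {}  # ObjectDN -> ACE set from the preceding 'value deleted' record
    for ev in events:
        if ev["EventID"] != 5136 or ev["Attribute"] != "nTSecurityDescriptor":
            continue
        if ev["ObjectDN"].lower() != domain_dn.lower():
            continue
        if ev["Operation"] == VALUE_DELETED:
            pending[ev["ObjectDN"]] = set(parse_aces(ev["Value"]))
        elif ev["Operation"] == VALUE_ADDED:
            before = pending.pop(ev["ObjectDN"], set())
            for ace in parse_aces(ev["Value"]):
                if ace in before:
                    continue  # pre-existing ACE, e.g. Domain Admins' own WriteDacl
                found = ace_finding(ace)
                if found:
                    findings.append((ev["Subject"],) + found)
    return findings


if __name__ == "__main__":
    for subject, trustee, right in detect(EVENTS):
        print(f"ALERT: {subject} granted {right} on {DOMAIN_DN} to {trustee}")
```

Diffing against the deleted value matters: the Domain Admins ACE in the old descriptor already carries WD and WO, and a check that only looks at the new descriptor would raise that as a finding on every unrelated DACL edit. Object ACEs ("OA") are matched on their object GUID, so an inherited-only or hex-encoded rights mask is not expanded here; in a production rule both would deserve handling.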
  38. Conclusions (section slide)
  39. Conclusions
     • ACL attacks are still relatively unknown
     • But present in almost every Active Directory
     • You don’t need a Domain Admin session to pwn the domain
     • More tooling will (hopefully) raise awareness for this issue
  40. Get the tools
     • Online at https://github.com/fox-it/aclpwn.py
     • Follow me on Twitter to keep up-to-date with my work (@_dirkjan)
     • I’ll be demo-ing aclpwn.py this afternoon tomorrow morning
     • Feel free to drop by for any questions! ☺
  41. Aclpwn.py – Active Directory ACL exploitation with BloodHound (Dirk-jan Mollema, fox-it.com)