aclpwn - Active Directory ACL exploitation with BloodHound


Slide 1: Aclpwn.py – Active Directory ACL exploitation with BloodHound
Dirk-jan Mollema (@_dirkjan), Fox-IT (fox-it.com)

Slide 2: Whoami
• Lives in The Netherlands
• Hacker / Red Teamer / Researcher @ Fox-IT since 2016
• Previously freelance web developer
• Author of several Active Directory tools:
  • mitm6
  • ldapdomaindump
  • BloodHound.py
  • Co-author of ntlmrelayx
• Blogs on dirkjanm.io
• Tweets stuff on @_dirkjan

Slide 3: Contents
• What are ACLs
• Common ACL abuse paths
• aclpwn.py concepts
• Using aclpwn.py

Slide 4: Abusing ACLs – prior work
• https://github.com/ANSSI-FR/AD-control-paths (Emmanuel Gras and Lucas Bouillot from ANSSI – 2014)
• “An ACE up the Sleeve” – BH USA 2017 (by @_wald0 and @harmj0y)
• BloodHound (@_wald0, @harmj0y and @CptJesus)

Slide 5: What are ACLs – the short version

Slide 6: What are ACLs – the short version
• In Active Directory, an ACL defines who can do what on an object
• Objects:
  • Users
  • Groups
  • Computers
  • Domain(s)

Slide 7: What are ACLs – Terminology
• Access Control List
  • SACL – used for auditing access
  • DACL – used for defining who has what access on an object
• A DACL consists of ACEs
  • Access Control Entries

Slide 8: ACLs are hard
[screenshot]

Slide 9: ACLs are hard (2)
[screenshot]

Slide 10: ACLs are hard (3)
[screenshot]

Slide 11: ACLs are hard!
• Even some default ACLs are too complex for the UI to display
• We can’t realistically expect sysadmins to keep track of ACLs or to fully understand their impact
  • Especially not if they are inherited or nested
• Tooling is needed!

Slide 12: Mapping ACLs with BloodHound
• BloodHound 1.3 introduced the ACL update
• Makes it easy to identify ACLs
• Identify them with SharpHound.exe -c ACL
• Not yet supported in BloodHound.py (but work in progress)
Source: https://wald0.com/?p=112
Slide 13: ACL abuse – case studies

Slide 14: Bad ACLs – Case study 1: Exchange
• By default “Exchange Windows Permissions” has wide-reaching privileges in the domain
  • Including WriteDacl on the Domain object
• Allows any Exchange Server to grant DCSync privileges
• Effectively: local admin on Exchange Server = Domain Admin
Sources:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- https://github.com/gdedrouas/Exchange-AD-Privesc
- https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Slide 15: Bad ACLs – Case study 1: Exchange
[screenshot]

Slide 16: Bad ACLs – Case study 1: Exchange
• No need to run anything on the Exchange server
• Just dump hashes of machine account and feed them to aclpwn.py
• Aclpwn.py will pass-the-hash and gain privileges
• DCSync with secretsdump.py (impacket)

Slide 17: Bad ACLs – Case study 2: Enterprise key admins
• ADPREP in Server 2016 introduces an “Enterprise Key Admins” group
• This group has full control over the Domain object (before v1709)
• Allows Account Operators to obtain DCSync privileges
Sources:
- https://secureidentity.se/adprep-bug-in-windows-server-2016/
- My lab ☺

Slide 18: Bad ACLs – Case study 2: Enterprise key admins
[screenshot]

Slide 19: WriteDacl on Domain object => DCSync privileges
Slide 20: Exploiting ACLs

Slide 21: Existing ACL exploitation tools and their limitations
• PowerSploit (https://github.com/PowerShellMafia/PowerSploit)
  • Manual exploitation only
  • Can be confusing if there are multiple steps in the chain
  • Complex to use with machine accounts or pass-the-hash
• Invoke-AclPwn (https://github.com/fox-it/Invoke-ACLPwn)
  • Automated pathfinding
  • Parses SharpHound output on host (slow)
  • Limited scenarios
  • Complex to use with machine accounts or pass-the-hash

Slide 22: aclpwn.py
• Direct integration with BloodHound and the Neo4j graph database
• Supports any reversible ACL-based attack chain
• Advanced pathfinding to find the most efficient paths
• Support for exploitation with NTLM hashes (pass-the-hash)
• Saves restore state, easy rollback of changes
• Can be run via a SOCKS tunnel
• Written in Python (2.7 and 3.5+), so OS independent

Slide 23: aclpwn.py – the concept
• Find an exploitation path
  • Start at a user/computer
  • End at a group or domain
• aclpwn.py finds the most efficient path
• Objects are modified to obtain the required access
• After action on objectives is achieved, the path is walked in reverse and privileges are restored

Slide 24: Pathfinding difficulties

Slide 25: Pathfinding with Neo4j
• Shortest path is not always the most efficient path
• Neo4j counts path length based on number of nodes
• If we have the following scenario:
  • User “test” is member of group A
  • Group A is member of group B
  • Group B is member of group C
  • Group C is member of Domain Admins
  • AND user “test” has AddMember on Domain Admins
• Neo4j will see the path (Test)-[AddMember]->(Domain Admins) as shortest
  • Even though user “test” is effectively already a domain admin

Slide 26: Solution: weighted paths
[diagram with edges labelled “Weight: 0” and “Weight: 1”]

Slide 27: Weighted paths
• Either calculated manually (faster but less accurate, may miss paths)
• Or discovered using the Dijkstra algorithm (slower, but more accurate)
• Different weights for different modification parameters

Slide 28: Pathfinding methods
• Shortest only: [screenshot]
• Dijkstra: [screenshot]

Slide 29: Path is found and validated
[screenshot]
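The scenario of slide 25 and the weighting idea of slides 26–28, worked through as an added example (this is not aclpwn.py's own code): a hop-count search, which is what a plain Neo4j shortestPath() query gives you, returns the one-edge AddMember route, while a Dijkstra search over modification cost discovers that the MemberOf chain costs nothing because every membership along it is already held. The graph is constructed from the slide; the weight table and the relation names are assumptions for the illustration (MemberOf and AddMember are BloodHound edge names, but the weights are not aclpwn.py's values).

```python
"""
Shortest path versus cheapest path on a BloodHound-style graph.
Added example with a constructed toy graph; not aclpwn.py code.
"""
import heapq
from collections import deque

# Assumed weights: an edge that is already true (group membership) costs
# nothing, an edge that requires modifying an object costs one change.
EDGE_WEIGHTS = {"MemberOf": 0, "AddMember": 1, "WriteDacl": 1, "GenericAll": 1}

# Constructed graph from slide 25: (source, relation, target)
EDGES = [
    ("test", "MemberOf", "Group A"),
    ("Group A", "MemberOf", "Group B"),
    ("Group B", "MemberOf", "Group C"),
    ("Group C", "MemberOf", "Domain Admins"),
    ("test", "AddMember", "Domain Admins"),
]


def build_adjacency(edges):
    """Directed adjacency list: node -> [(relation, neighbour), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def _reconstruct(prev, start, goal):
    """Turn the predecessor map into an ordered list of (src, rel, dst) steps."""
    if goal not in prev:
        return None
    steps, node = [], goal
    while node != start:
        parent, rel = prev[node]
        steps.append((parent, rel, node))
        node = parent
    return steps[::-1]


def shortest_path(adj, start, goal):
    """Hop-count shortest path (BFS): every edge counts the same, as in a
    plain Neo4j shortestPath() query."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return _reconstruct(prev, start, goal)


def cheapest_path(adj, start, goal, weights):
    """Dijkstra over modification cost.  Returns (steps, total_cost), or
    (None, None) when the goal is unreachable."""
    dist, prev, heap = {start: 0}, {start: None}, [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == goal:
            break                         # first pop of the goal is optimal
        for rel, nxt in adj[node]:
            new_cost = cost + weights[rel]
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = (node, rel)
                heapq.heappush(heap, (new_cost, nxt))
    return _reconstruct(prev, start, goal), dist.get(goal)


def modifications_needed(steps, weights):
    """Number of directory changes a path would require."""
    return sum(weights[rel] for _, rel, _ in steps)


if __name__ == "__main__":
    graph = build_adjacency(EDGES)
    hops = shortest_path(graph, "test", "Domain Admins")
    cheap, cost = cheapest_path(graph, "test", "Domain Admins", EDGE_WEIGHTS)
    print("hop-count path :", hops, "changes:", modifications_needed(hops, EDGE_WEIGHTS))
    print("weighted path  :", cheap, "changes:", cost)
```

The hop-count search returns a path that would modify Domain Admins, while the weighted search returns four MemberOf edges and a cost of zero, which is exactly the "already a domain admin" case the slide describes. The manual variant mentioned on slide 27 corresponds to pruning edges by weight before searching; Dijkstra avoids the missed-path risk at the price of visiting more of the graph.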
Slide 30: Example: escalating from account operators
[screenshot]

Slide 31: Example: escalating from account operators
[screenshot]

Slide 32: Non-supported edges and limitations
• ForceChangePassword:
  • We have the right to change the user’s password
  • Not easily possible to restore afterwards (only with dcshadow or setntlm)
  • Not supported for now
  • Solution: split the path, perform password reset manually
• WriteOwner:
  • Seems to be limited to setting the owner to your own user
  • Not possible to restore right now
  • Needs more investigation

Slide 33: Restore operation
• Aclpwn will remember state during exploitation
• Possible to restore all operations using the --restore option
• Different restore strategies

Slide 34: Restore example
[screenshot]
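Slide 23 says the path is walked in reverse when privileges are restored, and slide 33 that state is remembered for that purpose. The reason the order matters is that each step of a chain only becomes undoable with the rights the earlier steps are still providing. The following added example models that on a toy in-memory directory; it is not aclpwn.py code and touches no real Active Directory. The three-step chain (WriteDacl on a group, AddMember granted through it, membership of Domain Admins via that group) mirrors the WriteDacl-to-membership pattern of slides 19 and 25; the group names, user names and right names are constructed.

```python
"""
Why a restore has to walk the path in reverse.  Added example on a toy
in-memory directory; not aclpwn.py code, and it talks to no real AD.
"""
import copy


class ToyDirectory:
    """Groups with members, plus one DACL per object as a set of (trustee, right)."""

    def __init__(self, members, aces):
        self.members = members   # group -> set of member names
        self.aces = aces         # object -> set of (trustee, right)

    def groups_of(self, principal):
        """Transitive group membership: a right granted to a group reaches its members."""
        seen, stack = set(), [principal]
        while stack:
            current = stack.pop()
            for group, members in self.members.items():
                if current in members and group not in seen:
                    seen.add(group)
                    stack.append(group)
        return seen

    def _require(self, actor, obj, right):
        holders = {actor} | self.groups_of(actor)
        if not any((h, right) in self.aces.get(obj, set()) for h in holders):
            raise PermissionError(f"{actor} lacks {right} on {obj}")

    # Every change, including the ones that undo an earlier change, is gated
    # by the right the directory would check for it.
    def add_ace(self, actor, obj, trustee, right):
        self._require(actor, obj, "WriteDacl")
        self.aces.setdefault(obj, set()).add((trustee, right))

    def remove_ace(self, actor, obj, trustee, right):
        self._require(actor, obj, "WriteDacl")
        self.aces[obj].discard((trustee, right))

    def add_member(self, actor, group, member):
        self._require(actor, group, "AddMember")
        self.members.setdefault(group, set()).add(member)

    def remove_member(self, actor, group, member):
        self._require(actor, group, "AddMember")
        self.members[group].discard(member)


class Session:
    """Applies changes as one actor and records the inverse of each change."""

    def __init__(self, directory, actor):
        self.directory, self.actor, self.undo_log = directory, actor, []

    def add_ace(self, obj, trustee, right):
        self.directory.add_ace(self.actor, obj, trustee, right)
        self.undo_log.append(("remove_ace", obj, trustee, right))

    def add_member(self, group, member):
        self.directory.add_member(self.actor, group, member)
        self.undo_log.append(("remove_member", group, member))

    def restore(self, reverse=True):
        """Replay the recorded inverses; the order decides whether this can succeed."""
        steps = self.undo_log[::-1] if reverse else list(self.undo_log)
        for method, *args in steps:
            getattr(self.directory, method)(self.actor, *args)
            self.undo_log.remove((method, *args))


def build_scenario():
    """Constructed starting state: 'test' holds WriteDacl on a group that in
    turn holds AddMember on Domain Admins."""
    return ToyDirectory(
        members={"IT Admins": {"alice"}, "Domain Admins": {"admin"}},
        aces={"IT Admins": {("test", "WriteDacl")},
              "Domain Admins": {("IT Admins", "AddMember")}},
    )


def run_restore(reverse):
    """Walk the three-step path as 'test', then roll it back in the given
    order.  Returns (restored_to_original_state, error_message)."""
    directory = build_scenario()
    original = copy.deepcopy((directory.members, directory.aces))
    session = Session(directory, "test")
    session.add_ace("IT Admins", "test", "AddMember")   # step 1: needs WriteDacl on IT Admins
    session.add_member("IT Admins", "test")             # step 2: needs the ACE from step 1
    session.add_member("Domain Admins", "test")         # step 3: AddMember held via IT Admins
    try:
        session.restore(reverse=reverse)
    except PermissionError as err:
        return False, str(err)
    return (directory.members, directory.aces) == original, None


if __name__ == "__main__":
    print("reverse order:", run_restore(reverse=True))
    print("forward order:", run_restore(reverse=False))
```

Undoing in forward order removes the AddMember ACE first, after which the actor no longer has the right needed to remove itself from the group, so the rollback stops half-way and leaves a changed directory behind. Reverse order undoes step 3 while step 2's membership still supplies the right, and so on down the chain, which is why a saved restore state has to record the order as well as the changes.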
Slide 35: Defenses

Slide 36: Defending against ACL attacks
• Audit your ACLs!
  • Use BloodHound
• Remove dangerous ACLs (for example Exchange)
• Restrict permission delegation
  • Admin on Exchange Server => Domain Admin
  • Admin on Azure AD connect host => Domain Admin
  • Resetting password of high privilege users => Domain Admin
  • Managing groups with high privileges => Domain Admin

Slide 37: Defending against ACL attacks
• Monitor for ACL changes
  • Use SACLs to generate events for important object modifications
  • Use event logging to monitor DACL changes
• See: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
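One block serves several slides here: the DACL/ACE terminology of slide 7, the WriteDacl-on-the-domain case studies of slides 14 and 19, and the audit and monitoring advice of slides 36 and 37. It is an added example, not code from the deck or from aclpwn.py. It parses a security descriptor in SDDL text form into its ACEs, names the rights a defender would flag (WriteDacl, WriteOwner, GenericAll, GenericWrite, unscoped write-property and control-access rights, and the two replication control-access rights that together make up DCSync), and runs that check over Windows Security event 5136 records ("A directory service object was modified") to report ACEs newly added to an object's DACL. The descriptors, the SID, the machine-account name and the event records are constructed; events are modelled as already-parsed dicts using the 5136 field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OpCorrelationID). The two DCSync GUIDs are the well-known Active Directory control-access-right GUIDs.

```python
"""
Audit an Active Directory security descriptor (SDDL text) and detect
dangerous DACL changes from Windows Security event 5136 records.
Added example; the descriptors, SIDs and events below are constructed.
"""
import re
from collections import defaultdict

# Control-access-right GUIDs that together make up DCSync (replication)
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Rights that let a trustee rewrite the object's DACL or the object itself
DANGEROUS_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite",
                    "WD": "WriteDacl", "WO": "WriteOwner"}
# Well-known SDDL aliases an audit expects to hold such rights
EXPECTED_ADMINS = {"DA", "EA", "BA", "SY"}

SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")   # O:owner G:group D:dacl S:sacl
ACE_RE = re.compile(r"\(([^)]*)\)")                       # one parenthesised ACE


def parse_ace(text):
    """Split 'type;flags;rights;object_guid;inherit_guid;sid' into a dict."""
    ace_type, flags, rights, obj_guid, inh_guid, sid = (text.split(";") + [""] * 6)[:6]
    # rights are two-letter codes run together, or a raw hex access mask
    codes = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {"raw": text, "type": ace_type, "flags": flags, "rights": codes,
            "object_guid": obj_guid.lower(), "inherit_guid": inh_guid, "sid": sid}


def parse_sddl(sddl):
    """Return owner, primary group, DACL ACEs and SACL ACEs of an SDDL string."""
    parts = dict.fromkeys("OGDS", "")
    parts.update(SECTION_RE.findall(sddl))
    return {"owner": parts["O"], "group": parts["G"],
            "dacl": [parse_ace(a) for a in ACE_RE.findall(parts["D"])],
            "sacl": [parse_ace(a) for a in ACE_RE.findall(parts["S"])]}


def classify_ace(ace):
    """Name the dangerous capabilities an allow ACE grants (empty list if none)."""
    if ace["type"] not in ("A", "OA"):          # deny and audit ACEs grant nothing
        return []
    grants = [DANGEROUS_RIGHTS[c] for c in ace["rights"] if c in DANGEROUS_RIGHTS]
    if "CR" in ace["rights"]:                   # control access = extended right
        if ace["object_guid"] in DCSYNC_GUIDS:
            grants.append("DCSync:" + DCSYNC_GUIDS[ace["object_guid"]])
        elif not ace["object_guid"]:            # no GUID: every extended right
            grants.append("AllExtendedRights")
    if "WP" in ace["rights"] and not ace["object_guid"]:
        grants.append("WriteAllProperties")     # unscoped write-property
    return grants


def audit_dacl(sddl, ignore_sids=EXPECTED_ADMINS):
    """Slide 36 style audit: every non-admin trustee holding a dangerous right."""
    return [(ace["sid"], classify_ace(ace)) for ace in parse_sddl(sddl)["dacl"]
            if ace["sid"] not in ignore_sids and classify_ace(ace)]


def dangerous_dacl_changes(events):
    """Slide 37 style monitor: pair the 'Value Deleted' (old) and 'Value Added'
    (new) nTSecurityDescriptor records of one 5136 operation and report ACEs
    that are new in the DACL and grant a dangerous right."""
    ops = defaultdict(dict)
    for ev in events:
        if ev["EventID"] == 5136 and ev["AttributeLDAPDisplayName"] == "nTSecurityDescriptor":
            ops[(ev["ObjectDN"], ev["OpCorrelationID"])][ev["OperationType"]] = ev
    alerts = []
    for (dn, _), pair in ops.items():
        old, new = pair.get("Value Deleted"), pair.get("Value Added")
        if old is None or new is None:
            continue
        before = {a["raw"] for a in parse_sddl(old["AttributeValue"])["dacl"]}
        for ace in parse_sddl(new["AttributeValue"])["dacl"]:
            grants = classify_ace(ace)
            if ace["raw"] not in before and grants:
                alerts.append({"object": dn, "changed_by": new["SubjectUserName"],
                               "trustee": ace["sid"], "grants": grants})
    return alerts


# --- constructed sample data (not from a real domain) ------------------------
DOMAIN_DN = "DC=corp,DC=example"
OLD_SD = "O:DAG:DAD:PAI(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
NEW_SD = OLD_SD + ("(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
                   "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)")


def _event(op_type, value, attr="nTSecurityDescriptor"):
    return {"EventID": 5136, "SubjectUserName": "EXCH01$", "ObjectDN": DOMAIN_DN,
            "AttributeLDAPDisplayName": attr, "OperationType": op_type,
            "OpCorrelationID": "{constructed-op-1}", "AttributeValue": value}


SAMPLE_EVENTS = [
    _event("Value Deleted", OLD_SD),                    # old descriptor removed ...
    _event("Value Added", NEW_SD),                      # ... new descriptor written
    _event("Value Added", "text", attr="description"),  # unrelated attribute change
]

if __name__ == "__main__":
    for alert in dangerous_dacl_changes(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the audit of the old descriptor is clean because the only trustee with WriteDacl is Domain Admins, and the monitor raises two alerts for the new descriptor: a non-admin SID was granted both replication rights on the domain object by a machine account, the slide 19 pattern. Event 5136 is only written when the Directory Service Changes audit subcategory is enabled and the object's SACL audits the write, which is why the slide pairs SACLs with DACL monitoring; the SACL section parsed here is where that auditing is configured.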
Slide 38: Conclusions

Slide 39: Conclusions
• ACL attacks are still relatively unknown
  • But present in almost every Active Directory
• You don’t need a Domain Admin session to pwn the domain
• More tooling will (hopefully) raise awareness for this issue

Slide 40: Get the tools
• Online at https://github.com/fox-it/aclpwn.py
• Follow me on Twitter to keep up-to-date with my work (@_dirkjan)
• I’ll be demo-ing aclpwn.py this afternoon tomorrow morning
• Feel free to drop by for any questions! ☺

Slide 41: Dirk-jan Mollema – Aclpwn.py – Active Directory ACL exploitation with BloodHound
