
I Hunt Sys Admins



This presentation covers various ways to hunt for users on Windows domains. It was presented at the Shmoocon 2015 firetalks.



  1. “I Hunt Sys Admins” (U) Will @harmj0y
  2. $ whoami
     ● Security researcher and red teamer for the Veris Group’s Adaptive Threat Division
     ● Co-founder of the Veil-Framework and founder of Veil’s PowerTools
     ● Cons:
       o Shmoocon ‘14: AV Evasion with the Veil Framework
       o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0
       o Derbycon ‘14: Passing the Torch: Old School Red Teaming, New School Tactics?
  3. What this is
     ● Ways to hunt for target users on Windows domains
     ● Ya really, that’s it
     ● Will cover as many tools and techniques for doing this as I have time for
  4. Setting the Stage
     ● This talk is from the “assume breach” perspective
       o i.e. assume foothold/access to a Windows domain machine
     ● I’m also going to assume you know (more or less) what users you’re targeting
     ● PowerShell methods are going to heavily rely on PowerView
  5. Motivations
     ● Most common:
       o If you have a privileged account, or local admin account, you want to figure out where high value users are logged in
     ● Hunt -> pop box -> Mimikatz -> profit
     ● Other times you might have domain admin rights and need to target specific users to demonstrate impact
       o e.g. popping a CEO’s desktop and email
  6. Where my sysadmins at? Finding your prey
  7. Existing Tech
     ● Several tools have been written that allow you to figure out who’s logged in where
     ● I’ll cover what’s already out there, including the positives/negatives for each
     ● “Offensive in depth”
       o You always want multiple ways of achieving the same objective in your attack chain
  8. psloggedon.exe
     ● Component of Microsoft’s Sysinternals
       o “...determines who is logged on by scanning the keys under the HKEY_USERS key.”
       o “To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API.”
     ● Needs remote registry access to determine who’s logged in
       o i.e. admin privileges on a remote machine
  9. psloggedon.exe
  10. netsess.exe
     ● Component of
     ● Utilizes the NetSessionEnum API call
       o us/library/windows/desktop/bb525382(v=vs.85).aspx
     ● Think a version of “net session” that works on remote machines!
       o great for targeting file servers :)
       o no admin privs needed!
  11. netsess.exe
  12. PVEFindADUser.exe
     ● Tool released by corelanc0d3r in 2009
     ● “Helps you find where AD users are logged in”
       o Can also check who’s logged into specific machines
     ● But “...also need to have admin access on the computers you are running the utility against.”
  13. PVEFindADUser.exe
  14. netview.exe
     ● Rob Fuller’s (@mubix) netview.exe project, presented at Derbycon 2012, is a tool to “enumerate systems using WinAPI calls”
     ● Finds all machines on the network, enumerates shares, sessions, and logged in users for each host
       o And now can check share access, highlight high value users, and use a delay/jitter :)
       o and also, no admin privs needed!
  15. netview.exe
  16. Nmap
     ● If you have a valid domain account, or a local account valid for several machines, you can use smb-enum-sessions.nse
     ● Don’t need to have admin privileges!
       nmap -sU -sS --script smb-enum-sessions.nse --script-args 'smbuser=jasonf,smbpass=BusinessBusinessBusiness!' -p U:137,T:139
  17. Nmap
  18. Email Headers
     ● If you have access to someone’s email (Mimikatz+OWA, etc.) internal headers can provide a wealth of information
     ● Search for any chains to/from target users, and examine headers for given email chains
     ● If the “X-Originating-IP” header is present, you can trace where a user sent a given email from
  19. PowerShell: “Microsoft’s Post-Exploitation Language”
  20. Invoke-UserHunter
     ● Flexible function that:
       o queries AD for hosts or takes a target list
       o queries AD for users of a target group, or takes a list/single user
       o uses Win32 API calls to enumerate sessions (NetSessionEnum) and logged in users (NetWkstaUserEnum), matching against the target user list
     ● Can also check to see if you have local admin access on targets
       o but no admin privs needed to get good info!
  21. Invoke-UserHunter
  22. Invoke-StealthUserHunter
     ● Uses an old red teaming trick
       1. Queries AD for all users and extracts all homeDirectory fields to identify likely domain file servers
       2. Runs NetSessionEnum against each file server to enumerate remote sessions, matching against target user list
     ● Gets reasonable coverage with a lot less traffic than UserHunter
       o and again, no admin privs needed
  23. Invoke-StealthUserHunter
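Slides 20 and 22 both rest on the fact that, by default, any authenticated domain user can call NetSessionEnum against a file server. The server decides who may do that from a security descriptor stored in the registry, so a defender can audit it and remove the Authenticated Users grant (the approach Microsoft published as "Net Cease"). The following PowerShell is an added example, not part of the talk or of PowerView; it assumes the standard registry location for that descriptor and must be run elevated on the server being checked.

```powershell
# Added example (not from the talk or PowerView): audit, and optionally harden,
# the security descriptor that controls who may enumerate SMB sessions
# (NetSessionEnum) on this host. Run in an elevated PowerShell.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$ValueName = 'SrvsvcSessionInfo'   # REG_BINARY self-relative security descriptor
$AuthenticatedUsersSid = 'S-1-5-11'

function Get-NetSessionEnumAccess {
    # Returns one object per ACE; Exposed = $true marks the default
    # Authenticated Users grant that lets any domain user list sessions.
    $bytes = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Principal  = $name
            Sid        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            Exposed    = ($sid.Value -eq $AuthenticatedUsersSid)
        }
    }
}

function Remove-AuthenticatedUsersSessionAccess {
    # Removes every ACE for Authenticated Users and writes the descriptor back.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $bytes = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor ($bytes, 0)
    $acl = $sd.DiscretionaryAcl
    # Walk backwards so removing an entry does not shift indices still to be checked.
    for ($i = $acl.Count - 1; $i -ge 0; $i--) {
        if ($acl[$i].SecurityIdentifier.Value -eq $AuthenticatedUsersSid) { $acl.RemoveAce($i) }
    }
    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Remove Authenticated Users ACE')) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $out -Type Binary
    }
}

# Usage: review first, then harden.
Get-NetSessionEnumAccess | Format-Table -AutoSize
Remove-AuthenticatedUsersSessionAccess -WhatIf
```

The Server service reads the descriptor when it starts, so the new value takes effect after the LanmanServer service (or the host) is restarted; schedule that for a file server rather than restarting it mid-day. Keep a copy of the original value from the first run so the change can be reverted, and re-run the audit afterwards to confirm only administrators remain in the list.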
  24. Invoke-UserLogonHunter
     ● Sometimes you have DA, but need to target specific users (think the IR team :)
     ● Domain controller event logs make it trivial to track down domain users, provided you have domain admin access
     ● Get-UserLogonEvents implements @sixdub’s work on offensive event parsing
       o Invoke-UserLogonHunter rolls this all into a weaponized form
  25. Invoke-UserEventHunter
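The same domain controller logon events that slide 24 describes tell a defender where privileged accounts are being used, which is the information an attacker with DA would be hunting for. The PowerShell below is an added example, not the talk's Get-UserLogonEvents and not PowerView code; it reads 4624 logon events from a domain controller, keeps those for members of a privileged group, and reports any that did not come from an approved admin workstation. The group name, the approved host list and the time window are assumptions chosen for the example, and the ActiveDirectory module must be available.

```powershell
# Added example (not from the talk or PowerView): audit where privileged
# accounts have logged on, using DC security event 4624, so that logons from
# outside the admin tier can be investigated and stopped.
function Get-PrivilegedLogonExposure {
    param(
        [string]   $PrivilegedGroup  = 'Domain Admins',          # assumption
        [string[]] $ApprovedHosts    = @('PAW01', 'PAW02'),      # constructed sample list
        [string]   $DomainController = $env:LOGONSERVER.TrimStart('\'),
        [int]      $Hours            = 24
    )
    # Resolve the privileged account names (nested group members included).
    $privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
                Source    = $data['WorkstationName']
                SourceIP  = $data['IpAddress']
            }
        } |
        # Only privileged accounts, only logons that arrived over the network.
        Where-Object { $privileged -contains $_.User } |
        Where-Object { $_.SourceIP -and $_.SourceIP -notin @('-', '127.0.0.1', '::1') } |
        # Anything not from an approved admin host is an exposure to follow up.
        Where-Object { $ApprovedHosts -notcontains $_.Source } |
        Sort-Object User, Source, SourceIP -Unique
}

# Usage: run as an account allowed to read the DC Security log.
Get-PrivilegedLogonExposure | Format-Table -AutoSize
```

Each row is a host from which a privileged credential was used and so a host where that credential could be harvested by the methods covered earlier in the talk. WorkstationName is frequently blank for network logons, so match on SourceIP as well; extending the approved list to IP ranges is a straightforward refinement.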
  26. Questions?
     ● Contact me:
       o @harmj0y
       o harmj0y in #veil and #armitage on Freenode
     ● Read more:
     ● Get PowerView: