
PSConfEU - Offensive Active Directory (With PowerShell!)



This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.



  1. Offensive Active Directory (With PowerShell!)
     Will Schroeder (@harmj0y)
  2. Agenda
     • Offensive Active Directory 101
     • Hunting for Users
     • Local Administrator Enumeration
     • GPO Enumeration and Abuse
     • Active Directory ACLs
     • Domain Trusts
  3. Offensive AD 101
     • Red teams and ‘real’ bad guys have been abusing AD for years, but not much offensive AD information has existed publicly (until recently)
     • See
     • A lot of what we do on a red team is essentially just (authorized) domain administration
     • We find misconfigurations and chain access/trust relationships to turn one
  4. PowerView
     • A pure PowerShell domain/network situational awareness tool
     • PowerShell 2.0 compliant
     • Fully self-contained and loadable in memory
     • Now part of PowerSploit™ (not really trademarked)
     • Many modules are implemented in Empire
     • Built to automate large components of the tradecraft on our red team engagements
  5. Sidenote
     “The best tool these days for understanding windows networks is Powerview [1].” -Phineas Fisher
  6. Hunting for Users
     • On nearly every engagement, we end up wanting to know where specific users are logged in
     • We break this down into:
       • Pre-elevated access, where we have regular domain user privileges. This is our ‘lateral spread’ phase
       • Post-elevated access, where we have some type of elevated (e.g. Domain Admin) access. This is usually our ‘demonstrate impact’ phase
  7. Win32 API Access
     • Several techniques we rely on for user-hunting depend on various Windows API calls
     • Specifically NetWkstaUserEnum and NetSessionEnum
     • There are several methods to access these API calls through PowerShell
       • C# Add-Type, straight reflection, PSReflect
     • See Matt Graeber’s US PowerShell Summit talk on Win32 API access for more details
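The pre-elevated user-hunting primitive from slides 6 and 7, written out as an added example (this is not PowerView's own code, which wraps the same call with PSReflect; this uses the Add-Type route). It calls NetSessionEnum at information level 10, the level that did not require administrative rights on the target, and sweeps a list of hosts for a given user. The hostnames and the user name are placeholder assumptions; it needs PowerShell 3 or later for `[pscustomobject]`.

```powershell
# Added example: NetSessionEnum (level 10) via Add-Type P/Invoke, then a sweep.
# Not PowerView's code. Hostnames/user below are placeholder assumptions.

if (-not ('NetApi32' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NetApi32
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10
    {
        public string sesi10_cname;       // client computer name (\\HOST)
        public string sesi10_username;    // user who established the session
        public uint   sesi10_time;        // seconds the session has been active
        public uint   sesi10_idle_time;   // seconds the session has been idle
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(
        string servername, string uncClientName, string userName, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesRead,
        out int totalEntries, ref int resumeHandle);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@
}

function Get-RemoteSession {
    param([Parameter(Mandatory)][string]$ComputerName)

    $type   = [type][NetApi32+SESSION_INFO_10]
    $size   = [Runtime.InteropServices.Marshal]::SizeOf($type)
    $buffer = [IntPtr]::Zero
    $read = 0; $total = 0; $resume = 0
    $MAX_PREFERRED_LENGTH = -1        # let the server size the buffer

    # Level 10 returns client/user/time only and was readable by any authenticated
    # domain user; levels 1 and 2 (transport, client type) need admin on the target.
    $status = [NetApi32]::NetSessionEnum("\\$ComputerName", $null, $null, 10,
        [ref]$buffer, $MAX_PREFERRED_LENGTH, [ref]$read, [ref]$total, [ref]$resume)

    if ($status -ne 0) {
        # 5 = ERROR_ACCESS_DENIED (hardened SrvsvcSessionInfo ACL, or no rights),
        # 53 = ERROR_BAD_NETPATH (host unreachable). Report it rather than hide it.
        Write-Warning ("NetSessionEnum({0}) returned {1}" -f $ComputerName, $status)
        return
    }
    try {
        for ($i = 0; $i -lt $read; $i++) {
            $ptr  = [IntPtr]($buffer.ToInt64() + ($i * $size))
            $info = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, $type)
            [pscustomobject]@{
                ComputerName = $ComputerName
                UserName     = [string]$info.sesi10_username
                ClientHost   = ([string]$info.sesi10_cname).TrimStart('\')
                Active       = [timespan]::FromSeconds($info.sesi10_time)
                Idle         = [timespan]::FromSeconds($info.sesi10_idle_time)
            }
        }
    }
    finally {
        [void][NetApi32]::NetApiBufferFree($buffer)   # always release the server-allocated buffer
    }
}

function Find-UserSession {
    # Sweep a host list for sessions owned by one user; machine accounts (name$) are dropped.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($pc in $ComputerName) {
        Get-RemoteSession -ComputerName $pc |
            Where-Object { $_.UserName -eq $UserName -and -not $_.UserName.EndsWith('$') }
    }
}

# Placeholder hostnames. File servers and DCs hold sessions from many workstations,
# so querying a handful of them covers most of a domain's users.
Find-UserSession -UserName 'jdoe' -ComputerName 'FILESRV01', 'DC01' | Format-Table -AutoSize
```

The ClientHost column is the value that matters for hunting: it is the workstation the user's session came from, which is where the user is actually logged in.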
  8. Local Administrator Enumeration
     • Windows allows any domain-authenticated user to enumerate the members of a local group on a remote machine
       • Either through the NetLocalGroupGetMembers Win32 API call or the WinNT service provider
     • “Derivative Local Admin”
       • Alice is (effectively) an admin on Bob’s machine, and Bob is (effectively) an admin on Eve’s machine
       • Alice can derive Eve’s rights through compromising and leveraging Bob’s credentials
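The local-group enumeration from slide 8 through the WinNT provider, as an added example (not PowerView's code). It reads the local Administrators group of each host and inverts the results into a principal-to-hosts map, which is the lookup that makes a derivative-admin chain (Alice on Bob's box, Bob on Eve's) visible. Hostnames are placeholder assumptions; PowerShell 3 or later.

```powershell
# Added example: local Administrators via the WinNT ADSI provider, then a
# "who is admin where" map. Not PowerView's code; hostnames are placeholders.

function Get-RemoteLocalGroupMember {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$GroupName = 'Administrators'
    )
    try {
        $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            # Members come back as raw COM objects; read ADsPath and Class by reflection.
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # Domain principals look like WinNT://CORP/alice,
            # local ones like WinNT://CORP/HOST01/Administrator.
            $parts   = ($path -replace '^WinNT://', '') -split '/'
            $isLocal = ($parts.Count -ge 3)
            [pscustomobject]@{
                ComputerName = $ComputerName
                Principal    = if ($isLocal) { "$ComputerName\$($parts[-1])" } else { "$($parts[0])\$($parts[-1])" }
                IsGroup      = ($class -eq 'Group')
                IsLocal      = $isLocal
            }
        }
    }
    catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"
    }
}

function Get-DerivativeAdminMap {
    # Returns a hashtable: domain principal -> hosts where it sits in local Administrators.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $map = @{}
    foreach ($pc in $ComputerName) {
        foreach ($entry in Get-RemoteLocalGroupMember -ComputerName $pc) {
            # Local accounts only chain across hosts if the same password is reused,
            # which this enumeration cannot see, so they are left out of the map.
            if ($entry.IsLocal) { continue }
            if (-not $map.ContainsKey($entry.Principal)) { $map[$entry.Principal] = @() }
            $map[$entry.Principal] += $pc
        }
    }
    $map
}

$targets  = 'WKS-ALICE', 'WKS-BOB', 'WKS-EVE'        # placeholder hostnames
$adminMap = Get-DerivativeAdminMap -ComputerName $targets
$adminMap.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0,-30} admin on: {1}' -f $_.Key, ($_.Value -join ', ') }
```

Group members (IsGroup) need one more hop, expanding the domain group to its users, before the map answers "which user accounts get me to this host"; that expansion is an ordinary LDAP query any domain user can run.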
  9. GPO Enumeration and Abuse
     • Machines obviously have to somehow determine what users have administrative rights
     • Usually set through restricted groups or group policy preferences
     • These GPO policies are accessible by anyone on the domain
     • From an offensive perspective, we can often query a domain controller and determine who has administrative rights to what machines
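Slide 9's point in working form, as an added example (not PowerView's code): every domain user can read SYSVOL, and a GPO's Restricted Groups settings sit in a plain text security template, `<GPO>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`. The parser below reads the `[Group Membership]` section and reports which principals land in local Administrators (S-1-5-32-544). The template text is constructed for the example and its domain SIDs are made up; the domain name in the SYSVOL walk is a placeholder. Group Policy Preferences local groups (`Preferences\Groups\Groups.xml`) are the other place to look and are not covered here.

```powershell
# Added example: parse Restricted Groups from GptTmpl.inf. Not PowerView's code.
# The sample template and its SIDs are constructed; 'corp.local' is a placeholder.

$SampleGptTmpl = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1004336348-1177238915-682003330-1105,*S-1-5-21-1004336348-1177238915-682003330-512
CORP\Helpdesk__Memberof = *S-1-5-32-544
CORP\Helpdesk__Members =
'@

function ConvertFrom-GptTmplGroupMembership {
    # One object per "<group>__Members" / "<group>__Memberof" line.
    # Members replaces the group's membership on the target machine;
    # Memberof adds the group to the listed groups. A leading '*' marks a SID.
    param([Parameter(Mandatory)][string]$Content)
    $inSection = $false
    foreach ($line in $Content -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            [pscustomobject]@{
                Group    = $Matches['group'].TrimStart('*')
                Relation = $Matches['kind']
                Members  = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
    }
}

function Get-GpoLocalAdmin {
    # Collapse the parsed entries into "who ends up in Administrators".
    param([Parameter(Mandatory)][string]$Content)
    $admins = foreach ($e in ConvertFrom-GptTmplGroupMembership -Content $Content) {
        if ($e.Group -eq 'S-1-5-32-544' -and $e.Relation -eq 'Members') { $e.Members }
        if ($e.Relation -eq 'Memberof' -and $e.Members -contains 'S-1-5-32-544') { $e.Group }
    }
    foreach ($sid in ($admins | Sort-Object -Unique)) {
        $name = $sid
        if ($sid -match '^S-1-') {
            # Resolving needs a reachable domain; offline, the raw SID is kept.
            try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch {}
        }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

function Find-GpoLocalAdmin {
    # Walk every GPO in SYSVOL and run the parser over each template. Mapping a GPO
    # back to the OUs (and so the machines) it applies to via gPLink is the next step.
    param([Parameter(Mandatory)][string]$Domain)
    Get-ChildItem "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $gpoGuid = if ($_.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { '?' }
            Get-GpoLocalAdmin -Content (Get-Content $_.FullName -Raw) |
                Select-Object @{ n = 'GPO'; e = { $gpoGuid } }, Sid, Name
        }
}

Get-GpoLocalAdmin -Content $SampleGptTmpl      # runs offline against the sample
# Find-GpoLocalAdmin -Domain 'corp.local'        # placeholder domain, needs SYSVOL access
```

On the sample this yields the two domain SIDs (RIDs 1105 and 512) from the Members line plus CORP\Helpdesk from its Memberof line: three principals that become local admins on every machine the GPO applies to.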
  10. Active Directory ACLs
     • Very few organizations properly audit AD ACLs or alert on their alteration
     • Almost every organization has some kind of misconfiguration SOMEWHERE in the object access rights in their domain structure
     • This is also a great candidate place for ‘sneaky’ persistence!
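The audit slide 10 says rarely happens, as an added example (not PowerView's code). It pulls the DACL of the objects under a search base with a plain DirectorySearcher (SecurityMasks=Dacl makes the server return ntSecurityDescriptor) and keeps only Allow ACEs that give a non-default principal control of the object: GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty on all properties or on `member`, or the replication and password-reset extended rights. The search base is a placeholder assumption; PowerShell 3 or later. A hit is something to examine, not automatically a misconfiguration.

```powershell
# Added example: surface non-default principals with control rights in AD DACLs.
# Not PowerView's code; 'DC=corp,DC=local' is a placeholder search base.

$AbusableExtendedRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
}
$AllObjects = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "everything"
$MemberAttr = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'member' attribute
# Principals expected to hold broad rights; everything else is worth a look.
$DefaultPrincipal = '^(NT AUTHORITY\\(SYSTEM|SELF|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\(Administrators|Account Operators)|.+\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Read-only Domain Controllers|Key Admins|Enterprise Key Admins))$'

function Find-InterestingAce {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$LdapFilter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=group)(objectClass=user)(objectClass=computer))'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase", $LdapFilter)
    $searcher.PageSize      = 1000
    $searcher.SearchScope   = 'Subtree'
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'ntSecurityDescriptor'))

    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$r.Properties['ntsecuritydescriptor'][0])

        # Ask for SIDs, not names: an orphaned SID (deleted principal) must not abort the scan.
        foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference
            try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid.Value }
            if ($who -match $DefaultPrincipal) { continue }

            $rights = $ace.ActiveDirectoryRights.ToString()
            $guid   = $ace.ObjectType.ToString()
            $why = switch -Regex ($rights) {
                'GenericAll|WriteDacl|WriteOwner|GenericWrite' { 'Control'; break }
                'WriteProperty' { if ($guid -in @($AllObjects, $MemberAttr)) { 'WriteProperty' }; break }
                'ExtendedRight' {
                    if ($guid -eq $AllObjects) { 'All extended rights' }
                    elseif ($AbusableExtendedRights[$guid]) { $AbusableExtendedRights[$guid] }
                    break
                }
            }
            if (-not $why) { continue }
            [pscustomobject]@{
                ObjectDN  = $dn
                Identity  = $who
                Rights    = $rights
                Why       = $why
                Inherited = $ace.IsInherited   # explicit (non-inherited) ACEs are the usual persistence spot
            }
        }
    }
}

Find-InterestingAce -SearchBase 'DC=corp,DC=local' | Sort-Object Identity, ObjectDN | Format-Table -AutoSize
```

Run it once as a baseline and diff later runs against it; that diff is the "alert on alteration" the slide says most organizations lack.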
  11. Domain Trusts
     • Trusts allow separate domains to form inter-connected relationships
     • Often utilized during acquisitions (e.g. forest trusts or cross-link trusts)
     • A trust just links up the authentication systems of two domains and allows authentication traffic to flow between them
     • Allows for the possibility of privileged access between domains, but doesn’t guarantee it*
  12. Sidenote: The Mimikatz Trustpocalypse
     • Mimikatz Golden Tickets now accept SidHistories through the new /sids:<X> argument
     • If you compromise a DC in a child domain, you can create a golden ticket with the “Enterprise Admins” SID in the SID history
     • This can let you compromise the parent domain!
     • The FOREST is the trust boundary, not the domain!
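Trust enumeration from slide 11 together with the check behind slide 12, as an added example (not PowerView's code). It reads the trustedDomain objects under CN=System of the current domain and decodes trustAttributes and trustDirection; the WITHIN_FOREST and QUARANTINED_DOMAIN bits show whether SID history arriving over a trust is honored (intra-forest, no SID filtering) or filtered, which is why the forest and not the domain is the boundary. It also derives the forest root's Enterprise Admins SID (root domain SID plus RID 519), the value the slide's golden ticket would carry in SID history. The domain name defaults to the current one; PowerShell 3 or later.

```powershell
# Added example: decode trustedDomain objects and derive the Enterprise Admins SID.
# Not PowerView's code. Flag values are the documented trustAttributes bits.

$TrustAttributeFlags = @(
    @{ Bit = 0x001; Name = 'NON_TRANSITIVE' }
    @{ Bit = 0x002; Name = 'UPLEVEL_ONLY' }
    @{ Bit = 0x004; Name = 'QUARANTINED_DOMAIN' }   # SID filtering on; default for external trusts
    @{ Bit = 0x008; Name = 'FOREST_TRANSITIVE' }
    @{ Bit = 0x010; Name = 'CROSS_ORGANIZATION' }
    @{ Bit = 0x020; Name = 'WITHIN_FOREST' }        # parent/child or tree-root trust
    @{ Bit = 0x040; Name = 'TREAT_AS_EXTERNAL' }
    @{ Bit = 0x080; Name = 'USES_RC4_ENCRYPTION' }
    @{ Bit = 0x200; Name = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION' }
)
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function ConvertTo-TrustAttributeName([int]$Value) {
    foreach ($f in $TrustAttributeFlags) { if ($Value -band $f.Bit) { $f.Name } }
}

function Get-DomainTrust {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $base     = 'DC=' + ($Domain -replace '\.', ',DC=')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=System,$base", '(objectClass=trustedDomain)')
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('trustPartner', 'trustAttributes', 'trustDirection', 'securityIdentifier'))

    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties['trustattributes'][0]
        $sid   = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$r.Properties['securityidentifier'][0], 0)
        [pscustomobject]@{
            Source       = $Domain
            Target       = [string]$r.Properties['trustpartner'][0]
            TargetSid    = $sid.Value
            Direction    = $TrustDirection[[int]$r.Properties['trustdirection'][0]]
            Attributes   = (ConvertTo-TrustAttributeName $attrs) -join ','
            # Inside a forest SID history is not filtered, so a ticket from a child
            # domain carrying the root's Enterprise Admins SID is accepted by the parent.
            WithinForest = [bool]($attrs -band 0x20)
            SidFiltered  = [bool]($attrs -band 0x04)
        }
    }
}

function Get-EnterpriseAdminsSid {
    # Enterprise Admins is well-known RID 519 in the forest root domain.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $root   = [ADSI]"LDAP://$($forest.RootDomain.Name)"
    $sid    = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$root.Properties['objectSid'].Value, 0)
    '{0}-519' -f $sid.Value
}

Get-DomainTrust | Format-Table Source, Target, Direction, WithinForest, SidFiltered, Attributes -AutoSize
Get-EnterpriseAdminsSid      # the SID the slide's /sids:<X> argument would carry
```

For a defender the useful rows are trusts where SidFiltered is false and WithinForest is also false: SID history is honored across a boundary that was probably meant to be one.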
  13. Summary
     • There’s a lot of overlap between offensive engagements and legitimate domain administration
     • You can find where users are logged in WITHOUT elevated domain privileges
     • You can enumerate the local users of a remote machine WITHOUT elevated domain privileges
     • Domain trusts can easily be enumerated,
  14. Questions?
  15. About_Author
     • Will Schroeder (@harmj0y)
     • | will [at]
     • Security researcher and red teamer for Veris Group’s Adaptive Threat Division
     • Offensive open-source developer: Veil-Evasion, Empire, PowerSploit
     • Recent Microsoft CDM/PowerShell MVP
  16. About_References
     • The Mimikatz Trustpocalypse brought to you by:
       • Benjamin Delpy (@gentilkiwi)
       • Sean Metcalf (@pyrotek3) -
     • My Active Directory background brought to you by:
       • Carlos Perez (@darkoperator)
       • Sean Metcalf (@pyrotek3) -
     • Get PowerView: