The Travelling Pentester: Diaries of the Shortest Path to Compromise

This presentation was given at Blue Hat IL in 2017

1. The Travelling Pentester: Diaries of the Shortest Path to Compromise

2. About Me
   I am Will Schroeder
   Job: “Offensive Engineer” at Veris Group’s ATD
   Co-Founder: Veil-Framework, PowerView, PowerUp, Empire/EmPyre, BloodHound
   Trainer: Black Hat USA 2014-2017
   Other: Microsoft PowerShell/CDM MVP
   Twitter: @harmj0y

3. The Bloodhound Gang
   Rohan Vazarkar
   Job: Pentester at Veris Group’s ATD
   Tool creator/dev: BloodHound, Python EmPyre
   Presenter: BSides, Black Hat Arsenal, DEF CON
   Trainer: Black Hat USA 2016-2017
   Twitter: @CptJesus

   Andy Robbins
   Job: Pentest lead at Veris Group’s ATD
   Tool creator/dev: BloodHound
   Speaker: BSides, ISSA International, Black Hat Arsenal, DEF CON
   Trainer: Black Hat USA 2016-2017
   Twitter: @_wald0

4. tl;dr

5. Offensive Background

6. Our (Current) Ops
   ◇ “Assume breach” approach
   ◇ Lots of Active Directory and offensive PowerShell
   ◇ Defenses are getting better; we’ve had to evolve!

7. “Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”
   Michael Hayden, Former Director of NSA & CIA
   Source: Microsoft Enterprise Cloud Red Teaming Whitepaper

8. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
   John Lambert, GM, Microsoft Threat Intelligence Center

9. (Diagram) Nodes: Group: IT Admins, User: Bob, Computer: Server1, User: Mary, Group: Domain Admins, User: Alice

10. BloodHound
   ◇ Automates the attack path analysis process
   ◇ Components:
     ■ PowerShell ingestor
     ■ neo4j backend
     ■ Cross-platform Electron app front end
   ◇ Open source and BSD 3-clause licensed!

11. BloodHound Attack Graph Design
   Vertices represent users, groups, computers, and domains.
   Edges identify group memberships, admin rights, user sessions, and now ACL relationships.
   Paths always lead toward escalating rights. Always.

12. Who’s Logged in Where? aka “user-hunting”
   (Diagram) NetSessionEnum/NetWkstaUserEnum between Attacker and DC

13. Who’s Logged in Where? “Stealth” user-hunting
   (Diagram) Attacker, DC, File Server; NetSessionEnum sessions

14. Who’s Logged in Where? Defenses

15. Who’s Logged in Where? Defenses

16. Who Can Admin What?

17. Who Can Admin What? PowerView

18. Who Can Admin What? Defenses
   “Windows 10 had introduced an option to control the remote access to the SAM, through a specific registry value. On Windows Anniversary update (Windows 10 Version 16074) the default permissions were changed to allow remote access only to administrators.”

19. Who Can Admin What? GPO Edition
   (Diagram) Labels: Restricted Groups, Group Policy Preferences, Group Policy Object, OU/site/domain, Contains, Server, Workstation, Local Admins

20. Who’s in What Groups?
   ◇ Enumerate all groups and extract the members of each
   ◇ PowerView:
     ■ Get-DomainGroup | Get-DomainGroupMember
   ◇ BloodHound:
     ■ Just pulls the member attribute for all group objects

21. Active Directory DACLs

22. Previous DACL Work
   https://www.sstic.org/media/SSTIC2014/SSTIC-actes/chemins_de_controle_active_directory/SSTIC2014-Slides-chemins_de_controle_active_directory-gras_bouillot.pdf

23. Previous DACL Work
   ◇ Offline (ntds.dit) and some online DACL collection capabilities
   ◇ Backend neo4j database allows for control flow discovery
   ◇ Code released at https://github.com/ANSSI-FR/AD-control-paths

24. Who Has Rights Over What Objects?
   ◇ By default, any user can enumerate all DACLs for all objects in the domain
     ■ Through .NET methods or by specifying ntsecuritydescriptor in the LDAP query props
   ◇ PowerView: Get-DomainObjectACL
   ◇ BloodHound enumerates just the control relationships we care about

25. (Diagram) Nodes: Computer: Server1, User: Mary, User: Alice, Group: IT Admins. Edge labels: ForceChangePassword, GenericWrite, GenericAll, WriteDACL, WriteOwner, AllExtendedRights

26. (Diagram) Nodes: Computer: Server1, Group: Exchange Admins, User: Alice, Group: IT Admins. Edge labels: AddMembers, GenericWrite, GenericAll, WriteDACL, WriteOwner, AllExtendedRights

27. BloodHound Currently Collected ACLs
   ◇ Default Rights
     ■ GenericAll - ALL THE RIGHTS
     ■ GenericWrite - write all object properties
     ■ WriteDacl - modify the DACL for the object
     ■ WriteOwner - modify an object owner
     ■ WriteProperty Self-Membership/Script-Path - modify group membership/user script path
   ◇ Extended Rights
     ■ User-Force-Change-Password
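As an added example (not code from the slides, and not BloodHound's own ingestor or Cypher queries), the graph analysis slides 9, 11 and 20 through 27 describe, run over a small constructed graph that uses the slides' node types and relationship names: a breadth-first shortest path from a user to Domain Admins, transitive group membership following only MemberOf edges, and a count of how often each edge sits on some user's shortest path. That last view is the one a defender wants, because the edges that carry the most paths are the relationships to remove first. Every node, edge and the TARGET name are constructed for illustration.

```python
from collections import Counter, deque

# Constructed sample graph (illustrative, not data from any real directory),
# using the node types and relationship names shown on the slides. Edges point
# in the direction a path would be traversed: MemberOf, AdminTo, HasSession,
# plus the ACL relationships listed on slides 25-27.
EDGES = [
    ("User:Bob", "MemberOf", "Group:IT Admins"),
    ("Group:IT Admins", "AdminTo", "Computer:Server1"),
    ("Group:IT Admins", "MemberOf", "Group:Remote Desktop Users"),
    ("Computer:Server1", "HasSession", "User:Mary"),
    ("User:Mary", "ForceChangePassword", "User:Alice"),
    ("User:Alice", "MemberOf", "Group:Domain Admins"),
    ("User:Carol", "MemberOf", "Group:Exchange Admins"),
    ("Group:Exchange Admins", "AddMembers", "Group:IT Admins"),
    ("User:Dave", "GenericAll", "Group:Domain Admins"),
]
TARGET = "Group:Domain Admins"  # constructed high-value node


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search. Returns the hops as (src, rel, dst) tuples,
    [] if start is the goal, or None if no path exists."""
    if start not in adj:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for rel, nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def effective_groups(adj, principal):
    """Transitive group membership (slide 20): follow only MemberOf edges,
    so nested groups are resolved but control rights such as AddMembers are not
    mistaken for membership."""
    seen, stack = set(), [principal]
    while stack:
        node = stack.pop()
        for rel, nxt in adj.get(node, []):
            if rel == "MemberOf" and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def edge_frequency(adj, goal):
    """For every User node with a path to goal, count which edges lie on its
    shortest path. Sorted most-used first; ties broken by edge name so the
    output is deterministic."""
    counts = Counter()
    for node in adj:
        if not node.startswith("User:"):
            continue
        path = shortest_path(adj, node, goal)
        if path:
            counts.update(path)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("Shortest path for User:Bob:")
    for hop in shortest_path(graph, "User:Bob", TARGET):
        print("  " + " -> ".join(hop))
    print("Edges carrying the most shortest paths to", TARGET)
    for edge, n in edge_frequency(graph, TARGET)[:3]:
        print(f"  {n}x  {edge[0]} -[{edge[1]}]-> {edge[2]}")
```

On this constructed graph Alice's Domain Admins membership is expected to top the list, since every path ends there; the next entry, Mary's ForceChangePassword right over Alice, is the non-obvious relationship that a list-based review would miss and that removing would cut off Bob, Carol and Mary at once.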
28. BloodHound Future Collected ACLs
   ◇ DS-Replication-Get-Changes-All
   ◇ Modification rights to GPC-File-Sys-Path for GPOs
   ◇ “Kerberoastable” accounts
   ◇ Read rights to ms-MCS-AdmPwd

29. BloodHound (Short) Demo

30. Case Studies (in Failure)
   Details have been changed to protect the innocent ;)

31. Case #1: Local Passwords Are Hard
   1. Service binary rotated the local admin passwords monthly
   2. .NET coded, predictable algorithm based on the date and hostname, no salt
   3. Pulled apart app, built weaponized code, had admin access to every gold image system
   4. Performed the ‘credential shuffle’ by hand with PowerView, took about 2 weeks

32. Case #2: Kerberos is Hard As Well
   1. Kerberoasted 2 service accounts, allowing for access to a handful of systems
   2. BloodHound analysis determined one user logged into one system we controlled had direct access to 5 systems, but derivative access to hundreds
   3. Bonus: all user accounts had reversible encryption set
   4. Elevated, hopped down the chain, DCSynced to recover ultimate target’s plaintext, grabbed the objective

33. Case #3: GPP and GPOs and extra SIDs, Oh My
   1. VULNERABLE SERVICE on terminal-type machines, allowed elevation
   2. All terminal servers had the same (and enabled) local admin account
   3. No formal trust, but correlated similar accounts between the two accessible domains
   4. Developed GPO correlation technique on the engagement to hop to 2 cross-network targets
   5. Group Policy Preferences in cross-network target, allowed compromise to a handful of machines

34. Case #3: GPP and GPOs and extra SIDs, Oh My (continued)
   6. Quick escalation to elevated domain rights
   7. DCSynced to recover krbtgt of child domain
   8. Hopped to child domain controller to build a Golden Ticket with extra SIDs
   9. Injected and was able to hop up the trust and DCSync the corporate root domain

35. Sniffing Out ACLs with BloodHound: Case #4

36. Sniffing Out ACLs with BloodHound: Case #4

37. How it Could Have Been Prevented: LAPS
   https://technet.microsoft.com/en-us/mt227395.aspx

38. How it Could Have Been Prevented
   https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access

39. How it Could Have Been Prevented
   ◇ Managed service accounts
   ◇ ATA
   ◇ SAMRi10 / NetCease
   ◇ Credential Guard
   ◇ Red Forest Architecture
   ◇ PowerUp
   ◇ GET RID OF GPP
   ◇ Separate forests to enforce trust
   ◇ Centralized logging/analysis
   ◇ Increased endpoint telemetry

40. How it Could Have Been Prevented: DACLs
   ¯_(ツ)_/¯

41. How We Get Caught: Our Biggest Pain Points

42. PowerShell Logging
   ◇ INSTALL V5!
   https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/

43. Endpoint Telemetry
   ◇ Command line logging is a huge pain
     ■ Many, many attacker toolsets end up calling shell commands
   ◇ Mining things like process tree traces at scale can give enormous insight
   ◇ Windows Defender ATP, Sysmon, etc.
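An added example (not from the slides) of the process-tree mining slide 43 recommends, in the same language as the graph example above. It parses a few constructed records in a simplified key=value form modelled on the fields that Sysmon Event ID 1 and Security event 4688 carry (process id, parent id, image path, command line), rebuilds the parent chain for each process, and flags two patterns that the "attacker toolsets end up calling shell commands" point makes visible: an Office application with a shell among its descendants, and powershell.exe started with an encoded command or a hidden window. The log format, process ids and command lines are constructed; the encoded payload is a dummy string, and real telemetry would be read from the event XML or JSON with the same logic.

```python
import ntpath
import re

# Constructed sample records (illustrative, not real telemetry). One process per
# line in a simplified key=value layout: pid, parent pid, image, command line.
SAMPLE_LOG = r"""
pid=400 ppid=1 image=C:\Windows\explorer.exe cmdline="explorer.exe"
pid=512 ppid=400 image=C:\Program Files\Microsoft Office\WINWORD.EXE cmdline="WINWORD.EXE /n report.docx"
pid=640 ppid=512 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c powershell -nop -w hidden -enc AAAA"
pid=700 ppid=640 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -enc AAAA"
pid=800 ppid=400 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -File C:\scripts\inventory.ps1"
"""

LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(.+?) cmdline="(.*)"')

# Image basenames used by the two rules (constructed, deliberately short lists).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
WINDOW_FLAGS = {"-w", "-windowstyle"}


def parse_log(text):
    """Return {pid: record} for every line that matches the sample layout."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, ppid, image, cmdline = m.groups()
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid),
                           "image": image, "cmdline": cmdline}
    return procs


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def ancestry(procs, pid):
    """Root-first list of image basenames from the outermost known parent down
    to pid. Stops at an unknown parent or at a cycle in the data."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def suspicious_powershell(cmdline):
    """True for an encoded command or an explicitly hidden window."""
    tokens = cmdline.lower().split()
    if any(t in ENCODED_FLAGS for t in tokens):
        return True
    return any(t in WINDOW_FLAGS and i + 1 < len(tokens) and tokens[i + 1] == "hidden"
               for i, t in enumerate(tokens))


def findings(procs):
    """List of (pid, rule) pairs, ordered by pid, for the two detection rules."""
    hits = []
    for pid, proc in sorted(procs.items()):
        name = basename(proc["image"])
        chain = ancestry(procs, pid)
        # Rule 1: a shell whose ancestors (chain minus itself) include an Office app.
        if name in SHELLS and any(a in OFFICE for a in chain[:-1]):
            hits.append((pid, "office_spawns_shell"))
        # Rule 2: PowerShell launched encoded or hidden, wherever it sits in the tree.
        if name == "powershell.exe" and suspicious_powershell(proc["cmdline"]):
            hits.append((pid, "encoded_or_hidden_powershell"))
    return hits


if __name__ == "__main__":
    procs = parse_log(SAMPLE_LOG)
    for pid, rule in findings(procs):
        print(f"pid {pid}: {rule}: {' > '.join(ancestry(procs, pid))}")
```

Note what the tree adds over a flat command-line search: pid 640 (cmd.exe) carries no PowerShell flags itself, yet it is reported because its parent chain runs back to WINWORD.EXE, while pid 800, a plain scripted PowerShell run under explorer.exe, produces no finding.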
44. Closing Thoughts

45. Thank You!
   @harmj0y
   will [at] harmj0y.net
   blog.harmj0y.net