Catch Me If You Can: PowerShell Red vs Blue
Your SlideShare is downloading.
×
![● To enumerate all domains in the forest:
o ([System.DirectoryServices.ActiveDirectory.Fore
st]::GetCurrentForest()).Domai...](https://image.slidesharecdn.com/trustsyoumighthavemissed-150516161824-lva1-app6892/75/trusts-you-might-have-missed-22-2048.jpg?cb=1668469899)
![Questions?
● Contact us:
o @harmj0y (will [at] harmj0y.net) or keybase.io/harmj0y
o @sixdub (justin [at] sixdub.net) or ke...](https://image.slidesharecdn.com/trustsyoumighthavemissed-150516161824-lva1-app6892/75/trusts-you-might-have-missed-48-2048.jpg?cb=1668469899)
Check these out next
Recommended
More Related Content
Slideshows for you (20)
Viewers also liked (13)
Similar to Trusts You Might Have Missed (20)
Recently uploaded (20)
Trusts You Might Have Missed
- 1. Trusts You Might Have Missed Will (@harmj0y) Justin (@sixdub)
- 2. @harmj0y ● Security researcher and red teamer for the Adaptive Threat Division of Veris Group ● Co-founder of the Veil-Framework and Veil’s PowerTools ● Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides
- 3. @sixdub ● Pentester and red teamer for the Adaptive Threat Division of Veris Group ● Lots of interest: red team ops, reverse engineering, adversarial tactics, etc ● Developer on the Veil-Framework and co- founder of Veil’s PowerTools
- 4. tl;dr ● Red Team Operations ● Active Directory 101 ● Domain Trusts 101 ● So what? ● Back to the Old School ● New School Enumeration ● Visualizing Trusts ● Abusing Trusts ● Demo ● On The Horizon
- 5. Red Team Operations Setting the stage
- 6. Red Teaming ● Red teaming means different things to different people o physical ops, in-depth social engineering, custom exploit dev, pure network based operations, etc. ● Common thread of increased time frame and more permissive scope ● Red Team Operations - military concept of adversarial thinking that evolved into adversary emulation
- 7. “Assume Breach” Mentality ● With the rash of recent major incidents, organizations have started to realize that they’re probably already owned ● You’re not going to stop the bad guys from getting in the front door ● Companies need to implement an “assume breach” way of thinking
- 8. Nothing New? ● Domain trusts have existed for years, and red teams have been abusing them just as long ● While these techniques are public, they’re not as well known as they should be ● Most of what we’re going to talk about is possible through multiple means: o VBScript, PowerShell, native tools o Good to have alternative ways to accomplish the same goal
- 9. Active Directory 101 Let’s go back to school
- 10. Base Overview ● Multiple Levels o Domain - Logical group of network objects (computers, users etc) o Trees - Collection of domains o Forests - Collection of trees ● Used to authenticate and authorize users and computers on a network o Also provides security policies, centralized management, and other rich features
- 11. Not So Basic Overview: NTLM https://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_ntlmauthentication
- 12. Not So Basic Overview: Kerberos http://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_kerberosauthentication
- 13. Active Directory Trusts 101 ● Trusts allow separate domains to form a relationship o Allows for the possibility of access to objects between domains. Authentication linkage! o Allows you to use objects from a remote domain aka Users from Domain A can be in groups of Domain B ● Forests can also establish trust relationships o ex. All domains in Forest A will trust domains in Forest B
- 14. Active Directory Trusts 201 ● Communications in the trust work via a system of referrals o If the SPN being requested resides outside of primary DC, issue a referral to the forest KDC or trusted domain KDC to receive a ticket o access is passed around with inter-realm TGTs ● Multiple configuration topographies available that will determine the behavior of the trusts o All a matter of design…
- 15. Trust Direction http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx
- 16. Trust Types ● Trusts come in a few varieties: o One way - Only one domain trusts the other o Two way - Both domains trust each other o Transitive - Domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C ● A child domain retains an implicit trust with its parent ● Lots more information at http://technet.microsoft.com/en- us/library/cc773178(v=ws.10).aspx
- 17. So What? ● Why does this matter? ● Red teams often compromise accounts/machines in a domain that's trusted by their actual target, allowing them to exploit these existing trust relationships to achieve their end goal ● And Enterprise Admin = pwnership over everything below
- 18. Domain Trust Enumeration Know what you have before you start pwning
- 19. Old School Enumeration ● Traditional trust enumeration utilizing ntltest:
- 20. Old School Enumeration ● Netdom (from servers only): o netdom query trust ● Adfind to enumerate trusts in other domains:
- 21. New School Enumeration ● PowerShell: Microsoft’s handy “post- exploitation language” :) ● Essentially a command-line wrapper for .NET with full access to the framework ● Contains various Active Directory hooks that makes enumeration much easier and flexible than before
- 22. ● To enumerate all domains in the forest: o ([System.DirectoryServices.ActiveDirectory.Fore st]::GetCurrentForest()).Domains ● To enumerate all trust relationships for the current domain: o ([System.DirectoryServices.ActiveDirectory.Dom ain]::GetCurrentDomain()).GetAllTrustRelationsh ips() Trust Enumeration with PowerShell
- 23. Using Trusts With PowerShell ● A lot of ADSI native PowerShell AD functionality can easily operate on domains to which there's an existing trust: o finding domain controllers, querying users, enumerating domain groups, finding domain machines, etc. ● All across trust boundaries with little extra effort, using these enumerated domain contexts
- 24. PowerView ● Think dsquery on steroids... and cocaine ● First started because a client banned “net” commands on domain machines ● Otherwise initially inspired by Rob Fuller’s netview.exe tool o Wanted something more flexible that also didn’t drop a binary to disk
- 25. PowerView: Enumerating Trusts ● PowerView has several new functions that allow you to enumerate any existing domain/forest trust relationships: o Get-NetForest: information about the current domain forest o Get-NetForestTrusts: grab all forest trusts o Get-NetForestDomains: enumerate all domains in the current forest o Get-NetDomainTrusts: find all current domain trusts, á la nltest
- 26. PowerView: Enumerating Trusts
- 27. PowerView: Trust Mapping w/ LDAP! ● Sometimes the trust “enclave” is more protected, and mass enumeration across a boundary can seem strange o Also, your workstation might not be able to directly contact the DC of a trusted/ing domain ● Get-NetDomainTrustsLDAP - Utilizes LDAP queries only to enumerate trusts o Slightly less accurate… but blends better! o And these LDAP queries can be bounced through your primary DC!
- 28. PowerView: Using Trusts ● If a trust exists, most functions in PowerView can now accept a -Domain <name> flag to operate across a trust: o Get-NetDomainControllers, Get-NetUsers, Get- NetUser, Get-NetComputers, Get-NetGroups, Get- NetGroup, Get-NetFileServers, Get-UserProperties, Invoke-UserFieldSearch, Invoke-Netview, Invoke- UserHunter, etc.
- 29. PowerView: Using Trusts
- 30. Mapping Domain Trusts ● PowerView also have a function to map all reachable domain trusts: o Invoke-MapDomainTrusts o Invoke-MapDomainTrustsLDAP ● Finds all domain trusts for the current domain, then tries to enumerate all trusts for each domain it finds, and so on ● Can dump out a nice .csv of all current trust relationships
- 31. Analysis and Visualization Raw data ain’t nothin’
- 32. Motivations ● Many networks only have a few domains and associated trusts ● While this raw data from PowerView is useful, it can become onerous for networks with many domains o Think dozens+, all interconnected ● Data means nothing if you can’t interpret it usefully
- 33. Nodal Analysis ● Concept of applying network and graph theory techniques to identify relevant and useful data o Centrality o Shortest Path o Isolated Nodes ● DomainTrustExplorer! o Used to rapidly triage large networks with a spaghetti mess of trusts o https://github.com/sixdub/DomainTrustExplorer
- 34. Nodal Analysis
- 35. Visualization ● Visual information processing is much easier for some people ● Seemingly random relationships might reveal important information when visualized in certain methods o Tree vs Node-Link vs Topological ● DomainTrustExplorer dumps to GraphML format
- 36. Abusing Domain Trusts The path to pwnership
- 37. Abusing Trusts ● As mentioned, knowing a trust exists can let you query information, but it doesn’t necessarily imply access o though it often does ;) ● You need to figure out if any users have cross-domain access and to what resources in other domains o trusts are rarely locked down properly, and you can often jump from one domain to another
- 38. Abusing Trusts with PowerView ● To enumerate users who are in groups outside of the user’s primary domain (i.e. across trusts): o Invoke-FindUserTrustGroups -Domain <domain> o Invoke-FindAllUserTrustGroups ● To enumerate users who have local admin privileges on all domain controllers in a particular domain: o Get-GetDomainControllers -Domain <domain> | Get-NetLocalGroup
- 39. ● To enumerate groups with users outside of the group’s primary domain: o Invoke-FindGroupTrustUsers -Domain <domain> o Invoke-FindAllGroupTrustUsers ● To find members of the administrators localgroup outside of the primary domain for all machines in a domain: o Invoke-EnumerateLocalTrustGroups -Domain <domain> Abusing Trusts with PowerView: BSides Chicago Edition
- 40. Abusing Trusts: A Case Study ● Say we land on a machine in the dev.testlab.local domain and work our way to the DC ● We want to compromise the testlab.local forest root o We’ll do this by abusing trust relationships with another child domain in the forest ● We’ll step through enumeration, visualization, and abuse
- 41. Demo
- 42. On The Horizon Whats next...
- 43. Improved Data Analysis ● Working on methods to correlate PowerView data with trust information to provide additional context o Think “this domain group has access to these cross- domain resources” ● Goal of creating an offensive dashboard for red team operations o @_tomsteele has started some of this work already https://github.com/tomsteele/domain-trust-grapher
- 44. Trust Keys
- 45. Trust Keys
- 46. Trust Keys ● The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets* o Mimikatz can now extract these trust keys from domain controllers participating in the trust ● These keys can be used to create “gold-ish” trust tickets for the krbtgt service, with a trusting domain as the target o these in turn can be used to request TGSes for specific services on the trusting domain *https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx
- 47. Trust Keys: A Domain Trust Golden Ticket This means that even if the krbtgt hash is rolled twice, you can still abuse a privileged domain trust and possibly recompromise a domain from a trusted source!
- 48. Questions? ● Contact us: o @harmj0y (will [at] harmj0y.net) or keybase.io/harmj0y o @sixdub (justin [at] sixdub.net) or keybase.io/sixdub ● Read more: o http://www.harmj0y.net/blog/tag/domain-trusts/ o http://www.sixdub.net/?p=285 ● Get the tools: o https://github.com/Veil- Framework/PowerTools/tree/master/PowerView o https://github.com/sixdub/DomainTrustExplorer
