Trusts You Might Have Missed

1. Trusts You Might Have Missed
Will (@harmj0y), Justin (@sixdub)

2. @harmj0y
● Security researcher and red teamer for the Adaptive Threat Division of Veris Group
● Co-founder of the Veil-Framework and Veil's PowerTools
● Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides

3. @sixdub
● Pentester and red teamer for the Adaptive Threat Division of Veris Group
● Lots of interests: red team ops, reverse engineering, adversarial tactics, etc.
● Developer on the Veil-Framework and co-founder of Veil's PowerTools
4. tl;dr
● Red Team Operations
● Active Directory 101
● Domain Trusts 101
● So what?
● Back to the Old School
● New School Enumeration
● Visualizing Trusts
● Abusing Trusts
● Demo
● On The Horizon

5. Red Team Operations
Setting the stage

6. Red Teaming
● Red teaming means different things to different people
  o physical ops, in-depth social engineering, custom exploit dev, pure network-based operations, etc.
● Common thread: an increased time frame and a more permissive scope
● Red Team Operations: a military concept of adversarial thinking that evolved into adversary emulation

7. "Assume Breach" Mentality
● With the rash of recent major incidents, organizations have started to realize that they're probably already owned
● You're not going to stop the bad guys from getting in the front door
● Companies need to adopt an "assume breach" way of thinking

8. Nothing New?
● Domain trusts have existed for years, and red teams have been abusing them just as long
● While these techniques are public, they're not as well known as they should be
● Most of what we're going to talk about is possible through multiple means:
  o VBScript, PowerShell, native tools
  o It's good to have alternative ways to accomplish the same goal

9. Active Directory 101
Let's go back to school
10. Base Overview
● Multiple levels
  o Domain: logical group of network objects (computers, users, etc.)
  o Tree: collection of domains sharing a contiguous DNS namespace
  o Forest: collection of trees
● Used to authenticate and authorize users and computers on a network
  o Also provides security policies, centralized management, and other rich features

11. Not So Basic Overview: NTLM

12. Not So Basic Overview: Kerberos

13. Active Directory Trusts 101
● Trusts allow separate domains to form a relationship
  o Allows for the possibility of access to objects between domains. Authentication linkage!
  o Allows you to use objects from a remote domain, i.e. users from Domain A can be in groups of Domain B
● Forests can also establish trust relationships
  o e.g. all domains in Forest A will trust domains in Forest B
14. Active Directory Trusts 201
● Communication across a trust works via a system of referrals
  o If the requested SPN lives in a domain other than the one that issued the client's TGT, the local KDC cannot issue the service ticket itself; it hands back a referral ticket, an inter-realm TGT for krbtgt/<target domain> encrypted with the shared trust key, which the client presents to the trusted domain's KDC (following the trust path through the forest root(s) where necessary) to obtain the real service ticket
  o Access is thus passed around with inter-realm TGTs
● Multiple configuration topologies are available that determine the behavior of the trusts
  o All a matter of design...

15. Trust Direction

16. Trust Types
● Trusts come in a few varieties:
  o One-way: only one domain trusts the other
  o Two-way: both domains trust each other
  o Transitive: Domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C
● A child domain automatically has a two-way transitive trust with its parent
● Lots more information at us/library/cc773178(v=ws.10).aspx
17. So What?
● Why does this matter?
● Red teams often compromise accounts/machines in a domain that's trusted by their actual target, and then exploit those existing trust relationships to reach their end goal
● And Enterprise Admin = pwnership over everything below

18. Domain Trust Enumeration
Know what you have before you start pwning
19. Old School Enumeration
● Traditional trust enumeration using nltest:

20. Old School Enumeration
● Netdom (from servers only):
  o netdom query trust
● Adfind to enumerate trusts in other domains:

21. New School Enumeration
● PowerShell: Microsoft's handy "post-exploitation language" :)
● Essentially a command-line wrapper for .NET with full access to the framework
● Contains various Active Directory hooks that make enumeration much easier and more flexible than before

22. Trust Enumeration with PowerShell
● To enumerate all domains in the forest:
  o ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Domains
● To enumerate all trust relationships for the current domain:
  o ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
23. Using Trusts With PowerShell
● A lot of the ADSI-based AD functionality available from PowerShell can easily operate on domains to which a trust exists:
  o finding domain controllers, querying users, enumerating domain groups, finding domain machines, etc.
● All across trust boundaries with little extra effort, using these enumerated domain contexts

24. PowerView
● Think dsquery on steroids... and cocaine
● First started because a client banned "net" commands on domain machines
● Otherwise initially inspired by Rob Fuller's netview.exe tool
  o Wanted something more flexible that also didn't drop a binary to disk

25. PowerView: Enumerating Trusts
● PowerView has several new functions that allow you to enumerate any existing domain/forest trust relationships:
  o Get-NetForest: information about the current domain's forest
  o Get-NetForestTrusts: grab all forest trusts
  o Get-NetForestDomains: enumerate all domains in the current forest
  o Get-NetDomainTrusts: find all current domain trusts, à la nltest

26. PowerView: Enumerating Trusts

27. PowerView: Trust Mapping w/ LDAP!
● Sometimes the trust "enclave" is more protected, and mass enumeration across a boundary can look strange
  o Also, your workstation might not be able to directly contact the DC of a trusted/trusting domain
● Get-NetDomainTrustsLDAP: uses LDAP queries only (the trustedDomain objects in the domain's System container) to enumerate trusts
  o Slightly less accurate... but blends better!
  o And these LDAP queries can be bounced through your primary DC!
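The two enumeration paths from slides 22 and 27 side by side, as an added example that is not PowerView's or the talk's own code: the .NET API call the slides show, and the LDAP-only variant that reads the trustedDomain objects and decodes their raw trustDirection/trustAttributes bits. It assumes a domain-joined host running as an ordinary domain user (trustedDomain objects are readable by authenticated users); the optional -Server parameter is the "bounce it through your primary DC" trick and is my naming, not PowerView's.

```powershell
# Added example: enumerate the current domain's trusts via .NET and via raw LDAP.

function Get-TrustViaDotNet {
    # Same call as slide 22, returned as objects instead of raw output.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($t in $domain.GetAllTrustRelationships()) {
        [PSCustomObject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = [string]$t.TrustDirection   # Inbound / Outbound / Bidirectional
            Type      = [string]$t.TrustType        # ParentChild, TreeRoot, External, Forest, ...
        }
    }
}

# Bit meanings of the trustedDomain attributes (MS-ADTS trustDirection / trustAttributes).
$TrustDirection  = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustAttributes = @{
    0x01 = 'NON_TRANSITIVE';   0x02 = 'UPLEVEL_ONLY';       0x04 = 'QUARANTINED_DOMAIN'
    0x08 = 'FOREST_TRANSITIVE'; 0x10 = 'CROSS_ORGANIZATION'; 0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'; 0x80 = 'USES_RC4_ENCRYPTION'
}

function Get-TrustViaLdap {
    param(
        # Optional DC (or any LDAP server) to send the query to; with no value the
        # serverless LDAP:// bind lets the locator pick a DC of the current domain.
        [string]$Server
    )
    if ($Server) {
        $root = [ADSI]"LDAP://$Server"
    } else {
        $root = [ADSI]('LDAP://' + ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectClass=trustedDomain)'   # lives under CN=System,<domain NC>
    $searcher.PageSize = 200
    foreach ($p in 'trustPartner', 'flatName', 'trustDirection', 'trustAttributes', 'securityIdentifier') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties['trustattributes'][0]
        $flags = $TrustAttributes.Keys | Sort-Object | Where-Object { $attrs -band $_ } |
                 ForEach-Object { $TrustAttributes[$_] }
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['securityidentifier'][0], 0)
        [PSCustomObject]@{
            Partner    = $r.Properties['trustpartner'][0]
            NetBIOS    = $r.Properties['flatname'][0]
            Direction  = $TrustDirection[[int]$r.Properties['trustdirection'][0]]
            Attributes = ($flags -join ',')
            Sid        = $sid.Value
        }
    }
}

Get-TrustViaDotNet | Format-Table -AutoSize
Get-TrustViaLdap   | Format-Table -AutoSize   # add -Server dc01 to route via one DC
```

The LDAP view is the one that "blends": it is a single paged search against a DC you already talk to, whereas the .NET call may fan out to DCs of the partner domains. The decoded attributes are worth reading before abusing anything: WITHIN_FOREST marks the parent/child and tree-root trusts, QUARANTINED_DOMAIN means SID filtering is on, and NON_TRANSITIVE tells you the trust will not chain. Cross-check the output against `nltest /domain_trusts /all_trusts` or `netdom query trust` from slides 19 and 20 when you can afford the noise.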
28. PowerView: Using Trusts
● If a trust exists, most functions in PowerView can now accept a -Domain <name> flag to operate across it:
  o Get-NetDomainControllers, Get-NetUsers, Get-NetUser, Get-NetComputers, Get-NetGroups, Get-NetGroup, Get-NetFileServers, Get-UserProperties, Invoke-UserFieldSearch, Invoke-Netview, Invoke-UserHunter, etc.

29. PowerView: Using Trusts

30. Mapping Domain Trusts
● PowerView also has functions to map all reachable domain trusts:
  o Invoke-MapDomainTrusts
  o Invoke-MapDomainTrustsLDAP
● Finds all domain trusts for the current domain, then tries to enumerate all trusts for each domain it finds, and so on
● Can dump out a nice .csv of all current trust relationships
31. Analysis and Visualization
Raw data ain't nothin'

32. Motivations
● Many networks only have a few domains and associated trusts
● While the raw data from PowerView is useful, it becomes onerous for networks with many domains
  o Think dozens+, all interconnected
● Data means nothing if you can't interpret it usefully

33. Nodal Analysis
● Concept of applying network and graph theory techniques to identify relevant and useful data
  o Centrality
  o Shortest Path
  o Isolated Nodes
● DomainTrustExplorer!
  o Used to rapidly triage large networks with a spaghetti mess of trusts

34. Nodal Analysis

35. Visualization
● Visual information processing is much easier for some people
● Seemingly random relationships might reveal important information when visualized in certain ways
  o Tree vs. Node-Link vs. Topological
● DomainTrustExplorer dumps to GraphML format
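The recursive mapping from slide 30 carried through to the CSV, the GraphML dump and the simplest of the nodal measures from slides 33 and 35 (per-domain in/out degree, which is what "centrality" reduces to on a trust graph), as an added example. This is not PowerView's Invoke-MapDomainTrusts nor DomainTrustExplorer; it is a breadth-first walk over Domain.GetAllTrustRelationships() that assumes the host can reach a DC of each domain it visits and records the ones it cannot.

```powershell
# Added example: walk every reachable trust, then export CSV + GraphML and rank domains.

function Invoke-MapTrusts {
    param(
        [string]$StartDomain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
    )
    $dct   = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $edges = New-Object 'System.Collections.Generic.List[object]'
    $queue.Enqueue($StartDomain.ToLower())
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }      # already enumerated
        try {
            $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($dct, $name)
            $dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
            $trusts = $dom.GetAllTrustRelationships()
        } catch {
            # Typical for the "enclave" case on slide 27: the trust is visible but its DCs are not.
            Write-Warning "Could not enumerate $name : $($_.Exception.Message)"
            continue
        }
        foreach ($t in $trusts) {
            $target = $t.TargetName.ToLower()
            $edges.Add([PSCustomObject]@{
                SourceDomain   = $name
                TargetDomain   = $target
                TrustType      = [string]$t.TrustType
                TrustDirection = [string]$t.TrustDirection
            })
            if (-not $seen.Contains($target)) { $queue.Enqueue($target) }
        }
    }
    return $edges
}

function Export-TrustGraphML {
    # Minimal GraphML (directed edges = "source has a trust object for target").
    param([object[]]$Edges, [string]$Path)
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<?xml version="1.0" encoding="UTF-8"?>')
    [void]$sb.AppendLine('<graphml xmlns="http://graphml.graphdrawing.org/xmlns">')
    [void]$sb.AppendLine('  <key id="type" for="edge" attr.name="TrustType" attr.type="string"/>')
    [void]$sb.AppendLine('  <key id="dir" for="edge" attr.name="TrustDirection" attr.type="string"/>')
    [void]$sb.AppendLine('  <graph id="trusts" edgedefault="directed">')
    $nodes = @($Edges | ForEach-Object { $_.SourceDomain; $_.TargetDomain }) | Sort-Object -Unique
    foreach ($n in $nodes) { [void]$sb.AppendLine("    <node id=`"$n`"/>") }
    $i = 0
    foreach ($e in $Edges) {
        [void]$sb.AppendLine("    <edge id=`"e$i`" source=`"$($e.SourceDomain)`" target=`"$($e.TargetDomain)`">")
        [void]$sb.AppendLine("      <data key=`"type`">$($e.TrustType)</data><data key=`"dir`">$($e.TrustDirection)</data>")
        [void]$sb.AppendLine('    </edge>')
        $i++
    }
    [void]$sb.AppendLine('  </graph>')
    [void]$sb.AppendLine('</graphml>')
    [System.IO.File]::WriteAllText($Path, $sb.ToString())
}

function Get-TrustDegree {
    # Degree centrality: domains with many incoming trusts are the ones many others rely on.
    param([object[]]$Edges)
    $nodes = @($Edges | ForEach-Object { $_.SourceDomain; $_.TargetDomain }) | Sort-Object -Unique
    foreach ($d in $nodes) {
        [PSCustomObject]@{
            Domain   = $d
            Outgoing = @($Edges | Where-Object { $_.SourceDomain -eq $d }).Count
            Incoming = @($Edges | Where-Object { $_.TargetDomain -eq $d }).Count
        }
    }
}

$edges = Invoke-MapTrusts
$edges | Export-Csv -Path trusts.csv -NoTypeInformation
Export-TrustGraphML -Edges $edges -Path trusts.graphml
Get-TrustDegree -Edges $edges | Sort-Object Incoming -Descending | Format-Table -AutoSize
```

Open trusts.graphml in yEd or Gephi for the node-link view the slides talk about. Domains that appear only as a TargetDomain and produced a warning are the isolated nodes in practice: you know they exist but cannot talk to them from where you sit, which is itself useful triage data.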
36. Abusing Domain Trusts
The path to pwnership

37. Abusing Trusts
● As mentioned, knowing a trust exists lets you query information, but it doesn't necessarily imply access
  o though it often does ;)
● You need to figure out whether any users have cross-domain access, and to what resources in other domains
  o trusts are rarely locked down properly, and you can often jump from one domain to another

38. Abusing Trusts with PowerView
● To enumerate users who are in groups outside of the user's primary domain (i.e. across trusts):
  o Invoke-FindUserTrustGroups -Domain <domain>
  o Invoke-FindAllUserTrustGroups
● To enumerate users who have local admin privileges on all domain controllers in a particular domain:
  o Get-NetDomainControllers -Domain <domain> | Get-NetLocalGroup

39. Abusing Trusts with PowerView: BSides Chicago Edition
● To enumerate groups with users outside of the group's primary domain:
  o Invoke-FindGroupTrustUsers -Domain <domain>
  o Invoke-FindAllGroupTrustUsers
● To find members of the local Administrators group who come from outside the primary domain, for all machines in a domain:
  o Invoke-EnumerateLocalTrustGroups -Domain <domain>
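What the two "trust groups" checks on slides 38 and 39 boil down to, written out as an added example rather than PowerView's own functions. A principal from another domain can only sit in a target domain's groups through a foreignSecurityPrincipal object, so querying those (and their memberOf back-links) gives the "groups with users outside the group's primary domain" list directly; the second function walks the DCs' Administrators group through the WinNT provider, which is what Get-NetLocalGroup does under the hood. Both assume reachability of a DC of the target domain and take a DNS domain name; the Foreign flag assumes the NetBIOS name equals the first DNS label, which is not guaranteed on renamed domains.

```powershell
# Added example: find cross-domain group membership and cross-domain DC admins.

$Dct = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain

function Get-ForeignGroupMember {
    param([Parameter(Mandatory)][string]$Domain)    # domain whose groups we inspect
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($Dct, $Domain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($dom.GetDirectoryEntry())
    $searcher.Filter   = '(objectClass=foreignSecurityPrincipal)'   # CN=ForeignSecurityPrincipals,<NC>
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    foreach ($r in $searcher.FindAll()) {
        if (-not $r.Properties.Contains('memberof')) { continue }   # FSP in no group: nothing to abuse
        $sid = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectsid'][0], 0)
        if ($sid.Value -notmatch '^S-1-5-21-') { continue }        # skip well-known SIDs (Authenticated Users etc.)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }   # resolves across the trust
        catch { $who = $sid.Value }                                                    # trust broken or one-way
        foreach ($g in $r.Properties['memberof']) {
            [PSCustomObject]@{ Domain = $Domain; Group = $g; ForeignMember = $who; Sid = $sid.Value }
        }
    }
}

function Get-DCAdminMember {
    param([Parameter(Mandatory)][string]$Domain)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($Dct, $Domain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $netbiosGuess = $Domain.Split('.')[0]           # assumption: NetBIOS name == first DNS label
    foreach ($dc in $dom.DomainControllers) {
        # On a DC the WinNT provider's Administrators is the domain's BUILTIN\Administrators.
        $group = [ADSI]"WinNT://$($dc.Name)/Administrators,group"
        foreach ($m in @($group.Invoke('Members'))) {
            $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $parts   = ($adsPath -replace '^WinNT://', '').Split('/')   # AUTHORITY/name
            [PSCustomObject]@{
                DC        = $dc.Name
                Authority = $parts[0]
                Member    = $parts[-1]
                Foreign   = ($parts[0] -ne $netbiosGuess)
            }
        }
    }
}

Get-ForeignGroupMember -Domain 'testlab.local' | Format-Table -AutoSize
Get-DCAdminMember -Domain 'testlab.local' | Where-Object Foreign | Format-Table -AutoSize
```

Two things to keep in mind when reading the results. Foreign security principals can only be placed in domain local groups, so a hit in, say, the forest root's Administrators or a domain local file-server group is exactly the "privileged trust" the case study on slide 40 leans on. And the memberOf attribute only shows direct membership; a foreign account nested through a global group in its own domain will not appear, which is why the slide's -Domain sweep across every domain in the trust map matters.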
40. Abusing Trusts: A Case Study
● Say we land on a machine in the dev.testlab.local domain and work our way to its DC
● We want to compromise the testlab.local forest root
  o We'll do this by abusing trust relationships with another child domain in the forest
● We'll step through enumeration, visualization, and abuse

41. Demo

42. On The Horizon
What's next...

43. Improved Data Analysis
● Working on methods to correlate PowerView data with trust information to provide additional context
  o Think "this domain group has access to these cross-domain resources"
● Goal of creating an offensive dashboard for red team operations
  o @_tomsteele has started some of this work already

44. Trust Keys

45. Trust Keys

46. Trust Keys
● The password of a domain's trust account is used to derive the inter-realm key that encrypts referral (inter-realm) tickets*
  o Mimikatz can now extract these trust keys from domain controllers participating in the trust
● These keys can be used to forge "gold-ish" trust tickets for the krbtgt service with a trusting domain as the target, i.e. inter-realm TGTs
  o these in turn can be used to request TGSes for specific services in the trusting domain*

47. Trust Keys: A Domain Trust Golden Ticket
This means that even if the krbtgt hash is rolled twice, you can still abuse a privileged domain trust and possibly recompromise a domain from a trusted source!
48. Questions?
● Contact us:
  o @harmj0y (will [at] or
  o @sixdub (justin [at] or
● Read more:
● Get the tools:
  o Framework/PowerTools/tree/master/PowerView