Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Trusts You Might Have Missed - 44con


Published on

This presentation was given at 44con on 9/16/16 and covers Active Directory domain trusts from an offensive perspective.

Published in: Internet

Trusts You Might Have Missed - 44con

  1. 1. Trusts You Might Have Missed
  2. 2. @harmj0y Co-founder of Empire/EmPyre, PowerTools, Veil-Framework PowerSploit/BloodHound developer Microsoft PowerShell MVP
  3. 3. tl;dr ⊙ Red Teaming ⊙ Active Directory and Trusts 101 ⊙ Old vs New School Enumeration ⊙ Abusing Trusts ⊙ BloodHound ⊙ Mimikatz and Trusts ⊙ Demo
  4. 4. 1 “Red Teaming” Bridging the Gap
  5. 5. ⊙ Red teaming means different things to different people ○ common thread of increased time frame and more permissive scope ⊙ We tend towards longer running, remote network operations with a focus on Windows Red Teaming
  6. 6. “ Fundamentally, if somebody wants to get in, they're getting in...Accept that...What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you're almost certainly penetrated. Michael Hayden Former Director of CIA & NSA
  7. 7. ⊙ Domain trusts have existed for years, and red teams have been abusing them just as long ○ Techniques are public but not as well known as they should be ⊙ Possible through multiple means, “offense in depth” ○ VBScript, PowerShell, native tools Nothing New?
  8. 8. 2 Domain Trusts A Quick Refresher
  9. 9. ⊙ Multiple Levels ○ Domain- logical group of network objects (computers, users, etc.) ○ Trees- collection of domains ○ Forests- collection of trees ⊙ Used to authenticate and authorize users and computers on a network ⊙ The domain is not the trust boundary, the forest is!!! Active Directory Overview
  10. 10. ⊙ Trusts allow domains to form inter-connected relationships ○ A trust just links up the authentication systems of two domains and allows authentication traffic to flow between them ○ Done by exchanging an “inter-realm trust key” that can relay kerberos traffic ⊙ Forests can also establish trust relationships ○ ex. all domains in Forest A will trust domains in Forest B Trusts 101
  11. 11. ⊙ Communications in the trust work via a system of referrals: ○ If the SPN being requested resides outside of the primary domain, the DC issues a referral to the forest KDC (or trusted domain KDC) to receive a ticket ○ Access is passed around w/ inter-realm TGTs signed by the inter-realm key ⊙ Multiple configuration topographies available that will determine the behavior of the trusts Trusts 201
  12. 12. Kerberos and Domain Trusts
  13. 13. Trust Direction
  14. 14. ⊙ Trusts come in a few varieties: ○ One way- one domain trusts the other ○ Two way- both domains trust each other ○ Transitive- domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C ⊙ A child domain retains an implicit two-way transitive trust with its parent ○ ary/cc773178(v=ws.10).aspx Trust Types
  15. 15. ⊙ Why does this matter? ⊙ Trusts can introduce unintentional avenues of access into a target ⊙ Enterprise Admin = pwnership over everything below ○ but at a minimum trusts let you query AD information for a foreign domain! Who Cares?
  16. 16. 3 Trust Enumeration Old School vs. New
  17. 17. nltest.exe and adfind.exe
  18. 18. ⊙ A pure PowerShell domain/network situational awareness tool ○ think dsquery on steroids... and cocaine ⊙ Built to automate large components of our tradecraft used to facilitate red team engagements ⊙ Now integrated into PowerSploit ○ everything is version PS v2.0 compliant PowerView
  19. 19. ⊙ Get-NetForest: information about the current domain forest ⊙ Get-NetForestDomain: enumerate all domains in the current forest ⊙ Get-NetDomainTrust: find all current domain trusts, à la nltest ⊙ Get-NetForestTrust: grab all forest trusts PowerView: Enumerating Trusts
  20. 20. ⊙ If a trust exists, most functions in PowerView can accept a -Domain <name> flag to operate across a trust: ○ Get-NetDomainController, Get-NetUser, Get-NetComputer, Get-NetGroup, Get-NetGroupMember, Get-NetFileServer, Invoke-UserHunter, etc. PowerView: Using Trusts
  21. 21. PowerView: Using Trusts
  22. 22. ⊙ PowerView also has a function to map all reachable domain trusts: ○ Invoke-MapDomainTrust ⊙ Finds all domain trusts for the current domain, enumerates all trusts for each domain it finds, and so on ○ can dump out a nice .csv of all current trust relationships PowerView: Mapping Trusts
  23. 23. Trust Mappings
  24. 24. ⊙ Raw trust mappings are digestible for small domains ○ But the complexity can explode for really large environments ⊙ Data means nothing if you can’t interpret it usefully ⊙ @sixdub’sDomainTrustExplorer can transform CSV output to graphml Processing Raw Data
  25. 25. Trust Visualization
  26. 26. 4 Abusing Domain Trusts The Path to Pwnership
  27. 27. 1. Map the trusts and their types (intra-forest or otherwise) reachable from your current domain 2. Enumerate users/groups from one domain that have access to resources in other domains a. uncovering the hidden ‘trust mesh’ of accesses that administrators have set up 3. Selectively compromise specific target accounts in order to hop across the trust boundary A Trust Attack Strategy
  28. 28. ⊙ To enumerate users who are in groups outside of the user’s primary domain (i.e. across trusts): ○ Find-ForeignUser -Domain <domain> ○ This is a domain’s “outgoing” access ⊙ To enumerate groups with users outside of the group’s primary domain: ○ Find-ForeignGroup -Domain <domain> ○ This is the “incoming” access to a domain ⊙ Lots of Get-NetLocalGroup Abusing Trusts With PowerView
  29. 29. Abusing Trusts With PowerView
  30. 30. 5
  31. 31. ⊙ Automates AD attack path finding ⊙ A graphing front end build on neo4j with a customized version of PowerView as the data collector ○ Export as CSV or inputs directly into the neo4j RESTful API ⊙ Released at DEF CON 24 ○ BloodHound Overview
  32. 32. BloodHound Path Finding
  33. 33. BloodHound and Domain Trusts ⊙ Domains are represented in the schema only for visualizing their relationships à la DomainTrustExplorer ⊙ The normal schema just has user@domain.local and machine.domain2.local ○ This lets us easily find cross-domain paths without having to specifically model domains in the schema
  34. 34. BloodHound Visualizing Trusts
  35. 35. BloodHound Hopping Trusts
  36. 36. BloodHound Foreign Users/Groups
  37. 37. 6 Mimikatz and Trusts Thanks @gentilkiwi and @pyrotek3 !
  38. 38. ⊙ “The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets”* ○ Mimikatz can extract these trust keys from domain controllers participating in the trust ⊙ These keys can be used to create “golden” trust referral tickets for the krbtgt service, with a trusting domain as the target * Mimikatz and Trust Keys
  39. 39. Even Crazier...
  40. 40. ⊙ Mimikatz can now include extra account SIDs from other domains when it constructs a Golden Ticket ○ with the /sids flag ⊙ If you get the krbtgt hash of a domain controller of a child domain in a forest, you can set the SID history to be “Enterprise Admins” of the parent domain ○ This allows you to compromise the forest root! The Trustpocalypse
  41. 41. If you compromise one domain controller of a child domain in a forest, you can compromise the entire forest! The Trustpocalypse
  42. 42. Advice From @gentilkiwi
  43. 43. Caveat: SID Filtering ⊙ If SID filtering is enabled, DCs in a trusting domain remove SIDs that aren’t contained in the trusted domain ○ Applies to SIDHistory! ⊙ This prevents the malicious SIDHistory Mimikatz attack ⊙ Enabled by default for external/interforest trusts
  44. 44. Caveat: Quarantined Within Forest ⊙ Parent-child trusts can be marked as ‘quarantined’ ⊙ This will filter out all SIDs, EXCEPT the “Enterprise Domain Controllers” SID (S-1-5-9) ;) ⊙ This means it’s still possible to craft a Golden Ticket in such a way to hop up the trust!
  45. 45. ⊙ Say we land on a machine in the dev.testlab.local domain ⊙ We want to compromise the external.local forest ⊙ We’ll do this by abusing trust relationships to hop to testlab.local and then external.local Demo Setup
  46. 46. Demo
  47. 47. Credits Special thanks to: ⊙ @_wald0 ⊙ @CptJesus ⊙ @sixdub ⊙ @gentilkiwi ⊙ @pyrotek3
  48. 48. Thanks! Any questions? @harmj0y will [at]