This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
2. Agenda
• Offensive Active Directory 101
• Hunting for Users
• Local Administrator Enumeration
• GPO Enumeration and Abuse
• Active Directory ACLs
• Domain Trusts
3. Offensive AD 101
• Red teams and ‘real’ bad guys have been abusing AD for years, but not much offensive AD information has existed publicly (until recently)
• See http://adsecurity.org/
• A lot of what we do on a red team is essentially just (authorized) domain administration
• We find misconfigurations and chain access/trust relationships to turn one
4. PowerView
• A pure PowerShell domain/network situational awareness tool
• Version 2.0 compliant
• Fully self-contained and loadable in memory
• Now part of PowerSploit™ (not really trademarked)
• Many modules are implemented in Empire
• Built to automate large components of the tradecraft on our red team engagements
5. Sidenote
“The best tool these days for understanding windows networks is Powerview [1].”
-Phineas Fisher
http://pastebin.com/raw/0SNSvyjJ
6. Hunting for Users
• On nearly every engagement, we end up wanting to know where specific users are logged in
• We break this down into:
  • Pre-elevated access, where we have regular domain user privileges. This is our “lateral spread” phase
  • Post-elevated access, where we have some type of elevated (e.g. Domain Admin) access. This is usually our ‘demonstrate impact’ phase
7. Win32 API Access
• Several techniques we rely on for user-hunting depend on various Windows API calls
  • Specifically NetWkstaUserEnum and NetSessionEnum
• There are several methods to access these API calls through PowerShell
  • C# Add-Type, straight reflection, PSReflect
• See Matt Graeber’s US PowerShell Summit talk on Win32 API access for more details
8. Local Administrator Enumeration
• Windows allows any domain-authenticated user to enumerate the members of a local group on a remote machine
  • Either through the NetLocalGroupGetMembers Win32 API call or the WinNT service provider
• “Derivative Local Admin”
  • Alice is (effectively) an admin on Bob’s machine, and Bob is (effectively) an admin on Eve’s machine
  • Alice can derive Eve’s rights through compromising and leveraging Bob’s credentials
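Slides 6 through 8 depend on two host-side defaults: any authenticated domain user can call NetSessionEnum / NetWkstaUserEnum against a machine, and any authenticated user can read local group membership over SAMR (NetLocalGroupGetMembers). The audit below is an added example, not code from the talk or from PowerView. It reads the two per-host settings that govern that exposure: the SrvsvcSessionInfo security descriptor the Server service consults for NetSessionEnum (the value Microsoft's "Net Cease" script rewrites), and the RestrictRemoteSAM SDDL string behind the policy "Network access: Restrict clients allowed to make remote calls to SAM". The registry paths and the documented default SDDL are Microsoft's; the function names and output fields are mine.

```powershell
# Added example (not from the talk or PowerView): audit the two host settings that
# decide whether any domain user can remotely enumerate logon sessions (NetSessionEnum)
# and local group members (SAMR / NetLocalGroupGetMembers) on this machine.

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }        # unresolvable (e.g. not domain-joined): keep the raw SID
}

function Get-SessionEnumAccess {
    # The Server service stores the DACL that gates NetSessionEnum in this REG_BINARY
    # value. "Net Cease" replaces the Authenticated Users ACE with Interactive/Service/Batch
    # so only principals with a local session can list sessions. Defaults differ across
    # Windows releases, so check rather than assume.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $bytes = (Get-ItemProperty -Path $key -Name SrvsvcSessionInfo -ErrorAction Stop).SrvsvcSessionInfo
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        [pscustomobject]@{
            Principal  = (Resolve-SidName $sid)
            Sid        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            # An allow ACE for Authenticated Users means every domain user can see who is
            # logged on to this host, which is exactly what user hunting relies on.
            Exposed    = ($sid.Value -eq $AuthenticatedUsersSid -and $ace.AceType -eq 'AccessAllowed')
        }
    }
}

function Get-RemoteSamRestriction {
    # The SAM restriction policy is stored as an SDDL string. Windows 10 1607 / Server 2016
    # and later default to O:BAG:BAD:(A;;RC;;;BA) (Administrators only). If the value is
    # absent, remote SAM enumeration is open to any authenticated user on builds that
    # support the setting, and the setting is unsupported on older unpatched builds.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $key -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if (-not $sddl) {
        return [pscustomobject]@{ Configured = $false; Sddl = $null; AllowedPrincipals = @() }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed') { Resolve-SidName $ace.SecurityIdentifier }
    }
    [pscustomobject]@{ Configured = $true; Sddl = $sddl; AllowedPrincipals = @($allowed) }
}

# Usage on the host being audited (requires local administrator rights to read HKLM):
Get-SessionEnumAccess   | Format-Table -AutoSize
Get-RemoteSamRestriction | Format-List
```

Run this across a fleet (for example through Invoke-Command) and the rows with Exposed set to True, or Configured set to False, are the hosts on which the session and local-group enumeration described on these slides works for an unprivileged domain account; changes to SrvsvcSessionInfo only take effect after the Server service restarts.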
9. GPO Enumeration and Abuse
• Machines obviously have to somehow determine what users have administrative rights
  • Usually set through restricted groups or group policy preferences
• These GPO policies are accessible by anyone on the domain
• From an offensive perspective, we can often query a domain controller and determine who has administrative rights to what machines
10. Active Directory ACLs
• Very few organizations properly audit AD ACLs or alert on their alteration
• Almost every organization has some kind of misconfiguration SOMEWHERE in the object access rights in their domain structure
• This is also a great candidate place for ‘sneaky’ persistence!
11. Domain Trusts
• Trusts allow separate domains to form inter-connected relationships
  • Often utilized during acquisitions (i.e. forest trusts or cross-link trusts)
• A trust just links up the authentication systems of two domains and allows authentication traffic to flow between them
  • Allows for the possibility of privileged access between domains, but doesn’t guarantee it*
12. Sidenote: The Mimikatz Trustpocalypse
• Mimikatz Golden Tickets now accept SidHistories through the new /sids:<X> argument
• If you compromise a DC in a child domain, you can create a golden ticket with the “Enterprise Admins” in the SID history
  • This can let you compromise the parent domain!
• The FOREST is the trust boundary, not the domain!
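Slides 11 and 12 make the defender's question concrete: which trusts exist, and on which of them is SID filtering enforced, since an unfiltered SID history is what the Trustpocalypse rides on. The inventory below is an added example, not code from the talk or from PowerView. It uses only the .NET System.DirectoryServices.ActiveDirectory classes (Domain.GetAllTrustRelationships, Forest.GetAllTrustRelationships and their GetSidFilteringStatus methods), so it needs no RSAT module; the function name and the InsideForest column are mine.

```powershell
# Added example (not from the talk or PowerView): list every trust of the current
# domain and forest with its SID-filtering status, using .NET only.

function Get-TrustSidFilteringStatus {
    param(
        # Defaults to the domain of the host running the script (must be domain-joined)
        [System.DirectoryServices.ActiveDirectory.Domain]$Domain =
            [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    )
    $forest = $Domain.Forest

    # Domain-level trusts: parent/child, tree-root, cross-link (shortcut) and external.
    foreach ($t in $Domain.GetAllTrustRelationships()) {
        try   { $status = $Domain.GetSidFilteringStatus($t.TargetName) }
        catch { $status = "error: $($_.Exception.Message)" }
        [pscustomobject]@{
            Scope        = 'Domain'
            Source       = $t.SourceName
            Target       = $t.TargetName
            TrustType    = $t.TrustType
            Direction    = $t.TrustDirection
            SidFiltering = $status
            # Trusts inside one forest are not SID-filtered by design: a compromised child
            # domain DC reaches the parent, so the forest, not the domain, is the boundary.
            InsideForest = (@('ParentChild', 'TreeRoot') -contains $t.TrustType)
        }
    }

    # Forest-level trusts: SID filtering ("quarantine") here is what stops a foreign
    # forest from injecting SIDs of this forest via SID history.
    foreach ($t in $forest.GetAllTrustRelationships()) {
        try   { $status = $forest.GetSidFilteringStatus($t.TargetName) }
        catch { $status = "error: $($_.Exception.Message)" }
        [pscustomobject]@{
            Scope        = 'Forest'
            Source       = $t.SourceName
            Target       = $t.TargetName
            TrustType    = $t.TrustType
            Direction    = $t.TrustDirection
            SidFiltering = $status
            InsideForest = $false
        }
    }
}

# Usage (any domain account can enumerate trusts; reading filtering status may need
# rights on the trust objects):
Get-TrustSidFilteringStatus | Format-Table -AutoSize
```

Rows with Scope Forest or TrustType External and SidFiltering False are the ones to fix; rows with InsideForest True cannot be fixed with SID filtering at all, which is the point of the slide: accounts and DCs in every domain of the forest have to be protected to the same standard.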
13. Summary
• There’s a lot of overlap between offensive engagements and legitimate domain administration
• You can find where users are logged in WITHOUT elevated domain privileges
• You can enumerate the local users of a remote machine WITHOUT elevated domain privileges
• Domain trusts can easily be enumerated,
15. About_Author
• Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at] harmj0y.net
• Security researcher and red teamer for Veris Group‘s Adaptive Threat Division
• Offensive open-source developer:
  • Veil-Evasion, Empire, PowerSploit
• Recent Microsoft CDM/PowerShell MVP
16. About_References
• The Mimikatz Trustpocalypse brought to you by:
  • Benjamin Delpy (@gentilkiwi)
  • Sean Metcalf (@pyrotek3) - http://adsecurity.org
• My Active Directory background brought to you by:
  • Carlos Perez (@darkoperator)
  • Sean Metcalf (@pyrotek3) - http://adsecurity.org
• Get PowerView:
Editor's Notes
So why not the official Active Directory (RSAT-AD-PowerShell) cmdlets?
For offense, we want something:
PowerShell version 2.0 compliant
Fully self-contained with no dependencies
Usable without any installation
Think of PowerView as a version 2.0 replacement for the AD cmdlets combined with offensive-oriented cmdlet functions
Phineas is the person who took down HackingTeam…
Pre-elevated introduces some complexities
I use PSReflect in PowerView because of its simplicity
DEMO
Show PowerView source, and Get-NetSession code
Show Invoke-UserHunter and all of its options
This is INCREDIBLY useful from an offensive perspective
Originally built because of the KB2871997 “pass the hash” patch so we could enumerate the RID-500 account and whether we could reuse
DEMO- Get-NetLocalGroup and friends
DEMO- walk through Find-GPOLocation
Resolves a user/group’s SID
Builds a list of SIDs the target is a part of
Uses Get-NetGPOGroup to pull GPOs that set “Restricted Groups” or groups.xml
Matches the target SID list to the queried GPO SID list to enumerate all GPOs the target is applied to
Enumerates all OUs/sites and applicable GPO GUIDs that are applied through GPLink
Queries for all computers in target OUs/sites
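The steps above describe Find-GPOLocation; the data it consumes in step 3 is the Restricted Groups section of each GPO's GptTmpl.inf under SYSVOL (plus Groups.xml from Group Policy Preferences), which any domain user can read. The script below is an added example and not PowerView's own code: it is the defender's version of that step, parsing the [Group Membership] section and reporting which principals a GPO puts into the local Administrators group, so the same inventory the slides warn about can be produced and reviewed by the people who own the domain. The *SID__Members / *SID__Memberof key syntax and the SYSVOL path are those of the file format; the function names, the sample GPO content and its SIDs are constructed by me.

```powershell
# Added example (not from the talk or PowerView): parse Restricted Groups settings out of
# GptTmpl.inf and report who is granted local Administrators membership by a GPO.

function Get-RestrictedGroupSetting {
    param(
        [Parameter(Mandatory)][string]$InfContent,
        [string]$GpoName = '(unknown)'
    )
    $inSection = $false
    foreach ($line in $InfContent -split '\r?\n') {
        if ($line -match '^\s*\[(?<section>[^\]]+)\]') {
            $inSection = ($Matches['section'] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        # Keys look like "*S-1-5-32-544__Members = *S-1-5-21-...-1108,DOMAIN\Name"
        if ($line -notmatch '^\s*\*?(?<group>.+?)__(?<kind>Memberof|Members)\s*=\s*(?<value>.*)$') { continue }
        $group = $Matches['group']; $kind = $Matches['kind']; $value = $Matches['value']
        $members = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        if ($members.Count -eq 0) { continue }     # "__Members =" with nothing after it is noise
        [pscustomobject]@{
            Gpo     = $GpoName
            Group   = $group
            Kind    = $kind      # Members: $group's membership is replaced by the list;
                                 # Memberof: $group is added to each listed group
            Members = $members
        }
    }
}

function Get-GpoLocalAdminGrant {
    # Reduce the settings to "principal X becomes a local Administrator via GPO Y".
    param([Parameter(Mandatory)][object[]]$Settings)
    $admins = @('S-1-5-32-544', 'Administrators')
    foreach ($s in $Settings) {
        if ($s.Kind -eq 'Members' -and $admins -contains $s.Group) {
            foreach ($m in $s.Members) {
                [pscustomobject]@{ Gpo = $s.Gpo; Principal = $m; Via = 'Members of Administrators' }
            }
        }
        if ($s.Kind -eq 'Memberof' -and ($s.Members | Where-Object { $admins -contains $_ })) {
            [pscustomobject]@{ Gpo = $s.Gpo; Principal = $s.Group; Via = 'Memberof Administrators' }
        }
    }
}

function Get-DomainRestrictedGroupSetting {
    # Walk every GPO's computer-side template in SYSVOL (files are UTF-16). Run from a
    # domain-joined host; Groups.xml under MACHINE\Preferences\Groups is the other source
    # of local-admin grants and needs its own (XML) parser.
    param([Parameter(Mandatory)][string]$Domain)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    foreach ($dir in Get-ChildItem -Path $policies -Directory -ErrorAction SilentlyContinue) {
        $inf = Join-Path $dir.FullName 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (Test-Path $inf) {
            Get-RestrictedGroupSetting -InfContent (Get-Content -Path $inf -Raw -Encoding Unicode) -GpoName $dir.Name
        }
    }
}

# Constructed sample GptTmpl.inf (not from any real domain): one GPO sets Administrators
# to two domain principals and also adds a third group into Administrators via Memberof.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1108,*S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-1111111111-2222222222-3333333333-1205__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1205__Members =
'@

$settings = Get-RestrictedGroupSetting -InfContent $sampleInf -GpoName '{constructed-gpo-guid}'
Get-GpoLocalAdminGrant -Settings $settings | Format-Table -AutoSize

# Against a real domain (placeholder name):
# Get-GpoLocalAdminGrant -Settings (Get-DomainRestrictedGroupSetting -Domain 'example.local')
```

The Memberof form matters for the review: it adds the named group to Administrators without clearing the existing members, so a GPO that looks like it only "adds a helpdesk group" still grants local admin everywhere the GPO is linked. Resolving the SIDs to names and mapping GPO GUIDs to the OUs they are linked to (steps 1, 5 and 6 above) needs a domain connection and is left to the reader.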
People may audit if someone’s added to a group, but not the ACL for that group
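Slide 10 and the note above make the same point from two sides: group membership gets audited, the ACL that lets someone change that membership does not. The script below is an added example, not code from the talk or PowerView. It reviews the DACL of one AD object for rights that amount to control of the object (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight) held by anyone outside an expected set of principals, and pulls Event ID 5136 records for writes to nTSecurityDescriptor, which is how an ACL change shows up on a domain controller once "Audit Directory Service Changes" and a SACL are in place. The ADSI calls, the ActiveDirectoryRights names and the 5136 field names are Windows', while the function names, the "expected" principal set and the DN in the usage line are my assumptions.

```powershell
# Added example (not from the talk or PowerView): find unexpected control rights on an AD
# object's DACL, and list the directory-change events that record DACL edits.

# Rights treated as "control of the object" (assumed set; tune to your environment)
$TakeoverRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Principals expected to hold such rights on privileged objects; anything else is reported.
$ExpectedSids        = @('S-1-5-18', 'S-1-5-32-544')       # SYSTEM, BUILTIN\Administrators
$ExpectedRidSuffixes = @('-512', '-519', '-516')            # Domain Admins, Enterprise Admins, Domain Controllers

function Get-UnexpectedObjectAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, identities returned as SIDs
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.ActiveDirectoryRights -band $TakeoverRights) -eq 0) { continue }
        $sid = $rule.IdentityReference.Value
        if ($ExpectedSids -contains $sid) { continue }
        if ($ExpectedRidSuffixes | Where-Object { $sid.EndsWith($_) }) { continue }
        try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $name
            Rights     = $rule.ActiveDirectoryRights
            ObjectType = $rule.ObjectType   # property/extended-right GUID; all-zero GUID = the whole object
            Inherited  = $rule.IsInherited
        }
    }
}

function Get-AdAclChangeEvent {
    # Event 5136 (directory service object modified) filtered to nTSecurityDescriptor writes.
    # Needs the "Audit Directory Service Changes" subcategory enabled on the DC and a SACL
    # on the objects of interest; otherwise the log is simply empty.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object = $data['ObjectDN']
                Change = $data['OperationType']   # %%14674 = value added, %%14675 = value deleted
            }
        }
    }
}

# Usage on a domain-joined host (replace the DN and DC name with your own):
# Get-UnexpectedObjectAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=example,DC=local' | Format-Table -AutoSize
# Get-AdAclChangeEvent -ComputerName 'DC01' -Hours 48
```

Run Get-UnexpectedObjectAce over the objects that matter most (the domain head, AdminSDHolder, the privileged groups and their members' user objects) and treat any row as a finding until it is explained; the 5136 events are what turn the one-off review into an alert, because a DACL edit on those objects is rare enough in practice to page on.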
DEMO
Why this matters-
Red teams often compromise accounts/machines in a domain trusted by their actual target
This allows operators to exploit these existing trust relationships to achieve their end goal
DEMO: domain trusts