Six Degrees of Domain Admin - BloodHound at DEF CON 24
•Download as PPTX, PDF•
27 likes•17,147 views
The deck used during DEF CON 24.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Six Degrees of Domain Admin - BloodHound at DEF CON 24
Similar to Six Degrees of Domain Admin - BloodHound at DEF CON 24 (20)
Recently uploaded
Recently uploaded (20)
Six Degrees of Domain Admin - BloodHound at DEF CON 24
- 1. Six Degrees of Domain Admin
- 2. About Us I am Andy Robbins Job: Pentester at Veris Group’s ATD Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA International Trainer: Black Hat USA 2016 Other: Ask me about ACH Twitter: @_wald0
- 3. About Us I am Rohan Vazarkar Job: Pentester at Veris Group’s ATD Tool creator/dev: EyeWitness, Python Empyre, etc. Presenter: BSidesDC/LV/DE, Black Hat Arsenal Trainer: Black Hat USA 2016 Twitter: @CptJesus
- 4. About Us I am Will Schroeder Job: Researcher at Veris Group’s ATD Tool creator/dev: Veil-Framework, PowerView, PowerUp, Empire/Empyre Speaker: Ask me Trainer: Black Hat USA 2014-2016 Other: Microsoft PowerShell/CDM MVP Twitter: @harmj0y
- 5. The Current State of Active Directory Domain Privilege Escalation
- 6. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” John Lambert GM, Microsoft Threat Intelligence Center
- 7. AD Domain Priv Esc ◇Active Directory is ubiquitous ◇Ubiquity = Attention = Research time and $$$ ◇Sometimes we get easy buttons!
- 8. DA
- 10. Derivative Local Admin “The chaining or linking of administrator rights through compromising other privileged accounts” Justin Warner @sixdub
- 11. 👤 👤 Bob PC1 Mary PC2
- 13. Challenges ◇Extremely time consuming and tedious ◇Not comprehensive ◇Limited situational awareness ◇Did you even need DA?
- 14. Graph Theory And attack graph design
- 15. Basic Elements of a Graph Vertices represent individual elements of a system Edges generically represent relationships between vertices Paths are sets of vertices and edges that connect non- adjacent vertices
- 16. Vertex 1 Vertex 2Edge
- 17. Vertex 1 Vertex 3 Vertex 2 Vertex 4
- 18. BloodHound Attack Graph Design Vertices represent users, groups, computers, and domains Edges identify group memberships, admin rights, user sessions, and domain trusts Paths always lead toward escalating rights. Always.
- 20. Put Simply… ◇Who is logged on where? ◇Who has admin rights where? ◇What users and groups belong to what groups?
- 21. Stealthy Data Collection with PowerView
- 22. “The best tool these days for understanding Windows networks is PowerView…” Phineas Phisher http://pastebin.com/raw/0SNSvyjJ
- 23. PowerView ◇A pure PowerShell v2.0+ domain/network situational awareness tool ◇Collects the data that BloodHound is built on and doesn’t need elevated privileges for most collection methods!
- 24. Who’s Logged in Where? ◇Invoke-UserHunter: ■ Get-NetSession – sessions w/ a remote machine ■ Get-NetLoggedOn/Get-LoggedOnLocal – who’s logged in on what machine ◇-Stealth: ■ Enumerate commonly trafficked servers and query remote sessions for each aka “user hunting”
- 25. Who Can Admin What? ◇We can enumerate members of a local group on a remote machine, without admin privileges! ■ The WinNT service provider or NetLocalGroupMembers() ◇PowerView: ■ Get-NetLocalGroup –ComputerName IP [-API]
- 26. Who Can Admin What? GPO Edition ◇GPOs can set local administrators ◇GPOs are applied to OUs/Sites ■ correlation == local admin information through communication with only a DC! ◇PowerView: ■ Find-GPOLocation
- 27. Who’s in What Groups? ◇Enumerate all groups and pull the members of each ◇PowerView: ■ Get-NetGroup | Get-NetGroupMember ◇That’s it!
- 28. Bringing it All Together The BloodHound Ingestor Get- BloodHoundData automates gathering PowerView data for a domain Export- BloodHoundData exports collected data to a neo4j batch REST API for ingestion Export- BloodHoundCSV exports collected data to a series of CSVs for offline ingestion
- 30. BloodHound ◇Built with Linkurious.js ◇Compiled with Electron ◇Uses a neo4j graph database ◇Fed by the custom PowerShell ingestor
Editor's Notes
- 20 SECONDS
- 20 SECONDS
- 20 SECONDS
- “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” This is a very well known quote by John Lambert, General Manager at Microsoft’s Threat Intelligence Center. This quote and the blog post it serves as a title to has proven true time and time again on our red team and pentest assessments. I’d like to ask you all to keep this quote in mind during our talk.
- TWO MINUTES NOTE: The scope of our talk is confined to privilege escalation, we’re not going to go into initial access or provide an encyclopedic diatribe on all the different ways to attack Active Directory. A great resource to go to is Sean Metcalf’s blog at adsecurity.org Active Directory is, of course, effectively ubiquitous in businesses of all sizes, from global enterprise to small and medium size businesses. In fact, Sean Metcalf quantified this in his talk on Thursday as 95% of Fortune 1000 companies that use Active Directory. As such, a lot of time, energy, and money goes into research on how to defend and attack Active Directory environments. Thanks to that research, pentesters get easy buttons every so often. December of 2014 through about the middle of February 2015 was a great time to be a pentester, after Sylvain Monné put out the first public exploit for MS14-068. Thanks to Sylvain and Benjamin Delpy’s work, pentesters had a nice “easy button” to escalate rights from any domain user all the way to domain admin or even enterprise admin. Over the years, we’ve enjoyed other ”easy buttons” as well: MS08-067, kitrap0d, Responder, GPP, Jboss, Tomcat, etc. Over time, many organizations’ defensive posture improves thanks to several contributing factors: maturing vulnerability management practices, increasingly rare (public) bugs in Windows and Active Directory, and proactive vulnerability and risk assessment in the form of regular penetration tests and red team exercises. Unfortunately for us as pentesters, this means that our easy buttons have a tendency to disappear. Except Responder, of course. This is why the best tradecraft includes, but does not exclusively rely on easy buttons in order to accomplish objectives. Instead, the most effective attackers execute attacks specifically tailored to the misconfigurations and poor practices of their target organization.
- TWO MINUTES Let’s take a look at a fairly typical situation. These dotted line computers are going to represent a very small example network. The dotted line computers mean that we, as an attacker, know the computers are there, but we don’t have any sort of privileged access to them yet. First, as an attacker, we gain our initial access to the environment. Maybe we have a Beacon or Metrepreter session from social engineering, or perhaps we were already on the network and found an exploitable system. Either way, we have our initial access into the environment, running as a domain user on a system joined to the domain. Second, we’re able to escalate our privileges locally. Perhaps PowerUp found us a DLL hijack, or we were able to run Responder and crack or relay an admin cred. Using this local admin access, we dump the SAM and get the NTLM hash for the local admin account. Third, lucky us, while the organization has applied KB2871997, they’re still using the built-in 500 account on each system, using the same password for this account on every box. Now we effectively have local admin access everywhere, so our scope of admin rights encompasses the entire network. Finally, we find a system where a DA is logged on, using PowerView’s user hunter, or CrackMapExec, or another tool. Because the local admin password is the same everywhere, and because KB2871997 doesn’t protect against passing the hash for this user, we simply pivot to the box that DA is logged onto, run Mimikatz to get his clear text password, and we win. Woot! By show of hands, how many people have seen this exact same attack scenario more than a few times in real life? Cool. Ok, let’s take a look at our second network.
- THREE MINUTES Now this network looks pretty similar to the last one, but with a few key differences that we’ll explore in each attack step. First, again, is initial access. We get a Beacon or Meterpreter Session running within a domain-joined context. Unfortunately for us, we can’t manage to escalate our rights on this initial machine. No GPP. No misconfigured services. No DLL hijack opportunities. No MS08-067, no MS14-068. We can collect some NTLMv2 challenge/response pairs, but can’t crack the very strong passwords. Also, we can’t relay those creds anywhere due to the client enforcing SMB message signing everywhere. Eventually, though, we do find an initial way to gain local admin rights. A careless admin has left plain text credentials for a service account in an SMB share that any user can read. By impersonating this user and scanning the network, we determine that this service account has admin rights to three systems. Unfortunately for us, this client heavily enforces the principle of least privilege, so this service account only has admin rights on the systems it needs admin rights on. This is where our scope of nominal admin rights begins. Now, using PowerView, CrackMapExec, Nmap, or another tool, we determine who is logged on to those systems. We find a few more service accounts, but none of them are domain admins. Damn! One by one we compromise those accounts until eventually we gain admin rights on a system with a domain admin logged on. W00t! By show of hands, how many folks have executed an attack path like this?
- ONE MINUTE
- ONE MINUTE
- ONE MINUTE
- ONE MINUTE
- 30 SECONDS
- 30 SECONDS
- ONE MINUTE
- TWO MINUTES
- 30 SECONDS
- ONE MINUTE Built to automate components of our engagement tradecraft Fully self contained and loadable in memory, v2.0+ compliant Now part of PowerSploit
- ONE MINUTE Something we do on every engagement LoggedOn - API and remote registry Only need admin for Get-NetLoggedOn Common servers == fileservers, dfs shares, DCs
- ONE MINUTE
- ONE MINUTE GPO == group policy objects This GPO correlation process isn’t super simple… Find-GPOLocation can enumerate for one target or dump all relationships
- ONE MINUTE Based on LDAP/ADSI searches under the hood
- ONE MINUTE So we have a PowerShell v2.0 tool that: -Doesn’t need administrator rights to query most of this data -ingests data straight into BloodHound w/o touching disk!
- ONE MINUTE