SlideShare a Scribd company logo
1 of 32
Six Degrees of
Domain Admin
About Us
I am Andy Robbins
Job: Pentester at Veris Group’s ATD
Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA
International
Trainer: Black Hat USA 2016
Other: Ask me about ACH
Twitter: @_wald0
About Us
I am Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: EyeWitness, Python Empyre, etc.
Presenter: BSidesDC/LV/DE, Black Hat Arsenal
Trainer: Black Hat USA 2016
Twitter: @CptJesus
About Us
I am Will Schroeder
Job: Researcher at Veris Group’s ATD
Tool creator/dev: Veil-Framework, PowerView, PowerUp,
Empire/Empyre
Speaker: Ask me
Trainer: Black Hat USA 2014-2016
Other: Microsoft PowerShell/CDM MVP
Twitter: @harmj0y
The Current State of Active
Directory Domain Privilege
Escalation
“Defenders think in lists.
Attackers think in graphs.
As long as this is true,
attackers win.”
John Lambert
GM, Microsoft Threat Intelligence Center
AD Domain Priv Esc
◇Active Directory is ubiquitous
◇Ubiquity = Attention = Research time and
$$$
◇Sometimes we get easy buttons!
DA
DA
👤
👤👤
👤
👤
👤
👤
Derivative
Local Admin
“The chaining or linking of
administrator rights through
compromising other privileged
accounts”
Justin Warner @sixdub
👤 👤
Bob PC1 Mary PC2
👤Bob Help
Desk
Server
Admins
PC2
Challenges
◇Extremely time consuming and tedious
◇Not comprehensive
◇Limited situational awareness
◇Did you even need DA?
Graph Theory
And attack graph design
Basic Elements of a
Graph
Vertices represent
individual elements
of a system
Edges generically
represent
relationships
between vertices
Paths are sets of
vertices and
edges that
connect non-
adjacent vertices
Vertex 1 Vertex 2Edge
Vertex 1
Vertex 3
Vertex 2
Vertex 4
BloodHound Attack
Graph Design
Vertices represent
users, groups,
computers, and
domains
Edges identify
group
memberships,
admin rights, user
sessions, and
domain trusts
Paths always lead
toward escalating
rights. Always.
Group:
IT
Admins
User:
Bob
Computer:
Server1
User:
Mary
Group:
Domain
Admins
Put Simply…
◇Who is logged on where?
◇Who has admin rights where?
◇What users and groups belong to what
groups?
Stealthy Data Collection
with PowerView
“The best tool these days
for understanding Windows
networks is PowerView…”
Phineas Phisher
http://pastebin.com/raw/0SNSvyjJ
PowerView
◇A pure PowerShell v2.0+ domain/network
situational awareness tool
◇Collects the data that BloodHound is built
on and doesn’t need elevated
privileges for most collection methods!
Who’s Logged in Where?
◇Invoke-UserHunter:
■ Get-NetSession – sessions w/ a remote machine
■ Get-NetLoggedOn/Get-LoggedOnLocal – who’s
logged in on what machine
◇-Stealth:
■ Enumerate commonly trafficked servers and query
remote sessions for each
aka “user hunting”
Who Can Admin What?
◇We can enumerate members of a local
group on a remote machine, without
admin privileges!
■ The WinNT service provider or
NetLocalGroupMembers()
◇PowerView:
■ Get-NetLocalGroup –ComputerName IP [-API]
Who Can Admin What?
GPO Edition
◇GPOs can set local administrators
◇GPOs are applied to OUs/Sites
■ correlation == local admin information through
communication with only a DC!
◇PowerView:
■ Find-GPOLocation
Who’s in What Groups?
◇Enumerate all groups and pull the
members of each
◇PowerView:
■ Get-NetGroup | Get-NetGroupMember
◇That’s it!
Bringing it All Together
The BloodHound Ingestor
Get-
BloodHoundData
automates
gathering
PowerView data for
a domain
Export-
BloodHoundData
exports collected
data to a neo4j
batch REST API
for ingestion
Export-
BloodHoundCSV
exports collected
data to a series of
CSVs for offline
ingestion
BloodHound
Live demo!
BloodHound
◇Built with Linkurious.js
◇Compiled with Electron
◇Uses a neo4j graph database
◇Fed by the custom PowerShell ingestor
bit.ly/GetBloodHound
Thanks!
@_wald0
@CptJesus
@harmj0y

More Related Content

What's hot

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

What's hot (20)

BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active Directory
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
64 Methods for Mimikatz Execution
64 Methods for Mimikatz Execution64 Methods for Mimikatz Execution
64 Methods for Mimikatz Execution
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 

Similar to Six Degrees of Domain Admin - BloodHound at DEF CON 24

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
Andrew Morris
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 

Similar to Six Degrees of Domain Admin - BloodHound at DEF CON 24 (20)

Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
 
ZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSI
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
 
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
How to get along with HATEOAS without letting the bad guys steal your lunch -...
How to get along with HATEOAS without letting the bad guys steal your lunch -...How to get along with HATEOAS without letting the bad guys steal your lunch -...
How to get along with HATEOAS without letting the bad guys steal your lunch -...
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
HackMiami-Final
HackMiami-FinalHackMiami-Final
HackMiami-Final
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 

Recently uploaded

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi Daparthi
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 

Six Degrees of Domain Admin - BloodHound at DEF CON 24

  • 2. About Us I am Andy Robbins Job: Pentester at Veris Group’s ATD Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA International Trainer: Black Hat USA 2016 Other: Ask me about ACH Twitter: @_wald0
  • 3. About Us I am Rohan Vazarkar Job: Pentester at Veris Group’s ATD Tool creator/dev: EyeWitness, Python Empyre, etc. Presenter: BSidesDC/LV/DE, Black Hat Arsenal Trainer: Black Hat USA 2016 Twitter: @CptJesus
  • 4. About Us I am Will Schroeder Job: Researcher at Veris Group’s ATD Tool creator/dev: Veil-Framework, PowerView, PowerUp, Empire/Empyre Speaker: Ask me Trainer: Black Hat USA 2014-2016 Other: Microsoft PowerShell/CDM MVP Twitter: @harmj0y
  • 5. The Current State of Active Directory Domain Privilege Escalation
  • 6. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” John Lambert GM, Microsoft Threat Intelligence Center
  • 7. AD Domain Priv Esc ◇Active Directory is ubiquitous ◇Ubiquity = Attention = Research time and $$$ ◇Sometimes we get easy buttons!
  • 8. DA
  • 10. Derivative Local Admin “The chaining or linking of administrator rights through compromising other privileged accounts” Justin Warner @sixdub
  • 11. 👤 👤 Bob PC1 Mary PC2
  • 13. Challenges ◇Extremely time consuming and tedious ◇Not comprehensive ◇Limited situational awareness ◇Did you even need DA?
  • 14. Graph Theory And attack graph design
  • 15. Basic Elements of a Graph Vertices represent individual elements of a system Edges generically represent relationships between vertices Paths are sets of vertices and edges that connect non- adjacent vertices
  • 18. BloodHound Attack Graph Design Vertices represent users, groups, computers, and domains Edges identify group memberships, admin rights, user sessions, and domain trusts Paths always lead toward escalating rights. Always.
  • 20. Put Simply… ◇Who is logged on where? ◇Who has admin rights where? ◇What users and groups belong to what groups?
  • 22. “The best tool these days for understanding Windows networks is PowerView…” Phineas Phisher http://pastebin.com/raw/0SNSvyjJ
  • 23. PowerView ◇A pure PowerShell v2.0+ domain/network situational awareness tool ◇Collects the data that BloodHound is built on and doesn’t need elevated privileges for most collection methods!
  • 24. Who’s Logged in Where? ◇Invoke-UserHunter: ■ Get-NetSession – sessions w/ a remote machine ■ Get-NetLoggedOn/Get-LoggedOnLocal – who’s logged in on what machine ◇-Stealth: ■ Enumerate commonly trafficked servers and query remote sessions for each aka “user hunting”
  • 25. Who Can Admin What? ◇We can enumerate members of a local group on a remote machine, without admin privileges! ■ The WinNT service provider or NetLocalGroupMembers() ◇PowerView: ■ Get-NetLocalGroup –ComputerName IP [-API]
  • 26. Who Can Admin What? GPO Edition ◇GPOs can set local administrators ◇GPOs are applied to OUs/Sites ■ correlation == local admin information through communication with only a DC! ◇PowerView: ■ Find-GPOLocation
  • 27. Who’s in What Groups? ◇Enumerate all groups and pull the members of each ◇PowerView: ■ Get-NetGroup | Get-NetGroupMember ◇That’s it!
  • 28. Bringing it All Together The BloodHound Ingestor Get- BloodHoundData automates gathering PowerView data for a domain Export- BloodHoundData exports collected data to a neo4j batch REST API for ingestion Export- BloodHoundCSV exports collected data to a series of CSVs for offline ingestion
  • 30. BloodHound ◇Built with Linkurious.js ◇Compiled with Electron ◇Uses a neo4j graph database ◇Fed by the custom PowerShell ingestor

Editor's Notes

  1. 20 SECONDS
  2. 20 SECONDS
  3. 20 SECONDS
  4. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” This is a very well known quote by John Lambert, General Manager at Microsoft’s Threat Intelligence Center. This quote and the blog post it serves as a title to has proven true time and time again on our red team and pentest assessments. I’d like to ask you all to keep this quote in mind during our talk.
  5. TWO MINUTES NOTE: The scope of our talk is confined to privilege escalation, we’re not going to go into initial access or provide an encyclopedic diatribe on all the different ways to attack Active Directory. A great resource to go to is Sean Metcalf’s blog at adsecurity.org Active Directory is, of course, effectively ubiquitous in businesses of all sizes, from global enterprise to small and medium size businesses. In fact, Sean Metcalf quantified this in his talk on Thursday as 95% of Fortune 1000 companies that use Active Directory. As such, a lot of time, energy, and money goes into research on how to defend and attack Active Directory environments. Thanks to that research, pentesters get easy buttons every so often. December of 2014 through about the middle of February 2015 was a great time to be a pentester, after Sylvain Monné put out the first public exploit for MS14-068. Thanks to Sylvain and Benjamin Delpy’s work, pentesters had a nice “easy button” to escalate rights from any domain user all the way to domain admin or even enterprise admin. Over the years, we’ve enjoyed other ”easy buttons” as well: MS08-067, kitrap0d, Responder, GPP, Jboss, Tomcat, etc. Over time, many organizations’ defensive posture improves thanks to several contributing factors: maturing vulnerability management practices, increasingly rare (public) bugs in Windows and Active Directory, and proactive vulnerability and risk assessment in the form of regular penetration tests and red team exercises. Unfortunately for us as pentesters, this means that our easy buttons have a tendency to disappear. Except Responder, of course.  This is why the best tradecraft includes, but does not exclusively rely on easy buttons in order to accomplish objectives. Instead, the most effective attackers execute attacks specifically tailored to the misconfigurations and poor practices of their target organization.
  6. TWO MINUTES Let’s take a look at a fairly typical situation. These dotted line computers are going to represent a very small example network. The dotted line computers mean that we, as an attacker, know the computers are there, but we don’t have any sort of privileged access to them yet. First, as an attacker, we gain our initial access to the environment. Maybe we have a Beacon or Metrepreter session from social engineering, or perhaps we were already on the network and found an exploitable system. Either way, we have our initial access into the environment, running as a domain user on a system joined to the domain. Second, we’re able to escalate our privileges locally. Perhaps PowerUp found us a DLL hijack, or we were able to run Responder and crack or relay an admin cred. Using this local admin access, we dump the SAM and get the NTLM hash for the local admin account. Third, lucky us, while the organization has applied KB2871997, they’re still using the built-in 500 account on each system, using the same password for this account on every box. Now we effectively have local admin access everywhere, so our scope of admin rights encompasses the entire network. Finally, we find a system where a DA is logged on, using PowerView’s user hunter, or CrackMapExec, or another tool. Because the local admin password is the same everywhere, and because KB2871997 doesn’t protect against passing the hash for this user, we simply pivot to the box that DA is logged onto, run Mimikatz to get his clear text password, and we win. Woot! By show of hands, how many people have seen this exact same attack scenario more than a few times in real life? Cool. Ok, let’s take a look at our second network.
  7. THREE MINUTES Now this network looks pretty similar to the last one, but with a few key differences that we’ll explore in each attack step. First, again, is initial access. We get a Beacon or Meterpreter Session running within a domain-joined context. Unfortunately for us, we can’t manage to escalate our rights on this initial machine. No GPP. No misconfigured services. No DLL hijack opportunities. No MS08-067, no MS14-068. We can collect some NTLMv2 challenge/response pairs, but can’t crack the very strong passwords. Also, we can’t relay those creds anywhere due to the client enforcing SMB message signing everywhere. Eventually, though, we do find an initial way to gain local admin rights. A careless admin has left plain text credentials for a service account in an SMB share that any user can read. By impersonating this user and scanning the network, we determine that this service account has admin rights to three systems. Unfortunately for us, this client heavily enforces the principle of least privilege, so this service account only has admin rights on the systems it needs admin rights on. This is where our scope of nominal admin rights begins. Now, using PowerView, CrackMapExec, Nmap, or another tool, we determine who is logged on to those systems. We find a few more service accounts, but none of them are domain admins. Damn! One by one we compromise those accounts until eventually we gain admin rights on a system with a domain admin logged on. W00t! By show of hands, how many folks have executed an attack path like this?
  8. ONE MINUTE
  9. ONE MINUTE
  10. ONE MINUTE
  11. ONE MINUTE
  12. 30 SECONDS
  13. 30 SECONDS
  14. ONE MINUTE
  15. TWO MINUTES
  16. 30 SECONDS
  17. ONE MINUTE Built to automate components of our engagement tradecraft Fully self contained and loadable in memory, v2.0+ compliant Now part of PowerSploit
  18. ONE MINUTE Something we do on every engagement LoggedOn - API and remote registry Only need admin for Get-NetLoggedOn Common servers == fileservers, dfs shares, DCs
  19. ONE MINUTE
  20. ONE MINUTE GPO == group policy objects This GPO correlation process isn’t super simple… Find-GPOLocation can enumerate for one target or dump all relationships
  21. ONE MINUTE Based on LDAP/ADSI searches under the hood
  22. ONE MINUTE So we have a PowerShell v2.0 tool that: -Doesn’t need administrator rights to query most of this data -ingests data straight into BloodHound w/o touching disk!
  23. ONE MINUTE