Trusts You
Might Have
Missed
Will (@harmj0y)
Justin (@sixdub)
@harmj0y
● Security researcher and red teamer for the
Adaptive Threat Division of Veris Group
● Co-founder of the Veil-Framework and Veil’s
PowerTools
● Cons: Shmoocon, CarolinaCon, Defcon,
Derbycon, various BSides
@sixdub
● Pentester and red teamer for the Adaptive
Threat Division of Veris Group
● Lots of interest: red team ops, reverse
engineering, adversarial tactics, etc
● Developer on the Veil-Framework and co-founder of Veil’s PowerTools
tl;dr
● Red Team Operations
● Active Directory 101
● Domain Trusts 101
● So what?
● Back to the Old School
● New School Enumeration
● Visualizing Trusts
● Abusing Trusts
● Demo
● On The Horizon
Red
Team
Operations
Setting the stage
Red Teaming
● Red teaming means different things to
different people
o physical ops, in-depth social engineering, custom
exploit dev, pure network based operations, etc.
● Common thread of increased time frame and
more permissive scope
● Red Team Operations - military concept of
adversarial thinking that evolved into
adversary emulation
“Assume Breach” Mentality
● With the rash of recent major incidents,
organizations have started to realize that
they’re probably already owned
● You’re not going to stop the bad guys
from getting in the front door
● Companies need to implement an “assume
breach” way of thinking
Nothing New?
● Domain trusts have existed for years, and red
teams have been abusing them just as long
● While these techniques are public, they’re not
as well known as they should be
● Most of what we’re going to talk about is
possible through multiple means:
o VBScript, PowerShell, native tools
o Good to have alternative ways to accomplish the
same goal
Active
Directory
101
Let’s go back to school
Base Overview
● Multiple Levels
o Domain - Logical group of network objects
(computers, users etc)
o Trees - Collection of domains
o Forests - Collection of trees
● Used to authenticate and authorize users and
computers on a network
o Also provides security policies, centralized
management, and other rich features
Not So Basic Overview: NTLM
https://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_ntlmauthentication
Not So Basic Overview: Kerberos
http://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_kerberosauthentication
Active Directory Trusts 101
● Trusts allow separate domains to form a
relationship
o Allows for the possibility of access to objects
between domains. Authentication linkage!
o Allows you to use objects from a remote domain, e.g. users from Domain A can be members of groups in Domain B
● Forests can also establish trust relationships
o ex. All domains in Forest A will trust domains in
Forest B
Active Directory Trusts 201
● Communications in the trust work via a
system of referrals
o If the SPN being requested resides outside of
primary DC, issue a referral to the forest KDC or
trusted domain KDC to receive a ticket
o Access is passed around with inter-realm TGTs
● Multiple configuration topographies available
that will determine the behavior of the trusts
o All a matter of design…
Trust Direction
http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx
Trust Types
● Trusts come in a few varieties:
o One way - Only one domain trusts the other
o Two way - Both domains trust each other
o Transitive - Domain A trusts Domain B and Domain
B trusts Domain C, so Domain A trusts Domain C
● A child domain retains an implicit trust with
its parent
● Lots more information at http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
So What?
● Why does this matter?
● Red teams often compromise
accounts/machines in a domain that's
trusted by their actual target, allowing them
to exploit these existing trust relationships to
achieve their end goal
● And Enterprise Admin = pwnership over
everything below
Domain
Trust
Enumeration
Know what you have before
you start pwning
Old School Enumeration
● Traditional trust enumeration utilizing nltest:
Old School Enumeration
● Netdom (from servers only):
o netdom query trust
● Adfind to enumerate trusts in other domains:
New School Enumeration
● PowerShell: Microsoft’s handy “post-exploitation language” :)
● Essentially a command-line wrapper for
.NET with full access to the framework
● Contains various Active Directory hooks that make enumeration much easier and more flexible than before
● To enumerate all domains in the forest:
o ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Domains
● To enumerate all trust relationships for the
current domain:
o ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
Trust Enumeration with PowerShell
Using Trusts With PowerShell
● A lot of ADSI native PowerShell AD
functionality can easily operate on domains
to which there's an existing trust:
o finding domain controllers, querying users,
enumerating domain groups, finding domain
machines, etc.
● All across trust boundaries with little extra
effort, using these enumerated domain
contexts
PowerView
● Think dsquery on steroids... and cocaine
● First started because a client banned “net”
commands on domain machines
● Otherwise initially inspired by Rob Fuller’s
netview.exe tool
o Wanted something more flexible that also didn’t drop
a binary to disk
PowerView: Enumerating Trusts
● PowerView has several new functions that
allow you to enumerate any existing
domain/forest trust relationships:
o Get-NetForest: information about the current
domain forest
o Get-NetForestTrusts: grab all forest trusts
o Get-NetForestDomains: enumerate all domains in
the current forest
o Get-NetDomainTrusts: find all current domain trusts, à la nltest
PowerView: Enumerating Trusts
PowerView: Trust Mapping w/ LDAP!
● Sometimes the trust “enclave” is more
protected, and mass enumeration across a
boundary can seem strange
o Also, your workstation might not be able to directly
contact the DC of a trusted/ing domain
● Get-NetDomainTrustsLDAP - Utilizes
LDAP queries only to enumerate trusts
o Slightly less accurate… but blends better!
o And these LDAP queries can be bounced through
your primary DC!
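The LDAP-only approach from this slide, as an added example that is not PowerView's Get-NetDomainTrustsLDAP: every trust a domain participates in is stored as a trustedDomain object under its System container, so a single paged LDAP search, bound through whichever DC you already talk to, returns the full list. The function decodes the raw trustDirection, trustType and trustAttributes values into readable fields (including the QUARANTINED_DOMAIN flag that tells an auditor whether SID filtering is set on a trust). The function and parameter names (-Server, -DomainDn) and the host names in the usage line are assumptions, not anything from the talk.

```powershell
# Added example, not PowerView's code: enumerate trusts by reading trustedDomain
# objects over LDAP only, optionally through a specific DC.
# -Server / -DomainDn are assumed parameter names; sample values are constructed.
function Get-TrustedDomainObjectsLdap {
    param(
        [string]$Server,     # DC to bind through, e.g. 'dc01.testlab.local' (constructed); empty = serverless bind
        [string]$DomainDn    # e.g. 'DC=testlab,DC=local'; empty = defaultNamingContext of the bound DC
    )
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    if (-not $DomainDn) {
        $DomainDn = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("${prefix}CN=System,$DomainDn")
    $searcher.Filter   = '(objectClass=trustedDomain)'
    $searcher.PageSize = 200
    foreach ($attr in 'trustPartner','trustDirection','trustType','trustAttributes','whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    # trustDirection / trustType values and trustAttributes bit flags as documented in MS-ADTS
    $directions = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
    $types      = @{ 1 = 'Downlevel'; 2 = 'Uplevel'; 3 = 'MIT'; 4 = 'DCE' }

    foreach ($result in $searcher.FindAll()) {
        $p     = $result.Properties
        $flags = [int]$p['trustattributes'][0]
        [pscustomobject]@{
            SourceDomain     = $DomainDn
            TargetDomain     = [string]$p['trustpartner'][0]
            Direction        = $directions[[int]$p['trustdirection'][0]]
            Type             = $types[[int]$p['trusttype'][0]]
            Transitive       = -not ($flags -band 0x1)      # TRUST_ATTRIBUTE_NON_TRANSITIVE not set
            QuarantinedSids  = [bool]($flags -band 0x4)     # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (SID filtering)
            ForestTransitive = [bool]($flags -band 0x8)     # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
            WithinForest     = [bool]($flags -band 0x20)    # TRUST_ATTRIBUTE_WITHIN_FOREST
            RawAttributes    = '0x{0:X}' -f $flags
            LastChanged      = $p['whenchanged'][0]
        }
    }
}

# Usage (assumed host name): Get-TrustedDomainObjectsLdap -Server 'dc01.testlab.local' | Format-Table
```

Because the search reads the directory rather than calling the trust APIs, the trusted domain's own DCs are never contacted, which is why the slide calls it "slightly less accurate but blends better": attributes such as whenChanged reflect the stored object, not the live state of the trust.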
PowerView: Using Trusts
● If a trust exists, most functions in PowerView
can now accept a -Domain <name> flag to
operate across a trust:
o Get-NetDomainControllers, Get-NetUsers, Get-NetUser, Get-NetComputers, Get-NetGroups, Get-NetGroup, Get-NetFileServers, Get-UserProperties, Invoke-UserFieldSearch, Invoke-Netview, Invoke-UserHunter, etc.
PowerView: Using Trusts
Mapping Domain Trusts
● PowerView also has functions to map all reachable domain trusts:
o Invoke-MapDomainTrusts
o Invoke-MapDomainTrustsLDAP
● Finds all domain trusts for the current
domain, then tries to enumerate all trusts for
each domain it finds, and so on
● Can dump out a nice .csv of all current trust
relationships
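The recursive mapping described on this slide, built from the two .NET calls shown under New School Enumeration, as an added example (not PowerView's Invoke-MapDomainTrusts): starting from the current domain, each discovered trust partner is bound with a DirectoryContext, its trusts are read with GetAllTrustRelationships(), and the walk continues breadth-first until every reachable domain has been visited once. The function name Invoke-TrustWalk and its -StartDomain / -MaxDepth parameters are assumptions.

```powershell
# Added example, not PowerView's code: breadth-first walk of domain trusts using the
# System.DirectoryServices.ActiveDirectory classes. Emits one object per trust edge.
function Invoke-TrustWalk {
    param(
        [string]$StartDomain,   # defaults to the current domain (assumed parameter name)
        [int]$MaxDepth = 5      # stop expanding after this many hops from the start
    )
    if (-not $StartDomain) {
        $StartDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    }
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Name = $StartDomain; Depth = 0 })
    [void]$seen.Add($StartDomain)

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($item.Depth -ge $MaxDepth) { continue }
        try {
            # Bind to the domain by name; this contacts a DC of that domain, so a domain
            # that cannot be reached from the workstation is reported and skipped.
            $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $item.Name)
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
            $trusts = $domain.GetAllTrustRelationships()
        } catch {
            Write-Warning "Could not enumerate trusts of $($item.Name): $($_.Exception.Message)"
            continue
        }
        foreach ($t in $trusts) {
            [pscustomobject]@{
                SourceDomain = $t.SourceName
                TargetDomain = $t.TargetName
                TrustType    = $t.TrustType        # ParentChild, External, Forest, ...
                Direction    = $t.TrustDirection   # Inbound, Outbound, Bidirectional
                Depth        = $item.Depth + 1
            }
            # HashSet.Add returns $false for a domain already queued or visited
            if ($seen.Add($t.TargetName)) {
                $queue.Enqueue(@{ Name = $t.TargetName; Depth = $item.Depth + 1 })
            }
        }
    }
}

# Usage: Invoke-TrustWalk | Export-Csv -NoTypeInformation -Path trusts.csv
```

The visited set keeps two-way trusts from being walked in circles, and the depth limit bounds how far a single run will reach into a large, interconnected environment; the CSV produced is the raw material the next section turns into a graph.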
Analysis
and
Visualization
Raw data ain’t nothin’
Motivations
● Many networks only have a few domains
and associated trusts
● While this raw data from PowerView is
useful, it can become onerous for networks
with many domains
o Think dozens+, all interconnected
● Data means nothing if you can’t interpret it
usefully
Nodal Analysis
● Concept of applying network and graph
theory techniques to identify relevant and
useful data
o Centrality
o Shortest Path
o Isolated Nodes
● DomainTrustExplorer!
o Used to rapidly triage large networks with a
spaghetti mess of trusts
o https://github.com/sixdub/DomainTrustExplorer
Nodal Analysis
Visualization
● Visual information processing is much easier
for some people
● Seemingly random relationships might reveal
important information when visualized in
certain methods
o Tree vs Node-Link vs Topological
● DomainTrustExplorer dumps to GraphML
format
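The graph measures listed under Nodal Analysis (centrality, shortest path, isolated nodes) and the GraphML dump mentioned here, as one added example in plain PowerShell. This is not DomainTrustExplorer's code; the CSV is constructed sample data in the column layout a trust walk would export, and none of the domain names are real.

```powershell
# Added example, not DomainTrustExplorer's code: triage a trust CSV as a graph.
# Constructed sample data; the column names follow what a trust walk exports.
$sampleCsv = @'
SourceDomain,TargetDomain,Direction
dev.testlab.local,testlab.local,Bidirectional
testlab.local,dev.testlab.local,Bidirectional
testlab.local,prod.testlab.local,Bidirectional
prod.testlab.local,testlab.local,Bidirectional
testlab.local,partner.example,Outbound
lab.example,stale.example,Disabled
'@

function New-TrustGraph {
    # Undirected adjacency: domain -> set of trust partners. A disabled trust adds both
    # domains as nodes but no edge, so they show up as isolated.
    param([object[]]$Edges)
    $graph = @{}
    foreach ($e in $Edges) {
        foreach ($n in @($e.SourceDomain, $e.TargetDomain)) {
            if (-not $graph.ContainsKey($n)) { $graph[$n] = New-Object 'System.Collections.Generic.HashSet[string]' }
        }
        if ($e.Direction -eq 'Disabled') { continue }
        [void]$graph[$e.SourceDomain].Add($e.TargetDomain)
        [void]$graph[$e.TargetDomain].Add($e.SourceDomain)
    }
    return $graph
}

function Get-DegreeCentrality {
    # Domains with the most trust partners are the hubs to review first.
    param([hashtable]$Graph)
    $Graph.Keys | ForEach-Object { [pscustomobject]@{ Domain = $_; Degree = $Graph[$_].Count } } |
        Sort-Object Degree -Descending
}

function Get-IsolatedNodes {
    # Domains present in the data that have no usable trust edge at all.
    param([hashtable]$Graph)
    @($Graph.Keys | Where-Object { $Graph[$_].Count -eq 0 })
}

function Find-ShortestTrustPath {
    # Breadth-first search; returns the domain sequence, or an empty array if unreachable.
    param([hashtable]$Graph, [string]$From, [string]$To)
    $prev  = @{ $From = $null }
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($From)
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        if ($cur -eq $To) { break }
        foreach ($n in $Graph[$cur]) {
            if (-not $prev.ContainsKey($n)) { $prev[$n] = $cur; $queue.Enqueue($n) }
        }
    }
    if (-not $prev.ContainsKey($To)) { return @() }
    $path = New-Object System.Collections.ArrayList
    $node = $To
    while ($null -ne $node) { $path.Insert(0, $node); $node = $prev[$node] }
    return ,$path.ToArray()
}

function Export-TrustGraphML {
    # Minimal GraphML (nodes plus undirected edges) for yEd, Gephi or similar viewers.
    param([hashtable]$Graph, [string]$Path)
    $esc   = { param($s) [System.Security.SecurityElement]::Escape($s) }
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add('<?xml version="1.0" encoding="UTF-8"?>')
    $lines.Add('<graphml xmlns="http://graphml.graphdrawing.org/xmlns">')
    $lines.Add('  <graph id="trusts" edgedefault="undirected">')
    foreach ($n in $Graph.Keys) { $lines.Add('    <node id="{0}"/>' -f (& $esc $n)) }
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($n in $Graph.Keys) {
        foreach ($m in $Graph[$n]) {
            if ($seen.Add((($n, $m | Sort-Object) -join '|'))) {   # each undirected edge once
                $lines.Add('    <edge source="{0}" target="{1}"/>' -f (& $esc $n), (& $esc $m))
            }
        }
    }
    $lines.Add('  </graph>')
    $lines.Add('</graphml>')
    Set-Content -Path $Path -Value ($lines -join "`n") -Encoding UTF8
}

$graph = New-TrustGraph -Edges ($sampleCsv | ConvertFrom-Csv)
Get-DegreeCentrality -Graph $graph | Format-Table -AutoSize
Get-IsolatedNodes -Graph $graph
(Find-ShortestTrustPath -Graph $graph -From 'dev.testlab.local' -To 'partner.example') -join ' -> '
Export-TrustGraphML -Graph $graph -Path (Join-Path $env:TEMP 'trusts.graphml')
```

Treating every enabled trust as an undirected edge is deliberate for triage: it answers "which domains are connected at all" before direction and transitivity are examined edge by edge. For a path that should respect direction, build the adjacency from only the rows whose Direction permits access in the direction of travel.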
Abusing
Domain
Trusts
The path to pwnership
Abusing Trusts
● As mentioned, knowing a trust exists can let
you query information, but it doesn’t
necessarily imply access
o though it often does ;)
● You need to figure out if any users have
cross-domain access and to what resources
in other domains
o trusts are rarely locked down properly, and you can
often jump from one domain to another
Abusing Trusts with PowerView
● To enumerate users who are in groups
outside of the user’s primary domain (i.e.
across trusts):
o Invoke-FindUserTrustGroups -Domain <domain>
o Invoke-FindAllUserTrustGroups
● To enumerate users who have local admin
privileges on all domain controllers in a
particular domain:
o Get-NetDomainControllers -Domain <domain> | Get-NetLocalGroup
● To enumerate groups with users outside of
the group’s primary domain:
o Invoke-FindGroupTrustUsers -Domain <domain>
o Invoke-FindAllGroupTrustUsers
● To find members of the administrators
localgroup outside of the primary domain for
all machines in a domain:
o Invoke-EnumerateLocalTrustGroups -Domain
<domain>
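The cross-domain group memberships these PowerView functions surface are what a domain owner should be reviewing on a schedule, so here is the same data gathered from the defender's side, as an added example that is not PowerView's Invoke-FindGroupTrustUsers: an account from another domain that is added to a local group is represented by a foreignSecurityPrincipal object, so listing those objects together with their memberOf values shows every group in the domain that contains a principal from across a trust. The function name Get-ForeignGroupMembers and its -Server parameter are assumptions.

```powershell
# Added example, not PowerView's code: list foreign security principals (accounts from
# other domains) that sit in groups of this domain, for cross-domain membership review.
function Get-ForeignGroupMembers {
    param([string]$Server)   # DC to bind through, e.g. 'dc01.testlab.local' (constructed); empty = serverless bind
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $domainDn = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("${prefix}CN=ForeignSecurityPrincipals,$domainDn")
    $searcher.Filter   = '(&(objectClass=foreignSecurityPrincipal)(memberOf=*))'   # only FSPs that are in a group
    $searcher.PageSize = 200
    foreach ($attr in 'objectSid','memberOf') { [void]$searcher.PropertiesToLoad.Add($attr) }

    foreach ($result in $searcher.FindAll()) {
        $sid  = [System.Security.Principal.SecurityIdentifier]::new($result.Properties['objectsid'][0], 0)
        $name = '<unresolved>'
        # Resolution needs the trust to be reachable; an unreachable or stale principal stays unresolved
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        # Well-known SIDs (Authenticated Users, Enterprise Domain Controllers, ...) also live in this
        # container; only S-1-5-21-* SIDs are accounts from another domain.
        $isAccount     = $sid.IsAccountSid()
        $foreignDomain = if ($isAccount) { $sid.AccountDomainSid.Value } else { $null }
        foreach ($groupDn in $result.Properties['memberof']) {
            [pscustomobject]@{
                ForeignSid    = $sid.Value
                ResolvedName  = $name
                IsAccountSid  = $isAccount
                ForeignDomain = $foreignDomain
                GroupDn       = [string]$groupDn
            }
        }
    }
}

# Usage: Get-ForeignGroupMembers | Where-Object IsAccountSid | Sort-Object GroupDn | Format-Table -AutoSize
```

Grouping the output by ForeignDomain gives a per-trust view of which outside domains have members in which groups; entries whose name no longer resolves are worth attention too, since they usually indicate a principal that was deleted in its home domain but never removed from the group here.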
Abusing Trusts with PowerView:
BSides Chicago Edition
Abusing Trusts: A Case Study
● Say we land on a machine in the
dev.testlab.local domain and work our way
to the DC
● We want to compromise the testlab.local
forest root
o We’ll do this by abusing trust relationships with
another child domain in the forest
● We’ll step through enumeration,
visualization, and abuse
Demo
On
The
Horizon
What's next...
Improved Data Analysis
● Working on methods to correlate PowerView
data with trust information to provide
additional context
o Think “this domain group has access to these cross-domain resources”
● Goal of creating an offensive dashboard for
red team operations
o @_tomsteele has started some of this work already
https://github.com/tomsteele/domain-trust-grapher
Trust Keys
● The password for a domain trust account is
used to derive an inter-realm key for
encrypting referral tickets*
o Mimikatz can now extract these trust keys from
domain controllers participating in the trust
● These keys can be used to create “gold-ish”
trust tickets for the krbtgt service, with a
trusting domain as the target
o these in turn can be used to request TGSes for
specific services on the trusting domain
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx
Trust Keys:
A Domain Trust Golden Ticket
This means that even if the
krbtgt hash is rolled twice, you
can still abuse a privileged
domain trust and possibly
recompromise a domain from
a trusted source!
Questions?
● Contact us:
o @harmj0y (will [at] harmj0y.net) or keybase.io/harmj0y
o @sixdub (justin [at] sixdub.net) or keybase.io/sixdub
● Read more:
o http://www.harmj0y.net/blog/tag/domain-trusts/
o http://www.sixdub.net/?p=285
● Get the tools:
o https://github.com/Veil-Framework/PowerTools/tree/master/PowerView
o https://github.com/sixdub/DomainTrustExplorer

Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirtsrahman018755
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 

Recently uploaded (11)

draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Basic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobielBasic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobiel
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdf
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirts
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 

Trusts You Might Have Missed

1. Trusts You Might Have Missed
Will (@harmj0y)
Justin (@sixdub)

2. @harmj0y
● Security researcher and red teamer for the Adaptive Threat Division of Veris Group
● Co-founder of the Veil-Framework and Veil’s PowerTools
● Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides

3. @sixdub
● Pentester and red teamer for the Adaptive Threat Division of Veris Group
● Lots of interest: red team ops, reverse engineering, adversarial tactics, etc
● Developer on the Veil-Framework and co-founder of Veil’s PowerTools

4. tl;dr
● Red Team Operations
● Active Directory 101
● Domain Trusts 101
● So what?
● Back to the Old School
● New School Enumeration
● Visualizing Trusts
● Abusing Trusts
● Demo
● On The Horizon

6. Red Teaming
● Red teaming means different things to different people
  o physical ops, in-depth social engineering, custom exploit dev, pure network based operations, etc.
● Common thread of increased time frame and more permissive scope
● Red Team Operations - military concept of adversarial thinking that evolved into adversary emulation

7. “Assume Breach” Mentality
● With the rash of recent major incidents, organizations have started to realize that they’re probably already owned
● You’re not going to stop the bad guys from getting in the front door
● Companies need to implement an “assume breach” way of thinking

8. Nothing New?
● Domain trusts have existed for years, and red teams have been abusing them just as long
● While these techniques are public, they’re not as well known as they should be
● Most of what we’re going to talk about is possible through multiple means:
  o VBScript, PowerShell, native tools
  o Good to have alternative ways to accomplish the same goal

10. Base Overview
● Multiple Levels
  o Domain - Logical group of network objects (computers, users etc)
  o Trees - Collection of domains
  o Forests - Collection of trees
● Used to authenticate and authorize users and computers on a network
  o Also provides security policies, centralized management, and other rich features
11. Not So Basic Overview: NTLM
https://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_ntlmauthentication

12. Not So Basic Overview: Kerberos
http://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_kerberosauthentication

13. Active Directory Trusts 101
● Trusts allow separate domains to form a relationship
  o Allows for the possibility of access to objects between domains. Authentication linkage!
  o Allows you to use objects from a remote domain
    ▪ aka users from Domain A can be in groups of Domain B
● Forests can also establish trust relationships
  o ex. All domains in Forest A will trust domains in Forest B

14. Active Directory Trusts 201
● Communications in the trust work via a system of referrals
  o If the SPN being requested resides outside of the primary DC, issue a referral to the forest KDC or trusted domain KDC to receive a ticket
  o Access is passed around with inter-realm TGTs
● Multiple configuration topologies are available, and they determine the behavior of the trusts
  o All a matter of design…

16. Trust Types
● Trusts come in a few varieties:
  o One way - Only one domain trusts the other
  o Two way - Both domains trust each other
  o Transitive - Domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C
● A child domain retains an implicit trust with its parent
● Lots more information at http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

17. So What?
● Why does this matter?
● Red teams often compromise accounts/machines in a domain that's trusted by their actual target, allowing them to exploit these existing trust relationships to achieve their end goal
● And Enterprise Admin = pwnership over everything below

18. Domain Trust Enumeration
Know what you have before you start pwning

19. Old School Enumeration
● Traditional trust enumeration utilizing nltest:

20. Old School Enumeration
● Netdom (from servers only):
  o netdom query trust
● Adfind to enumerate trusts in other domains:

21. New School Enumeration
● PowerShell: Microsoft’s handy “post-exploitation language” :)
● Essentially a command-line wrapper for .NET with full access to the framework
● Contains various Active Directory hooks that make enumeration much easier and more flexible than before
22. Trust Enumeration with PowerShell
● To enumerate all domains in the forest:
  o ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Domains
● To enumerate all trust relationships for the current domain:
  o ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

23. Using Trusts With PowerShell
● A lot of ADSI native PowerShell AD functionality can easily operate on domains to which there's an existing trust:
  o finding domain controllers, querying users, enumerating domain groups, finding domain machines, etc.
● All across trust boundaries with little extra effort, using these enumerated domain contexts

24. PowerView
● Think dsquery on steroids... and cocaine
● First started because a client banned “net” commands on domain machines
● Otherwise initially inspired by Rob Fuller’s netview.exe tool
  o Wanted something more flexible that also didn’t drop a binary to disk

25. PowerView: Enumerating Trusts
● PowerView has several new functions that allow you to enumerate any existing domain/forest trust relationships:
  o Get-NetForest: information about the current domain forest
  o Get-NetForestTrusts: grab all forest trusts
  o Get-NetForestDomains: enumerate all domains in the current forest
  o Get-NetDomainTrusts: find all current domain trusts, à la nltest

27. PowerView: Trust Mapping w/ LDAP!
● Sometimes the trust “enclave” is more protected, and mass enumeration across a boundary can seem strange
  o Also, your workstation might not be able to directly contact the DC of a trusted/trusting domain
● Get-NetDomainTrustsLDAP - Utilizes LDAP queries only to enumerate trusts
  o Slightly less accurate… but blends better!
  o And these LDAP queries can be bounced through your primary DC!

28. PowerView: Using Trusts
● If a trust exists, most functions in PowerView can now accept a -Domain <name> flag to operate across a trust:
  o Get-NetDomainControllers, Get-NetUsers, Get-NetUser, Get-NetComputers, Get-NetGroups, Get-NetGroup, Get-NetFileServers, Get-UserProperties, Invoke-UserFieldSearch, Invoke-Netview, Invoke-UserHunter, etc.

30. Mapping Domain Trusts
● PowerView also has functions to map all reachable domain trusts:
  o Invoke-MapDomainTrusts
  o Invoke-MapDomainTrustsLDAP
● Finds all domain trusts for the current domain, then tries to enumerate all trusts for each domain it finds, and so on
● Can dump out a nice .csv of all current trust relationships
32. Motivations
● Many networks only have a few domains and associated trusts
● While this raw data from PowerView is useful, it can become onerous for networks with many domains
  o Think dozens+, all interconnected
● Data means nothing if you can’t interpret it usefully

33. Nodal Analysis
● Concept of applying network and graph theory techniques to identify relevant and useful data
  o Centrality
  o Shortest Path
  o Isolated Nodes
● DomainTrustExplorer!
  o Used to rapidly triage large networks with a spaghetti mess of trusts
  o https://github.com/sixdub/DomainTrustExplorer

35. Visualization
● Visual information processing is much easier for some people
● Seemingly random relationships might reveal important information when visualized in certain methods
  o Tree vs Node-Link vs Topological
● DomainTrustExplorer dumps to GraphML format
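The crawl that slide 30 describes (enumerate the current domain's trusts, then each discovered domain's trusts, and so on) and the nodal analysis of slides 33 and 35 (centrality, shortest path, isolated nodes, a GraphML dump), as an added example in stdlib Python. It is not PowerView or DomainTrustExplorer code. The trust records are constructed: dev.testlab.local and testlab.local come from the deck's case study, prod.testlab.local and partner.local are made up, and sample_enumerator is a hypothetical stand-in for the per-domain GetAllTrustRelationships() call from slide 22. The Outbound/Inbound/Bidirectional convention used in access_graph is an assumption, stated in its docstring; confirm it against whatever enumerator you wrap.

```python
"""Stdlib-only model of the recursive trust-mapping crawl (slide 30) and the nodal
analysis / GraphML dump (slides 33, 35). Added example; all trust data is constructed."""
import xml.etree.ElementTree as ET
from collections import deque

# Constructed sample: each queryable domain's trusts as (target, direction seen from
# the source, trust type). partner.local is absent: discovered but not queryable.
SAMPLE_TRUSTS = {
    "dev.testlab.local": [("testlab.local", "Bidirectional", "ParentChild")],
    "testlab.local": [
        ("dev.testlab.local", "Bidirectional", "ParentChild"),
        ("prod.testlab.local", "Bidirectional", "ParentChild"),
        ("partner.local", "Outbound", "Forest"),
    ],
    "prod.testlab.local": [("testlab.local", "Bidirectional", "ParentChild")],
}


def sample_enumerator(domain):
    """Hypothetical stand-in for a per-domain trust query (a live run would wrap
    the GetAllTrustRelationships() call shown on slide 22)."""
    if domain not in SAMPLE_TRUSTS:
        raise ConnectionError(f"cannot reach a DC for {domain}")
    return SAMPLE_TRUSTS[domain]


def map_trusts(start, enumerate_trusts=sample_enumerator):
    """Breadth-first crawl: the start domain's trusts, then each discovered domain's,
    and so on. Returns (edges, unreachable); edges are (source, target, direction, type)."""
    seen, queue, edges, unreachable = {start}, deque([start]), [], []
    while queue:
        domain = queue.popleft()
        try:
            trusts = enumerate_trusts(domain)
        except ConnectionError:
            unreachable.append(domain)  # keep it as a leaf node, do not expand it
            continue
        for target, direction, ttype in trusts:
            edges.append((domain, target, direction, ttype))
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return edges, sorted(unreachable)


def access_graph(edges):
    """Adjacency 'principals of X can be granted access in Y'. Assumed convention:
    Outbound = source trusts target, so target's principals can be granted access in
    source (edge target -> source); Inbound is the reverse; Bidirectional adds both."""
    adj = {d: set() for e in edges for d in e[:2]}
    for src, dst, direction, _ in edges:
        if direction in ("Outbound", "Bidirectional"):
            adj[dst].add(src)
        if direction in ("Inbound", "Bidirectional"):
            adj[src].add(dst)
    return adj


def shortest_path(adj, start, goal):
    """BFS over the access graph: fewest trust hops from start to goal, or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def degree_centrality(adj):
    """Per-domain (in_degree, out_degree); high in-degree = many domains' principals can get in."""
    indeg = {n: sum(n in targets for targets in adj.values()) for n in adj}
    return {n: (indeg[n], len(adj[n])) for n in adj}


def isolated_nodes(adj):
    """Domains with no access edge in either direction."""
    return sorted(n for n, (i, o) in degree_centrality(adj).items() if i == o == 0)


def to_graphml(edges):
    """Serialise the raw trust edges as GraphML for a graph viewer."""
    root = ET.Element("graphml", xmlns="http://graphml.graphdrawing.org/xmlns")
    ET.SubElement(root, "key", id="direction", **{"for": "edge", "attr.name": "direction", "attr.type": "string"})
    graph = ET.SubElement(root, "graph", id="trusts", edgedefault="directed")
    for node in sorted({d for e in edges for d in e[:2]}):
        ET.SubElement(graph, "node", id=node)
    for src, dst, direction, _ in edges:
        ET.SubElement(ET.SubElement(graph, "edge", source=src, target=dst),
                      "data", key="direction").text = direction
    return ET.tostring(root, encoding="unicode")
```

Starting the crawl at dev.testlab.local yields five edges and flags partner.local as unreachable. Under the stated convention the access graph has no path from dev.testlab.local into partner.local but a two-hop path in the other direction, which is the asymmetry a one-way forest trust expresses, and testlab.local ends up with the highest in-degree. For a defender, that in-degree ranking is a sensible order in which to review cross-domain group membership (slides 40 and 41) in the domains you own.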
36. (image-only slide)

37. (image-only slide)

39. Abusing Trusts
● As mentioned, knowing a trust exists can let you query information, but it doesn’t necessarily imply access
  o though it often does ;)
● You need to figure out if any users have cross-domain access and to what resources in other domains
  o trusts are rarely locked down properly, and you can often jump from one domain to another
40. Abusing Trusts with PowerView
● To enumerate users who are in groups outside of the user’s primary domain (i.e. across trusts):
  o Invoke-FindUserTrustGroups -Domain <domain>
  o Invoke-FindAllUserTrustGroups
● To enumerate users who have local admin privileges on all domain controllers in a particular domain:
  o Get-NetDomainControllers -Domain <domain> | Get-NetLocalGroup

41. Abusing Trusts with PowerView: BSides Chicago Edition
● To enumerate groups with users outside of the group’s primary domain:
  o Invoke-FindGroupTrustUsers -Domain <domain>
  o Invoke-FindAllGroupTrustUsers
● To find members of the Administrators local group outside of the primary domain for all machines in a domain:
  o Invoke-EnumerateLocalTrustGroups -Domain <domain>

42. Abusing Trusts: A Case Study
● Say we land on a machine in the dev.testlab.local domain and work our way to the DC
● We want to compromise the testlab.local forest root
  o We’ll do this by abusing trust relationships with another child domain in the forest
● We’ll step through enumeration, visualization, and abuse

43. Demo

45. Improved Data Analysis
● Working on methods to correlate PowerView data with trust information to provide additional context
  o Think “this domain group has access to these cross-domain resources”
● Goal of creating an offensive dashboard for red team operations
  o @_tomsteele has started some of this work already: https://github.com/tomsteele/domain-trust-grapher

48. Trust Keys
● The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets*
  o Mimikatz can now extract these trust keys from domain controllers participating in the trust
● These keys can be used to create “gold-ish” trust tickets for the krbtgt service, with a trusting domain as the target
  o these in turn can be used to request TGSes for specific services on the trusting domain
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx

49. Trust Keys: A Domain Trust Golden Ticket
This means that even if the krbtgt hash is rolled twice, you can still abuse a privileged domain trust and possibly recompromise a domain from a trusted source!

50. Questions?
● Contact us:
  o @harmj0y (will [at] harmj0y.net) or keybase.io/harmj0y
  o @sixdub (justin [at] sixdub.net) or keybase.io/sixdub
● Read more:
  o http://www.harmj0y.net/blog/tag/domain-trusts/
  o http://www.sixdub.net/?p=285
● Get the tools:
  o https://github.com/Veil-Framework/PowerTools/tree/master/PowerView
  o https://github.com/sixdub/DomainTrustExplorer