SixDegreesofDomainAdminUsingGraphTheorytoAccelerateRedTeamOperations

DEFCON24– LasVegas,NV2016

AndyRobbins- @_wald0 RohanVazarkar - @CptJesus WillSchroeder- @harmj0y

AboutUs– AndyRobbins

• OffensiveNetworkServicesTeamLeadatVerisGroup’sAdaptiveThreatDivision• Redteamandpenetrationtestlead• Performedhundredsofnetworkpenetrationtests• WithBrandonHenry,identifiedcriticalvulnerabilityinACHfileprocessingprocedures

AboutUs– RohanVazarkar

• PenetrationtesteratVerisGroup’sAdaptiveThreatDivision• Co-authorandmajorcontributortomanyprojects,includingEyeWitness andPythonEmpire• Presenter:BSidesDC,BSidesLV,BSidesDE,BlackHatArsenal• Trainer:BlackHatUSA2016

AboutUs– WillSchroeder

• ResearcheratVerisGroup’sAdaptiveThreatDivision• Co-founderoftheVeil-Framework,PowerView,PowerUp,Empire/EmPyre• ActivePowerSploit devleoper• MicrosoftPowerShell/CDMMVP• SpeakerandvariousconsandBlackHat trainer

“Defendersthinkinlists.Attackersthinkingraphs.Aslongasthisistrue,attackerswin.”- JohnLambert,GeneralManager,MicrosoftThreatIntelligenceCenter

Agenda

• TheCurrentStateofADDomainPrivilegeEscalation• TheConceptof“DerivativeLocalAdmin”• ACrashCourseinGraphTheory• StealthyDataCollectionwithPowerView• TheReleaseofBloodHound• ClosingRemarksandFuturePlans

PriorWork

• ”DerivativeLocalAdmin”byJustinWarner(@sixdub)-http://www.sixdub.net/?p=591• ActiveDirectoryControlPathsbyEmmanuelGrasandLucasBouillot -https://github.com/ANSSI-FR/AD-control-paths• OneofthebestADSecurityresources- https://adsecurity.org/

TheCurrentStateofActiveDirectoryDomainPrivilegeEscalation

CurrentStateofADDomainPriv Esc

• ActiveDirectoryisubiquitous.• LOTSofsecurityresearchdevotedtoActiveDirectory• Sometimeswegeteasybuttons!J• Easybuttonshaveatendencytodisappear.• Thebesttradecraftincludes,butdoesnotrelyoneasybuttons

ATaleofTwoNetworks

ATaleofTwoNetworks

TheConceptof“DerivativeLocalAdmin”

DerivativeLocalAdmin

• Thechainingorlinkingofadministratorrightsthroughcompromisingotherprivilegedaccounts• Alsoreferredtoasa“Snowballattack”byMicrosoftResearchasearlyas2009• “DerivativeLocalAdmin”firstcoinedinthisblogpost:sixdub.net/asdf

Steve Bob Mary

DerivativeLocalAdmin

• Thisoftenoccursduetorunawaynestedgroups,makingitdifficulttodeterminewhotheeffectiveadminsareonagivensystem.

Steve MaryGroup1 Group2

DerivativeLocalAdmin– ForwardEscalation

Steve Mary

Bob

Susan

Jeff

DerivativeLocalAdmin– ReverseAnalysis

Steve Mary

Bob

Dave

Sarah

DerivativeLocalAdmin– TheCombinatorialExplosion

Steve Mary

Chris

Susan

Clara

Rita

Clark

John

David

Jason

Jen

Cliff

Diane

Jose

Bob

Susan

Jeff

Challengeswiththisapproach

• Doesn’tscale• Extremelytimeconsumingandtedious• Maynotidentifytheshortest(andcertainlynotall)pathpossible• DomainAdminmightnotbenecessary• Limitedsituationalawareness

ACrashCourseinGraphTheory

GraphTheoryCrashCourse

• Graphsarecomprisedofvertices(ornodes)andedges(orrelationships).• Verticesthatshareanedgearesaidtobe“adjacent”• Edgescanbedirected(or“one-way”)orundirected(or“bidirectional”)• Apathisasetofverticesandedgeslinkingonevertextoanother,whetherthoseverticesareadjacentornot

GraphTheoryCrashCourse

Vertex1 Vertex2Edge

GraphTheoryCrashCourse

Vertex1 Vertex4

Vertex2

Vertex3

BloodHound GraphDesign

StealthyDataCollectionwithPowerView

Thanks?

•“ThebesttoolthesedaysforunderstandingwindowsnetworksisPowerview [1].”

-PhineasFisherhttp://pastebin.com/raw/0SNSvyjJ

PowerView

•ApurePowerShellv2.0domain/networksituationalawarenesstool• Fullyself-containedandloadableinmemory• NowpartofPowerSploit™(notreallytrademarked)

•Builttoautomatelargecomponentsofthetradecraftonourredteamengagements

•CollectsthedatathatBloodHound isbuilton

Who’sLoggedInWhere?

•Wedeemthis“userhunting”

• Invoke-UserHunter isbuilton:• Get-NetSession – whohassessionswitharemotemachine• Get-NetLoggedOn – who’sloggedinonwhatmachine• Get-LoggedOnLocal – who’sloggedinonamachine(withremoteregistry)

• “Stealth”approach:• Enumeratecommonlytraffickedservers(i.e.fileservers)andremotesessioninformationforeach

WhoCanAdminWhat?

•DidyouknowthatWindowsallowsanydomain-authenticatedusertoenumeratethemembersofalocal grouponaremote machine?• EitherthroughtheNetLocalGroupGetMembers()Win32APIcallortheWinNTserviceprovider

•PowerView:• Get-NetLocalGroup –ComputerName IP[-API]

WhoCanAdminWhat(GPOEdition)?

• Let’scorrelatewhatGPOssetthelocaladministratorsgroupwithwithOUs/sitstheseGPOsareappliedto• LetsusdeterminewhohasadminrightswherebasedonGPOsettings• Thisisn’tasupersimpleprocess…

• PowerView’s Find-GPOLocationwillenumeratethisforaspecifictargetordumpallrelationshipsbydefault

Who’sinWhatGroups?

• Nottoocrazy,justenumerateallgroupsandallmembersofeachgroupthroughLDAP/ADSIsearches

• Get-NetGroup |Get-NetGroupMember

• That’sit!

BringingitAllTogether

• TheBloodHound ingestor isacustomizedversionofPowerViewwiththefollowingtwofunctionsadded:• Export-BloodHoundData – exportsPowerViewdataobjectstotheBloodHoundNeo4jbatchRESTful API• Get-BloodHoundData – automatesthedataingestionandpipesresultstoExport-BloodHoundData

•WehaveaPowerShellv2.0ingestiontoolthat:• Doesn’tneedadministratorrightstopulllotsofdata• DirectlyingestsdataintoBloodHound

TheReleaseofBloodHound

TheReleaseofBloodHound

• Easy-to-use,intuitivewebinterfaceforinteractingwithagraphdatabase• BuiltwithLinkurious.js• LotsoffuncapabilitiesthatRohanwilldemorightnow

ClosingRemarksandFuturePlans

FuturePlans

• IncreasethescopeofelementsmodeledintheBloodHound graph,includingADobjectACLs,GPOs,andmore• ContinuedresearchontheapplicationsofgraphtheorytoActiveDirectorysecurity• Defense-centriccapability• Continuingmaturationofdatacollection,ingestion,andanalysismethods

ClosingRemarks

• Asdefensiveposturesimprove,attackpathswillincreasinglyrelyonenvironmentalmisconfigurations,andpoorimplementationsofleastprivilegeandadministratoraccounthygiene• Graphtheoryenablesrapidattackpathanalysis• BloodHound isafreeandopensourceActiveDirectorydomainprivilegeescalationcapabilitywhichutilizesgraphtheory

GoGetBloodHound!

• https://www.github.com/adaptivethreat/bloodhound

• ContactUs:• AndyRobbins-- @_wald0• RohanVazarkar -- @CptJesus• WillSchroeder-- @harmj0y