Six Degrees of Domain Admin: Using Graph Theory to Accelerate Red Team Operations
DEF CON 24 – Las Vegas, NV 2016
Andy Robbins - @_wald0
Rohan Vazarkar - @CptJesus
Will Schroeder - @harmj0y
About Us – Andy Robbins
• Offensive Network Services Team Lead at Veris Group's Adaptive Threat Division
• Red team and penetration test lead
• Performed hundreds of network penetration tests
• With Brandon Henry, identified a critical vulnerability in ACH file processing procedures
About Us – Rohan Vazarkar
• Penetration tester at Veris Group's Adaptive Threat Division
• Co-author and major contributor to many projects, including EyeWitness and Python Empire
• Presenter: BSidesDC, BSidesLV, BSidesDE, Black Hat Arsenal
• Trainer: Black Hat USA 2016
About Us – Will Schroeder
• Researcher at Veris Group's Adaptive Threat Division
• Co-founder of the Veil-Framework, PowerView, PowerUp, Empire/EmPyre
• Active PowerSploit developer
• Microsoft PowerShell/CDM MVP
• Speaker at various cons and Black Hat trainer
"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." - John Lambert, General Manager, Microsoft Threat Intelligence Center
Agenda
• The Current State of AD Domain Privilege Escalation
• The Concept of "Derivative Local Admin"
• A Crash Course in Graph Theory
• Stealthy Data Collection with PowerView
• The Release of BloodHound
• Closing Remarks and Future Plans
Prior Work
• "Derivative Local Admin" by Justin Warner (@sixdub) - http://www.sixdub.net/?p=591
• Active Directory Control Paths by Emmanuel Gras and Lucas Bouillot - https://github.com/ANSSI-FR/AD-control-paths
• One of the best AD Security resources - https://adsecurity.org/
The Current State of Active Directory Domain Privilege Escalation
Current State of AD Domain Priv Esc
• Active Directory is ubiquitous.
• LOTS of security research devoted to Active Directory
• Sometimes we get easy buttons!
• Easy buttons have a tendency to disappear.
• The best tradecraft includes, but does not rely on, easy buttons
A Tale of Two Networks
The Concept of "Derivative Local Admin"
Derivative Local Admin
• The chaining or linking of administrator rights through compromising other privileged accounts
• Also referred to as a "Snowball attack" by Microsoft Research as early as 2009
• "Derivative Local Admin" first coined in this blog post: sixdub.net/asdf
(Diagram: Steve → Bob → Mary)
Derivative Local Admin
• This often occurs due to runaway nested groups, making it difficult to determine who the effective admins are on a given system.
(Diagram: Steve → Group1 → Group2 → Mary)
Derivative Local Admin – Forward Escalation
(Diagram: Steve reaches Mary by way of Bob, Susan, Jeff)
Derivative Local Admin – Reverse Analysis
(Diagram: working backwards from Mary to Steve through Bob, Dave, Sarah)
Derivative Local Admin – The Combinatorial Explosion
(Diagram: from Steve to Mary through Chris, Susan, Clara, Rita, Clark, John, David, Jason, Jen, Cliff, Diane, Jose, Bob, Susan, Jeff)
Challenges with this approach
• Doesn't scale
• Extremely time consuming and tedious
• May not identify the shortest (and certainly not all) path possible
• Domain Admin might not be necessary
• Limited situational awareness
A Crash Course in Graph Theory
Graph Theory Crash Course
• Graphs are comprised of vertices (or nodes) and edges (or relationships).
• Vertices that share an edge are said to be "adjacent"
• Edges can be directed (or "one-way") or undirected (or "bidirectional")
• A path is a set of vertices and edges linking one vertex to another, whether those vertices are adjacent or not
Graph Theory Crash Course
(Diagram: Vertex 1 — Edge — Vertex 2)
Graph Theory Crash Course
(Diagram: Vertex 1, Vertex 2, Vertex 3, Vertex 4 joined by edges)
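The derivative-local-admin and graph-theory material above, as an added example that is not code from the talk or from BloodHound: a constructed AD model with the three edge types the talk collects (MemberOf, AdminTo, HasSession), a breadth-first search for the shortest path to a target group, and a nested-group resolver that answers "who are the effective admins of this host", the question the talk says manual analysis gets wrong. All account, group and host names are constructed sample data.

```python
from collections import deque
# Constructed sample data, not real accounts. Directed edges (src, relationship, dst):
# MemberOf user/group->group (Get-NetGroupMember), AdminTo user/group->computer
# (Get-NetLocalGroup), HasSession computer->user (Get-NetSession / Get-NetLoggedOn).
EDGES = [
    ("Steve", "MemberOf", "Group1"),
    ("Group1", "MemberOf", "Group2"),   # nesting hides Steve's admin rights on WS01
    ("Group2", "AdminTo", "WS01"),
    ("WS01", "HasSession", "Mary"),     # Mary's credentials are exposed on WS01
    ("Mary", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "Bob"),
    ("Bob", "MemberOf", "Domain Admins"),
]

def build_adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj

def shortest_path(adj, start, goal):
    # Breadth-first search; returns the hops (src, rel, dst) of a shortest path, or None.
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node]:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def effective_admins(adj, computer):
    # Walk AdminTo and MemberOf edges backwards so nested groups are resolved.
    reverse = {}
    for src, rels in adj.items():
        for rel, dst in rels:
            if rel in ("MemberOf", "AdminTo"):
                reverse.setdefault(dst, []).append(src)
    seen, stack = set(), list(reverse.get(computer, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(reverse.get(p, []))
    return sorted(seen)
```

A defender can run shortest_path from every user to "Domain Admins" and break the cheapest edge on each path (for example the session exposing Mary on WS01), which is the reverse analysis the talk describes.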
BloodHound Graph Design
Stealthy Data Collection with PowerView
Thanks?
• "The best tool these days for understanding windows networks is Powerview [1]."
- Phineas Fisher http://pastebin.com/raw/0SNSvyjJ
PowerView
• A pure PowerShell v2.0 domain/network situational awareness tool
• Fully self-contained and loadable in memory
• Now part of PowerSploit™ (not really trademarked)
• Built to automate large components of the tradecraft on our red team engagements
• Collects the data that BloodHound is built on
Who's Logged In Where?
• We deem this "user hunting"
• Invoke-UserHunter is built on:
  • Get-NetSession – who has sessions with a remote machine
  • Get-NetLoggedOn – who's logged in on what machine
  • Get-LoggedOnLocal – who's logged in on a machine (with remote registry)
• "Stealth" approach:
  • Enumerate commonly trafficked servers (i.e. file servers) and remote session information for each
Who Can Admin What?
• Did you know that Windows allows any domain-authenticated user to enumerate the members of a local group on a remote machine?
• Either through the NetLocalGroupGetMembers() Win32 API call or the WinNT service provider
• PowerView:
  • Get-NetLocalGroup -ComputerName IP [-API]
Who Can Admin What (GPO Edition)?
• Let's correlate which GPOs set the local administrators group with the OUs/sites these GPOs are applied to
• Lets us determine who has admin rights where based on GPO settings
• This isn't a super simple process…
• PowerView's Find-GPOLocation will enumerate this for a specific target or dump all relationships by default
Who's in What Groups?
• Not too crazy, just enumerate all groups and all members of each group through LDAP/ADSI searches
• Get-NetGroup | Get-NetGroupMember
• That's it!
Bringing it All Together
• The BloodHound ingestor is a customized version of PowerView with the following two functions added:
  • Export-BloodHoundData – exports PowerView data objects to the BloodHound Neo4j batch RESTful API
  • Get-BloodHoundData – automates the data ingestion and pipes results to Export-BloodHoundData
• We have a PowerShell v2.0 ingestion tool that:
  • Doesn't need administrator rights to pull lots of data
  • Directly ingests data into BloodHound
The Release of BloodHound
The Release of BloodHound
• Easy-to-use, intuitive web interface for interacting with a graph database
• Built with Linkurious.js
• Lots of fun capabilities that Rohan will demo right now
Closing Remarks and Future Plans
Future Plans
• Increase the scope of elements modeled in the BloodHound graph, including AD object ACLs, GPOs, and more
• Continued research on the applications of graph theory to Active Directory security
• Defense-centric capability
• Continuing maturation of data collection, ingestion, and analysis methods
Closing Remarks
• As defensive postures improve, attack paths will increasingly rely on environmental misconfigurations, and poor implementations of least privilege and administrator account hygiene
• Graph theory enables rapid attack path analysis
• BloodHound is a free and open source Active Directory domain privilege escalation capability which utilizes graph theory
Go Get BloodHound!
• https://www.github.com/adaptivethreat/bloodhound
• Contact Us:
  • Andy Robbins -- @_wald0
  • Rohan Vazarkar -- @CptJesus
  • Will Schroeder -- @harmj0y