2. About Us
I am Andy Robbins
Job: Pentester at Veris Group’s ATD
Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA
International
Trainer: Black Hat USA 2016
Other: Ask me about ACH
Twitter: @_wald0
3. About Us
I am Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: EyeWitness, Python Empyre, etc.
Presenter: BSidesDC/LV/DE, Black Hat Arsenal
Trainer: Black Hat USA 2016
Twitter: @CptJesus
4. About Us
I am Will Schroeder
Job: Researcher at Veris Group’s ATD
Tool creator/dev: Veil-Framework, PowerView, PowerUp,
Empire/Empyre
Speaker: Ask me
Trainer: Black Hat USA 2014-2016
Other: Microsoft PowerShell/CDM MVP
Twitter: @harmj0y
6. “Defenders think in lists.
Attackers think in graphs.
As long as this is true,
attackers win.”
John Lambert
GM, Microsoft Threat Intelligence Center
7. AD Domain Priv Esc
◇Active Directory is ubiquitous
◇Ubiquity = Attention = Research time and
$$$
◇Sometimes we get easy buttons!
15. Basic Elements of a
Graph
Vertices represent
individual elements
of a system
Edges generically
represent
relationships
between vertices
Paths are sets of
vertices and
edges that
connect non-
adjacent vertices
22. “The best tool these days
for understanding Windows
networks is PowerView…”
Phineas Phisher
http://pastebin.com/raw/0SNSvyjJ
23. PowerView
◇A pure PowerShell v2.0+ domain/network
situational awareness tool
◇Collects the data that BloodHound is built
on and doesn’t need elevated
privileges for most collection methods!
24. Who’s Logged in Where?
◇Invoke-UserHunter:
■ Get-NetSession – sessions w/ a remote machine
■ Get-NetLoggedOn/Get-LoggedOnLocal – who’s
logged in on what machine
◇-Stealth:
■ Enumerate commonly trafficked servers and query
remote sessions for each
aka “user hunting”
25. Who Can Admin What?
◇We can enumerate members of a local
group on a remote machine, without
admin privileges!
■ The WinNT service provider or
NetLocalGroupMembers()
◇PowerView:
■ Get-NetLocalGroup –ComputerName IP [-API]
26. Who Can Admin What?
GPO Edition
◇GPOs can set local administrators
◇GPOs are applied to OUs/Sites
■ correlation == local admin information through
communication with only a DC!
◇PowerView:
■ Find-GPOLocation
27. Who’s in What Groups?
◇Enumerate all groups and pull the
members of each
◇PowerView:
■ Get-NetGroup | Get-NetGroupMember
◇That’s it!
28. Bringing it All Together
The BloodHound Ingestor
Get-
BloodHoundData
automates
gathering
PowerView data for
a domain
Export-
BloodHoundData
exports collected
data to a neo4j
batch REST API
for ingestion
Export-
BloodHoundCSV
exports collected
data to a series of
CSVs for offline
ingestion
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” This is a very well known quote by John Lambert, General Manager at Microsoft’s Threat Intelligence Center. This quote and the blog post it serves as a title to has proven true time and time again on our red team and pentest assessments. I’d like to ask you all to keep this quote in mind during our talk.
TWO MINUTES
NOTE: The scope of our talk is confined to privilege escalation, we’re not going to go into initial access or provide an encyclopedic diatribe on all the different ways to attack Active Directory. A great resource to go to is Sean Metcalf’s blog at adsecurity.org
Active Directory is, of course, effectively ubiquitous in businesses of all sizes, from global enterprise to small and medium size businesses. In fact, Sean Metcalf quantified this in his talk on Thursday as 95% of Fortune 1000 companies that use Active Directory.
As such, a lot of time, energy, and money goes into research on how to defend and attack Active Directory environments.
Thanks to that research, pentesters get easy buttons every so often. December of 2014 through about the middle of February 2015 was a great time to be a pentester, after Sylvain Monné put out the first public exploit for MS14-068. Thanks to Sylvain and Benjamin Delpy’s work, pentesters had a nice “easy button” to escalate rights from any domain user all the way to domain admin or even enterprise admin. Over the years, we’ve enjoyed other ”easy buttons” as well: MS08-067, kitrap0d, Responder, GPP, Jboss, Tomcat, etc.
Over time, many organizations’ defensive posture improves thanks to several contributing factors: maturing vulnerability management practices, increasingly rare (public) bugs in Windows and Active Directory, and proactive vulnerability and risk assessment in the form of regular penetration tests and red team exercises. Unfortunately for us as pentesters, this means that our easy buttons have a tendency to disappear. Except Responder, of course.
This is why the best tradecraft includes, but does not exclusively rely on easy buttons in order to accomplish objectives. Instead, the most effective attackers execute attacks specifically tailored to the misconfigurations and poor practices of their target organization.
TWO MINUTES
Let’s take a look at a fairly typical situation. These dotted line computers are going to represent a very small example network. The dotted line computers mean that we, as an attacker, know the computers are there, but we don’t have any sort of privileged access to them yet.
First, as an attacker, we gain our initial access to the environment. Maybe we have a Beacon or Metrepreter session from social engineering, or perhaps we were already on the network and found an exploitable system. Either way, we have our initial access into the environment, running as a domain user on a system joined to the domain.
Second, we’re able to escalate our privileges locally. Perhaps PowerUp found us a DLL hijack, or we were able to run Responder and crack or relay an admin cred. Using this local admin access, we dump the SAM and get the NTLM hash for the local admin account.
Third, lucky us, while the organization has applied KB2871997, they’re still using the built-in 500 account on each system, using the same password for this account on every box. Now we effectively have local admin access everywhere, so our scope of admin rights encompasses the entire network.
Finally, we find a system where a DA is logged on, using PowerView’s user hunter, or CrackMapExec, or another tool. Because the local admin password is the same everywhere, and because KB2871997 doesn’t protect against passing the hash for this user, we simply pivot to the box that DA is logged onto, run Mimikatz to get his clear text password, and we win. Woot!
By show of hands, how many people have seen this exact same attack scenario more than a few times in real life?
Cool. Ok, let’s take a look at our second network.
THREE MINUTES
Now this network looks pretty similar to the last one, but with a few key differences that we’ll explore in each attack step.
First, again, is initial access. We get a Beacon or Meterpreter Session running within a domain-joined context. Unfortunately for us, we can’t manage to escalate our rights on this initial machine. No GPP. No misconfigured services. No DLL hijack opportunities. No MS08-067, no MS14-068. We can collect some NTLMv2 challenge/response pairs, but can’t crack the very strong passwords. Also, we can’t relay those creds anywhere due to the client enforcing SMB message signing everywhere.
Eventually, though, we do find an initial way to gain local admin rights. A careless admin has left plain text credentials for a service account in an SMB share that any user can read. By impersonating this user and scanning the network, we determine that this service account has admin rights to three systems. Unfortunately for us, this client heavily enforces the principle of least privilege, so this service account only has admin rights on the systems it needs admin rights on. This is where our scope of nominal admin rights begins.
Now, using PowerView, CrackMapExec, Nmap, or another tool, we determine who is logged on to those systems. We find a few more service accounts, but none of them are domain admins. Damn! One by one we compromise those accounts until eventually we gain admin rights on a system with a domain admin logged on. W00t!
By show of hands, how many folks have executed an attack path like this?
ONE MINUTE
ONE MINUTE
ONE MINUTE
ONE MINUTE
30 SECONDS
30 SECONDS
ONE MINUTE
TWO MINUTES
30 SECONDS
ONE MINUTE
Built to automate components of our engagement tradecraft
Fully self contained and loadable in memory, v2.0+ compliant
Now part of PowerSploit
ONE MINUTE
Something we do on every engagement
LoggedOn - API and remote registry
Only need admin for Get-NetLoggedOn
Common servers == fileservers, dfs shares, DCs
ONE MINUTE
ONE MINUTE
GPO == group policy objects
This GPO correlation process isn’t super simple…
Find-GPOLocation can enumerate for one target or dump all relationships
ONE MINUTE
Based on LDAP/ADSI searches under the hood
ONE MINUTE
So we have a PowerShell v2.0 tool that:
-Doesn’t need administrator rights to query most of this data
-ingests data straight into BloodHound w/o touching disk!