“I Hunt Sys Admins”
(U) Will
@harmj0y
Version 2.0
$ whoami
● Security researcher and red teamer for the Adaptive Threat Division of Veris Group
● Co-founder of the Veil-Framework and founder of Veil’s PowerTools
● Cons:
o Shmoocon ‘14: AV Evasion with the Veil Framework
o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0
o Derbycon ‘14: Passing the Torch: Old School Red Teaming, New School Tactics?
What this is
● Ways to hunt for target users on Windows domains
● Ya really, that’s it
● Will cover as many tools and techniques for doing this as I have time for
tl;dr
● Setting the stage
● Existing tools
o psloggedon.exe, netsess.exe, PVEFindADUser.exe, netview.exe, Nmap, smbexec, Veil-Pillage
● Domain data sources
o homeDirectory, profilePath, event logs, email headers, SPNs
● PowerShellz
o Sidenote: PowerShell WinAPI access
o PowerView
Setting the Stage
● This talk is from the “assume breach” perspective
o i.e. assume foothold/access to a Windows domain machine
● I’m also going to assume you know (more or less) what users you’re targeting
● PowerShell methods are going to heavily rely on PowerView
o https://github.com/veil-framework/PowerTools
User Hunting: Lateral Spread
● Most common:
o If you have a privileged account, or local admin account, you want to figure out where high value users are logged in
● Hunt -> pop box -> Mimikatz -> profit
● Knowing what users log in to what boxes from where can give you a better understanding of a network layout and implicit trust relationships
“I Hunt Domain Admins”
User Hunting: Post DA
● Red teaming isn’t about access, it’s about data and showing impact!
● Once you get privileged access (like domain admin) there are likely specific targets you might want to go after
● Think incident response teams, CEOs, the Linux team, database admins, etc.
Does the CEO Care?
How About Now?
Where my sysadmins at?
Finding your prey
Existing Tools
● Several tools have been written that allow you to figure out who’s logged in where
● I’ll cover what’s already out there, including the positives/negatives for each
● “Offensive in depth”
o You always want multiple ways of achieving the same objective
psloggedon.exe
● Component of Microsoft’s Sysinternals
o “...determines who is logged on by scanning the keys under the HKEY_USERS key.”
o “To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API.”
● Needs remote registry access to determine who’s logged in
o i.e. admin privileges on a remote machine
http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx
netsess.exe
● Component of http://www.joeware.net/freetools/
● Utilizes the NetSessionEnum API call
o http://msdn.microsoft.com/en-us/library/windows/desktop/bb525382(v=vs.85).aspx
● Think a version of “net session” that works on remote machines!
o great for targeting file servers :)
o no admin privs needed!
PVEFindADUser.exe
● Tool released by corelanc0d3r in 2009
● “Helps you find where AD users are logged in”
o Can also check who’s logged into specific machines
● But “...you also need to have admin access on the computers you are running the utility against.”
https://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/
netview.exe
● Rob Fuller’s (@mubix) netview.exe project, presented at Derbycon 2012, is a tool to “enumerate systems using WinAPI calls”
● Finds all machines on the network, enumerates shares, sessions, and logged in users for each host
o And now can check share access, highlight high value users, and use a delay/jitter :)
o and also, no admin privs needed!
https://github.com/mubix/netview
Nmap
● If you have a valid domain account, or local account valid for several machines, you can use smb-enum-sessions.nse
● Don’t need to have admin privileges!
nmap -sU -sS --script smb-enum-sessions.nse --script-args 'smbuser=jasonf,smbpass=BusinessBusinessBusiness!' -p U:137,T:139 192.168.52.0/24
http://nmap.org/nsedoc/scripts/smb-enum-sessions.html
Smbexec
● Awesome post-exploitation framework built on top of patched Samba binaries
● The enumeration/checkda module can check machines for domain admin processes/sessions on particular targets
● However:
o requires local admin on the target machine
o can only target domain admins
Veil-Pillage
● Veil-Pillage is a post-exploitation framework conceptually similar to Smbexec
● The enumeration/domain/group_hunter and enumeration/host/user_hunter modules will do the same tasklist and qwinsta process to hunt for specific target groups
● However:
o requires local admin on the target machine
o but can target more than just domain admins
Domain Data Sources
“It’s a feature”
Active Directory Sources
● There are a few components of Active Directory user objects that warrant interest
● homeDirectory
o path to a user’s auto-mounted home directory
● profilePath
o path to a user’s roaming profile
● Why?
o Enumerating remote sessions against common network servers lots of people use gives an excellent mapping of what users are where
Event Logs
● Sometimes you have DA, but need to target specific users (think the IR team :)
● If you can query the event logs on a domain controller, you can extract:
o logon type (interactive/network), account name, source network address
● @sixdub rolled this into a PowerShell script, which has since been incorporated into PowerView, more on this later
http://sixdub.net/2014/11/offensive-event-parsing-bringing-home-trophies/
Email Headers
● If you have access to someone’s email (Mimikatz+OWA, etc.) internal headers can provide a wealth of information
● Search for any chains to/from target users, and examine headers for given email chains
● If the “X-Originating-IP” header is present, you can trace where a user sent a given email from
Service Principal Names
● SPNs aren’t just for machines
● Registering a service to run on a machine under a particular user account will register that machine/service for that user in AD
o Makes a great place to check for users, all with a single AD query
● Scott Sutherland (@_nullbind) has a great article on this:
o https://blog.netspi.com/faster-domain-escalation-using-ldap/
Manual Checks
● To find your targets:
o net group "Domain Admins" /domain
● To find your file servers:
o AdFind.exe -f "samAccountType=805306368" attr homeDirectory | findstr /c:"homeDirectory"
● To find where your targets are:
o NetSess.exe FILESERVER
Wrapping in VBScript
● You can wrap some of these tools in some basic VBScript to automate it all up
● Run tool, filter for target users, etc.
● But why use VBScript, when you have...
PowerShell
“Microsoft’s Post-Exploitation Language”
-@obscuresec
PowerShellz
● PowerShell has some awesome AD hooks and has various ways to access the lower-level Windows API
● You can also access the lower-level Win32 API for interesting functions
o NetSessionEnum for user sessions
o NetWkstaUserEnum for logged on users
● Thanks @mattifestation for lots of ways to access the underlying API functions!
Enumerating Targets
● PowerView has several functions that can help you enumerate target users and hunt them down
● Finding targets:
o Get-NetGroups *wildcard* will return groups containing specific wildcard terms
o Get-UserProperties will extract all user property fields (often interesting field names!)
o Invoke-UserFieldSearch will search particular user fields for wildcard terms
Invoke-UserHunter
● Flexible function that:
o queries AD for hosts or takes a target list
o queries AD for users of a target group, or takes a list/single user
o uses Win32 API calls to enumerate sessions (NetSessionEnum) and logged in users (NetWkstaUserEnum), matching against the target user list
● Can also check to see if you have local admin access on targets
o but no admin privs needed to get good info!
Invoke-UserView
● Several times on engagements we found ourselves rerunning Invoke-UserHunter in order to re-hunt for specific users
● This creates a lot of unnecessary noise
● Invoke-UserView will run the exact same functions/checks that Invoke-UserHunter does, but preserves all output for later processing
Invoke-StealthUserHunter
● Uses an old red teaming trick
1. Queries AD for all users and extracts all homeDirectory fields to identify likely domain file servers
2. Runs NetSessionEnum against each file server to enumerate remote sessions, matching against target user list
● Gets reasonable coverage with a lot less traffic than UserHunter
o and again, no admin privs needed
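A defensive counterpart to the hunting flow above, added here as an example (not PowerView or any tool from the deck): every NetSessionEnum/NetWkstaUserEnum query, whether from Invoke-UserHunter, netview.exe or smb-enum-sessions.nse, authenticates to the target over SMB and leaves a 4624 type 3 logon event on it, so one source opening network logons to many hosts within a few minutes is the fan-out to look for, and the second check flags privileged accounts logging on interactively outside their admin hosts, which is the exposure the hunt -> Mimikatz chain depends on. The CSV column names, the thresholds and the sample events are assumptions constructed for this example; Invoke-StealthUserHunter only touches the file servers, so the host threshold has to be tuned down for that variant.

```python
"""Detection helpers for session-enumeration fan-out and off-tier privileged
logons.  Added example, not PowerView code.  The CSV layout below (one row
per 4624 event exported from the monitored hosts) is an assumption."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export.  Computer is the host that logged the event,
# IpAddress the source address recorded in it ("-" for console logons).
SAMPLE_CSV = """TimeCreated,Computer,EventID,LogonType,TargetUserName,IpAddress
2014-11-20T09:00:01,FS01,4624,3,jasonf,10.1.1.50
2014-11-20T09:00:02,FS02,4624,3,jasonf,10.1.1.50
2014-11-20T09:00:03,WEB01,4624,3,jasonf,10.1.1.50
2014-11-20T09:00:04,SQL01,4624,3,jasonf,10.1.1.50
2014-11-20T09:00:05,WKS-112,4624,3,jasonf,10.1.1.50
2014-11-20T09:00:06,WKS-113,4624,3,jasonf,10.1.1.50
2014-11-20T09:03:00,FS01,4624,3,alice,10.1.1.77
2014-11-20T10:15:00,WKS-204,4624,2,da-bob,-
2014-11-20T10:20:00,DC01,4624,10,da-bob,10.1.1.77
2014-11-20T10:25:00,FS01,4624,3,da-bob,10.1.1.77
2014-11-20T11:00:00,FS01,4624,3,carol,10.1.1.80
2014-11-20T11:30:00,FS02,4624,3,carol,10.1.1.80
"""

# Logon types that leave reusable credential material on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}


def parse_events(text):
    """Parse the CSV export into time-sorted dicts, keeping only 4624 rows."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EventID"] != "4624":
            continue
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "computer": row["Computer"],
            "logon_type": int(row["LogonType"]),
            "user": row["TargetUserName"],
            "source": row["IpAddress"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_session_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Flag sources that open network (type 3) logons to at least min_hosts
    distinct hosts inside one sliding window: the footprint of enumerating
    sessions across the domain.  Returns {source: sorted hosts touched}."""
    by_source = defaultdict(list)
    for e in events:  # already time-sorted, so per-source lists are too
        if e["logon_type"] == 3 and e["source"] not in ("-", ""):
            by_source[e["source"]].append(e)
    hits = {}
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {ev["computer"] for ev in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts | set(hits.get(src, [])))
    return hits


def privileged_logons_outside_tier(events, privileged_users, admin_hosts):
    """Return (user, computer, logon_type) for interactive logons by
    privileged accounts on hosts outside admin_hosts.  Network (type 3)
    logons are ignored: they do not leave credentials behind on the host."""
    flagged = []
    for e in events:
        if (e["user"].lower() in privileged_users
                and e["logon_type"] in INTERACTIVE_TYPES
                and e["computer"] not in admin_hosts):
            flagged.append((e["user"], e["computer"], e["logon_type"]))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print("session-enumeration fan-out:", find_session_fanout(evs))
    print("privileged interactive logons off-tier:",
          privileged_logons_outside_tier(evs, {"da-bob"}, {"DC01"}))
```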
Invoke-UserProcessHunter
● Utilizes the newly christened Get-NetProcesses
o this function makes it easy to enumerate running processes on remote machines
● You will need admin privileges on the machines you’re enumerating
● Invoke-UserProcessHunter wraps this all up into a weaponized form
Invoke-UserEventHunter
● Sometimes you have DA, but need to target specific users (think the IR team :)
● Domain controller event logs make it trivial to track down domain users, provided you have domain admin access
● Get-UserLogonEvents implements @sixdub’s work on offensive event parsing
o Invoke-UserEventHunter rolls this all into a weaponized form
Demo(s)
Shameless Sidebar
● Want to research cool stuff like this?
● Want to work with 13 x OSCPs and 3 x OSCEs?
● Want to do some sweet red teaming?
● Hit me up to join Veris Group’s Adaptive Threat Division
Questions?
● Contact me:
o @harmj0y
o will [at] harmj0y.net
o harmj0y in #veil and #armitage on Freenode
● Read more:
o http://blog.harmj0y.net
o https://www.veil-framework.com
● Get PowerView:
o https://github.com/Veil-Framework/PowerTools