Trusts You Might Have Missed - 44con

@harmj0y
Co-founder of Empire/EmPyre,
PowerTools, Veil-Framework
PowerSploit/BloodHound
developer
Microsoft PowerShell MVP

tl;dr ⊙ Red Teaming
⊙ Active Directory and Trusts 101
⊙ Old vs New School Enumeration
⊙ Abusing Trusts
⊙ BloodHound
⊙ Mimikatz and Trusts
⊙ Demo

1
“Red Teaming”
Bridging the Gap

⊙ Red teaming means different
things to different people
○ common thread of increased time frame
and more permissive scope
⊙ We tend towards longer running,
remote network operations with
a focus on Windows
Red Teaming

“ Fundamentally, if somebody wants to get
in, they're getting in...Accept that...What
we tell clients is:
Number one, you're in the fight, whether
you thought you were or not.
Number two, you're almost certainly
penetrated.
Michael Hayden
Former Director of CIA & NSA

⊙ Domain trusts have existed for
years, and red teams have been
abusing them just as long
○ Techniques are public but not as well
known as they should be
⊙ Possible through multiple
means, “offense in depth”
○ VBScript, PowerShell, native tools
Nothing
New?

2
Domain Trusts
A Quick Refresher

⊙ Multiple Levels
○ Domain- logical group of network objects
(computers, users, etc.)
○ Trees- collection of domains
○ Forests- collection of trees
⊙ Used to authenticate and authorize
users and computers on a network
⊙ The domain is not the trust
boundary, the forest is!!!
Active
Directory
Overview

⊙ Trusts allow domains to form
inter-connected relationships
○ A trust just links up the authentication
systems of two domains and allows
authentication traffic to flow between them
○ Done by exchanging an “inter-realm trust
key” that can relay kerberos traffic
⊙ Forests can also establish trust
relationships
○ ex. all domains in Forest A will trust
domains in Forest B
Trusts 101

⊙ Communications in the trust work via
a system of referrals:
○ If the SPN being requested resides
outside of the primary domain, the DC
issues a referral to the forest KDC (or
trusted domain KDC) to receive a ticket
○ Access is passed around w/ inter-realm
TGTs signed by the inter-realm key
⊙ Multiple configuration topographies
available that will determine the
behavior of the trusts
Trusts 201

http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx
Trust
Direction

⊙ Trusts come in a few varieties:
○ One way- one domain trusts the other
○ Two way- both domains trust each other
○ Transitive- domain A trusts Domain B
and Domain B trusts Domain C, so
Domain A trusts Domain C
⊙ A child domain retains an implicit
two-way transitive trust with its
parent
○ http://technet.microsoft.com/en-us/libr
ary/cc773178(v=ws.10).aspx
Trust Types

⊙ Why does this matter?
⊙ Trusts can introduce unintentional
avenues of access into a target
⊙ Enterprise Admin = pwnership over
everything below
○ but at a minimum trusts let you query AD
information for a foreign domain!
Who Cares?

3
Trust
Enumeration
Old School vs. New

⊙ A pure PowerShell domain/network
situational awareness tool
○ think dsquery on steroids... and cocaine
⊙ Built to automate large components
of our tradecraft used to facilitate red
team engagements
⊙ Now integrated into PowerSploit
○ everything is version PS v2.0 compliant
PowerView

⊙ Get-NetForest: information about the
current domain forest
⊙ Get-NetForestDomain: enumerate all
domains in the current forest
⊙ Get-NetDomainTrust: find all current
domain trusts, à la nltest
⊙ Get-NetForestTrust: grab all forest
trusts
PowerView:
Enumerating
Trusts

⊙ If a trust exists, most functions in
PowerView can accept a -Domain
<name> flag to operate across a trust:
○ Get-NetDomainController, Get-NetUser,
Get-NetComputer, Get-NetGroup,
Get-NetGroupMember,
Get-NetFileServer, Invoke-UserHunter,
etc.
PowerView:
Using Trusts

⊙ PowerView also has a function to map
all reachable domain trusts:
○ Invoke-MapDomainTrust
⊙ Finds all domain trusts for the current
domain, enumerates all trusts for each
domain it finds, and so on
○ can dump out a nice .csv of all current
trust relationships
PowerView:
Mapping
Trusts

⊙ Raw trust mappings are digestible for
small domains
○ But the complexity can explode for really
large environments
⊙ Data means nothing if you can’t
interpret it usefully
⊙ @sixdub’sDomainTrustExplorer can
transform CSV output to graphml
Processing
Raw Data

4
Abusing
Domain Trusts
The Path to
Pwnership

1. Map the trusts and their types
(intra-forest or otherwise) reachable from
your current domain
2. Enumerate users/groups from one
domain that have access to resources in
other domains
a. uncovering the hidden ‘trust mesh’ of accesses
that administrators have set up
3. Selectively compromise specific target
accounts in order to hop across the trust
boundary
A Trust
Attack
Strategy

⊙ To enumerate users who are in groups
outside of the user’s primary domain
(i.e. across trusts):
○ Find-ForeignUser -Domain <domain>
○ This is a domain’s “outgoing” access
⊙ To enumerate groups with users
outside of the group’s primary
domain:
○ Find-ForeignGroup -Domain <domain>
○ This is the “incoming” access to a domain
⊙ Lots of Get-NetLocalGroup
Abusing
Trusts With
PowerView

⊙ Automates AD attack path finding
⊙ A graphing front end build on neo4j
with a customized version of
PowerView as the data collector
○ Export as CSV or inputs directly into the
neo4j RESTful API
⊙ Released at DEF CON 24
○ http://bit.ly/getbloodhound
BloodHound
Overview

BloodHound
and Domain
Trusts
⊙ Domains are represented in the
schema only for visualizing their
relationships à la
DomainTrustExplorer
⊙ The normal schema just has
user@domain.local and
machine.domain2.local
○ This lets us easily find cross-domain
paths without having to specifically model
domains in the schema

BloodHound
Foreign
Users/Groups

6
Mimikatz and
Trusts
Thanks @gentilkiwi
and @pyrotek3 !

⊙ “The password for a domain trust
account is used to derive an inter-realm
key for encrypting referral tickets”*
○ Mimikatz can extract these trust keys
from domain controllers participating in
the trust
⊙ These keys can be used to create
“golden” trust referral tickets for the
krbtgt service, with a trusting domain
as the target
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx
Mimikatz and
Trust Keys

⊙ Mimikatz can now include extra
account SIDs from other domains
when it constructs a Golden Ticket
○ with the /sids flag
⊙ If you get the krbtgt hash of a domain
controller of a child domain in a forest,
you can set the SID history to be
“Enterprise Admins” of the parent
domain
○ This allows you to compromise the forest
root!
The
Trustpocalypse

If you compromise one
domain controller of a
child domain in a forest,
you can compromise the
entire forest!
The
Trustpocalypse

Caveat:
SID Filtering
⊙ If SID filtering is enabled, DCs in a
trusting domain remove SIDs that
aren’t contained in the trusted
domain
○ Applies to SIDHistory!
⊙ This prevents the malicious
SIDHistory Mimikatz attack
⊙ Enabled by default for
external/interforest trusts

Caveat:
Quarantined
Within Forest
⊙ Parent-child trusts can be marked as
‘quarantined’
⊙ This will filter out all SIDs, EXCEPT the
“Enterprise Domain Controllers” SID
(S-1-5-9) ;)
⊙ This means it’s still possible to craft a
Golden Ticket in such a way to hop up
the trust!

⊙ Say we land on a machine in the
dev.testlab.local domain
⊙ We want to compromise the
external.local forest
⊙ We’ll do this by abusing trust
relationships to hop to testlab.local
and then external.local
Demo Setup

Credits Special thanks to:
⊙ @_wald0
⊙ @CptJesus
⊙ @sixdub
⊙ @gentilkiwi
⊙ @pyrotek3

Thanks!
Any questions?
@harmj0y
will [at] harmj0y.net
http://blog.harmj0y.net/

Trusts You Might Have Missed - 44con

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to Trusts You Might Have Missed - 44con

Similar to Trusts You Might Have Missed - 44con (20)

Recently uploaded

Recently uploaded (11)

Trusts You Might Have Missed - 44con