The Travelling Pentester

Diaries of the Shortest Path to Compromise

About MeI am Will SchroederJob: “Offensive Engineer” at Veris Group’s ATDCo-Founder: Veil-Framework, PowerView, PowerUp, Empire/Empyre, BloodHoundTrainer: Black Hat USA 2014-2017Other: Microsoft PowerShell/CDM MVP

Twitter: @harmj0y

The Bloodhound GangRohan VazarkarJob: Pentester at Veris Group’s ATDTool creator/dev: BloodHound, Python EmPyrePresenter: BSides, Black Hat Arsenal, DEF CONTrainer: Black Hat USA 2016-2017

Twitter: @CptJesus

Andy RobbinsJob: Pentest lead at Veris Group’s ATDTool creator/dev: BloodHoundSpeaker: BSides, ISSA International, Black Hat Arsenal, DEF CONTrainer: Black Hat USA 2016-2017

Twitter: @_wald0

tl;dr

Offensive Background

Our (Current) Ops◇“Assume breach” approach◇Lots of Active Directory and

offensive PowerShell◇Defenses are getting better- we’ve

had to evolve!

“Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”

Michael HaydenFormer Director of NSA & CIAMicrosoft Enterprise Cloud Red Teaming Whitepaper

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

John LambertGM, Microsoft Threat Intelligence Center

Group: IT

Admins

User:

Bob MemberOf

AdminTo

Computer: Server1 HasSession

User:

Mary

MemberOf

Group: Domain Admins

User:

Alice

Force-Reset-

Password

BloodHound◇Automates the attack

path analysis process◇Components:￭ PowerShell ingestor￭ neo4j backend￭ Cross-platform electron

app front end◇Open source and

BSD 3-clause licensed!

BloodHound Attack Graph Design

Vertices represent users, groups, computers, and domains

Edges identify group memberships, admin rights, user sessions, and now ACL relationships

Paths always lead toward escalating rights. Always.

Who’s Logged in Where?aka “user-hunting”

NetSessionEnum/NetWkstaUserEnumLDAP computer enumeration

NetSessionEnum/NetWkstaUserEnumNetSessionEnum/NetWkstaUserEnum

NetSessionEnum/NetWkstaUserEnum

NetSessionEnum/NetWkstaUserEnum

Attacker

DC

Who’s Logged in Where?“Stealth” user-hunting

NetSessionEnum

Attacker

LDAP enumerationDC

FileServer

NetSessionEnum sessions

sessions

Who’s Logged in Where?Defenses

Who’s Logged in Where?Defenses

Who Can Admin What?

Who Can Admin What?PowerView

Who Can Admin What?Defenses

“Windows 10 had introduced an option to control the remote access to the SAM, through a specific registry value. On Windows Anniversary update (Windows 10 Version 16074) the default permissions were changed to allow remote access only to administrators.”

Who Can Admin What?GPO Edition

Restricted Groups

Defined In

Defin

ed In

Group Policy

Preferences

Group Policy Object

OU/site/

domain

Linked To

Contains

Cont

ain

s

Server

WorkstationLocal

Admins

Set

By

Set

By

Who’s in What Groups?

◇Enumerate all groups and extract the members of each

◇PowerView:￭ Get-DomainGroup | Get-DomainGroupMember

◇BloodHound:￭ Just pulls the member for all group objects

Active Directory DACLs

Previous DACL Work

https://www.sstic.org/media/SSTIC2014/SSTIC-actes/chemins_de_controle_active_directory/SSTIC2014-Slides-chemins_de_controle_active_directory-gras_bouillot.pdf

◇Offline (ntds.dit) and some online DACL collection capabilities

◇Backend neo4j database allows for control flow discovery

◇Code released at https://github.com/ANSSI-FR/AD-control-paths

Previous DACL Work

Who Has Rights Over What Objects?

◇By default, any user can enumerate all DACLs for all objects in the domain￭ Through .NET methods or by specifying ntsecuritydescriptor in the LDAP query props

◇PowerView: Get-DomainObjectACL◇BloodHound enumerates just the

control relationships we care about

Computer:

Server1

User:

Mary

User:

Alice

ForceChangePassword

Group: IT

Admins

GenericWrite

GenericAll

WriteDACL

WriteOwner

AllExtendedRights

Computer:

Server1

Group: Exchange Admins

User:

Alice

AddMembers

Group: IT

Admins

GenericWrite

GenericAll

WriteDACL

WriteOwner

AllExtendedRights

◇Default Rights￭ GenericAll - ALL THE RIGHTS￭ GenericWrite - write all object properties￭ WriteDacl - modify the DACL for the object￭ WriteOwner - modify an object owner￭ WriteProperty Self-Membership/Script-Path – modify group membership/user script path

◇Extended Rights￭ User-Force-Change-Password

BloodHoundCurrently Collected ACLs

◇DS-Replication-Get-Changes-All

◇Modification rights to GPC-File-Sys-Path for GPOs

◇“Kerberoastable” accounts

◇Read rights to ms-MCS-AdmPwd

BloodHoundFuture Collected ACLs

BloodHound(Short) Demo

Case Studies(in Failure)Details have been changed to protect the innocent ;)

Case #1

1. Service binary rotated the local admin passwords monthly

2. .NET coded, predictable algorithm based on the date and hostname, no salt

3. Pulled apart app, build weaponized code, had admin access to every gold image system

4. Performed the ‘credential shuffle’ by hand with PowerView, took about 2 weeks

Local Passwords Are Hard

Case #2

1. Kerberoasted 2 services accounts, allowing for access to a handful of systems

2. BloodHound analysis determined one user logged into one system we controlled had direct access to 5 systems, but derivative access to hundreds

3. Bonus: all user accounts had reversible encryption set

4. Elevated, hopped down the chain, DCSynced to recover ultimate target’s plaintext, grabbed the objective

Kerberos is Hard As Well

Case #3

1. VULNERABLE SERVICE on terminal-type machines, allowed elevation

2. All terminal servers had the same (and enabled) local admin account

3. No formal trust, but correlated similar accounts between the two accessible domains

4. Developed GPO correlation technique on the engagement to hop to 2 cross-network targets

5. Group Policy Preferences in cross-network target, allowed compromise to a handful of machines

GPP and GPOs and extra SIDs, Oh My

Case #3

6. Quick escalation to elevated domain rights7. DCSynced to recover krbtgt of child

domain8. Hopped to child domain controller to build

a Golden Ticket with extra SIDs9. Injected and was able to hop up the trust

and DCSync the corporate root domain

GPP and GPOs and extra SIDs, Oh My

Sniffing Out ACLs with BloodHoundCase #4

Sniffing Out ACLs with BloodHoundCase #4

How it Could HaveBeen Prevented

LAPShttps://technet.microsoft.com/en-us/mt227395.aspx

How it Could HaveBeen Prevented

https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access

How it Could HaveBeen Prevented

◇Managed service accounts◇ATA◇SAMRi10 / NetCease◇Credential Guard◇Red Forest Architecture◇PowerUp◇GET RID OF GPP◇Separate forests to enforce trust◇Centralized logging/analysis◇Increased endpoint telemetry

How it Could Have Been PreventedDACLs

¯\_( ツ )_/¯

How WeGet CaughtOur Biggest Pain Points

PowerShell Logging

◇INSTALL V5!

https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/

Endpoint Telemetry

◇Command line logging is a huge pain￭ Many many attacker toolsets end up calling shell commands

◇Mining things like process tree traces at scale can give enormous insight

◇Windows Defender ATP, Sysmon, etc.

Closing Thoughts

Thank You!@harmj0ywill [at] harmj0y.netblog.harmj0y.net