Trusts You Might Have Missed

Upload: will-schroeder

Post on 21-Apr-2017


Page 1: Trusts You Might Have Missed - 44con

Trusts You Might Have Missed

Page 2: Trusts You Might Have Missed - 44con

@harmj0y

Co-founder of Empire/EmPyre, PowerTools, Veil-Framework

PowerSploit/BloodHound developer

Microsoft PowerShell MVP

Page 3: Trusts You Might Have Missed - 44con

tl;dr

⊙ Red Teaming
⊙ Active Directory and Trusts 101
⊙ Old vs New School Enumeration
⊙ Abusing Trusts
⊙ BloodHound
⊙ Mimikatz and Trusts
⊙ Demo

Page 4: Trusts You Might Have Missed - 44con

1. “Red Teaming”

Bridging the Gap

Page 5: Trusts You Might Have Missed - 44con

Red Teaming

⊙ Red teaming means different things to different people
  ○ common thread of increased time frame and more permissive scope
⊙ We tend towards longer running, remote network operations with a focus on Windows

Page 6: Trusts You Might Have Missed - 44con

“Fundamentally, if somebody wants to get in, they're getting in... Accept that... What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you're almost certainly penetrated.”

Michael Hayden
Former Director of CIA & NSA

Page 7: Trusts You Might Have Missed - 44con

Nothing New?

⊙ Domain trusts have existed for years, and red teams have been abusing them just as long
  ○ Techniques are public but not as well known as they should be
⊙ Possible through multiple means, “offense in depth”
  ○ VBScript, PowerShell, native tools

Page 8: Trusts You Might Have Missed - 44con

2. Domain Trusts

A Quick Refresher

Page 9: Trusts You Might Have Missed - 44con

Active Directory Overview

⊙ Multiple Levels
  ○ Domain - logical group of network objects (computers, users, etc.)
  ○ Trees - collection of domains
  ○ Forests - collection of trees
⊙ Used to authenticate and authorize users and computers on a network
⊙ The domain is not the trust boundary, the forest is!!!

Page 10: Trusts You Might Have Missed - 44con

Trusts 101

⊙ Trusts allow domains to form inter-connected relationships
  ○ A trust just links up the authentication systems of two domains and allows authentication traffic to flow between them
  ○ Done by exchanging an “inter-realm trust key” that can relay Kerberos traffic
⊙ Forests can also establish trust relationships
  ○ ex. all domains in Forest A will trust domains in Forest B

Page 11: Trusts You Might Have Missed - 44con

Trusts 201

⊙ Communications in the trust work via a system of referrals:
  ○ If the SPN being requested resides outside of the primary domain, the DC issues a referral to the forest KDC (or trusted domain KDC) to receive a ticket
  ○ Access is passed around w/ inter-realm TGTs signed by the inter-realm key
⊙ Multiple configuration topologies are available, and they determine the behavior of the trusts

Page 12: Trusts You Might Have Missed - 44con

Kerberos and Domain Trusts

Page 13: Trusts You Might Have Missed - 44con

Trust Direction

http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx

Page 14: Trusts You Might Have Missed - 44con

Trust Types

⊙ Trusts come in a few varieties:
  ○ One way - one domain trusts the other
  ○ Two way - both domains trust each other
  ○ Transitive - domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C
⊙ A child domain retains an implicit two-way transitive trust with its parent
  ○ http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

Page 15: Trusts You Might Have Missed - 44con

Who Cares?

⊙ Why does this matter?
⊙ Trusts can introduce unintentional avenues of access into a target
⊙ Enterprise Admin = pwnership over everything below
  ○ but at a minimum trusts let you query AD information for a foreign domain!

Page 16: Trusts You Might Have Missed - 44con

3. Trust Enumeration

Old School vs. New

Page 17: Trusts You Might Have Missed - 44con

nltest.exe and adfind.exe

Page 18: Trusts You Might Have Missed - 44con

PowerView

⊙ A pure PowerShell domain/network situational awareness tool
  ○ think dsquery on steroids... and cocaine
⊙ Built to automate large components of our tradecraft used to facilitate red team engagements
⊙ Now integrated into PowerSploit
  ○ everything is PS v2.0 compliant

Page 19: Trusts You Might Have Missed - 44con

PowerView: Enumerating Trusts

⊙ Get-NetForest: information about the current domain forest
⊙ Get-NetForestDomain: enumerate all domains in the current forest
⊙ Get-NetDomainTrust: find all current domain trusts, à la nltest
⊙ Get-NetForestTrust: grab all forest trusts

Page 20: Trusts You Might Have Missed - 44con

PowerView: Using Trusts

⊙ If a trust exists, most functions in PowerView can accept a -Domain <name> flag to operate across a trust:
  ○ Get-NetDomainController, Get-NetUser, Get-NetComputer, Get-NetGroup, Get-NetGroupMember, Get-NetFileServer, Invoke-UserHunter, etc.

Page 21: Trusts You Might Have Missed - 44con

PowerView: Using Trusts

Page 22: Trusts You Might Have Missed - 44con

PowerView: Mapping Trusts

⊙ PowerView also has a function to map all reachable domain trusts:
  ○ Invoke-MapDomainTrust
⊙ Finds all domain trusts for the current domain, enumerates all trusts for each domain it finds, and so on
  ○ can dump out a nice .csv of all current trust relationships

Page 23: Trusts You Might Have Missed - 44con

Trust Mappings
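The "enumerate all trusts for each domain it finds, and so on" step above is a breadth-first walk over the trust graph. As an added example (this is not PowerView's code and not from the talk), the following PowerShell does that walk with the .NET System.DirectoryServices.ActiveDirectory classes, the same API family Get-NetDomainTrust wraps, so a defender can produce the same CSV inventory of reachable trusts that the slide describes. The function names Get-TrustEdges and Invoke-TrustMap and the output path trusts.csv are this example's own choices; it assumes a domain-joined session (it reads the start domain from USERDNSDOMAIN) whose account is allowed to bind to each domain it discovers.

```powershell
# Added example, not PowerView code: map reachable domain trusts breadth-first
# and emit one object per trust edge (Source -> Target, direction, type).
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustEdges {
    # Return one object per trust the named domain holds, via the .NET Domain class
    param([Parameter(Mandatory = $true)][string]$DomainName)
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Direction = $t.TrustDirection   # Inbound, Outbound or Bidirectional
            Type      = $t.TrustType        # ParentChild, TreeRoot, CrossLink, External, Forest, Kerberos, Unknown
        }
    }
}

function Invoke-TrustMap {
    # Enumerate trusts for the start domain, queue every target domain found,
    # enumerate those in turn, and stop when no unseen domain remains.
    param([string]$StartDomain = $env:USERDNSDOMAIN)
    if (-not $StartDomain) { throw 'No start domain given and USERDNSDOMAIN is not set' }
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($StartDomain.ToLower())
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if (-not $seen.Add($current)) { continue }   # already mapped this domain
        try {
            $edges = @(Get-TrustEdges -DomainName $current)
        } catch {
            # One-way trusts and unreachable DCs commonly refuse the bind; note it and keep walking
            Write-Warning "Could not enumerate trusts for ${current}: $($_.Exception.Message)"
            continue
        }
        foreach ($edge in $edges) {
            $edge
            $queue.Enqueue($edge.Target.ToLower())
        }
    }
}

# Usage: write the reachable trust graph out as CSV for DomainTrustExplorer-style processing
Invoke-TrustMap | Export-Csv -Path .\trusts.csv -NoTypeInformation
```

A domain that appears only as a Target and never yields edges of its own (the warning case) is usually the far side of a one-way trust; that asymmetry is itself worth recording, because it marks where the walk's view of the graph is incomplete.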

Page 24: Trusts You Might Have Missed - 44con

Processing Raw Data

⊙ Raw trust mappings are digestible for small domains
  ○ But the complexity can explode for really large environments
⊙ Data means nothing if you can’t interpret it usefully
⊙ @sixdub’s DomainTrustExplorer can transform CSV output to graphml

Page 25: Trusts You Might Have Missed - 44con

Trust Visualization

Page 26: Trusts You Might Have Missed - 44con

4. Abusing Domain Trusts

The Path to Pwnership

Page 27: Trusts You Might Have Missed - 44con

A Trust Attack Strategy

1. Map the trusts and their types (intra-forest or otherwise) reachable from your current domain
2. Enumerate users/groups from one domain that have access to resources in other domains
   a. uncovering the hidden ‘trust mesh’ of accesses that administrators have set up
3. Selectively compromise specific target accounts in order to hop across the trust boundary

Page 28: Trusts You Might Have Missed - 44con

Abusing Trusts With PowerView

⊙ To enumerate users who are in groups outside of the user’s primary domain (i.e. across trusts):
  ○ Find-ForeignUser -Domain <domain>
  ○ This is a domain’s “outgoing” access
⊙ To enumerate groups with users outside of the group’s primary domain:
  ○ Find-ForeignGroup -Domain <domain>
  ○ This is the “incoming” access to a domain
⊙ Lots of Get-NetLocalGroup

Page 29: Trusts You Might Have Missed - 44con

Abusing Trusts With PowerView
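The “incoming” access that Find-ForeignGroup reports is stored in AD as foreignSecurityPrincipal objects: one is created under CN=ForeignSecurityPrincipals for each trusted-domain SID that gets added to a group in this domain, and its memberOf lists exactly those groups. As an added example (not PowerView's or the talk's code; Get-IncomingTrustAccess is this example's own function name), the following PowerShell enumerates those objects and resolves each SID, giving a defender the list of cross-trust memberships to review against what was actually intended. It assumes a domain-joined session with LDAP access to the current domain; SIDs that cannot be resolved (trust down, or a principal deleted on the far side) are reported as unresolved rather than dropped, since stale foreign SIDs in privileged groups are a finding in themselves.

```powershell
# Added example, not PowerView code: inventory cross-trust group membership via
# the foreignSecurityPrincipal objects in the current domain.
Add-Type -AssemblyName System.DirectoryServices

function Get-IncomingTrustAccess {
    # Foreign security principals are created when a user or group from a trusted
    # domain is added to a group here, so their memberOf is this domain's incoming access.
    param([string]$NamingContext = [string]([adsi]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://CN=ForeignSecurityPrincipals,$NamingContext"
    $searcher.Filter     = '(objectClass=foreignSecurityPrincipal)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        $sidBytes = [byte[]]$result.Properties['objectsid'][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        # Well-known SIDs (Authenticated Users, Interactive, ...) also live in this container
        # and carry no domain component; they are not trust access, so skip them
        if ($null -eq $sid.AccountDomainSid) { continue }
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved: trust unreachable or principal deleted>'
        }
        foreach ($group in $result.Properties['memberof']) {
            [pscustomobject]@{
                ForeignSid = $sid.Value
                Account    = $account
                Group      = [string]$group
            }
        }
    }
}

# Usage: groups with the most foreign members first
Get-IncomingTrustAccess | Group-Object Group | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run this in every domain of the forest and the union is the trust mesh the attack strategy slide talks about, seen from the side that grants the access rather than the side that holds it.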

Page 30: Trusts You Might Have Missed - 44con

5. BloodHound

Page 31: Trusts You Might Have Missed - 44con

BloodHound Overview

⊙ Automates AD attack path finding
⊙ A graphing front end built on neo4j with a customized version of PowerView as the data collector
  ○ Export as CSV or input directly into the neo4j RESTful API
⊙ Released at DEF CON 24
  ○ http://bit.ly/getbloodhound

Page 32: Trusts You Might Have Missed - 44con

BloodHound Path Finding

Page 33: Trusts You Might Have Missed - 44con

BloodHound and Domain Trusts

⊙ Domains are represented in the schema only for visualizing their relationships à la DomainTrustExplorer
⊙ The normal schema just has [email protected] and machine.domain2.local
  ○ This lets us easily find cross-domain paths without having to specifically model domains in the schema

Page 34: Trusts You Might Have Missed - 44con

BloodHound Visualizing

Trusts

Page 35: Trusts You Might Have Missed - 44con

BloodHound Hopping

Trusts

Page 36: Trusts You Might Have Missed - 44con

BloodHound Foreign

Users/Groups

Page 37: Trusts You Might Have Missed - 44con

6. Mimikatz and Trusts

Thanks @gentilkiwi and @pyrotek3!

Page 38: Trusts You Might Have Missed - 44con

Mimikatz and Trust Keys

⊙ “The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets”*
  ○ Mimikatz can extract these trust keys from domain controllers participating in the trust
⊙ These keys can be used to create “golden” trust referral tickets for the krbtgt service, with a trusting domain as the target

*https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx

Page 39: Trusts You Might Have Missed - 44con

Even Crazier...

Page 40: Trusts You Might Have Missed - 44con

The Trustpocalypse

⊙ Mimikatz can now include extra account SIDs from other domains when it constructs a Golden Ticket
  ○ with the /sids flag
⊙ If you get the krbtgt hash of a domain controller of a child domain in a forest, you can set the SID history to be “Enterprise Admins” of the parent domain
  ○ This allows you to compromise the forest root!

Page 41: Trusts You Might Have Missed - 44con
Page 42: Trusts You Might Have Missed - 44con
Page 43: Trusts You Might Have Missed - 44con

If you compromise one domain controller of a child domain in a forest, you can compromise the entire forest!

The Trustpocalypse

Page 44: Trusts You Might Have Missed - 44con

Advice From @gentilkiwi

Page 45: Trusts You Might Have Missed - 44con

Caveat: SID Filtering

⊙ If SID filtering is enabled, DCs in a trusting domain remove SIDs that aren’t contained in the trusted domain
  ○ Applies to SIDHistory!
⊙ This prevents the malicious SIDHistory Mimikatz attack
⊙ Enabled by default for external/interforest trusts

Page 46: Trusts You Might Have Missed - 44con

Caveat: Quarantined Within Forest

⊙ Parent-child trusts can be marked as ‘quarantined’
⊙ This will filter out all SIDs, EXCEPT the “Enterprise Domain Controllers” SID (S-1-5-9) ;)
⊙ This means it’s still possible to craft a Golden Ticket in such a way to hop up the trust!
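Both caveats (SID filtering on slide 45, quarantine within the forest on slide 46) are visible on the trust object itself: the trustAttributes attribute of each trustedDomain object in CN=System carries the TRUST_ATTRIBUTE_* bits that decide what a DC filters. As an added example (not the talk's code; Get-TrustSidFilteringReport and the $TRUST_ATTRIBUTE_* variable names are this example's own), the following PowerShell reads those bits for every trust in the current domain and reports which situation applies, using the documented flag values: an intra-forest trust without the quarantine bit is the configuration the SIDHistory Golden Ticket relies on, a quarantined intra-forest trust still passes S-1-5-9, forest trusts are filtered by default unless TREAT_AS_EXTERNAL relaxes them, and an external trust without the quarantine bit has had SID filtering switched off. It assumes a domain-joined session with LDAP read access to the System container.

```powershell
# Added example, not from the talk: report SID filtering / quarantine state per trust
# by decoding the trustAttributes LDAP attribute of each trustedDomain object.
Add-Type -AssemblyName System.DirectoryServices

# Documented TRUST_ATTRIBUTE_* bit values
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering / quarantine on (netdom /quarantine:yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # parent-child or tree-root trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # forest trust filtered only like an external one

function Get-TrustSidFilteringReport {
    param([string]$NamingContext = [string]([adsi]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://CN=System,$NamingContext"
    $searcher.Filter     = '(objectClass=trustedDomain)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'trustAttributes'))

    foreach ($result in $searcher.FindAll()) {
        $attrs        = [int]$result.Properties['trustattributes'][0]
        $withinForest = ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
        $quarantined  = ($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $forestTrust  = ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $asExternal   = ($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0

        if ($withinForest -and -not $quarantined) {
            # Default for parent-child trusts: SIDHistory from the child is honoured,
            # which is what the SIDHistory Golden Ticket relies on
            $status = 'No filtering: SIDHistory honoured across this intra-forest trust'
        } elseif ($withinForest) {
            $status = 'Quarantined: all SIDs filtered except Enterprise Domain Controllers (S-1-5-9)'
        } elseif ($forestTrust -and $asExternal) {
            $status = 'Forest trust with TREAT_AS_EXTERNAL: filtering relaxed to external-trust level'
        } elseif ($forestTrust) {
            $status = 'Forest trust: forest-aware SID filtering (the default)'
        } elseif ($quarantined) {
            $status = 'External trust: quarantine bit set, SID filtering on (the default)'
        } else {
            $status = 'External trust WITHOUT quarantine bit: SID filtering disabled, review'
        }
        [pscustomobject]@{
            Trust           = [string]$result.Properties['name'][0]
            TrustAttributes = ('0x{0:X}' -f $attrs)
            NonTransitive   = ($attrs -band $TRUST_ATTRIBUTE_NON_TRANSITIVE) -ne 0
            WithinForest    = $withinForest
            Quarantined     = $quarantined
            Status          = $status
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
```

Note what the report cannot tell you: quarantine on a parent-child trust still lets S-1-5-9 through, as slide 46 says, so the only configuration that fully closes the child-to-forest-root path is not a trust attribute at all but keeping the child's krbtgt out of reach.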

Page 47: Trusts You Might Have Missed - 44con

Demo Setup

⊙ Say we land on a machine in the dev.testlab.local domain
⊙ We want to compromise the external.local forest
⊙ We’ll do this by abusing trust relationships to hop to testlab.local and then external.local

Page 48: Trusts You Might Have Missed - 44con

Demo

Page 49: Trusts You Might Have Missed - 44con

Credits

Special thanks to:
⊙ @_wald0
⊙ @CptJesus
⊙ @sixdub
⊙ @gentilkiwi
⊙ @pyrotek3

Page 50: Trusts You Might Have Missed - 44con

Thanks! Any questions?

@harmj0y

will [at] harmj0y.net

http://blog.harmj0y.net/