I Hunt Sys Admins
26
“I Hunt Sys Admins” (U) Will @harmj0y
Transcript of I Hunt Sys Admins
“I Hunt Sys Admins”(U) Will
@harmj0y
$ whoami
● Security researcher and red teamer for the
Veris Group’s Adaptive Threat Division
● Co-founder of the Veil-Framework and
founder of Veil’s PowerTools
● Cons:o Shmoocon ‘14: AV Evasion with the Veil Framework
o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0
o Derbycon ‘14: Passing the Torch: Old School Red
Teaming, New School Tactics?
What this is
● Ways to hunt for target users on Windows
domains
● Ya really, that’s it
● Will cover as many tools and technique for
doing this as I have time for
Setting the Stage
● This talk is from the “assume breach”
perspectiveo i.e. assume foothold/access to a Windows domain
machine
● I’m also going to assume you know (more or
less) what users you’re targeting
● PowerShell methods are going to heavily
rely on PowerViewo https://github.com/veil-framework/PowerTools
Motivations
● Most common:o If you have a privileged account, or local admin
account, you want to figure out where high value
users are logged in
● Hunt -> pop box -> Mimikatz -> profit
● Other times you might have domain admin
rights and need to target specific users to
demonstrate impacto e.g. popping a CEO’s desktop and email
Where my sysadmins at?Finding your prey
Existing Tech
● Several tools have been written that allow
you to figure out who’s logged in where
● I’ll cover what’s already out there, including
the positives/negatives for each
● “Offensive in depth”o You always want multiple ways of achieving the
same objective in your attack chain
● Component of Microsoft’s Sysinternals
o “...determines who is logged on by scanning the
keys under the HKEY_USERS key.”
o “To determine who is logged onto a computer via
resource shares, PsLoggedOn uses the
NetSessionEnum API.”
● Needs remote registry access to determine
who’s logged ino i.e. admin privileges on a remote machine
http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx
psloggedon.exe
psloggedon.exe
netsess.exe
● Component of
http://www.joeware.net/freetools/
● Utilizes the NetSessionEnum API callo http://msdn.microsoft.com/en-
us/library/windows/desktop/bb525382(v=vs.85).aspx
● Think a version of “net session” that works
on remote machines!o great for targeting file servers :)
o no admin privs needed!
netsess.exe
PVEFindADUser.exe
● Tool released by corelanc0d3r in 2009
● “Helps you find where AD users are logged in”o Can also check who’s logged into specific machines
● But “...you also need to have admin access on
the computers you are running the utility
against.”
https://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/
PVEFindADUser.exe
netview.exe
● Rob Fuller (@mubix’s) netview.exe project,
presented at Derbycon 2012, is a tool to
“enumerate systems using WinAPI calls”
● Finds all machines on the network,
enumerates shares, sessions, and logged in
users for each hosto And now can check share access, highlight high
value users, and use a delay/jitter :)
o and also, no admin privs needed!
https://github.com/mubix/netview
netview.exe
Nmap
● If you have a valid domain account, or local
account valid for several machines, you can
use smb-enum-sessions.nse
● Don’t need to have admin privileges!
nmap -sU -sS --script smb-enum-
sessions.nse --script-args
'smbuser=jasonf,smbpass=BusinessBus
inessBusiness!' -p U:137,T:139
192.168.52.0/24
http://nmap.org/nsedoc/scripts/smb-enum-sessions.html
Nmap
Email Headers
● If you have access to someone’s email
(Mimikatz+OWA, etc.) internal headers can
provide a wealth of information
● Search for any chains to/from target users,
and examine headers for given email chains
● If the “X-Originating-IP” header is present,
you can trace where a user sent a given
email from
PowerShell“Microsoft’s Post-Exploitation Language”
Invoke-UserHunter
● Flexible function that:o queries AD for hosts or takes a target list
o queries AD for users of a target group, or takes a
list/single user
o uses Win32 API calls to enumerate sessions
(NetSessionEnum) and logged in users
(NetWkstaUserEnum), matching against the target
user list
● Can also check to see if you have local
admin access on targetso but no admin privs needed to get good info!
Invoke-UserHunter
Invoke-StealthUserHunter
● Uses an old red teaming trick
1. Queries AD for all users and extracts all
homeDirectory fields to identify likely domain file
servers
2. Runs NetSessionEnum against each file server to
enumerate remote sessions, matching against target
user list
● Gets reasonable coverage with a lot less
traffic than UserHuntero and again, no admin privs needed
Invoke-StealthUserHunter
Invoke-UserLogonHunter
● Sometimes you have DA, but need to target
specific users (think the IR team :)
● Domain controller event logs make it trivial to
track down domain users, provided you have
domain admin access
● Get-UserLogonEvents implements
@sixdub’s work on offensive event parsingo Invoke-UserLogonHunter rolls this all into a
weaponized form
Invoke-UserEventHunter
Questions?
● Contact me:o @harmj0y
o harmj0y in #veil and #armitage on Freenode
● Read more:o http://blog.harmj0y.net
o https://www.veil-framework.com
● Get PowerView:o https://github.com/Veil-Framework/PowerTools
