Six Degrees of Domain Admin - BloodHound at DEF CON 24
![Page 1: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/1.jpg)
Six Degrees of Domain Admin
![Page 2: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/2.jpg)
About Us
I am Andy Robbins
Job: Pentester at Veris Group’s ATD
Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA International
Trainer: Black Hat USA 2016
Other: Ask me about ACH
Twitter: @_wald0
![Page 3: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/3.jpg)
About Us
I am Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: EyeWitness, Python Empyre, etc.
Presenter: BSidesDC/LV/DE, Black Hat Arsenal
Trainer: Black Hat USA 2016
Twitter: @CptJesus
![Page 4: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/4.jpg)
About Us
I am Will Schroeder
Job: Researcher at Veris Group’s ATD
Tool creator/dev: Veil-Framework, PowerView, PowerUp, Empire/Empyre
Speaker: Ask me
Trainer: Black Hat USA 2014-2016
Other: Microsoft PowerShell/CDM MVP
Twitter: @harmj0y
![Page 5: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/5.jpg)
The Current State of Active Directory Domain Privilege Escalation
![Page 6: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/6.jpg)
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
John Lambert, GM, Microsoft Threat Intelligence Center
![Page 7: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/7.jpg)
AD Domain Priv Esc
◇ Active Directory is ubiquitous
◇ Ubiquity = Attention = Research time and $$$
◇ Sometimes we get easy buttons!
![Page 8: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/8.jpg)
DA
![Page 9: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/9.jpg)
DA (diagram: the DA node surrounded by account icons)
![Page 10: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/10.jpg)
Derivative Local Admin
“The chaining or linking of administrator rights through compromising other privileged accounts”
Justin Warner @sixdub
![Page 11: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/11.jpg)
Bob, PC1, Mary, PC2 (diagram)
![Page 12: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/12.jpg)
Bob, Help Desk, Server Admins, PC2 (diagram)
![Page 13: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/13.jpg)
Challenges
◇ Extremely time consuming and tedious
◇ Not comprehensive
◇ Limited situational awareness
◇ Did you even need DA?
![Page 14: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/14.jpg)
Graph Theory
And attack graph design
![Page 15: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/15.jpg)
Basic Elements of a Graph
Vertices represent individual elements of a system
Edges generically represent relationships between vertices
Paths are sets of vertices and edges that connect non-adjacent vertices
![Page 16: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/16.jpg)
Vertex 1 -- Edge -- Vertex 2
![Page 17: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/17.jpg)
Vertex 1
Vertex 3
Vertex 2
Vertex 4
![Page 18: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/18.jpg)
BloodHound Attack Graph Design
Vertices represent users, groups, computers, and domains
Edges identify group memberships, admin rights, user sessions, and domain trusts
Paths always lead toward escalating rights. Always.
![Page 19: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/19.jpg)
User: Bob -[MemberOf]-> Group: IT Admins -[AdminTo]-> Computer: Server1 -[HasSession]-> User: Mary -[MemberOf]-> Group: Domain Admins
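The path on this slide is what BloodHound's graph query computes. The following added example (not BloodHound's own code) builds the same three-edge-type graph in Python and runs a breadth-first search from a user to a target group. The node names follow the slide; the extra PC1/Helpdesk1/Help Desk nodes are constructed to give a second, longer route so the shortest-path choice is visible. Edge direction encodes the design rule above: every edge points toward more rights (MemberOf: principal to group; AdminTo: principal to computer; HasSession: computer to the user whose credentials are exposed on it).

```python
"""Attack-graph path finding over the BloodHound edge model (added example)."""
from collections import deque

# Constructed sample data modelled on the slide's diagram.
EDGES = [
    ("User:Bob",         "MemberOf",   "Group:IT Admins"),
    ("Group:IT Admins",  "AdminTo",    "Computer:Server1"),
    ("Computer:Server1", "HasSession", "User:Mary"),
    ("User:Mary",        "MemberOf",   "Group:Domain Admins"),
    # A second, longer route (constructed) so BFS has a choice to make.
    ("User:Bob",         "AdminTo",    "Computer:PC1"),
    ("Computer:PC1",     "HasSession", "User:Helpdesk1"),
    ("User:Helpdesk1",   "MemberOf",   "Group:Help Desk"),
    ("Group:Help Desk",  "AdminTo",    "Computer:Server1"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])  # make sure sinks exist as nodes
    return adj


def shortest_path(adj, start, target):
    """BFS from start to target; returns [(src, rel, dst), ...] or None.

    Because every edge is an escalation step, the fewest hops is also the
    fewest credentials an attacker has to obtain along the way.
    """
    if start not in adj or target not in adj:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, cur = [], target
    while parent[cur] is not None:
        prev, rel = parent[cur]
        path.append((prev, rel, cur))
        cur = prev
    path.reverse()
    return path


def who_can_reach(adj, target):
    """Defender's view: every user node with any path to the target."""
    return sorted(
        node for node in adj
        if node.startswith("User:") and shortest_path(adj, node, target) is not None
    )


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for hop in shortest_path(graph, "User:Bob", "Group:Domain Admins"):
        print(" -[%s]-> ".join([hop[0], hop[2]]) % hop[1])
    print("Users with a path to DA:", who_can_reach(graph, "Group:Domain Admins"))
```

Running it prints the four-hop Bob to Domain Admins route from the slide rather than the six-hop detour through PC1, and lists Bob, Helpdesk1 and Mary as the users who can reach DA at all. Swapping the target for another group or computer answers the "did you even need DA?" question from the Challenges slide.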
![Page 20: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/20.jpg)
Put Simply…
◇ Who is logged on where?
◇ Who has admin rights where?
◇ What users and groups belong to what groups?
![Page 21: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/21.jpg)
Stealthy Data Collection with PowerView
![Page 22: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/22.jpg)
“The best tool these days for understanding Windows networks is PowerView…”
Phineas Phisher, http://pastebin.com/raw/0SNSvyjJ
![Page 23: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/23.jpg)
PowerView
◇ A pure PowerShell v2.0+ domain/network situational awareness tool
◇ Collects the data that BloodHound is built on and doesn’t need elevated privileges for most collection methods!
![Page 24: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/24.jpg)
Who’s Logged in Where?
◇ Invoke-UserHunter, aka “user hunting”:
■ Get-NetSession: sessions with a remote machine
■ Get-NetLoggedOn/Get-LoggedOnLocal: who’s logged in on what machine
◇ -Stealth:
■ Enumerate commonly trafficked servers and query remote sessions for each
![Page 25: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/25.jpg)
Who Can Admin What?
◇ We can enumerate members of a local group on a remote machine, without admin privileges!
■ The WinNT service provider or NetLocalGroupMembers()
◇ PowerView:
■ Get-NetLocalGroup –ComputerName IP [-API]
![Page 26: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/26.jpg)
Who Can Admin What? GPO Edition
◇ GPOs can set local administrators
◇ GPOs are applied to OUs/Sites
■ correlation == local admin information through communication with only a DC!
◇ PowerView:
■ Find-GPOLocation
![Page 27: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/27.jpg)
Who’s in What Groups?
◇ Enumerate all groups and pull the members of each
◇ PowerView:
■ Get-NetGroup | Get-NetGroupMember
◇ That’s it!
![Page 28: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/28.jpg)
Bringing it All Together: The BloodHound Ingestor
Get-BloodHoundData automates gathering PowerView data for a domain
Export-BloodHoundData exports collected data to a neo4j batch REST API for ingestion
Export-BloodHoundCSV exports collected data to a series of CSVs for offline ingestion
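The three PowerView answers (sessions, local admins, group members) are flat lists until something turns them into edges. As an added example, not the ingestor from the talk, the Python below reads three CSV exports of that shape and produces the MemberOf/AdminTo/HasSession edge list plus parameterised Cypher MERGE statements for a neo4j database. The CSV column names (UserName, ComputerName, Weight; ComputerName, AccountName, AccountType; GroupName, AccountName, AccountType) and the sample rows are assumptions constructed for the example, not a documented Export-BloodHoundCSV layout. Object names go into query parameters rather than into the query text, because AD object names are attacker-influenced input and a name containing a quote must not be able to alter the Cypher.

```python
"""Offline ingestion of BloodHound-style CSV exports into graph edges (added example)."""
import csv
import io

# Constructed sample exports; column layout is an assumption for this example.
SESSIONS_CSV = """UserName,ComputerName,Weight
MARY@CORP.LOCAL,SERVER1.CORP.LOCAL,1
HELPDESK1@CORP.LOCAL,PC1.CORP.LOCAL,1
"""
LOCAL_ADMINS_CSV = """ComputerName,AccountName,AccountType
SERVER1.CORP.LOCAL,IT ADMINS@CORP.LOCAL,group
PC1.CORP.LOCAL,BOB@CORP.LOCAL,user
"""
GROUP_MEMBERS_CSV = """GroupName,AccountName,AccountType
IT ADMINS@CORP.LOCAL,BOB@CORP.LOCAL,user
DOMAIN ADMINS@CORP.LOCAL,MARY@CORP.LOCAL,user
DOMAIN ADMINS@CORP.LOCAL,O'BRIEN@CORP.LOCAL,user
"""

# Node labels are chosen from this fixed table, never from the CSV text itself.
LABELS = {"user": "User", "group": "Group", "computer": "Computer"}


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _label(account_type):
    label = LABELS.get(account_type.strip().lower())
    if label is None:
        raise ValueError(f"unknown AccountType {account_type!r}")
    return label


def parse_exports(sessions, local_admins, group_members):
    """Return a de-duplicated list of ((label, name), rel, (label, name)) edges."""
    edges, seen = [], set()

    def add(src, rel, dst):
        edge = (src, rel, dst)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)

    for r in _rows(sessions):
        # A session means that user's credentials are reachable from the host.
        add(("Computer", r["ComputerName"]), "HasSession", ("User", r["UserName"]))
    for r in _rows(local_admins):
        add((_label(r["AccountType"]), r["AccountName"]), "AdminTo",
            ("Computer", r["ComputerName"]))
    for r in _rows(group_members):
        add((_label(r["AccountType"]), r["AccountName"]), "MemberOf",
            ("Group", r["GroupName"]))
    return edges


def to_cypher(edges):
    """One (query, params) pair per edge.

    Labels and relationship types come only from fixed tables above, so they
    are safe to interpolate; names travel as $src/$dst parameters (current
    neo4j parameter syntax, assumed here), which keeps quotes in names inert.
    """
    statements = []
    for (src_label, src_name), rel, (dst_label, dst_name) in edges:
        query = (f"MERGE (a:{src_label} {{name: $src}}) "
                 f"MERGE (b:{dst_label} {{name: $dst}}) "
                 f"MERGE (a)-[:{rel}]->(b)")
        statements.append((query, {"src": src_name, "dst": dst_name}))
    return statements


if __name__ == "__main__":
    for query, params in to_cypher(parse_exports(SESSIONS_CSV, LOCAL_ADMINS_CSV, GROUP_MEMBERS_CSV)):
        print(query, params)
```

Each statement can be sent through any neo4j driver's parameterised execute call; the O'BRIEN row shows why the name never appears inside the query string.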
![Page 29: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/29.jpg)
BloodHound: Live demo!
![Page 30: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/30.jpg)
BloodHound
◇ Built with Linkurious.js
◇ Compiled with Electron
◇ Uses a neo4j graph database
◇ Fed by the custom PowerShell ingestor
![Page 31: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/31.jpg)
bit.ly/GetBloodHound
![Page 32: Six Degrees of Domain Admin - BloodHound at DEF CON 24](https://reader035.fdocuments.net/reader035/viewer/2022062412/5877a4e61a28ab826e8b5e6f/html5/thumbnails/32.jpg)
Thanks!
@_wald0 @CptJesus @harmj0y