The Travelling Pentester - Microsoft Israel R&D Center Kit/BlueHat IL Decks... · The Travelling...

Date post: 06-Apr-2018
The Travelling Pentester Diaries of the Shortest Path to Compromise
Transcript

The Travelling Pentester

Diaries of the Shortest Path to Compromise

About Me

I am Will Schroeder
Job: “Offensive Engineer” at Veris Group’s ATD
Co-Founder: Veil-Framework, PowerView, PowerUp, Empire/EmPyre, BloodHound
Trainer: Black Hat USA 2014-2017
Other: Microsoft PowerShell/CDM MVP
Twitter: @harmj0y

The Bloodhound Gang

Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: BloodHound, Python EmPyre
Presenter: BSides, Black Hat Arsenal, DEF CON
Trainer: Black Hat USA 2016-2017
Twitter: @CptJesus

Andy Robbins
Job: Pentest lead at Veris Group’s ATD
Tool creator/dev: BloodHound
Speaker: BSides, ISSA International, Black Hat Arsenal, DEF CON
Trainer: Black Hat USA 2016-2017
Twitter: @_wald0

tl;dr

Offensive Background

Our (Current) Ops

◇ “Assume breach” approach
◇ Lots of Active Directory and offensive PowerShell
◇ Defenses are getting better - we’ve had to evolve!

“Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”

Michael Hayden
Former Director of NSA & CIA

Microsoft Enterprise Cloud Red Teaming Whitepaper

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

John Lambert
GM, Microsoft Threat Intelligence Center

(Figure: attack graph with nodes Group: IT Admins, User: Bob, Computer: Server1, User: Mary, Group: Domain Admins, User: Alice)

BloodHound

◇ Automates the attack path analysis process
◇ Components:
  ■ PowerShell ingestor
  ■ neo4j backend
  ■ Cross-platform electron app front end
◇ Open source and BSD 3-clause licensed!

BloodHound Attack Graph Design

Vertices represent users, groups, computers, and domains.

Edges identify group memberships, admin rights, user sessions, and now ACL relationships.

Paths always lead toward escalating rights. Always.
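The graph model described on this slide, worked through as an added example (not code from the deck or from the BloodHound project): vertices are users, groups and computers, every edge points toward more rights, and a breadth-first search gives the shortest path from each principal to a high-value group. Read from the defender's side, the same search ranks which edges sit on the most paths and therefore which relationships to remove first. The EDGES list is constructed sample data modelled on the deck's figures, not data from a real domain.

```python
"""Shortest path to a high-value group over a BloodHound-style graph.

Added example, not the deck's or BloodHound's code. Vertex kinds and edge
types follow the Graph Design slide (group membership, admin rights, user
sessions, ACL relationships); EDGES is constructed sample data.
"""
from collections import Counter, deque

# (source, edge type, target): each edge points toward more rights
EDGES = [
    ("Bob", "MemberOf", "IT Admins"),
    ("IT Admins", "AdminTo", "Server1"),
    ("Server1", "HasSession", "Mary"),         # Mary's credentials are on Server1
    ("Mary", "MemberOf", "Domain Admins"),
    ("Alice", "ForceChangePassword", "Mary"),  # ACL edge on Mary's user object
    ("Exchange Admins", "AddMembers", "IT Admins"),
    ("Carol", "MemberOf", "Exchange Admins"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge type, neighbour)], every node present."""
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search; returns hops as (node, edge type, node), or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops, cur = [], goal
    while prev[cur] is not None:
        parent, kind = prev[cur]
        hops.append((parent, kind, cur))
        cur = parent
    return hops[::-1]


def paths_to(adj, goal):
    """Shortest path from every other principal to goal, shortest first."""
    found = {}
    for node in adj:
        if node != goal:
            path = shortest_path(adj, node, goal)
            if path:
                found[node] = path
    return dict(sorted(found.items(), key=lambda kv: (len(kv[1]), kv[0])))


def edge_cut_counts(paths):
    """Edges ranked by how many shortest paths cross them: fix these first."""
    counter = Counter(hop for path in paths.values() for hop in path)
    return counter.most_common()


if __name__ == "__main__":
    graph = build_graph(EDGES)
    paths = paths_to(graph, "Domain Admins")
    for start, path in paths.items():
        print(f"{start}: " + "; ".join(f"{a} -[{k}]-> {b}" for a, k, b in path))
    print(edge_cut_counts(paths)[:3])
```

On this sample every principal reaches Domain Admins and all seven shortest paths cross the single Mary → Domain Admins membership, with the Server1 session edge next; that ordering is the remediation queue the "lists versus graphs" quote is pointing at.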

Who’s Logged in Where? aka “user-hunting”

NetSessionEnum/NetWkstaUserEnum

(Figure: Attacker, DC)

Who’s Logged in Where? “Stealth” user-hunting

(Figure: Attacker, DC, File Server; NetSessionEnum sessions)

Who’s Logged in Where? Defenses

Who’s Logged in Where? Defenses

Who Can Admin What?

Who Can Admin What? PowerView

Who Can Admin What? Defenses

“Windows 10 had introduced an option to control the remote access to the SAM, through a specific registry value. On Windows Anniversary update (Windows 10 Version 16074) the default permissions were changed to allow remote access only to administrators.”

Who Can Admin What? GPO Edition

(Figure: Restricted Groups and Group Policy Preferences → Group Policy Object → OU/site/domain → contains → Server, Workstation → Local Admins)

Who’s in What Groups?

◇ Enumerate all groups and extract the members of each
◇ PowerView:
  ■ Get-DomainGroup | Get-DomainGroupMember
◇ BloodHound:
  ■ Just pulls the member attribute of all group objects

Active Directory DACLs

Previous DACL Work

https://www.sstic.org/media/SSTIC2014/SSTIC-actes/chemins_de_controle_active_directory/SSTIC2014-Slides-chemins_de_controle_active_directory-gras_bouillot.pdf

◇ Offline (ntds.dit) and some online DACL collection capabilities
◇ Backend neo4j database allows for control flow discovery
◇ Code released at https://github.com/ANSSI-FR/AD-control-paths

Previous DACL Work

Who Has Rights Over What Objects?

◇ By default, any user can enumerate all DACLs for all objects in the domain
  ■ Through .NET methods or by specifying ntsecuritydescriptor in the LDAP query props
◇ PowerView: Get-DomainObjectACL
◇ BloodHound enumerates just the control relationships we care about

(Figure: ACL graph with nodes Computer: Server1, User: Mary, User: Alice, Group: IT Admins; edge labels ForceChangePassword, GenericWrite, GenericAll, WriteDACL, WriteOwner, AllExtendedRights)

(Figure: ACL graph with nodes Computer: Server1, Group: Exchange Admins, User: Alice, Group: IT Admins; edge labels AddMembers, GenericWrite, GenericAll, WriteDACL, WriteOwner, AllExtendedRights)

BloodHound: Currently Collected ACLs

◇ Default Rights
  ■ GenericAll - ALL THE RIGHTS
  ■ GenericWrite - write all object properties
  ■ WriteDacl - modify the DACL for the object
  ■ WriteOwner - modify an object owner
  ■ WriteProperty Self-Membership/Script-Path – modify group membership/user script path
◇ Extended Rights
  ■ User-Force-Change-Password
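The rights listed above are bits in an ACE's access mask, plus (for WriteProperty and extended rights) a schema GUID in the ACE's object-type field that scopes the right to one attribute or one extended right. The classifier below is an added example, not code from the deck, BloodHound or PowerView: it maps an ACE to the control-relationship names used on the slides and ignores ACEs that only read, that are denies, or that scope WriteProperty to some unrelated attribute. An AD administrator can run the same logic over the DACLs returned by an LDAP query that requests ntsecuritydescriptor to get a review list of who controls what. The bit values are the documented ADS_RIGHTS_ENUM constants and the three GUIDs are the well-known schema GUIDs for the named right or attribute; the ACE records in SAMPLE_ACES are constructed, not collected from a real domain, and the all-zero GUID stands in for an unrelated attribute.

```python
"""Classify Active Directory ACEs by the control rights the deck lists.

Added example, not code from the deck or from BloodHound/PowerView. Bit
values are the documented ADS_RIGHTS_ENUM constants; the GUIDs are the
well-known schema GUIDs for the named right/attribute; SAMPLE_ACES is
constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# ADS_RIGHTS_ENUM access-mask bits relevant to object control
DS_SELF = 0x00000008            # ADS_RIGHT_DS_SELF (validated writes, e.g. Self-Membership)
DS_WRITE_PROP = 0x00000020      # ADS_RIGHT_DS_WRITE_PROP
DS_CONTROL_ACCESS = 0x00000100  # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
WRITE_DAC = 0x00040000          # ADS_RIGHT_WRITE_DAC
WRITE_OWNER = 0x00080000        # ADS_RIGHT_WRITE_OWNER
GENERIC_ALL = 0x10000000        # ADS_RIGHT_GENERIC_ALL
GENERIC_WRITE = 0x40000000      # ADS_RIGHT_GENERIC_WRITE

# Well-known schema GUIDs carried in the ObjectType field of object-specific ACEs
GUID_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"        # member attribute
GUID_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"        # DS-Replication-Get-Changes-All
UNRELATED_GUID = "00000000-0000-0000-0000-000000000001"              # placeholder for some other attribute


@dataclass
class Ace:
    principal: str                     # trustee, assumed already resolved from SID to a name
    target: str                        # object whose DACL holds the ACE
    access_mask: int
    object_type: Optional[str] = None  # None: the right applies to the whole object
    allow: bool = True                 # False for ACCESS_DENIED ACEs


def control_rights(ace: Ace) -> set:
    """Map one ACE to the control-relationship names used on the slide."""
    if not ace.allow:
        return set()                   # deny ACEs never grant control
    m = ace.access_mask
    if m & GENERIC_ALL:
        return {"GenericAll"}          # full control already implies every other right
    rights = set()
    if m & GENERIC_WRITE:
        rights.add("GenericWrite")
    if m & WRITE_DAC:
        rights.add("WriteDacl")
    if m & WRITE_OWNER:
        rights.add("WriteOwner")
    ot = (ace.object_type or "").lower()
    if m & DS_CONTROL_ACCESS:
        if not ot:
            rights.add("AllExtendedRights")   # no GUID: every extended right
        elif ot == GUID_FORCE_CHANGE_PASSWORD:
            rights.add("ForceChangePassword")
        elif ot == GUID_GET_CHANGES_ALL:
            rights.add("GetChangesAll")
    if m & (DS_WRITE_PROP | DS_SELF):
        if not ot:
            rights.add("GenericWrite")        # WriteProperty on all properties, treated like GenericWrite here
        elif ot == GUID_SELF_MEMBERSHIP:
            rights.add("AddMembers")
    # WriteProperty/ControlAccess scoped to any other GUID conveys no control
    return rights


def audit(aces):
    """Sorted (principal, right, target) triples that deserve review."""
    found = set()
    for ace in aces:
        for right in control_rights(ace):
            found.add((ace.principal, right, ace.target))
    return sorted(found)


READ_ONLY = 0x00020014   # READ_CONTROL | DS_READ_PROP | ACTRL_DS_LIST: harmless

SAMPLE_ACES = [   # constructed sample data modelled on the deck's figures
    Ace("IT Admins", "Server1", GENERIC_ALL),
    Ace("Alice", "Mary", DS_CONTROL_ACCESS, GUID_FORCE_CHANGE_PASSWORD),
    Ace("Exchange Admins", "IT Admins", DS_WRITE_PROP, GUID_SELF_MEMBERSHIP),
    Ace("Bob", "Server1", WRITE_DAC | WRITE_OWNER),
    Ace("Alice", "Server1", READ_ONLY),                          # read-only: dropped
    Ace("Helpdesk", "Mary", DS_WRITE_PROP, UNRELATED_GUID),      # other attribute: dropped
    Ace("Everyone", "Domain", DS_CONTROL_ACCESS, GUID_GET_CHANGES_ALL, allow=False),  # deny: dropped
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACES):
        print(row)
```

Two things worth noting when applying this to real descriptors: inheritance flags and the inherited-object-type GUID decide whether an ACE on an OU actually applies to the child objects below it, and a deny ACE earlier in the DACL can cancel an allow that this classifier would otherwise report, so the output is a review list rather than a proof of control.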

BloodHound: Future Collected ACLs

◇ DS-Replication-Get-Changes-All
◇ Modification rights to GPC-File-Sys-Path for GPOs
◇ “Kerberoastable” accounts
◇ Read rights to ms-MCS-AdmPwd

BloodHound: (Short) Demo

Case Studies (in Failure)

Details have been changed to protect the innocent ;)

Case #1

1. Service binary rotated the local admin passwords monthly
2. .NET coded, predictable algorithm based on the date and hostname, no salt
3. Pulled apart app, built weaponized code, had admin access to every gold image system
4. Performed the ‘credential shuffle’ by hand with PowerView, took about 2 weeks

Local Passwords Are Hard

Case #2

1. Kerberoasted 2 service accounts, allowing for access to a handful of systems
2. BloodHound analysis determined one user logged into one system we controlled had direct access to 5 systems, but derivative access to hundreds
3. Bonus: all user accounts had reversible encryption set
4. Elevated, hopped down the chain, DCSynced to recover ultimate target’s plaintext, grabbed the objective

Kerberos is Hard As Well

Case #3

1. VULNERABLE SERVICE on terminal-type machines, allowed elevation
2. All terminal servers had the same (and enabled) local admin account
3. No formal trust, but correlated similar accounts between the two accessible domains
4. Developed GPO correlation technique on the engagement to hop to 2 cross-network targets
5. Group Policy Preferences in cross-network target, allowed compromise to a handful of machines

GPP and GPOs and extra SIDs, Oh My

Case #3

6. Quick escalation to elevated domain rights
7. DCSynced to recover krbtgt of child domain
8. Hopped to child domain controller to build a Golden Ticket with extra SIDs
9. Injected and was able to hop up the trust and DCSync the corporate root domain

GPP and GPOs and extra SIDs, Oh My

Sniffing Out ACLs with BloodHound

Case #4

Sniffing Out ACLs with BloodHound

Case #4

How it Could Have Been Prevented

LAPS
https://technet.microsoft.com/en-us/mt227395.aspx

How it Could Have Been Prevented

https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access

How it Could Have Been Prevented

◇ Managed service accounts
◇ ATA
◇ SAMRi10 / NetCease
◇ Credential Guard
◇ Red Forest Architecture
◇ PowerUp
◇ GET RID OF GPP
◇ Separate forests to enforce trust
◇ Centralized logging/analysis
◇ Increased endpoint telemetry

How it Could Have Been Prevented

DACLs

¯\_(ツ)_/¯

How We Get Caught: Our Biggest Pain Points

PowerShell Logging

◇ INSTALL V5!

https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/

Endpoint Telemetry

◇ Command line logging is a huge pain
  ■ Many many attacker toolsets end up calling shell commands
◇ Mining things like process tree traces at scale can give enormous insight
◇ Windows Defender ATP, Sysmon, etc.
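What "mining process tree traces" looks like in practice, as an added example that is not tooling from the deck: process-creation events are linked by ParentProcessId into a tree, every shell launch is reported with its full ancestry, and one illustrative rule flags shells whose ancestry passes through a document handler. The records in EVENTS are constructed and only loosely modelled on the Sysmon Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine; the DOCUMENT_HANDLERS list and the rule itself are assumptions chosen for illustration, not rules the deck states.

```python
"""Process-tree ancestry from constructed process-creation events.

Added example, not tooling from the deck. EVENTS is constructed sample data
loosely modelled on Sysmon Event ID 1 fields; DOCUMENT_HANDLERS and the
"document handler spawns a shell" rule are assumptions for illustration.
"""
import ntpath

SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
DOCUMENT_HANDLERS = {"WINWORD.EXE", "EXCEL.EXE", "AcroRd32.exe"}   # assumed list

EVENTS = [   # constructed sample events, one per process creation
    {"ProcessId": 400, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 512, "ParentProcessId": 400,
     "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": 'WINWORD.EXE /n "invoice.docx"'},
    {"ProcessId": 620, "ParentProcessId": 512,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -NoProfile -File update.ps1"},
    {"ProcessId": 640, "ParentProcessId": 620,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File update.ps1"},
    {"ProcessId": 700, "ParentProcessId": 1,
     "Image": r"C:\Windows\System32\services.exe", "CommandLine": "services.exe"},
    {"ProcessId": 710, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 800, "ParentProcessId": 400,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def build_tree(events):
    """Index events by ProcessId (pids assumed unique within this sample)."""
    return {e["ProcessId"]: e for e in events}


def ancestry(tree, pid):
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:   # seen guards against pid-reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(tree[pid]["Image"]))
        pid = tree[pid]["ParentProcessId"]
    return chain[::-1]


def shell_launches(events):
    """Every shell start with its full ancestry, in event order."""
    tree = build_tree(events)
    return [(e["ProcessId"], ancestry(tree, e["ProcessId"]))
            for e in events if ntpath.basename(e["Image"]) in SHELL_IMAGES]


def suspicious_shells(events):
    """Shell pids whose ancestry passes through a document handler (assumed rule)."""
    return [pid for pid, chain in shell_launches(events)
            if any(img in DOCUMENT_HANDLERS for img in chain[:-1])]


if __name__ == "__main__":
    for pid, chain in shell_launches(EVENTS):
        print(pid, " > ".join(chain))
    print("review:", suspicious_shells(EVENTS))
```

The user's own cmd.exe under explorer.exe (pid 800) is reported but not flagged, while the cmd.exe and powershell.exe descending from WINWORD.EXE are; on real telemetry the command line, user and parent image give the analyst the rest of the context, which is exactly why the slide treats command-line logging as a pain point.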

Closing Thoughts

Thank You!

@harmj0y
will [at] harmj0y.net
blog.harmj0y.net