The Travelling Pentester: Diaries of the Shortest Path to Compromise

Page 1
The Travelling Pentester
Diaries of the Shortest Path to Compromise
Page 2
About Me
I am Will Schroeder
Job: “Offensive Engineer” at Veris Group’s ATD
Co-Founder: Veil-Framework, PowerView, PowerUp, Empire/EmPyre, BloodHound
Trainer: Black Hat USA 2014-2017
Other: Microsoft PowerShell/CDM MVP
Twitter: @harmj0y
Page 3
The Bloodhound Gang
Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: BloodHound, Python EmPyre
Presenter: BSides, Black Hat Arsenal, DEF CON
Trainer: Black Hat USA 2016-2017
Twitter: @CptJesus

Andy Robbins
Job: Pentest lead at Veris Group’s ATD
Tool creator/dev: BloodHound
Speaker: BSides, ISSA International, Black Hat Arsenal, DEF CON
Trainer: Black Hat USA 2016-2017
Twitter: @_wald0
Page 4
tl;dr
Page 5
Offensive Background
Page 6
Our (Current) Ops
◇ “Assume breach” approach
◇ Lots of Active Directory and offensive PowerShell
◇ Defenses are getting better - we’ve had to evolve!
Page 7
“Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”
Michael Hayden, Former Director of NSA & CIA
Microsoft Enterprise Cloud Red Teaming Whitepaper
Page 8
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
John Lambert, GM, Microsoft Threat Intelligence Center
Page 9
[Graph: User Bob MemberOf Group IT Admins; Group IT Admins AdminTo Computer Server1; Computer Server1 HasSession User Mary; User Mary MemberOf Group Domain Admins; User Alice with a Force-Reset-Password edge]
Page 10
BloodHound
◇ Automates the attack path analysis process
◇ Components:
  ■ PowerShell ingestor
  ■ neo4j backend
  ■ Cross-platform electron app front end
◇ Open source and BSD 3-clause licensed!
Page 11
BloodHound Attack Graph Design
Vertices represent users, groups, computers, and domains
Edges identify group memberships, admin rights, user sessions, and now ACL relationships
Paths always lead toward escalating rights. Always.
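The same graph model, worked from the auditing side as an added example (this is not BloodHound's own code, which runs such queries in neo4j): a directed graph with the relationship types above and a breadth-first shortest-path search that lists which users can reach Domain Admins and through which edges. The edges are constructed to mirror the graph on page 9; Alice's Force-Reset-Password target is an assumption, since the slide does not name it.

```python
from collections import deque

# Constructed edges mirroring the slide graph; each edge points toward
# escalating rights. Alice's target is an assumption (the slide does not name it).
EDGES = [
    ("User:Bob", "MemberOf", "Group:IT Admins"),
    ("Group:IT Admins", "AdminTo", "Computer:Server1"),
    ("Computer:Server1", "HasSession", "User:Mary"),
    ("User:Mary", "MemberOf", "Group:Domain Admins"),
    ("User:Alice", "ForceChangePassword", "User:Mary"),
]

def build_graph(edges):
    """Adjacency list: source -> [(relationship, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, goal):
    """BFS on the directed graph; returns [(src, rel, dst), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while prev[node] is not None:          # walk back from goal to start
        src, rel = prev[node]
        path.append((src, rel, node))
        node = src
    return path[::-1]

def users_reaching(graph, goal="Group:Domain Admins"):
    """Users with a path to goal -> shortest path, shortest first (the edges to review or cut)."""
    found = {}
    for node in graph:
        if node.startswith("User:"):
            path = shortest_path(graph, node, goal)
            if path:
                found[node] = path
    return dict(sorted(found.items(), key=lambda kv: len(kv[1])))
```

Because every edge points toward more rights, any path found is a real escalation chain; removing one edge on a path (a lingering session, a local admin right, an ACL) breaks it for every user whose shortest path runs through it.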
Page 12
Who’s Logged in Where? aka “user-hunting”
[Diagram: the Attacker performs LDAP computer enumeration against the DC, then NetSessionEnum/NetWkstaUserEnum against each enumerated computer]
Page 13
Who’s Logged in Where? “Stealth” user-hunting
[Diagram: the Attacker performs LDAP enumeration against the DC, then NetSessionEnum against the FileServer only, which returns the sessions]
Page 14
Who’s Logged in Where? Defenses
Page 15
Who’s Logged in Where? Defenses
Page 16
Who Can Admin What?
Page 17
Who Can Admin What? PowerView
Page 18
Who Can Admin What? Defenses
“Windows 10 had introduced an option to control the remote access to the SAM, through a specific registry value. On Windows Anniversary update (Windows 10 Version 16074) the default permissions were changed to allow remote access only to administrators.”
Page 19
Who Can Admin What? GPO Edition
[Diagram: Restricted Groups and Group Policy Preferences are Defined In a Group Policy Object, which is Linked To an OU/site/domain that Contains Servers and Workstations, whose Local Admins are Set By those settings]
Page 20
Who’s in What Groups?
◇ Enumerate all groups and extract the members of each
◇ PowerView:
  ■ Get-DomainGroup | Get-DomainGroupMember
◇ BloodHound:
  ■ Just pulls the member attribute for all group objects
Page 21
Active Directory DACLs
Page 22
Previous DACL Work
https://www.sstic.org/media/SSTIC2014/SSTIC-actes/chemins_de_controle_active_directory/SSTIC2014-Slides-chemins_de_controle_active_directory-gras_bouillot.pdf
Page 23
Previous DACL Work
◇ Offline (ntds.dit) and some online DACL collection capabilities
◇ Backend neo4j database allows for control flow discovery
◇ Code released at https://github.com/ANSSI-FR/AD-control-paths
Page 24
Who Has Rights Over What Objects?
◇ By default, any user can enumerate all DACLs for all objects in the domain
  ■ Through .NET methods or by specifying ntsecuritydescriptor in the LDAP query props
◇ PowerView: Get-DomainObjectACL
◇ BloodHound enumerates just the control relationships we care about
Page 25
[Graph: ACL edges between Computer Server1, User Mary, User Alice and Group IT Admins, labelled ForceChangePassword, GenericWrite, GenericAll, WriteDACL, WriteOwner and AllExtendedRights]
Page 26
[Graph: ACL edges between Computer Server1, Group Exchange Admins, User Alice and Group IT Admins, labelled AddMembers, GenericWrite, GenericAll, WriteDACL, WriteOwner and AllExtendedRights]
Page 27
BloodHound: Currently Collected ACLs
◇ Default Rights
  ■ GenericAll - ALL THE RIGHTS
  ■ GenericWrite - write all object properties
  ■ WriteDacl - modify the DACL for the object
  ■ WriteOwner - modify an object owner
  ■ WriteProperty Self-Membership/Script-Path – modify group membership/user script path
◇ Extended Rights
  ■ User-Force-Change-Password
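How an ACE turns into one of the edges listed above, as an added example that is not BloodHound's ingestor code: decode an allow ACE's access mask and object-type GUID into the control edge it grants (Self-Membership is a write to the member attribute, User-Force-Change-Password an extended right), then keep only edges held by principals outside the set a defender expects to have them. The access-mask bits and right GUIDs are the published Active Directory values; the ACE tuples, principal names and EXPECTED set are constructed for the example.

```python
# Access-mask bits (ADS_RIGHTS_ENUM) and well-known right/attribute GUIDs behind the
# edges listed above. Generic bits are taken as-is; a real collector must also handle
# .NET-style expanded masks and deny/inherited ACEs.
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
WRITE_PROP, SELF_WRITE, CONTROL_ACCESS = 0x20, 0x08, 0x100
GUID_ANY = "00000000-0000-0000-0000-000000000000"        # unscoped: all rights
GUID_FORCE_PWD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"     # member attr (Self-Membership)

def classify_ace(mask, object_type=GUID_ANY):
    """Map one allow ACE to the BloodHound-style control edges it grants."""
    guid = object_type.lower()
    if mask & GENERIC_ALL:
        return {"GenericAll"}              # implies every other right
    edges = set()
    if mask & GENERIC_WRITE:
        edges.add("GenericWrite")
    if mask & WRITE_DAC:
        edges.add("WriteDacl")
    if mask & WRITE_OWNER:
        edges.add("WriteOwner")
    if mask & (WRITE_PROP | SELF_WRITE):   # property write, maybe attribute-scoped
        edges.add({GUID_ANY: "GenericWrite", GUID_MEMBER: "AddMembers"}
                  .get(guid, "WriteProperty:" + guid))
    if mask & CONTROL_ACCESS:              # extended right, maybe right-scoped
        edges.add({GUID_ANY: "AllExtendedRights", GUID_FORCE_PWD: "ForceChangePassword"}
                  .get(guid, "ExtendedRight:" + guid))
    return edges

# Principals expected to hold control over privileged objects (constructed list).
EXPECTED = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}

def unexpected_control(aces):
    """(principal, target, mask, guid) tuples -> control edges held outside EXPECTED."""
    findings = []
    for principal, target, mask, guid in aces:
        edges = classify_ace(mask, guid)
        if edges and principal not in EXPECTED:
            findings.append((principal, target, sorted(edges)))
    return findings

# Constructed sample ACEs mirroring the slide graphs (illustrative names).
SAMPLE_ACES = [
    ("Domain Admins", "Group:IT Admins", GENERIC_ALL, GUID_ANY),
    ("Alice", "User:Mary", CONTROL_ACCESS, GUID_FORCE_PWD),
    ("Exchange Admins", "Group:IT Admins", WRITE_PROP, GUID_MEMBER),
    ("Bob", "Group:IT Admins", WRITE_DAC | WRITE_OWNER, GUID_ANY),
    ("Helpdesk", "User:Alice", 0x10, GUID_ANY),   # read property only: no edge
]
```

Read rights (the Helpdesk entry) produce no edge, which is why a DACL review should focus on the write, owner, DACL and extended-right bits rather than on ACE counts.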
Page 28
BloodHound: Future Collected ACLs
◇ DS-Replication-Get-Changes-All
◇ Modification rights to GPC-File-Sys-Path for GPOs
◇ “Kerberoastable” accounts
◇ Read rights to ms-MCS-AdmPwd
Page 29
BloodHound (Short) Demo
Page 30
Case Studies (in Failure)
Details have been changed to protect the innocent ;)
Page 31
Case #1
Local Passwords Are Hard
1. Service binary rotated the local admin passwords monthly
2. .NET coded, predictable algorithm based on the date and hostname, no salt
3. Pulled apart app, built weaponized code, had admin access to every gold image system
4. Performed the ‘credential shuffle’ by hand with PowerView, took about 2 weeks
Page 32
Case #2
Kerberos is Hard As Well
1. Kerberoasted 2 service accounts, allowing for access to a handful of systems
2. BloodHound analysis determined one user logged into one system we controlled had direct access to 5 systems, but derivative access to hundreds
3. Bonus: all user accounts had reversible encryption set
4. Elevated, hopped down the chain, DCSynced to recover ultimate target’s plaintext, grabbed the objective
Page 33
Case #3
GPP and GPOs and extra SIDs, Oh My
1. VULNERABLE SERVICE on terminal-type machines, allowed elevation
2. All terminal servers had the same (and enabled) local admin account
3. No formal trust, but correlated similar accounts between the two accessible domains
4. Developed GPO correlation technique on the engagement to hop to 2 cross-network targets
5. Group Policy Preferences in cross-network target, allowed compromise to a handful of machines
Page 34
Case #3
GPP and GPOs and extra SIDs, Oh My
6. Quick escalation to elevated domain rights
7. DCSynced to recover krbtgt of child domain
8. Hopped to child domain controller to build a Golden Ticket with extra SIDs
9. Injected and was able to hop up the trust and DCSync the corporate root domain
Page 35
Sniffing Out ACLs with BloodHound (Case #4)
Page 36
Sniffing Out ACLs with BloodHound (Case #4)
Page 37
How it Could Have Been Prevented
LAPS: https://technet.microsoft.com/en-us/mt227395.aspx
Page 38
How it Could Have Been Prevented
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access
Page 39
How it Could Have Been Prevented
◇ Managed service accounts
◇ ATA
◇ SAMRi10 / NetCease
◇ Credential Guard
◇ Red Forest Architecture
◇ PowerUp
◇ GET RID OF GPP
◇ Separate forests to enforce trust
◇ Centralized logging/analysis
◇ Increased endpoint telemetry
Page 40
How it Could Have Been Prevented: DACLs
¯\_( ツ )_/¯
Page 41
How We Get Caught: Our Biggest Pain Points
Page 42
PowerShell Logging
◇ INSTALL V5!
https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
Page 43
Endpoint Telemetry
◇ Command line logging is a huge pain
  ■ Many many attacker toolsets end up calling shell commands
◇ Mining things like process tree traces at scale can give enormous insight
◇ Windows Defender ATP, Sysmon, etc.
Page 44
Closing Thoughts
Page 45
Thank You!
@harmj0y
will [at] harmj0y.net
blog.harmj0y.net