Trusts You Might Have Missed - 44con
Uploaded by will-schroeder
Trusts You Might Have Missed
@harmj0y
Co-founder of Empire/EmPyre, PowerTools, Veil-Framework
PowerSploit/BloodHound developer
Microsoft PowerShell MVP
tl;dr
⊙ Red Teaming
⊙ Active Directory and Trusts 101
⊙ Old vs New School Enumeration
⊙ Abusing Trusts
⊙ BloodHound
⊙ Mimikatz and Trusts
⊙ Demo
1 “Red Teaming”
Bridging the Gap
Red Teaming
⊙ Red teaming means different things to different people
  ○ common thread of increased time frame and more permissive scope
⊙ We tend towards longer running, remote network operations with a focus on Windows
“Fundamentally, if somebody wants to get in, they're getting in... Accept that... What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you're almost certainly penetrated.”
Michael Hayden, Former Director of CIA & NSA
Nothing New?
⊙ Domain trusts have existed for years, and red teams have been abusing them just as long
  ○ Techniques are public but not as well known as they should be
⊙ Possible through multiple means, “offense in depth”
  ○ VBScript, PowerShell, native tools
2 Domain Trusts
A Quick Refresher
Active Directory Overview
⊙ Multiple levels
  ○ Domain: logical group of network objects (computers, users, etc.)
  ○ Trees: collection of domains
  ○ Forests: collection of trees
⊙ Used to authenticate and authorize users and computers on a network
⊙ The domain is not the trust boundary, the forest is!!!
Trusts 101
⊙ Trusts allow domains to form inter-connected relationships
  ○ A trust just links up the authentication systems of two domains and allows authentication traffic to flow between them
  ○ Done by exchanging an “inter-realm trust key” that can relay Kerberos traffic
⊙ Forests can also establish trust relationships
  ○ ex. all domains in Forest A will trust domains in Forest B
Trusts 201
⊙ Communications in the trust work via a system of referrals:
  ○ If the SPN being requested resides outside of the primary domain, the DC issues a referral to the forest KDC (or trusted domain KDC) to receive a ticket
  ○ Access is passed around w/ inter-realm TGTs signed by the inter-realm key
⊙ Multiple configuration topologies are available that determine the behavior of the trusts
Kerberos and Domain Trusts
http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx
Trust Direction
Trust Types
⊙ Trusts come in a few varieties:
  ○ One way: one domain trusts the other
  ○ Two way: both domains trust each other
  ○ Transitive: domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C
⊙ A child domain retains an implicit two-way transitive trust with its parent
  ○ http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
Who Cares?
⊙ Why does this matter?
⊙ Trusts can introduce unintentional avenues of access into a target
⊙ Enterprise Admin = pwnership over everything below
  ○ but at a minimum trusts let you query AD information for a foreign domain!
3 Trust Enumeration
Old School vs. New
nltest.exe and adfind.exe
PowerView
⊙ A pure PowerShell domain/network situational awareness tool
  ○ think dsquery on steroids... and cocaine
⊙ Built to automate large components of our tradecraft used to facilitate red team engagements
⊙ Now integrated into PowerSploit
  ○ everything is PS v2.0 compliant
PowerView: Enumerating Trusts
⊙ Get-NetForest: information about the current domain forest
⊙ Get-NetForestDomain: enumerate all domains in the current forest
⊙ Get-NetDomainTrust: find all current domain trusts, à la nltest
⊙ Get-NetForestTrust: grab all forest trusts
PowerView: Using Trusts
⊙ If a trust exists, most functions in PowerView can accept a -Domain <name> flag to operate across a trust:
  ○ Get-NetDomainController, Get-NetUser, Get-NetComputer, Get-NetGroup, Get-NetGroupMember, Get-NetFileServer, Invoke-UserHunter, etc.
PowerView: Mapping Trusts
⊙ PowerView also has a function to map all reachable domain trusts:
  ○ Invoke-MapDomainTrust
⊙ Finds all domain trusts for the current domain, enumerates all trusts for each domain it finds, and so on
  ○ can dump out a nice .csv of all current trust relationships
Trust Mappings
Processing Raw Data
⊙ Raw trust mappings are digestible for small domains
  ○ But the complexity can explode for really large environments
⊙ Data means nothing if you can’t interpret it usefully
⊙ @sixdub’s DomainTrustExplorer can transform CSV output to graphml
Trust Visualization
4 Abusing Domain Trusts
The Path to Pwnership
A Trust Attack Strategy
1. Map the trusts and their types (intra-forest or otherwise) reachable from your current domain
2. Enumerate users/groups from one domain that have access to resources in other domains
  a. uncovering the hidden ‘trust mesh’ of accesses that administrators have set up
3. Selectively compromise specific target accounts in order to hop across the trust boundary
Abusing Trusts With PowerView
⊙ To enumerate users who are in groups outside of the user’s primary domain (i.e. across trusts):
  ○ Find-ForeignUser -Domain <domain>
  ○ This is a domain’s “outgoing” access
⊙ To enumerate groups with users outside of the group’s primary domain:
  ○ Find-ForeignGroup -Domain <domain>
  ○ This is the “incoming” access to a domain
⊙ Lots of Get-NetLocalGroup
5 BloodHound
BloodHound Overview
⊙ Automates AD attack path finding
⊙ A graphing front end built on neo4j with a customized version of PowerView as the data collector
  ○ Export as CSV or input directly into the neo4j RESTful API
⊙ Released at DEF CON 24
  ○ http://bit.ly/getbloodhound
BloodHound Path Finding
BloodHound and Domain Trusts
⊙ Domains are represented in the schema only for visualizing their relationships à la DomainTrustExplorer
⊙ The normal schema just has user@domain1.local and machine.domain2.local
  ○ This lets us easily find cross-domain paths without having to specifically model domains in the schema
BloodHound Visualizing Trusts
BloodHound Hopping Trusts
BloodHound Foreign Users/Groups
6 Mimikatz and Trusts
Thanks @gentilkiwi and @pyrotek3!
Mimikatz and Trust Keys
⊙ “The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets”*
  ○ Mimikatz can extract these trust keys from domain controllers participating in the trust
⊙ These keys can be used to create “golden” trust referral tickets for the krbtgt service, with a trusting domain as the target
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx
Even Crazier...
⊙ Mimikatz can now include extra account SIDs from other domains when it constructs a Golden Ticket
  ○ with the /sids flag
⊙ If you get the krbtgt hash of a domain controller of a child domain in a forest, you can set the SID history to be “Enterprise Admins” of the parent domain
  ○ This allows you to compromise the forest root!
The Trustpocalypse
If you compromise one domain controller of a child domain in a forest, you can compromise the entire forest!
Advice From @gentilkiwi
Caveat: SID Filtering
⊙ If SID filtering is enabled, DCs in a trusting domain remove SIDs that aren’t contained in the trusted domain
  ○ Applies to SIDHistory!
⊙ This prevents the malicious SIDHistory Mimikatz attack
⊙ Enabled by default for external/inter-forest trusts
Caveat: Quarantined Within Forest
⊙ Parent-child trusts can be marked as ‘quarantined’
⊙ This will filter out all SIDs, EXCEPT the “Enterprise Domain Controllers” SID (S-1-5-9) ;)
⊙ This means it’s still possible to craft a Golden Ticket in such a way to hop up the trust!
Demo Setup
⊙ Say we land on a machine in the dev.testlab.local domain
⊙ We want to compromise the external.local forest
⊙ We’ll do this by abusing trust relationships to hop to testlab.local and then external.local
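The trust-map processing from the "Mapping Trusts" and "Processing Raw Data" slides and the demo hop path above, as an added Python example that is not part of the deck, PowerView or DomainTrustExplorer: it reads a trust CSV in the shape Invoke-MapDomainTrust exports (the column names are an assumption), builds edges in the direction principals can authenticate, and finds the hop path from a foothold domain to a target, marking hops that cross a forest boundary where SID filtering applies by default. The rows below are constructed to mirror the demo environment, so an administrator can see which domains a compromised child domain can reach and which hops SID filtering protects.

```python
import csv
import io
from collections import deque

# Constructed sample in the shape of an Invoke-MapDomainTrust CSV export
# (column names are an assumption; adjust them to your own export).
TRUST_CSV = """SourceName,TargetName,TrustType,TrustDirection
dev.testlab.local,testlab.local,ParentChild,Bidirectional
testlab.local,dev.testlab.local,ParentChild,Bidirectional
testlab.local,external.local,External,Bidirectional
external.local,testlab.local,External,Bidirectional
testlab.local,partner.local,External,Outbound
"""

# Trust types that stay inside one forest; any other hop crosses a
# forest boundary, where SID filtering is on by default.
INTRA_FOREST = {"ParentChild", "TreeRoot", "CrossLink"}


def access_graph(csv_text):
    """Map domain -> {reachable domain: trust type}.

    'Outbound' from Source means Source trusts Target, so Target's
    principals can authenticate to Source: edge Target -> Source.
    'Inbound' is the reverse; 'Bidirectional' adds both edges."""
    graph = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["SourceName"].lower(), row["TargetName"].lower()
        ttype, direction = row["TrustType"], row["TrustDirection"]
        if direction in ("Outbound", "Bidirectional"):
            graph.setdefault(dst, {})[src] = ttype
        if direction in ("Inbound", "Bidirectional"):
            graph.setdefault(src, {})[dst] = ttype
    return graph


def trust_path(csv_text, foothold, target):
    """Shortest hop list from foothold to target, or None if unreachable.
    Each hop is (domain, trust_type, crosses_forest_boundary)."""
    graph, target = access_graph(csv_text), target.lower()
    queue = deque([(foothold.lower(), [])])
    seen = {foothold.lower()}
    while queue:  # breadth-first search over the access edges
        node, path = queue.popleft()
        if node == target:
            return path
        for nxt, ttype in graph.get(node, {}).items():
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, ttype, ttype not in INTRA_FOREST)]))
    return None
```

Feed it the real export to list every domain reachable from a given child domain; hops flagged True are the ones SID filtering blocks unless the trust has been weakened.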
Demo
Credits
Special thanks to:
⊙ @_wald0
⊙ @CptJesus
⊙ @sixdub
⊙ @gentilkiwi
⊙ @pyrotek3
Thanks! Any questions?
@harmj0y
will [at] harmj0y.net
http://blog.harmj0y.net/