Trusts You Might Have Missed
Transcript of Trusts You Might Have Missed
@harmj0y
● Security researcher and red teamer for the Adaptive Threat Division of Veris Group
● Co-founder of the Veil-Framework and Veil’s PowerTools
● Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides
@sixdub
● Pentester and red teamer for the Adaptive Threat Division of Veris Group
● Lots of interest: red team ops, reverse engineering, adversarial tactics, etc
● Developer on the Veil-Framework and co-founder of Veil’s PowerTools
tl;dr
● Red Team Operations
● Active Directory 101
● Domain Trusts 101
● So what?
● Back to the Old School
● New School Enumeration
● Visualizing Trusts
● Abusing Trusts
● Demo
● On The Horizon
Red Teaming
● Red teaming means different things to different people
o physical ops, in-depth social engineering, custom exploit dev, pure network based operations, etc.
● Common thread of increased time frame and more permissive scope
● Red Team Operations - military concept of adversarial thinking that evolved into adversary emulation
“Assume Breach” Mentality
● With the rash of recent major incidents, organizations have started to realize that they’re probably already owned
● You’re not going to stop the bad guys from getting in the front door
● Companies need to implement an “assume breach” way of thinking
Nothing New?
● Domain trusts have existed for years, and red teams have been abusing them just as long
● While these techniques are public, they’re not as well known as they should be
● Most of what we’re going to talk about is possible through multiple means:
o VBScript, PowerShell, native tools
o Good to have alternative ways to accomplish the same goal
Base Overview
● Multiple levels
o Domain - Logical group of network objects (computers, users, etc.) sharing one directory partition and one set of DCs
o Trees - Collection of domains in a contiguous DNS namespace
o Forests - Collection of trees sharing a schema, configuration and global catalog; the forest, not the domain, is the real security boundary
● Used to authenticate and authorize users and computers on a network
o Also provides security policies, centralized management, and other rich features
Not So Basic Overview: NTLM
https://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_ntlmauthentication
Not So Basic Overview: Kerberos
http://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_kerberosauthentication
Active Directory Trusts 101
● Trusts allow separate domains to form a relationship
o Allows for the possibility of access to objects between domains. Authentication linkage!
o Allows you to use objects from a remote domain, aka users from Domain A can be in groups of Domain B
● Forests can also establish trust relationships
o ex. All domains in Forest A will trust domains in Forest B
Active Directory Trusts 201
● Communications across a trust work via a system of referrals
o If the SPN being requested does not live in the client's own domain, its DC issues a referral toward the KDC of the trusted domain (walking the trust path through the forest root where needed) so the client can obtain a ticket there
o Access is passed along the path with inter-realm TGTs, which are encrypted with the key shared between the two trust partners
● Multiple configuration topologies are available that determine the behavior of the trusts
o All a matter of design…
Trust Direction
http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx
Trust Types
● Trusts come in a few varieties:
o One way - Only one domain trusts the other (if A trusts B, principals from B can be granted access to resources in A, not the other way round)
o Two way - Both domains trust each other
o Transitive - Domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C
● A child domain automatically gets a two-way transitive trust with its parent (and each tree root with the forest root), so every domain in a forest implicitly trusts every other domain in it
● Lots more information at http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
So What?
● Why does this matter?
● Red teams often compromise accounts/machines in a domain that's trusted by their actual target, allowing them to exploit these existing trust relationships to achieve their end goal
● And Enterprise Admin = pwnership over everything below
Old School Enumeration
● Netdom (from servers only):
o netdom query trust
● Adfind to enumerate trusts in other domains:
New School Enumeration
● PowerShell: Microsoft’s handy “post-exploitation language” :)
● Essentially a command-line wrapper for .NET with full access to the framework
● Contains various Active Directory hooks that make enumeration much easier and more flexible than before
● To enumerate all domains in the forest:
o ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Domains
● To enumerate all trust relationships for the current domain:
o ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
Trust Enumeration with PowerShell
Using Trusts With PowerShell
● A lot of the ADSI-based native PowerShell AD functionality can easily operate on domains to which there's an existing trust:
o finding domain controllers, querying users, enumerating domain groups, finding domain machines, etc.
● All across trust boundaries with little extra effort, using these enumerated domain contexts
PowerView
● Think dsquery on steroids... and cocaine
● First started because a client banned “net” commands on domain machines
● Otherwise initially inspired by Rob Fuller’s netview.exe tool
o Wanted something more flexible that also didn’t drop a binary to disk
PowerView: Enumerating Trusts
● PowerView has several new functions that allow you to enumerate any existing domain/forest trust relationships:
o Get-NetForest: information about the current domain forest
o Get-NetForestTrusts: grab all forest trusts
o Get-NetForestDomains: enumerate all domains in the current forest
o Get-NetDomainTrusts: find all current domain trusts, à la nltest
PowerView: Trust Mapping w/ LDAP!
● Sometimes the trust “enclave” is more protected, and mass enumeration across a boundary can seem strange
o Also, your workstation might not be able to directly contact the DC of a trusted/trusting domain
● Get-NetDomainTrustsLDAP - Utilizes LDAP queries only to enumerate trusts
o Slightly less accurate… but blends better!
o And these LDAP queries can be bounced through your primary DC!
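The LDAP-only approach works because every trust a domain participates in is stored as a trustedDomain object in that domain's System container. The following is an added example, not PowerView's Get-NetDomainTrustsLDAP, showing how to pull those objects with a plain DirectorySearcher and decode the raw trustDirection / trustType / trustAttributes integers; the function name, the -Domain parameter and the output columns are our own choices. It assumes the host can bind to a DC of the queried domain (the current domain by default). Direction is from the queried domain's point of view: Inbound means the partner trusts this domain, Outbound means this domain trusts the partner.

```powershell
# Added example, not PowerView's code: enumerate a domain's trusts from its
# trustedDomain objects over LDAP only and decode the raw attribute values.
# Assumes the host can bind to a DC of the queried domain (current domain by default).

$TrustDirection = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustType      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }
$TrustAttribute = [ordered]@{
    0x0001 = 'NON_TRANSITIVE'
    0x0002 = 'UPLEVEL_ONLY'
    0x0004 = 'QUARANTINED_DOMAIN'          # SID filtering enforced on this trust
    0x0008 = 'FOREST_TRANSITIVE'
    0x0010 = 'CROSS_ORGANIZATION'          # selective authentication
    0x0020 = 'WITHIN_FOREST'
    0x0040 = 'TREAT_AS_EXTERNAL'
    0x0080 = 'USES_RC4_ENCRYPTION'
    0x0200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x0400 = 'PIM_TRUST'
}

function Get-DomainTrustLDAP {
    param([string]$Domain)   # DNS name of the domain to query; empty = current domain

    $prefix = if ($Domain) { "LDAP://$Domain/" } else { 'LDAP://' }
    $base   = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext

    # trustedDomain objects live in the System container of the domain naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"${prefix}CN=System,$base"
    $searcher.Filter     = '(objectClass=trustedDomain)'
    $searcher.PageSize   = 200
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'trustpartner','flatname','trustdirection','trusttype','trustattributes','whenchanged'))

    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties['trustattributes'][0]
        $flags = foreach ($bit in $TrustAttribute.Keys) { if ($attrs -band $bit) { $TrustAttribute[$bit] } }
        [PSCustomObject]@{
            SourceDomain    = ($base -replace ',?DC=', '.').TrimStart('.')   # DC=a,DC=b -> a.b
            TargetDomain    = [string]$r.Properties['trustpartner'][0]
            NetBIOSName     = [string]$r.Properties['flatname'][0]
            TrustDirection  = $TrustDirection[[int]$r.Properties['trustdirection'][0]]
            TrustType       = $TrustType[[int]$r.Properties['trusttype'][0]]
            TrustAttributes = ($flags -join ',')
            SidFiltering    = [bool]($attrs -band 0x4)   # the one flag that decides whether SID history survives the hop
            WhenChanged     = $r.Properties['whenchanged'][0]
        }
    }
}

# Usage: trusts of the current domain, or of any domain whose DC you can reach
Get-DomainTrustLDAP | Format-Table -AutoSize
Get-DomainTrustLDAP -Domain 'testlab.local' | Format-Table -AutoSize
```

The "slightly less accurate" caveat from the slide applies: the object records the trust as configured, not whether its secure channel currently works, and the searcher only ever sees the trusts of the one domain it is pointed at. The trustAttributes bits are worth keeping because QUARANTINED_DOMAIN (SID filtering) and CROSS_ORGANIZATION (selective authentication) decide how far the abuse described later in this talk will get.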
PowerView: Using Trusts
● If a trust exists, most functions in PowerView can now accept a -Domain <name> flag to operate across a trust:
o Get-NetDomainControllers, Get-NetUsers, Get-NetUser, Get-NetComputers, Get-NetGroups, Get-NetGroup, Get-NetFileServers, Get-UserProperties, Invoke-UserFieldSearch, Invoke-Netview, Invoke-UserHunter, etc.
Mapping Domain Trusts
● PowerView also has a function to map all reachable domain trusts:
o Invoke-MapDomainTrusts
o Invoke-MapDomainTrustsLDAP
● Finds all domain trusts for the current domain, then tries to enumerate all trusts for each domain it finds, and so on
● Can dump out a nice .csv of all current trust relationships
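The mapping just described, and the two one-liners on the "New School Enumeration" slide, are all built on the same .NET API. Here is an added example, not PowerView's Invoke-MapDomainTrusts itself, that does the walk in about thirty lines: enumerate the current domain's trusts with GetAllTrustRelationships(), queue every partner domain, and keep going breadth-first until nothing new turns up, emitting one object per edge. The function names are ours. It assumes a domain-joined host; partner domains whose DCs refuse to answer (the usual case for a one-way trust) produce a warning and are skipped rather than stopping the walk.

```powershell
# Added example, not PowerView's code: recursive domain trust mapping with the
# .NET System.DirectoryServices.ActiveDirectory API. Assumes a domain-joined host.

function Get-TrustEdge {
    # Returns one object per trust relationship of the named domain.
    param([Parameter(Mandatory=$true)][string]$DomainName)
    try {
        $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        foreach ($t in $domain.GetAllTrustRelationships()) {
            [PSCustomObject]@{
                SourceName     = $t.SourceName
                TargetName     = $t.TargetName
                TrustType      = [string]$t.TrustType       # ParentChild, TreeRoot, Shortcut, External, Forest, Kerberos, Unknown
                TrustDirection = [string]$t.TrustDirection  # Inbound, Outbound, Bidirectional, seen from SourceName
            }
        }
    } catch {
        # Typical for a one-way trust whose DCs will not talk to us: note it and move on.
        Write-Warning "Could not enumerate trusts for '$DomainName': $($_.Exception.Message)"
    }
}

function Invoke-MapTrustEdges {
    # Breadth-first walk over every domain reachable through trusts, starting from the current domain.
    $start = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($start)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if ($seen.ContainsKey($current.ToLower())) { continue }
        $seen[$current.ToLower()] = $true
        foreach ($edge in Get-TrustEdge -DomainName $current) {
            $edge   # emit the edge to the pipeline
            if (-not $seen.ContainsKey($edge.TargetName.ToLower())) { $queue.Enqueue($edge.TargetName) }
        }
    }
}

# Usage: dump the whole reachable trust graph as CSV, one row per edge
Invoke-MapTrustEdges | Export-Csv -NoTypeInformation -Path .\trusts.csv
```

Every hop in this walk is a DsGetDcName/LDAP/RPC conversation with the partner domain's DCs, which is exactly the cross-boundary noise the previous slide warns about; when that matters, the LDAP-only variant is the quieter choice.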
Motivations
● Many networks only have a few domains and associated trusts
● While this raw data from PowerView is useful, it can become onerous for networks with many domains
o Think dozens+, all interconnected
● Data means nothing if you can’t interpret it usefully
Nodal Analysis
● Concept of applying network and graph theory techniques to identify relevant and useful data
o Centrality
o Shortest Path
o Isolated Nodes
● DomainTrustExplorer!
o Used to rapidly triage large networks with a spaghetti mess of trusts
o https://github.com/sixdub/DomainTrustExplorer
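To make the three graph measures concrete, here is an added example, not DomainTrustExplorer's code, that runs them over a trust edge list of the shape Invoke-MapDomainTrusts exports. The CSV and the domain names in it are constructed for illustration. The one modelling decision that matters is direction: a trust edge "A trusts B" is turned into an access edge B -> A, because principals from B can be granted access in A and not vice versa. Shortest path is then a breadth-first search from the domain you hold to the one you want, centrality is simply degree, and isolated nodes are domains you know about (seeded from a separate list) that no trust edge touches.

```powershell
# Added example, not DomainTrustExplorer's code: nodal analysis over a trust edge list.
# Edge list and domain list below are constructed for illustration.

$csv = @'
SourceName,TargetName,TrustType,TrustDirection
dev.testlab.local,testlab.local,ParentChild,Bidirectional
testlab.local,dev.testlab.local,ParentChild,Bidirectional
testlab.local,prod.testlab.local,ParentChild,Bidirectional
prod.testlab.local,testlab.local,ParentChild,Bidirectional
prod.testlab.local,vendor.external,External,Outbound
'@
$edges = $csv | ConvertFrom-Csv
# domains we know exist from some other source (inventory, forest enumeration); one has no trusts at all
$knownDomains = @('dev.testlab.local','testlab.local','prod.testlab.local','vendor.external','legacy.corp.local')

function ConvertTo-AccessGraph {
    # Adjacency list of "who can reach whom". Trust A -> B (A trusts B) becomes access edge B -> A.
    param($Edges, [string[]]$Domains = @())
    $graph = @{}
    foreach ($d in $Domains) { $graph[$d] = @() }
    foreach ($e in $Edges) {
        foreach ($n in $e.SourceName, $e.TargetName) { if (-not $graph.ContainsKey($n)) { $graph[$n] = @() } }
        switch ($e.TrustDirection) {
            'Outbound'      { $graph[$e.TargetName] += $e.SourceName }
            'Inbound'       { $graph[$e.SourceName] += $e.TargetName }
            'Bidirectional' { $graph[$e.TargetName] += $e.SourceName; $graph[$e.SourceName] += $e.TargetName }
        }
    }
    # a two-way trust is listed from both sides, so de-duplicate neighbours (snapshot keys before assigning)
    foreach ($k in @($graph.Keys)) { $graph[$k] = @($graph[$k] | Sort-Object -Unique) }
    return $graph
}

function Get-ShortestAccessPath {
    # Breadth-first search from the domain we hold to the domain we want; $null if no path exists.
    param($Graph, [string]$From, [string]$To)
    $prev = @{}; $prev[$From] = $null
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($From)
    while ($queue.Count -gt 0) {
        $n = $queue.Dequeue()
        if ($n -eq $To) {
            $path = @()
            while ($null -ne $n) { $path = @($n) + $path; $n = $prev[$n] }
            return $path
        }
        foreach ($m in $Graph[$n]) {
            if (-not $prev.ContainsKey($m)) { $prev[$m] = $n; $queue.Enqueue($m) }
        }
    }
    return $null
}

function Get-DegreeCentrality {
    # Domains with the most access edges are the hubs worth owning (or defending) first.
    param($Graph)
    $in = @{}
    foreach ($k in $Graph.Keys) { foreach ($m in $Graph[$k]) { $in[$m] = 1 + $in[$m] } }
    $Graph.Keys | ForEach-Object {
        [PSCustomObject]@{ Domain = $_; OutDegree = $Graph[$_].Count; InDegree = [int]$in[$_] }
    } | Sort-Object { $_.OutDegree + $_.InDegree } -Descending
}

function Get-IsolatedNode {
    # Known domains that can neither reach nor be reached by anyone through a trust.
    param($Graph)
    $hasIn = @{}
    foreach ($k in $Graph.Keys) { foreach ($m in $Graph[$k]) { $hasIn[$m] = $true } }
    $Graph.Keys | Where-Object { $Graph[$_].Count -eq 0 -and -not $hasIn.ContainsKey($_) }
}

$g = ConvertTo-AccessGraph -Edges $edges -Domains $knownDomains
(Get-ShortestAccessPath -Graph $g -From 'vendor.external' -To 'testlab.local') -join ' -> '
Get-ShortestAccessPath -Graph $g -From 'dev.testlab.local' -To 'vendor.external'
Get-DegreeCentrality -Graph $g | Format-Table -AutoSize
Get-IsolatedNode -Graph $g
```

With this data the first search walks vendor.external -> prod.testlab.local -> testlab.local (the external domain rides the one-way trust into prod, then the parent-child trust up to the forest root), while the second returns nothing because prod's trust in vendor.external is one-way and gives dev no route out. testlab.local comes out on top of the centrality list, and legacy.corp.local is the only isolated node.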
Visualization
● Visual information processing is much easier for some people
● Seemingly random relationships might reveal important information when visualized in certain methods
o Tree vs Node-Link vs Topological
● DomainTrustExplorer dumps to GraphML format
Abusing Trusts
● As mentioned, knowing a trust exists can let you query information, but it doesn’t necessarily imply access
o though it often does ;)
● You need to figure out if any users have cross-domain access and to what resources in other domains
o trusts are rarely locked down properly, and you can often jump from one domain to another
Abusing Trusts with PowerView
● To enumerate users who are in groups outside of the user’s primary domain (i.e. across trusts):
o Invoke-FindUserTrustGroups -Domain <domain>
o Invoke-FindAllUserTrustGroups
● To enumerate users who have local admin privileges on all domain controllers in a particular domain:
o Get-NetDomainControllers -Domain <domain> | Get-NetLocalGroup
● To enumerate groups with users outside of the group’s primary domain:
o Invoke-FindGroupTrustUsers -Domain <domain>
o Invoke-FindAllGroupTrustUsers
● To find members of the Administrators local group outside of the primary domain for all machines in a domain:
o Invoke-EnumerateLocalTrustGroups -Domain <domain>
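Group membership that crosses a trust shows up in the directory in two forms, and both are worth knowing when you read the output of the functions above. A member from another domain in the same forest is referenced by its real distinguished name, which simply ends in the other domain's DC= components. A member from across an external or forest trust has no object in the local directory at all, so AD stores a placeholder under CN=ForeignSecurityPrincipals whose name is the foreign SID. The following added example, not PowerView's Invoke-FindGroupTrustUsers, walks every group in a domain and reports both kinds of foreign member; the function name, parameter and output columns are our own, and it assumes the host can bind to a DC of the queried domain.

```powershell
# Added example, not PowerView's code: report group members that come from another domain,
# which is where cross-trust access is normally granted. Assumes LDAP access to a DC of the domain.

function ConvertTo-DnsFromDN {
    # "CN=x,OU=y,DC=dev,DC=testlab,DC=local" -> "dev.testlab.local"
    param([string]$DN)
    ([regex]::Matches($DN, 'DC=([^,]+)') | ForEach-Object { $_.Groups[1].Value }) -join '.'
}

function Find-ForeignGroupMember {
    param([string]$Domain)   # DNS name; empty = current domain

    $prefix = if ($Domain) { "LDAP://$Domain/" } else { 'LDAP://' }
    $base   = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"${prefix}$base"
    $searcher.Filter     = '(&(objectCategory=group)(member=*))'   # only groups that have members
    $searcher.PageSize   = 200
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname','member'))

    foreach ($g in $searcher.FindAll()) {
        # Note: groups with more than ~1500 members need ranged retrieval (member;range=...), not handled here.
        foreach ($dn in $g.Properties['member']) {
            $dn = [string]$dn
            if ($dn -match '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals,') {
                # SID-only placeholder for a principal across an external/forest trust.
                # Well-known SIDs (S-1-5-11 Authenticated Users, etc.) also live here; the regex keeps domain SIDs only.
                $kind         = 'ForeignSecurityPrincipal'
                $member       = $matches[1]
                $memberDomain = $member -replace '-\d+$', ''        # strip the RID: the domain SID is what you look up
            } elseif ($dn -notlike "*,$base") {
                # Object from another domain in the same forest, referenced by its real DN.
                $kind         = 'OtherDomainInForest'
                $member       = $dn
                $memberDomain = ConvertTo-DnsFromDN $dn
            } else {
                continue   # same-domain member, not interesting here
            }
            [PSCustomObject]@{
                Group        = [string]$g.Properties['samaccountname'][0]
                MemberKind   = $kind
                Member       = $member
                MemberDomain = $memberDomain
            }
        }
    }
}

# Usage: foreign members of every group in the current domain, most privileged groups first is up to the reader
Find-ForeignGroupMember | Sort-Object Group | Format-Table -AutoSize
Find-ForeignGroupMember -Domain 'testlab.local' | Format-Table -AutoSize
```

A ForeignSecurityPrincipal row tells you which external domain's SID has been granted something here but not who that SID is; resolving it means querying the other side of the trust, which is exactly the kind of cross-boundary lookup the LDAP-only slide cautions about.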
Abusing Trusts with PowerView: BSides Chicago Edition
Abusing Trusts: A Case Study
● Say we land on a machine in the dev.testlab.local domain and work our way to the DC
● We want to compromise the testlab.local forest root
o We’ll do this by abusing trust relationships with another child domain in the forest
● We’ll step through enumeration, visualization, and abuse
Improved Data Analysis
● Working on methods to correlate PowerView data with trust information to provide additional context
o Think “this domain group has access to these cross-domain resources”
● Goal of creating an offensive dashboard for red team operations
o @_tomsteele has started some of this work already: https://github.com/tomsteele/domain-trust-grapher
Trust Keys
● The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets*
o Mimikatz can now extract these trust keys from domain controllers participating in the trust
● These keys can be used to create “gold-ish” trust tickets for the krbtgt service, with a trusting domain as the target
o these in turn can be used to request TGSes for specific services on the trusting domain
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx
Trust Keys: A Domain Trust Golden Ticket
This means that even if the krbtgt hash is rolled twice, you can still abuse a privileged domain trust and possibly recompromise a domain from a trusted source! Rolling krbtgt does not touch the trust key: the trust password itself has to be reset as well, and a forged trust ticket only carries the extra SIDs (e.g. the forest root's Enterprise Admins via SID history) that the trusting side's SID filtering lets through.
Questions?
● Contact us:
o @harmj0y (will [at] harmj0y.net) or keybase.io/harmj0y
o @sixdub (justin [at] sixdub.net) or keybase.io/sixdub
● Read more:
o http://www.harmj0y.net/blog/tag/domain-trusts/
o http://www.sixdub.net/?p=285
● Get the tools:
o https://github.com/Veil-Framework/PowerTools/tree/master/PowerView
o https://github.com/sixdub/DomainTrustExplorer