Trusts You Might Have Missed

Will (@harmj0y), Justin (@sixdub)

@harmj0y

● Security researcher and red teamer for the Adaptive Threat Division of Veris Group

● Co-founder of the Veil-Framework and Veil’s PowerTools

● Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides

@sixdub

● Pentester and red teamer for the Adaptive Threat Division of Veris Group

● Lots of interest: red team ops, reverse engineering, adversarial tactics, etc

● Developer on the Veil-Framework and co-founder of Veil’s PowerTools

tl;dr

● Red Team Operations

● Active Directory 101

● Domain Trusts 101

● So what?

● Back to the Old School

● New School Enumeration

● Visualizing Trusts

● Abusing Trusts

● Demo

● On The Horizon

Red Team Operations

Setting the stage

Red Teaming

● Red teaming means different things to different people
  o physical ops, in-depth social engineering, custom exploit dev, pure network based operations, etc.

● Common thread of increased time frame and more permissive scope

● Red Team Operations - military concept of adversarial thinking that evolved into adversary emulation

“Assume Breach” Mentality

● With the rash of recent major incidents, organizations have started to realize that they’re probably already owned

● You’re not going to stop the bad guys from getting in the front door

● Companies need to implement an “assume breach” way of thinking

Nothing New?

● Domain trusts have existed for years, and red teams have been abusing them just as long

● While these techniques are public, they’re not as well known as they should be

● Most of what we’re going to talk about is possible through multiple means:
  o VBScript, PowerShell, native tools
  o Good to have alternative ways to accomplish the same goal

Active Directory 101

Let’s go back to school

Base Overview

● Multiple levels
  o Domain - Logical group of network objects (computers, users, etc.)
  o Trees - Collection of domains
  o Forests - Collection of trees

● Used to authenticate and authorize users and computers on a network
  o Also provides security policies, centralized management, and other rich features

Not So Basic Overview: NTLM

https://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_ntlmauthentication

Not So Basic Overview: Kerberos

http://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_kerberosauthentication

Active Directory Trusts 101

● Trusts allow separate domains to form a relationship
  o Allows for the possibility of access to objects between domains. Authentication linkage!
  o Allows you to use objects from a remote domain, aka users from Domain A can be in groups of Domain B

● Forests can also establish trust relationships
  o ex. All domains in Forest A will trust domains in Forest B

Active Directory Trusts 201

● Communications in the trust work via a system of referrals
  o If the SPN being requested resides outside the primary DC’s domain, the DC issues a referral to the forest KDC or the trusted domain’s KDC so the client can receive a ticket there
  o Access is passed around with inter-realm TGTs

● Multiple configuration topologies are available, and they determine the behavior of the trusts
  o All a matter of design…

Trust Direction

http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx

Trust Types

● Trusts come in a few varieties:
  o One way - Only one domain trusts the other
  o Two way - Both domains trust each other
  o Transitive - Domain A trusts Domain B and Domain B trusts Domain C, so Domain A trusts Domain C

● A child domain retains an implicit trust with its parent

● Lots more information at http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

So What?

● Why does this matter?

● Red teams often compromise accounts/machines in a domain that's trusted by their actual target, allowing them to exploit these existing trust relationships to achieve their end goal

● And Enterprise Admin = pwnership over everything below

Domain Trust Enumeration

Know what you have before you start pwning

Old School Enumeration

● Traditional trust enumeration utilizing nltest:

Old School Enumeration

● Netdom (from servers only):
  o netdom query trust

● Adfind to enumerate trusts in other domains:

New School Enumeration

● PowerShell: Microsoft’s handy “post-exploitation language” :)

● Essentially a command-line wrapper for .NET with full access to the framework

● Contains various Active Directory hooks that make enumeration much easier and more flexible than before

● To enumerate all domains in the forest:
  o ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Domains

● To enumerate all trust relationships for the current domain:
  o ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

Trust Enumeration with PowerShell

Using Trusts With PowerShell

● A lot of ADSI native PowerShell AD functionality can easily operate on domains to which there's an existing trust:
  o finding domain controllers, querying users, enumerating domain groups, finding domain machines, etc.

● All across trust boundaries with little extra effort, using these enumerated domain contexts

PowerView

● Think dsquery on steroids... and cocaine

● First started because a client banned “net” commands on domain machines

● Otherwise initially inspired by Rob Fuller’s netview.exe tool
  o Wanted something more flexible that also didn’t drop a binary to disk

PowerView: Enumerating Trusts

● PowerView has several new functions that allow you to enumerate any existing domain/forest trust relationships:
  o Get-NetForest: information about the current domain forest
  o Get-NetForestTrusts: grab all forest trusts
  o Get-NetForestDomains: enumerate all domains in the current forest
  o Get-NetDomainTrusts: find all current domain trusts, à la nltest

PowerView: Enumerating Trusts

PowerView: Trust Mapping w/ LDAP!

● Sometimes the trust “enclave” is more protected, and mass enumeration across a boundary can seem strange
  o Also, your workstation might not be able to directly contact the DC of a trusted/trusting domain

● Get-NetDomainTrustsLDAP - Utilizes LDAP queries only to enumerate trusts
  o Slightly less accurate… but blends better!
  o And these LDAP queries can be bounced through your primary DC!
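An LDAP-only view of the trusts, as an added example (not PowerView’s Get-NetDomainTrustsLDAP): each trust is a trustedDomain object under CN=System, and the integer attributes decode into direction, type and flags such as SID filtering, which is what a defender checks when reviewing a trust. The -Domain parameter and the LDAP path it builds are assumptions; with no -Domain it binds to the current domain.

```powershell
# Added example: enumerate trustedDomain objects with LDAP only and decode their flags.
# Assumption: run in a domain context; -Domain (optional) is a DNS domain name reachable over LDAP.
function Get-TrustedDomainObjects {
    param([string]$Domain)

    # Trust objects live under CN=System in the domain naming context
    if ($Domain) {
        $dn   = 'DC=' + ($Domain -replace '\.', ',DC=')
        $root = [ADSI]"LDAP://$Domain/CN=System,$dn"
    } else {
        $dn   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
        $root = [ADSI]"LDAP://CN=System,$dn"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectClass=trustedDomain)'
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'flatName', 'trustDirection', 'trustType', 'trustAttributes'))

    $directions = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
    $types      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }
    # trustAttributes bit flags as documented for the trustAttributes attribute in [MS-ADTS]
    $attrFlags  = @{
        0x01 = 'NON_TRANSITIVE'; 0x02 = 'UPLEVEL_ONLY'; 0x04 = 'QUARANTINED_DOMAIN (SID filtering)'
        0x08 = 'FOREST_TRANSITIVE'; 0x10 = 'CROSS_ORGANIZATION'; 0x20 = 'WITHIN_FOREST'
        0x40 = 'TREAT_AS_EXTERNAL'; 0x80 = 'USES_RC4_ENCRYPTION'
    }

    foreach ($r in $searcher.FindAll()) {
        $p    = $r.Properties
        $attr = [int]$p['trustattributes'][0]
        $set  = foreach ($bit in ($attrFlags.Keys | Sort-Object)) { if ($attr -band $bit) { $attrFlags[$bit] } }
        [pscustomobject]@{
            TargetDomain = [string]$p['name'][0]
            NetBIOS      = [string]$p['flatname'][0]
            Direction    = $directions[[int]$p['trustdirection'][0]]
            Type         = $types[[int]$p['trusttype'][0]]
            Attributes   = $set -join ', '
            # A forest/external trust without this bit does not filter SIDs from the other side
            SIDFiltering = [bool]($attr -band 0x04)
        }
    }
}

Get-TrustedDomainObjects | Format-Table -AutoSize
```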

PowerView: Using Trusts

● If a trust exists, most functions in PowerView can now accept a -Domain <name> flag to operate across a trust:

o Get-NetDomainControllers, Get-NetUsers, Get-NetUser, Get-NetComputers, Get-NetGroups, Get-NetGroup, Get-NetFileServers, Get-UserProperties, Invoke-UserFieldSearch, Invoke-Netview, Invoke-UserHunter, etc.

PowerView: Using Trusts

Mapping Domain Trusts

● PowerView also has functions to map all reachable domain trusts:
  o Invoke-MapDomainTrusts
  o Invoke-MapDomainTrustsLDAP

● Finds all domain trusts for the current domain, then tries to enumerate all trusts for each domain it finds, and so on

● Can dump out a nice .csv of all current trust relationships
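The mapping walk described here, built from the .NET calls shown under New School Enumeration, as an added example (not PowerView’s Invoke-MapDomainTrusts): a breadth-first walk that records one row per trust edge and keeps going when a discovered domain cannot be contacted. The function name and the -StartDomain parameter are assumptions.

```powershell
# Added example: walk domain trusts breadth-first from the current (or a given) domain using
# System.DirectoryServices.ActiveDirectory, emitting one object per trust edge for Export-Csv.
# Assumption: each discovered domain can be resolved and queried; unreachable ones are recorded, not fatal.
function Invoke-TrustWalk {
    param([string]$StartDomain)

    $start = if ($StartDomain) { $StartDomain } else {
        [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    }
    # Visited set is case-insensitive so DEV.TESTLAB.LOCAL and dev.testlab.local are one node
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($start)
    [void]$seen.Add($start)

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        try {
            $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $name)
            $dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
            $trusts = $dom.GetAllTrustRelationships()
        } catch {
            # Typical across a one-way or firewalled trust: keep the node, mark it, move on
            [pscustomobject]@{ Source = $name; Target = $null; Direction = 'Unreachable'; TrustType = $_.Exception.Message }
            continue
        }
        foreach ($t in $trusts) {
            [pscustomobject]@{
                Source    = $t.SourceName
                Target    = $t.TargetName
                Direction = $t.TrustDirection   # Inbound, Outbound, Bidirectional
                TrustType = $t.TrustType        # ParentChild, TreeRoot, External, Forest, ...
            }
            # Enqueue only unseen targets; this is what stops cycles in two-way/transitive trusts
            if ($seen.Add($t.TargetName)) { $queue.Enqueue($t.TargetName) }
        }
    }
}

Invoke-TrustWalk | Export-Csv -NoTypeInformation -Path .\trusts.csv
```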

Analysis and Visualization

Raw data ain’t nothin’

Motivations

● Many networks only have a few domains and associated trusts

● While this raw data from PowerView is useful, it can become onerous for networks with many domains
  o Think dozens+, all interconnected

● Data means nothing if you can’t interpret it usefully

Nodal Analysis

● Concept of applying network and graph theory techniques to identify relevant and useful data
  o Centrality
  o Shortest Path
  o Isolated Nodes

● DomainTrustExplorer!
  o Used to rapidly triage large networks with a spaghetti mess of trusts
  o https://github.com/sixdub/DomainTrustExplorer

Nodal Analysis

Visualization

● Visual information processing is much easier for some people

● Seemingly random relationships might reveal important information when visualized in certain methods
  o Tree vs Node-Link vs Topological

● DomainTrustExplorer dumps to GraphML format

Abusing Domain Trusts

The path to pwnership

Abusing Trusts

● As mentioned, knowing a trust exists can let you query information, but it doesn’t necessarily imply access
  o though it often does ;)

● You need to figure out if any users have cross-domain access and to what resources in other domains
  o trusts are rarely locked down properly, and you can often jump from one domain to another

Abusing Trusts with PowerView

● To enumerate users who are in groups outside of the user’s primary domain (i.e. across trusts):
  o Invoke-FindUserTrustGroups -Domain <domain>
  o Invoke-FindAllUserTrustGroups

● To enumerate users who have local admin privileges on all domain controllers in a particular domain:
  o Get-NetDomainControllers -Domain <domain> | Get-NetLocalGroup

● To enumerate groups with users outside of the group’s primary domain:
  o Invoke-FindGroupTrustUsers -Domain <domain>
  o Invoke-FindAllGroupTrustUsers

● To find members of the local Administrators group outside of the primary domain for all machines in a domain:
  o Invoke-EnumerateLocalTrustGroups -Domain <domain>
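What the cross-domain group checks above look for, as an added audit example (not PowerView’s Invoke-FindGroupTrustUsers): a member whose DN sits in another domain, or a foreignSecurityPrincipal standing in for a SID from an external or forest trust, is exactly the membership that hands a trusted domain’s principals access here, and it is what a trust review should list. The function name, its -Domain parameter and the sample domain name are assumptions.

```powershell
# Added example: list groups in a domain whose members come from outside that domain.
# Assumption: -Domain is a DNS domain name reachable over LDAP from this host.
function Get-CrossDomainGroupMembers {
    param([Parameter(Mandatory)][string]$Domain)

    $dn = 'DC=' + ($Domain -replace '\.', ',DC=')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain/$dn")
    $searcher.Filter   = '(&(objectCategory=group)(member=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'member'))
    # Note: groups with more than 1500 members need ranged retrieval (member;range=...), not shown here

    foreach ($g in $searcher.FindAll()) {
        $groupDn = [string]$g.Properties['distinguishedname'][0]
        foreach ($m in $g.Properties['member']) {
            $memberDn = [string]$m
            # The domain part of a DN is everything from the first "DC=" component onward
            $memberDomain = ($memberDn -split ',(?=DC=)', 2)[-1]
            $isFsp = $memberDn -match ',CN=ForeignSecurityPrincipals,'
            if (-not $isFsp -and $memberDomain -ieq $dn) { continue }   # ordinary in-domain member

            $name = $memberDn
            if ($isFsp) {
                # An FSP's CN is the foreign SID; translate to DOMAIN\name when the trust permits lookup
                $sid = (($memberDn -split ',')[0]) -replace '^CN=', ''
                try {
                    $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                                [System.Security.Principal.NTAccount]).Value
                } catch { $name = $sid }
            }
            [pscustomobject]@{
                Group        = $groupDn
                Member       = $name
                MemberDomain = $(if ($isFsp) { 'external (FSP)' } else { $memberDomain })
            }
        }
    }
}

# Constructed sample domain name; replace with the domain under review
Get-CrossDomainGroupMembers -Domain 'testlab.local' | Format-Table -AutoSize
```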

Abusing Trusts with PowerView: BSides Chicago Edition

Abusing Trusts: A Case Study

● Say we land on a machine in the dev.testlab.local domain and work our way to the DC

● We want to compromise the testlab.local forest root
  o We’ll do this by abusing trust relationships with another child domain in the forest

● We’ll step through enumeration, visualization, and abuse

Demo

On The Horizon

What’s next...

Improved Data Analysis

● Working on methods to correlate PowerView data with trust information to provide additional context
  o Think “this domain group has access to these cross-domain resources”

● Goal of creating an offensive dashboard for red team operations
  o @_tomsteele has started some of this work already: https://github.com/tomsteele/domain-trust-grapher

Trust Keys


● The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets*
  o Mimikatz can now extract these trust keys from domain controllers participating in the trust

● These keys can be used to create “gold-ish” trust tickets for the krbtgt service, with a trusting domain as the target
  o these in turn can be used to request TGSes for specific services on the trusting domain

* https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx

Trust Keys: A Domain Trust Golden Ticket

This means that even if the krbtgt hash is rolled twice, you can still abuse a privileged domain trust and possibly recompromise a domain from a trusted source!

Questions?

● Contact us:
  o @harmj0y (will [at] harmj0y.net) or keybase.io/harmj0y
  o @sixdub (justin [at] sixdub.net) or keybase.io/sixdub

● Read more:
  o http://www.harmj0y.net/blog/tag/domain-trusts/
  o http://www.sixdub.net/?p=285

● Get the tools:
  o https://github.com/Veil-Framework/PowerTools/tree/master/PowerView
  o https://github.com/sixdub/DomainTrustExplorer