1 of 45

Tactics, Techniques and Procedures for Attacking Active Directory

BlackHat USA 2019

  • Link to this deck: https://bit.ly/2ZQIfGY

2 of 45


Ryan Hausknecht

Andy Robbins

Rohan Vazarkar

Julian Catrambone

Kelly Villanueva

Calvin Hedler

Carlo Alcantara

You can find us at:

Specterops.io

@SpecterOps

3 of 45

Outline (morning segment 1)

10:00-10:15: Derivative Local Admin Lecture

10:15-10:30: Lab

10:30-10:45: ACL Attacks

10:45-11:00: Lab

11:00-11:15: Kerberos Attacks

11:20: Room changeover


4 of 45

Outline (morning segment 2)

11:30-11:45: Derivative Local Admin Lecture

11:45-12:00: Lab

12:00-12:15: ACL Attacks

12:15-12:30: Lab

12:30-12:45: Kerberos Attacks


5 of 45

Outline (afternoon segment 1)

2:00-2:15: Derivative Local Admin Lecture

2:15-2:30: Lab

2:30-2:45: ACL Attacks

2:45-3:00: Lab

3:00-3:15: Kerberos Attacks

3:30: Room changeover


6 of 45

Outline (afternoon segment 2)

3:45-4:00: Derivative Local Admin Lecture

4:00-4:15: Lab

4:15-4:30: ACL Attacks

4:30-4:45: Lab

4:45-5:00: Kerberos Attacks

5:15: Room shutdown


7 of 45

Data Collection Architecture and Logical Access Requirements

(Architecture diagram; only its labels survive extraction.)

  • Components: Domain Controller, Data Collector, BloodHound DB, BloodHound Client, Domain-Joined Computers, Firewall
  • Port labels on the connections: TCP 389, 445 and UDP 53 (LDAP, SMB and DNS to the Domain Controller); TCP 445 (SMB to each domain-joined computer); TCP 7687 (Neo4j Bolt to the BloodHound DB)

8 of 45

Data Collection w/ SharpHound

  • Go to https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors
  • Download “SharpHound.exe”
  • Run the following as a user that has admin rights on each Windows endpoint:
    • sharphound.exe -c all,loggedon
  • This will generate a zip file.
  • Open the BloodHound UI
  • Drag and drop the zip file into the BloodHound UI

9 of 45

Data Collection w/ SharpHound

  • This will collect:
    • AD security group memberships
    • Group, user, domain and computer properties (SID, enabled, sensitive and cannot be delegated, etc.)
    • Interactive user logons per computer
    • Local admin, Remote Desktop user, DCOM users per computer
    • Abusable ACEs from security principals
    • Domain trusts
    • OU structure and GPO Links


10 of 45

Derivative Local Admin

11 of 45 to 22 of 45

(Image-only slides with no extractable text: the step-by-step graph walkthrough of a derivative local admin path. Slides 21 and 22 are captioned "Domain Admin!")

23 of 45

An effective, albeit tedious and naive approach...

  • Target Users: Admin-1, Admin-2, Admin-3, Admin-4, Admin-5
  • Admin-1 Uses These Systems: Computer-1, Computer-2, Computer-3
  • Admins on Computer-1: Admin-1, Admin-2, Admin-10, Group-11
  • Members of Group-11 Use These Systems: Computer-1, Computer-2, Computer-5
  • Admins on Computer-5: Admin-1, Admin-2, Admin-10, Admin-15
  • Admin-15 Uses These Systems: Computer-1, Computer-2, Computer-10
  • Members of Group-11: Admin-5, Admin-6, Admin-7, Admin-8

24 of 45

(BloodHound graph, reconstructed from the slide's node and edge labels in the notation BloodHound's Cypher queries use:)

(Bob User)-[MemberOf]->(Helpdesk Group)-[AdminTo]->(Computer 1)-[HasSession]->(Alice Admin)-[MemberOf]->(Domain Admins)
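The two slides above contrast a hand-walked search (pick a target, list their systems, list the admins of each system, repeat) with the graph view. As an added Python example, not part of the deck or of BloodHound, the following encodes the slide's graph as directed MemberOf / AdminTo / HasSession edges and answers both questions a defender asks of it: the shortest path from one user to Domain Admins, and, in a single reverse sweep, every principal that has any path there. The "Carol Contractor", "Staff Group" and "Computer 2" nodes are hypothetical padding so the search has a dead end to ignore.

```python
from collections import deque

# Constructed edge list modelled on the slide's graph: (source, relationship, target).
# Relationship names are BloodHound's (MemberOf, AdminTo, HasSession); the
# "Carol Contractor" / "Staff Group" / "Computer 2" nodes are hypothetical padding.
EDGES = [
    ("Bob User", "MemberOf", "Helpdesk Group"),
    ("Helpdesk Group", "AdminTo", "Computer 1"),
    ("Computer 1", "HasSession", "Alice Admin"),
    ("Alice Admin", "MemberOf", "Domain Admins"),
    ("Helpdesk Group", "AdminTo", "Computer 2"),
    ("Computer 2", "HasSession", "Carol Contractor"),
    ("Carol Contractor", "MemberOf", "Staff Group"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...] over directed edges."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search; returns the path as (node, relationship, node) hops, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops, cur = [], goal
    while prev[cur] is not None:
        parent, rel = prev[cur]
        hops.append((parent, rel, cur))
        cur = parent
    return hops[::-1]


def reachers(adj, goal):
    """Reverse BFS from the goal: every node with some path to it, with its hop count.
    One sweep answers "who can become Domain Admin?" instead of walking each user by hand."""
    rev = {}
    for src, outs in adj.items():
        for _, dst in outs:
            rev.setdefault(dst, []).append(src)
    dist = {goal: 0}
    queue = deque([goal])
    while queue:
        node = queue.popleft()
        for parent in rev.get(node, []):
            if parent not in dist:
                dist[parent] = dist[node] + 1
                queue.append(parent)
    dist.pop(goal)
    return dist


def format_path(hops):
    """Render hops in the (a)-[Rel]->(b) style BloodHound's Cypher queries use."""
    if not hops:
        return ""
    out = f"({hops[0][0]})"
    for _, rel, dst in hops:
        out += f"-[{rel}]->({dst})"
    return out


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print(format_path(shortest_path(graph, "Bob User", "Domain Admins")))
    print(reachers(graph, "Domain Admins"))
```

The reverse sweep is the part worth keeping: on a real collection it lists every principal (and every computer whose sessions matter) from which Domain Admins is reachable, which is the set a defender needs to shrink.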

25 of 45

Local Admin Abuses

  • Local administrators by default have full control of a system.
  • This includes SeDebugPrivilege, which allows admins to debug running processes (e.g.: lsass.exe)
  • Local admins also by default have remote desktop, DCOM, SCM, WinRM, and WMI access (i.e.: remote code execution)
  • Local admins can also disable/bypass host-based security controls, even those that are “protected”
  • Bottom line: local admins own computers and anyone else who interactively logs onto the computer.
  • Forensic artifact: admins generate 4688 events when spawning a high integrity process

26 of 45

27 of 45

28 of 45

Lab

  • Download the BloodHound GUI here: https://github.com/BloodHoundAD/BloodHound/releases
  • Open the BloodHound GUI and connect to the BloodHound database at bolt://206.189.85.93:7687/
  • Username: neo4j
  • Password: BloodHound
  • Find the shortest paths to the Domain Admins group in each domain
  • Inspect the local admin rights for the user KXUNA@JAPAN.LOCAL
  • Inspect the inbound local admin rights on the computer IO@JAPAN.LOCAL
  • Explore other nodes in the database and the attack paths between them
  • TIP: Right click the edge (relationship) and click “help”


29 of 45

ACL Attacks

30 of 45

ForceChangePassword

  • The user NDUANE03971 can change the user BBASSFORD07359’s password without knowing the current password
  • This is as easy as “net user BBassford07359 Password1 /domain”
  • The new password must meet the domain’s password complexity and age requirements
  • This then gives NDUANE the ability to impersonate BBASSFORD, and use whatever privileges BBASSFORD has to continue the attack path.
  • With domain admin or dcsync-equivalent privileges, an attacker can set BBASSFORD’s password back to what it was before. If done quickly enough, the user will have no idea their password ever changed.
  • Forensic artifact: Generates a 4724 and 4738 event on the DC that handled the request.

31 of 45

AddMember

  • The user CKOWNACKI00973 can add arbitrary principals to the group Domain Admins.
  • This is as easy as “net group "Domain Admins" CKOWNACKI00973 /add /domain”
  • This then gives CKOWNACKI00973 the same privileges as the Domain Admins group, and the attacker can continue their attack path.
  • Forensic artifact: Generates a 4728 event on the DC that handled the request

32 of 45

DCSync


33 of 45

DCSync (continued)

  • DCSync is the combination of two privileges: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All
  • This privilege allows a principal to remotely retrieve credential material (NT hashes) via the MS-DRSR protocol
  • Most commonly, attackers will abuse DCSync rights to gather the krbtgt account credential material, then craft golden tickets
  • Forensic artifacts: DsGetNCChanges on the wire – see https://adsecurity.org/?p=1729
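The three ACL slides above (ForceChangePassword, AddMember, DCSync) all come down to specific rights in an object's DACL. As an added Python example, not part of the deck or of BloodHound, the following parses SDDL ACE strings and maps each trustee SID to the edge names used above: User-Force-Change-Password on a user, write access to the member attribute on a group, and the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All pair on the domain head, which together make DCSync. The four GUIDs are the real Active Directory identifiers; the DACL strings and the S-1-5-21-1111-2222-3333-* SIDs are constructed for the example. It deliberately ignores inheritance flags, Deny ACEs and ownership, which a full resolver (BloodHound's included) has to account for.

```python
import re

# Real Active Directory extended-right / attribute GUIDs (well known, not page-specific).
GUID_GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes
GUID_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
GUID_FORCE_CHANGE_PW = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_MEMBER_ATTR     = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # 'member' attribute

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Split an SDDL DACL string into ACE dicts.
    ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid)."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inh_guid, sid = fields[:6]
        # Rights are two-letter codes run together (e.g. "RPWP"); a numeric "0x..." mask
        # is not decoded here and is treated as granting nothing recognisable.
        codes = set() if rights.startswith("0x") else {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "flags": flags, "rights": codes,
                     "object_guid": obj_guid.lower(), "sid": sid})
    return aces


def abusable_edges(sddl, object_class):
    """Map each trustee SID to the BloodHound-style edges its Allow ACEs grant on an
    object of the given class ("user", "group" or "domain")."""
    edges = {}
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):   # Allow / Object-Allow only; Deny ACEs are skipped
            continue
        r, g = ace["rights"], ace["object_guid"]
        found = set()
        ga = "GA" in r                        # GenericAll implies every right below
        if ga:
            found.add("GenericAll")
        if "WD" in r:
            found.add("WriteDacl")
        if "WO" in r:
            found.add("WriteOwner")
        # An empty object GUID on a CR/WP ACE means "all extended rights" / "all properties".
        if object_class == "user" and (ga or ("CR" in r and g in ("", GUID_FORCE_CHANGE_PW))):
            found.add("ForceChangePassword")
        if object_class == "group" and (ga or "GW" in r or ("WP" in r and g in ("", GUID_MEMBER_ATTR))):
            found.add("AddMember")
        if object_class == "domain":
            if ga or ("CR" in r and g in ("", GUID_GET_CHANGES)):
                found.add("GetChanges")
            if ga or ("CR" in r and g in ("", GUID_GET_CHANGES_ALL)):
                found.add("GetChangesAll")
        if found:
            edges.setdefault(ace["sid"], set()).update(found)
    # DCSync is the combination of both replication rights held by the same principal.
    for rights in edges.values():
        if {"GetChanges", "GetChangesAll"} <= rights:
            rights.add("DCSync")
    return edges


# Constructed DACLs. S-1-5-32-544 is the real BUILTIN\Administrators SID; the
# S-1-5-21-1111-2222-3333-* SIDs are made up for this example.
DOMAIN_DACL = ("D:(A;;GA;;;S-1-5-32-544)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1106)")
USER_DACL = ("D:(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111-2222-3333-1107)"
             "(A;;RP;;;S-1-5-21-1111-2222-3333-1108)")
GROUP_DACL = ("D:(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-1109)"
              "(OA;;RP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-1110)")

if __name__ == "__main__":
    for label, sddl, cls in (("domain", DOMAIN_DACL, "domain"), ("user", USER_DACL, "user"),
                             ("group", GROUP_DACL, "group")):
        print(label, abusable_edges(sddl, cls))
```

Run against the DACL of the domain head, the replication pair is the practical DCSync check: a trustee holding only one of the two rights (the 1106 SID above) cannot replicate, and any SID holding both that is not a domain controller or a well-known administrative principal deserves an explanation.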


34 of 45

GPO Control

  • Control of GPOs opens up incredible attack possibilities. You truly can do anything with GPO.
  • GPO control is especially interesting because you don’t require logical access to your target computer, or computers used by your target user
  • Risk is dependent on what objects the GPO applies to, which we will demonstrate later.
  • Forensic artifact: GPO changes generate 5137 events on DCs
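Each of the preceding slides ends with a forensic artifact (4688 for elevated processes, 4724/4738 for a password reset, 4728 for a member added to a group, 5137 for a GPO change). As an added Python example, not part of the deck, the following turns those artifacts into rules run over a constructed sample of Security-log events shaped like the real EventData fields. The account names NDUANE03971, BBASSFORD07359 and CKOWNACKI00973 are the ones on the slides; every other value is made up. The TokenElevationType value %%1937 is the real "full (elevated) token" marker in 4688; accounts with no split token at all (UAC disabled, or the built-in Administrator) show %%1936 instead and would need their own rule.

```python
from dataclasses import dataclass

# Groups whose membership changes (4728) should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample events, shaped like the EventData fields of the real Security-log
# events (4724/4738 password reset, 4728 member added, 5137 object created, 4688 process
# creation). Account names come from the slides; everything else is made up.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "NDUANE03971", "TargetUserName": "BBASSFORD07359"},
    {"EventID": 4738, "SubjectUserName": "NDUANE03971", "TargetUserName": "BBASSFORD07359"},
    {"EventID": 4724, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},          # self-service reset
    {"EventID": 4728, "SubjectUserName": "CKOWNACKI00973", "TargetUserName": "Domain Admins",
     "MemberName": "CN=CKOWNACKI00973,CN=Users,DC=japan,DC=local"},
    {"EventID": 4728, "SubjectUserName": "hd-ops", "TargetUserName": "VPN Users",
     "MemberName": "CN=newhire,CN=Users,DC=japan,DC=local"},
    {"EventID": 5137, "SubjectUserName": "gpoadmin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={CONSTRUCTED-GPO-GUID},CN=Policies,CN=System,DC=japan,DC=local"},
    {"EventID": 5137, "SubjectUserName": "svc-prov", "ObjectClass": "user",
     "ObjectDN": "CN=newhire,CN=Users,DC=japan,DC=local"},
    {"EventID": 4688, "SubjectUserName": "admin1", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "TokenElevationType": "%%1937"},                                                 # full (elevated) token
    {"EventID": 4688, "SubjectUserName": "user1", "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "TokenElevationType": "%%1938"},                                                 # limited token
]


@dataclass
class Alert:
    rule: str
    event_id: int
    actor: str
    detail: str


def detect(events):
    """Apply one rule per slide to a stream of event dicts and return the alerts raised."""
    alerts = []
    for e in events:
        eid, actor = e.get("EventID"), e.get("SubjectUserName", "?")
        if eid == 4724 and e.get("TargetUserName") != actor:
            # ForceChangePassword: someone reset another account's password
            alerts.append(Alert("ForceChangePassword", eid, actor, f"reset password of {e['TargetUserName']}"))
        elif eid == 4728 and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            # AddMember into a privileged group
            alerts.append(Alert("AddMember", eid, actor, f"added {e.get('MemberName')} to {e['TargetUserName']}"))
        elif eid == 5137 and e.get("ObjectClass") == "groupPolicyContainer":
            # GPO control: a new Group Policy container appeared in the directory
            alerts.append(Alert("GPOChange", eid, actor, f"created {e.get('ObjectDN')}"))
        elif eid == 4688 and e.get("TokenElevationType") == "%%1937":
            # Local admin abuse: a high-integrity (elevated) process was spawned
            alerts.append(Alert("ElevatedProcess", eid, actor, f"spawned {e.get('NewProcessName')}"))
    return alerts


def confirmed_resets(events):
    """Targets for which both halves of a reset (4724 and 4738) were seen."""
    seen = {}
    for e in events:
        if e.get("EventID") in (4724, 4738):
            seen.setdefault(e["TargetUserName"], set()).add(e["EventID"])
    return {target for target, ids in seen.items() if ids == {4724, 4738}}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] event {a.event_id}: {a.actor} {a.detail}")
    print("confirmed resets:", confirmed_resets(SAMPLE_EVENTS))
```

Because the slides note that a reset password can be set back by an attacker with DCSync-equivalent rights, the 4724/4738 pair on the DC is the durable record of the change even when the user never notices; the `confirmed_resets` helper keeps only targets where both events were seen.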

35 of 45

36 of 45

37 of 45

Lab

  • Download the BloodHound GUI here: https://github.com/BloodHoundAD/BloodHound/releases
  • Open the BloodHound GUI and connect to the BloodHound database at bolt://206.189.85.93:7687/
  • Username: neo4j
  • Password: BloodHound
  • Find the shortest paths to the Domain Admins group in each domain
  • Inspect the outbound privileges for the user YFAN@TOKYO.JAPAN.LOCAL
  • Inspect the inbound privileges against the group DOMAIN ADMINS@TOKYO.JAPAN.LOCAL
  • TIP: Right click the edge (relationship) and click “help”


38 of 45

Kerberos Attacks

39 of 45

Three Kerberos Issues to Focus on

  1. “Kerberoast”
  2. Unconstrained Delegation
  3. Constrained Delegation


40 of 45

Kerberoast

  • Technique created by Tim Medin in 2014
  • Any domain-authenticated principal can request a TGS ticket for a Kerberos service in the domain
  • That ticket is signed/encrypted using the NTLM hash of the account associated with the service
  • Weak passwords = easily cracked TGS tickets
  • Any user account with an SPN is potentially vulnerable to this attack


41 of 45

Unconstrained Delegation

  • Computers may be trusted for delegation to any Kerberos service on any system
  • Once an account authenticates to that system via Kerberos, the computer can fully impersonate that user to any other system in AD
  • If a domain admin authenticates to that system, even using a non-interactive logon, that domain admin is owned!

42 of 45

Unconstrained Delegation


43 of 45

Constrained Delegation

  • Users/Computers may be trusted for delegation to specific services on specific systems
  • In reality, the service portion of the ticket is not verified, meaning you can target ANY service!
  • That computer can then impersonate any user in the domain at any time to those specific services
  • Accounts marked as “Sensitive and Cannot be Delegated”, or added to the “Protected Users Group” are not vulnerable to this attack
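The three Kerberos issues above (Kerberoast, unconstrained delegation, constrained delegation) and the two protections named on this slide are all visible in a handful of directory attributes. As an added Python example, not part of the deck, the following audits account records in the shape an LDAP export would return: user accounts with an SPN are Kerberoastable, the TRUSTED_FOR_DELEGATION bit on a non-DC computer is unconstrained delegation, msDS-AllowedToDelegateTo marks constrained delegation (with TRUSTED_TO_AUTH_FOR_DELEGATION for protocol transition), and privileged accounts lacking both the "sensitive and cannot be delegated" bit and Protected Users membership are listed separately. The userAccountControl bit values and the RC4 bit of msDS-SupportedEncryptionTypes are the real ones; the accounts, SPNs and the japan.local DNs are constructed for the example.

```python
# userAccountControl bits (real values from the AD schema).
UF_ACCOUNTDISABLE                 = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT      = 0x1000
UF_SERVER_TRUST_ACCOUNT           = 0x2000     # domain controllers
UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
UF_NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
ENC_RC4_HMAC = 0x4                             # bit in msDS-SupportedEncryptionTypes

# Constructed account records in the shape of the LDAP attributes an exporter would return.
# Names, SPNs and the japan.local DNs are made up for this example.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.japan.local:1433"], "adminCount": 1},
    {"sAMAccountName": "svc_backup", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["backup/bk01.japan.local"], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "WEB01$", "objectClass": ["user", "computer"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/web01.japan.local"]},
    {"sAMAccountName": "DC01$", "objectClass": ["user", "computer"],
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/dc01.japan.local"]},
    {"sAMAccountName": "APP02$", "objectClass": ["user", "computer"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/app02.japan.local"],
     "msDS-AllowedToDelegateTo": ["cifs/file01.japan.local"]},
    {"sAMAccountName": "alice.admin", "objectClass": ["user"], "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "bob.admin", "objectClass": ["user"],
     "userAccountControl": 0x200 | UF_NOT_DELEGATED, "adminCount": 1},
    {"sAMAccountName": "carol.admin", "objectClass": ["user"], "userAccountControl": 0x200, "adminCount": 1,
     "memberOf": ["CN=Protected Users,CN=Users,DC=japan,DC=local"]},
    {"sAMAccountName": "krbtgt", "objectClass": ["user"], "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
]


def audit_account(acct):
    """Return [(finding, severity), ...] for one account; disabled accounts are skipped."""
    uac = acct.get("userAccountControl", 0)
    if uac & UF_ACCOUNTDISABLE:
        return []
    findings = []
    is_computer = "computer" in acct.get("objectClass", [])
    spns = acct.get("servicePrincipalName", [])
    if spns and not is_computer and acct["sAMAccountName"].lower() != "krbtgt":
        # Kerberoast: any domain user can request a TGS for these SPNs, and that ticket is
        # encrypted with this account's key, so the password is the only protection.
        enc = acct.get("msDS-SupportedEncryptionTypes", 0)
        rc4_offered = enc == 0 or bool(enc & ENC_RC4_HMAC)   # unset/0 still permits RC4
        sev = "high" if acct.get("adminCount") == 1 or rc4_offered else "medium"
        findings.append(("Kerberoast", sev))
    if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
        # Unconstrained delegation on anything other than a DC: the TGT of every account
        # that authenticates to this host can be reused against any other service.
        findings.append(("UnconstrainedDelegation", "high"))
    if acct.get("msDS-AllowedToDelegateTo"):
        # Constrained delegation; with protocol transition the host needs no Kerberos
        # authentication from the impersonated user at all.
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append(("ConstrainedDelegation+ProtocolTransition", "high"))
        else:
            findings.append(("ConstrainedDelegation", "medium"))
    return findings


def audit(accounts):
    """sAMAccountName -> findings, only for accounts with something to report."""
    report = {}
    for a in accounts:
        findings = audit_account(a)
        if findings:
            report[a["sAMAccountName"]] = findings
    return report


def unprotected_privileged(accounts):
    """Privileged (adminCount=1) accounts that are neither marked 'sensitive and cannot be
    delegated' nor in Protected Users, i.e. still exposed to delegation abuse."""
    out = []
    for a in accounts:
        uac = a.get("userAccountControl", 0)
        if a.get("adminCount") != 1 or uac & UF_ACCOUNTDISABLE:
            continue
        sensitive = bool(uac & UF_NOT_DELEGATED)
        protected = any(dn.lower().startswith("cn=protected users,") for dn in a.get("memberOf", []))
        if not (sensitive or protected):
            out.append(a["sAMAccountName"])
    return out


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name, findings)
    print("privileged accounts without delegation protection:", unprotected_privileged(SAMPLE_ACCOUNTS))
```

Domain controllers are excluded from the unconstrained-delegation finding because they carry TRUSTED_FOR_DELEGATION by design; the finding that matters is the bit on any other computer or on a user account. The svc_sql account shows up in both lists: a Kerberoastable service account with adminCount=1 is the worst case, and the fix is a long random password (or a gMSA) plus the protections this slide names.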


44 of 45

Constrained Delegation


45 of 45

THANKS!
