
Hey folks, welcome to Breaking Ground. I hope you guys had a nice lunch and are not too sleepy, because we're doing Six Degrees of Domain Admin. We're going to learn about Active Directory privilege escalation, so I'm pretty excited. Before we begin I'd like to thank our sponsors really quickly. BSides is sponsored this time by VerSprite, Productivity, Amazon, Tenable and Source of Knowledge. They are all hanging out in our chill-out lounge, so go say hi and get some cool swag. If you could please turn off your cell phones or turn them on silent and be respectful, that would be nice. That's all I have for you, so I'll hand it over to the speakers and let
them introduce themselves and take it away. Thank you. All right, welcome everybody. The title of our talk is Six Degrees of Domain Admin. If you're not familiar with what this reference is, there's this thing called Six Degrees of Kevin Bacon, where you can take any actor or any movie and, in six degrees of separation, you can more than likely connect that person or movie or director or whoever to Kevin Bacon. So we've taken that same concept and applied it to Active Directory privilege escalation, and we are super excited to talk about it. So let's go to the next slide. My name is Andy Robbins. I've been a professional penetration tester for four
years. I originally cut my teeth in the financial services industry, focusing on community and regional-size credit unions and banks. If you're interested in talking about that, I would love to talk about it with you. Otherwise you can find me on Twitter at _wald0, with a zero at the end. Hi, I'm Rohan Vazarkar. I'm one of the penetration testers at Veris. I've been doing penetration testing for about two and a half years now. I contribute to a bunch of open source projects, namely EyeWitness and Empire. Other than that, I mean, I'm just a web dev. He's way more than that. So hi, my name is Will Schroeder, my handle
is harmj0y. I'm one of the big kind of offensive developers on our team, and I also do offensive red team pen testing type engagements. I'm the co-founder and lead developer, or one of the main developers, on the Veil-Framework, PowerView, PowerUp, Empire, all that kind of fun stuff. So yeah, take it away. Cool. All right, so first we're going to talk about what the current state of Active Directory domain privilege escalation is. So by a show of hands, can I ask: anybody who is involved in AD security at all, either on offense or defense? Cool, so most of the room. Awesome, so you should be pretty familiar with the concepts that we're going to be
talking about. So let's go ahead and go to the next slide. If you're involved in Active Directory security you have more than likely seen this quote. It's probably one of the most overused quotes in our industry. John Lambert, the general manager at the Microsoft Threat Intelligence Center, had a blog post with this title: Defenders think in lists, attackers think in graphs; as long as this is true, attackers will win. So what I would ask everybody is just keep this thought in mind during our talk. What I'm hoping that we can show you is that not only are attackers thinking in graphs, but now we're actually going to
be using them as well. All right, so Active Directory, as we all know, is effectively ubiquitous across the entire world. If you see Sean Metcalf's talk at DEF CON or Black Hat, one of the points that he brings up is that 98% of the Fortune 500 companies in America use Active Directory. Pretty much a given, right? So what does that ubiquity mean? That ubiquity means that Active Directory gets a lot of attention, both from the defensive perspective and also the offensive perspective. There's a lot of time, research, money, effort, blood, sweat and tears that goes into understanding how best to defend and attack Active Directory environments. So as penetration testers and as red teamers, what that
means is that every so often we get these nice easy buttons that make our jobs super awesome, and we get to look like an elite hacker because we popped a box with MS08-067, or we escalated rights to DA with MS14-068, and like, yes, I am an awesome hacker because I used a certain module to do that, right? So these easy buttons, as awesome as they are, are also ephemeral. They have a tendency to go away, especially as our client organizations mature certain practices. So their vulnerability management practices get better; they're actually starting to pay attention to some of the things that we've been saying for years: run vulnerability scanners, do centralized patch management,
audit the results of those. What does that mean? That means that you have a certain window of opportunity to use those easy buttons on your assessments, unless your client is really not at that stage yet, which is also a lot of fun. So let's go ahead and go to the next slide. Here's a typical situation that you might find yourself in when you're on a pen test that is focusing on Active Directory. You get your initial foothold into the environment. Maybe this is a Meterpreter session that you got from phishing, maybe this is Beacon if you use Cobalt Strike, maybe you started off with layer 2 access and you used Responder to get your
initial privilege on a machine somewhere in the environment. Now, thanks to some work by Will Schroeder, you can use PowerShell and PowerView to collect information about the environment that you're in. So all of these dotted boxes are going to represent systems that we know exist in the environment but we don't have any kind of privilege to yet. Additionally, we can find out where a domain admin user is logged on. You don't need administrative rights to find this information. By a show of hands, who does this all the time? On your assessment you're using Invoke-UserHunter, you're using Get-NetSession, you're finding out where the target is
in the environment, what box you need to land on and run Mimikatz and steal their credential. All right. Now, in this maybe a little less mature type of environment, let's say you're able to escalate your rights locally on the system. You run hashdump, you collect the NTLM hashes for local users, including the RID 500 user, and maybe they've applied KB2871997, the pass-the-hash killer but not really pass-the-hash killer patch, or maybe they haven't. Bottom line is you escalate rights on this one machine and then you gain kind of notional administrator privileges to everything in the environment. Did that click work? Okay, there we go. Cool. So
the solid blue lines on these computers are going to represent systems that we now have the ability to pivot to, and lo and behold, who should appear but the domain admin on this system that we can pivot to. So we pivot over to that machine, we run Mimikatz, we collect that domain admin's password in clear text, and we win. We're awesome, we're pen testers, we're elite haxors. We give the report to the client and they think that we're the most amazing person on the planet, right? Who's done an assessment where the escalation path looked almost exactly like that? A lot of you. Awesome. So let's take a look at a slightly
different environment. Again we get our initial access through Beacon, Meterpreter, Responder, whatever; you got your initial access, and again you can figure out where the domain admin is logged in in the environment. However, this environment actually does have fairly mature patch management and vulnerability management processes, so you can't find MS08-067, you can't find Tomcat, you can't find JBoss, KiTrap0D has been gone for a decade, right? So let's hit next. Let's say that eventually we do find some kind of privilege. I would say that nine times out of ten, the way that we on our operations usually get our initial foothold into an environment is clear text credentials that are left over in
open file shares, and what I mean by open file shares are shares that any user who is authenticated to Active Directory has the ability to read. So what does that most commonly mean? Like GPP, login scripts, etc. We find this all the time. So let's say in this situation we found that as well. At this point we need to make a choice. We need to make our best educated guess on what system is the best to pivot to. We see these three users and these systems that we can pivot to, but we know that none of them are a domain admin, and we also know that none of them have local administrator
rights on that system that the DA was logged on to in the first place. So essentially we have to guess, or you can go through the analysis, which is a royal pain. So let's say we make a choice. We decide we're going to pivot to this guy's box next. We find out what systems this new user that we have the ability to impersonate has access to, and we find out that our scope of administrator privileges in the environment is starting to grow, very slowly. Now we need to make another choice. We can either say, all right, well, I have these two other boxes in this first stage that I could pivot to, so do
I want to go there, or do I want to go to one of these new boxes that I have privilege on? Let's say I choose to go to this one on the top right. I see that maybe there's something in his user account property that indicates maybe he has some kind of privilege, like he's a SQL admin, or he's a patch management type admin, something like that, a WSUS admin. Now we pivot to that guy's system, we figure out what admin rights this new user has in the environment, and we find out there's nothing new. We are still where we were,
and so we're going through this kind of credential dance, this kind of credential shuffle, where we have to go to this box, get the password, find out where we have admin rights, and if we fail, like we did just now, we have to go a step back, and it sucks, and you get really upset, and you reset and you make another guess. So this time we guess, let's go to this guy over here, and then we find out what admin rights this new user has. Lo and behold, what should appear but this new user that we just popped has admin rights on the system where the DA was logged on. Awesome. So what does that give us? That
gives us access to the domain admin account, which now gives us access to the entire environment. So this kind of credential shuffle, or what Microsoft refers to as an identity snowball attack: by a show of hands, who has executed an attack path like this? Most of you. Awesome, sweet, I'm glad you're here. So this concept we refer to as derivative local admin. Our coworker Justin Warner termed this phrase after seeing this kind of pattern on our assessments over and over and over and over. The way that Justin describes this is the chaining or linking of administrator rights through compromising other privileged accounts. Makes sense? Good definition, concise. So, put another way, let's say we
have this user Bob. Okay, now Bob has admin rights to this computer called PC1. On PC1 is this user named Mary. Mary has admin rights on this system called PC2. So Bob derives administrator privileges to PC2 through compromising Mary as she is logged on to PC1. Another way that this can happen is through security group delegation in Active Directory. So let's say that Bob is a member of a group called Help Desk. Let's say that Help Desk doesn't have any privileges in the environment; however, Help Desk is also a member of this group called Server Admins, which does have privilege in the environment. That delegation, that right, that privilege rolls downhill as you add groups into
groups. So Bob is a member of that group, that group is a member of that group, that group has admin rights on PC2, Bob has admin rights on PC2. Everybody, that makes sense so far? Awesome. All right, so while the derivative local admin attack is highly effective, and I would say that on almost 100% of our engagements, if we get any kind of privilege, given enough time we can turn that privilege into domain admin or enterprise admin, there are some significant challenges and weaknesses with this approach as well. First of all, this approach is extremely time-consuming and tedious work. Every step of the way you're having to reset and gain your new situational awareness. You need
to find out where this user that I now have access to has privilege. That means that you're going to touch possibly every system in the environment again, which, if you're on a red team assessment or you're trying to evade detection, is Bad News Bears. Don't want to do that. We want to hit every system one time and get all the information that we need. Additionally, the information that you're getting when you're executing this attack path is not comprehensive. So the biggest weakness, I would say, is this right here: you take your report to your client, you say here is this attack path, and that attack path you really couldn't understand or identify until it
was already executed. Additionally, there are probably other attack paths in the environment that unfortunately it's just not really possible to know about without some kind of tool like what we are talking about today. Next, you have limited situational awareness during the entire course of your escalation process. Okay. Finally, you may not have even needed domain admin rights in the first place to meet your objective. If your objective was to get access to a SQL server or a web server, it makes sense to go after a DA because that DA is going to have access to what you need, or they're going to have access to the workstation that has a user on it that
has the access that you need. Cool. So we're going to be talking about graph theory briefly. Go back in time, go back to Computer Science 102. If you don't have a CS background, don't worry, because neither do I, but this is pretty easy to understand. We're also going to be talking about the design of our attack path. Everybody good so far? Lots of nodding heads, cool. So what are the basic elements of a graph? First of all, in a graph you have vertices. Vertices represent an individual element of a represented system. So put another way, let's say that we are building a GPS program, right? Google Maps, fun fact, uses graphs for
navigation purposes. Let's say Seattle, Washington is a vertex. Portland, Oregon may also be a vertex. Walla Walla, Washington could be a vertex. Las Vegas could be a vertex. Next we have edges. Edges generically represent a relationship that connects these vertices. If Seattle, Washington is a vertex and Portland, Oregon is a vertex, Interstate 5 is the edge that connects those two vertices. Finally we have paths. Paths are a collection of vertices and edges that connect otherwise disparate or disconnected nodes. So there is not a highway that directly connects Las Vegas to Seattle, Washington, but there is a collection of interstate highways, state highways and towns that you can go through that will get you from point A to point B. Awesome.
Put in a visual context, we have two vertexes, or two vertices, in this graph. We have vertex 1 and vertex 2. There is also an edge that connects vertex 1 to vertex 2. It is a directed edge, so it is one way only. You cannot go from vertex 2 to vertex 1, against the direction of this edge; you can go from vertex 1 to vertex 2. On this slide let's talk a little bit about paths. As you can see, and this is fairly simple to look at and understand, from vertex 1 to vertex 4 there is pretty obviously a path. Okay, from vertex 3 to vertex 4, is there a path? There's not,
because these edges are one way. Make sense? Cool. So we have a tool that we are going to be demoing called BloodHound. The design for the BloodHound graph is as follows. The vertices in the BloodHound graph represent the basic objects in Active Directory: every user, group, computer and domain is a vertex. The edges represent the relationships between these different vertices, which I'll talk about in more depth on the next slide. Finally, the paths. The paths are the most critical part of BloodHound. The paths always point towards escalating rights, or always towards compromising a system, or compromising a user, or a user who's a member of a specified group.
So let's take a look at this visually. Like I said, every vertex is an Active Directory object, so we have two users on this graph: we have Bob and Mary. We have two groups, IT Admins and Domain Admins, and we have a computer called Server1. Next we determine the group memberships. So we see that Bob is a member of the group called IT Admins; we see that Mary is a member of the group called Domain Admins. Next we determine privilege. We determine what groups and what users have administrator privileges to what objects. So this group called IT Admins has admin rights to this computer called Server1. Finally we determine who is logged on where, and we find that Mary is logged
on to this computer, so this computer has a session called Mary. Can you see the path from Bob to Domain Admins? Awesome. So let's put this really simply. First of all, all the information that we're talking about here, you do not need privilege to gather in Active Directory, thanks to WinNT providers and API calls. Will is going to go into a little more depth on that. So we need three pieces of information. We need to know what users are logged on to what machines; again, you can find that without privilege. Secondly, we need to find out who has admin rights where, which you don't need privilege to do. And finally, we need to find out what
users belong to what groups and what groups belong to what groups. This is all we need; this is all the information we need to build our graph. I'm going to pass it over to Will. Cool. All right, so I'm going to go over some stealthy data collection with PowerView. Did anyone read the Pastebin dump from Phineas Fisher, from the Hacking Team stuff? We obviously do not condone in any way using our tools for illicit purposes, but, you know, thanks, Phineas, for the publicity, I suppose, for calling out PowerView. It was a little bit of a surprise seeing all that in there. So what is
PowerView? PowerView is a pure PowerShell 2.0 compliant Windows domain and situational awareness tool. It kind of came about from starting to do these more advanced red team engagements and starting to do the precursor to these types of path hopping manually, when I first started about two and a half years ago. I took a lot of this tradecraft and began to automate it using PowerShell, which our favorite term for is Microsoft's post-exploitation language. So the entire project is one single file, self-contained. You don't have to install any additional modules, you don't have to drop
anything to disk. We like to run PowerView very frequently through Cobalt Strike's Beacon. It's also pretty much completely implemented into the PowerShell Empire project, which I spoke on in this room last year. Go back real quick. PowerView will collect all the data that BloodHound needs to build its attack graphs, and also has some really nice export functions and transformation functions built specifically for BloodHound, which I'll go over. And again, if you have elevated rights in a domain, meaning domain admin or server admin, you can get much more information, but you can get a huge amount of this information even if you are a basic unprivileged domain user. So
I'm going to go through the three different areas of information that Andy said were required for this attack graph design and show you how PowerView collects that data under the hood. So the first thing is who's logged in where. We term this user hunting. The main function for this in PowerView is Invoke-UserHunter. It was one of the first ones that we ran. There's a tool, netview.exe, written by Rob Fuller, that did something kind of similar at a more basic level in a compiled C++ binary. We kind of took that, expanded upon it and ran with it, made it a much more flexible solution. So Invoke-UserHunter will use two PowerView functions under the hood:
it uses Get-NetSession and Get-NetLoggedon, and Get-LoggedOnLocal. Get-NetSession uses the NetSessionEnum Windows API under the hood, and it does some really nice, fancy trickery in PowerShell to access that without dropping any files to disk. Get-NetLoggedon uses NetWkstaUserEnum, and the logged-on-local one is a new addition that uses Remote Registry if it's enabled. You can run these and get this information back without needing administrative rights on the remote system you're querying. There's also a stealth option. What this will do is it enumerates all the users in the entire domain and it pulls out all
the file paths, profile paths and those particular types of Active Directory properties which might indicate a file server being used. So it gets a set of likely highly trafficked servers that most users touch, and then it just runs a Get-NetSession against each one, and you can map back what users are logged on where, again with no elevated privileges. All right, now, who can admin what. We have the first piece on who's located where; now we need to know how to take those pieces and say who can actually triage this access. So this is one of the craziest things to me. I found this about two and a half years ago. I think there wasn't a
huge amount of information about it publicly, but we can enumerate the members of a local group on a remote system without needing administrative privileges on that system. I've no idea why this is allowed. We're super happy it's allowed, because otherwise this tool might not exist, but it kind of blows my mind. There's two ways to do this. Go back real quick. The first is using something called the WinNT service provider, which is a backwards compatibility type artifact in Windows; this was a remnant of Windows NT domain deployments. Or the NetLocalGroupGetMembers Windows API call. With both of these you can just point them to a remote server and it'll just spit
back not just the users that are part of the local Administrators group, or any other local group you would like, like Remote Desktop Users; you can also get the SID, last logon time, password last change and a huge amount of information that an unprivileged user has no right enumerating from these remote systems, but we're allowed to. In PowerView, if you want to execute this, you can do Get-NetLocalGroup, one of the most common functions that we'll run. You can just do a computer name, an IP, a NetBIOS name, and if you would like to use the API method instead of the WinNT approach, which is the default, you
can pass the optional -API flag. This is a bit of a new addition. A few months ago I did a little bit of work with Sean Metcalf and we realized that you can actually correlate Group Policy Object information to determine the same type of data. So GPOs, Group Policy Objects, are just collections of settings that are applied to particular machines. One of these settings is who is the member of the local Administrators group on the machine. It makes sense; it lets you do really easy mass management of this type of data in an enterprise. So if we correlate this data, and do a little bit of tricking of the back
end (and if you're interested in this, talk to me in the hallway, I love this stuff), then just through querying information on a domain controller, so we're not touching every single system like we did with the previous approach, we're only talking to a domain controller, we're pulling Group Policy Object information back, we're linking that with where those policies apply for sites and OUs, and we can get a really nice mapping of who can administer what machines with just communication to a domain controller, which is super normal. I can't imagine a way this would be detected. Maybe there's some vendor that can detect anomalous LDAP queries, but I haven't seen it yet. And it's much
faster, but you don't get quite as much information; it's not quite as accurate. So the PowerView cmdlet that does this is Find-GPOLocation. You can provide a username or group name if you want to figure out what a specific person can administer in the domain. By default it'll just dump all this data out. Pretty sweet. The last part is who's in what groups. This is the simplest one of all. We want to enumerate all the groups, just pull the group names through LDAP and then pull out the membership for each, and in PowerView we can do this super easily: Get-NetGroup, pipe it to Get-NetGroupMember. If you're not familiar with
your PowerShell, this is the pipeline; it passes fully serialized objects between different cmdlets or functions that you're running. So a lot of times by hand we might do Get-NetGroup with wildcards to say, okay, what groups have 'admin' in them, and then let me enumerate all those users, and things like that. If you do this by default it'll just dump out all the nested group relationships in the entire domain, and that's it. Pretty simple, the least crazy of all of them. So PowerView has existed for a couple of years. Again, we've been doing a lot of these approaches manually. BloodHound is going to include a slightly customized
version of PowerView that has a couple of extra functions in it. It's what we call the BloodHound ingestor. So there are three cmdlets, three functions, that are built into the BloodHound version. There's Get-BloodHoundData, and this will automate enumerating every machine in the domain, either by default touching every machine and gathering this information for completeness, or there are also the stealth options: just hit DCs, just do sessions; there's tons of flexibility with how to run it. The second one is Export-BloodHoundData, which will take all these objects that return from Get-BloodHoundData, it'll JSONify them up and build the custom Cypher queries that
are used by the backend solution for BloodHound, and it stuffs them into a REST API for ingestion. So the key here is we can do all this without touching disk if we want to, and we have the ability to send our traffic back to the analysis server that we control. We also have the option to just export all this stuff to a custom CSV schema that we developed, so if you can't, or if you don't have the bandwidth through an agent, to actually send all this data back and don't want to wait, you can export it to a CSV, exfil that CSV somehow, and BloodHound will accept CSV ingestion as well. Awesome. Okay, we're almost ready to
show it to you, but we've got a couple of other housekeeping items to share with you. So BloodHound is the name of the product. A couple of facts about BloodHound; let's go to the next slide. The first item on here is that BloodHound is a web application that is built with Linkurious.js. Linkurious enabled us to quickly prototype and get the thing into a state where it was actually usable without becoming experts in D3 or Sigma, which are the most widely used graph drawing libraries for JavaScript. Next, we stuff everything into an Electron binary, so it is platform independent. It
doesn't require a web server to use; we're trying to make it as operationally friendly to use as possible. Next, it uses Neo4j as its graph database. We decided to go with Neo4j, and we also decided to go with Linkurious, because they offered free and open source solutions that we could use to keep our tool free and open source. Finally, the information to go into the database is fed right now exclusively by the PowerShell ingestor that Will was just talking about. All right, so I believe we have a video showing a demonstration of how easy it is to use this operationally for collecting
information once you have your initial access into Active Directory. There, I got it. You want to talk through this, Will? Sure. Okay, so in this case we're just showing it from a Windows system. You could do this over a remote RAT if you would like. We imported the PowerShell script straight off the disk, but we could also do this into memory if that's what we'd like to do. This is a slightly older version, so the syntax has changed a bit, we apologize, but we're going to have a ton of documentation, a wiki and stuff, that shows exactly how to use it in the current state. So we're going
to run Get-BloodHoundData. I know the text is a bit small, but it's just Get-BloodHoundData and passing the URI for the REST API ingestion endpoint. What's really nice with Neo4j is we also have a batch ingestion endpoint, so you're not having to do a call every single time; you can batch up, like, a thousand queries at once and just stuff it into the backend database. Through here we're doing -Verbose to show kind of the backend debugging messages. It's doing the enumeration of all the sessions, all the computers, and you can kind of see the little pieces there. Yeah, so this is a very small little lab with seven
systems, and you can see that the collection finished in about 7 seconds. We did this on an op where our client had 200,000 workstations and servers; it took approximately 24 hours to collect the information needed to populate the graph database. Rohan is now going to show you the front end. So once you've actually populated the database with the info you need, which again you can do with the PowerShell ingestor, now you're interfacing with the data through the BloodHound interface, which Rohan will show right now. All right, so we do have all this prepackaged in an Electron container right now. Fun little story: about two weeks before this conference my coworker here told me
not to rewrite it into Electron, and I completely ignored him and did it anyway. So in general I try to give the advice that if you have a working product or PoC, maybe you might not want to do a ground-up, from-scratch rewrite a week and a half before Vegas, but I'm happy with the end result and I'm happy he did it. He put a huge amount of time into it. Yeah, he's also not my supervisor, so. All right, so on the back end here we actually have a Neo4j database running. This is actually data from a lab environment that Will very generously put together for us. This is all semi-procedurally
generated, randomized data. This sample database is going to be distributed with the code on Saturday when it's released, so you guys will have a sample data set to play around with the tool. So when you initially start up the BloodHound application, the first view you're presented with is any group that has the words 'domain admins' in the name, as well as what users are part of that group or what groups are part of those groups. This is oftentimes one of the first things we try to enumerate, and we look at this data a lot, so it's really great to have this easily visible. So we're going to start by
showing off some of the autocomplete here. Anything that is in the database, whether it's a computer, a user or a group, you can autocomplete using the search bar here. So just to give you guys a user we're going to start with, we'll take this dude here, whose name is a little weird. If you click on any user, you're presented with a good bit of information over on the side here. One of the first things you get is first-degree group membership; this is what groups the user is part of directly. You can also query unrolled group membership. We're going to change the layout here so it's a little bit nicer.
You can see what groups this user is part of by going through other groups. Yeah, so what I would add to this is that what we were looking at before, where you just see the first-degree group memberships, that's what you would see if you did net user <username> /domain. Those are the only results that you would see, so that's this first degree of separation, those first-degree group memberships, and then you can see what effective group memberships this user gains through delegated groups. Now you can see that this user is a member of a group that's nested in like five other groups, and on assessment that's the kind of thing that's actually pretty
difficult to enumerate in a meaningful fashion it's a lot of data that you have to keep track of uh where this user a member of the first deegree local admin which is direct admin to a computer if you do a net local group administrator on a computer their name would show up this would show up here the next thing you can look at is group delegated local admin rights so this is where the user has local admin because of his group membership so you can see that this me this user is a member of the domain admin group which is going to give him access to a lot of other things now in interest of performance we actually do
fold nodes into each other so you'll see that there's an 87 next to this one there's actually 87 computers hidden in this graph that you can't see but you can expand that data if you would like is that which where we'll get to okay all right the next thing we can calculate and this is the really cool stuff that we really wrote Blood Hound for is derivative local admin rights now derivative local admin rights will show you where a user has local admin to due to any form of path it can whether it's through a group or if it's grabbing a user from another system where that user is already logged in so just as an
example, this user is a member of the Domain Admins group, which gives him local admin to laptop 5. Laptop 5 has the user G shul at internal.local logged in, and due to the fact that we can recover the credentials or steal the token of the logged-in user, we can now impersonate G and use that to move further throughout the domain or into a different domain. Yep. Now, were this user logged in anywhere, you'd be able to query the sessions.

One of the things that is obvious here is that these graphs get out of hand pretty quickly, provided the domain is large enough, so we added a very handy feature for you to be able to search through these graphs. So in this graph here we're going to look for a group called Research, and when you click on this it'll zoom in on the graph and show you where that group is. Clicking on a group will give you a lot of extra information on the group as well: you can query who the direct members of that group are, and you can query who the unrolled members of that group are. Once again, this query usually takes quite a bit of time to run if you're trying to recurse through groups, so having it all easily accessible in this fashion makes it a lot easier to work with. You can also see where this group is a direct admin to. Because these are all edge nodes, they've all been collapsed into here; we can right-click on a node and hit expand, and you'll get all these nodes very easily visible for you. A group can also have derivative local admin rights, the same as a user, so when we click on this you'll see that through all the different sessions and admins and admin rights we can go further and further down through our domain.

On this graph here we have another node, SQL 2. SQL 2 is a computer; computers also have their own set of data that's associated with them. You can see who's the direct admin to this system, and you can see who the unrolled admins are: despite the fact that there are only six explicit admins to the system, once you unroll group membership and members of those groups you get 51 administrators. These are the kind of things that clients often don't know about, just because as a domain continues to expand, groups become nested and people forget what group does what. It is possible for a computer to be part of a group; this particular computer is not, nor is this computer in the local admin group of any computer, which we talked about as a very stealthy and interesting persistence mechanism. However, you can still calculate derivative local admin rights from a computer. It'll use the exact same methods, through sessions, group membership and admin rights, to go further and further throughout the network. It is also possible for you to enumerate the sessions that are on a computer, same as just about any of the other things in PowerView. However, we're going to look at this one here, and you can see the attack paths get increasingly longer as you get more and more privileges.

Finally, we're going to go on to one of the most useful features of BloodHound, which is pathfinding. By clicking on this button here you can ask BloodHound to generate you a path from any node to any other node, provided the path exists. So just to give you guys
an example, as a user here we will go for our favorite group ever, which is Domain Admins. So as soon as you do this, BloodHound will query the database and try to find any path that exists between these two nodes. Now this is a particularly interesting one for us: the user Jade ruin, which is where we started, is a member of the external.local domain. As you move through this chain you'll see that he's a member of a group which gives him admin to a system which has a session for another user who's actually a member of a group in another domain. So we've now gone from the external.local domain to the internal.local domain. Jumping domain trust hops has always been a very interesting task that can be quite tedious; BloodHound has absolutely no issues finding the paths across domains just through the data it already has. Following this path, you'll get a nested group membership here which will give you admin to another system, which gives you the context of another user, which takes you finally to your target group.

Yeah, so what I would say is, as an operator, when you're looking at this graph, BloodHound is telling you exactly what you need to do to become a domain admin. So I need to start as this user on the left, I need to pivot to this computer here where I need to steal this user's credential, and then I can either take this path or that path, pop one of the three computers that are one degree away from Domain Admins, steal a user password, and then, because those users are part of the Domain Admins group, I've arrived at domain admin.

Just to show you guys another, more complicated path, we'll take another user, Jay nickel. Now Jay nickel is a member of a group here which is a member of another group, and this group has admin rights to several other systems. Now you can pick any of these systems and the attack path will still be valid: different users are logged onto these systems, and each of these paths takes you through a different group but still ends up on the same system, which is desktop 11. Desktop 11 will give you the session for another user, and you can follow this chain all the way through more nested groups or through another computer, and your eventual result is the Domain Admins group.

Now another thing that we've been working on a lot is pre-built analytics queries. One of the things we like to do is find shortest paths to DA. This is a fantastic capability you can show to a client. When you click this button you'll get a list of every group with "domain admins"; I can click on one of these and get a graph that's going to absolutely blow up my screen. So any of these external points here have valid paths to the Domain Admins@internal.local group. This is the kind of thing you can show a client and say, this is how many different paths I could have taken to get to the Domain Admins group. This is a far more comprehensive solution than finding a single path and showing it to a client.

Yeah, imagine the difference between delivering a report to your client saying this is the one attack path that we identified and executed and it took us three weeks to find, versus spending a day ingesting data and being able to
tell them these are all of the possible attack paths that existed in your environment during this period. We can identify hot spots in this graph, and we can do analysis saying these are the reasons why these attack paths exist, and give them very fine-grained recommendations on what changes they need to make, whether it's user behavior or privilege that exists in the domain, to eliminate most or eventually all of these attack paths.

We do have a few other built-in analytics queries here: users with most sessions, computers with most sessions. These help you identify users who are logging in the most or computers that are being logged into the most. We also do have the ability to map all the domain trusts in your domain; this is all queried as part of Get-BloodHoundData. I was talking about deliverables for clients: you can export a graph to either JSON or an image. The image will be something great you can throw in your out-brief, or you can give them JSON if they want to look at the raw data themselves. Now we do actually have the ability... the Get-BloodHoundData function will export to CSV, and you can do all that CSV ingestion directly through the BloodHound user interface. This is great if you want to take all the data offline, or if you can't get a link from the client network back out to your database; you can just ingest it through here and it's functionally exactly the same. Cool, that's our demo; we're going to plug back into the deck. [Applause]

Awesome. So DEF CON on Saturday, 1 p.m., track 1 is when we will be making BloodHound free and open source. We have a couple of things in need of quick tweaks; we're not quite ready to release it right now. At that time, go to bit.ly/GetBloodHound; that'll redirect you to the GitHub repository where you can download BloodHound. We're going to have a wiki that will show you usage, we'll have the example database, we'll have the source, and we'll also have pre-compiled binaries for you, or we'll have instructions on how you can build from source if you would like to do so. That's it. Thank you very much. On Twitter you can find me at @_wald0, with a zero at the end; Rohan, you can find him at @CptJesus; Will Schroeder, you can find him at @harmj0y. Thank you very
much. I think we have time for questions. Yeah, we have 15 minutes for questions. Anybody have a question? Yes.

Are there any tools commercially available for clients to do this type of analysis?

The question was, are there any commercial tools available already for clients to do this kind of analysis. The answer to that is yes and no. Yes, in that Microsoft actually built something very, very similar to this in 2009, which they called Heat-ray. There is research done by Alice Zheng and John Dunagan at the Microsoft Security Research Center; they built something called Heat-ray that, like I said, operated on identity snowball attacks. However, it was never made public, and I don't know why. There may be other commercial solutions; if there are, I don't know about them. And there's a really cool white paper on the Heat-ray approach that was released; if you just search "Microsoft Heat-ray"... Yeah, that blog post, "attackers think in graphs, defenders think in lists": go to that blog post, at the very bottom go to the resources, and you can find a direct link to the PDF, which is that white paper of that research. I highly recommend reading it. Also, we have something for people who ask questions, so whoever asked this question...
There was a question in the back. Yeah. Oh yeah, we also have stickers if you would like a cool sticker to put on your laptop.

So first, congratulations for the great tool. Thank you. And great talk. Thank you. In terms of the queries, is it possible to import and export them, the queries? Exactly. So let's say that I have a type of a path that I want to export, yes, and use at another time. Yes, you can. So Rohan showed the attack paths going from one user to the Domain Admins, and I believe your question is if you can export that graph so you can use it in a different tool? No, no, let's say that if I can follow certain types of a node to reach something, if it is possible for me to export that logic. So let's say if I can find this type of group and then the other one, I will reach DA; so if I can export that type of query and then use the database. Yes, so the query language that we're using in BloodHound is the Neo4j query language, which is called Cypher. We are sharing what those queries are. If that doesn't quite answer your question, maybe we can talk offline about it. Okay, thank
you. Two questions. The first one: do you have a path of least resistance, so you can show the easiest path? And the second question is, how about updating? So you had the big line where it took 24 hours; you want to do it later, how does that work?

All right, so his first question was... remind me your first question, I'm sorry. Path of least resistance. Okay, path of least resistance. So by default BloodHound is running a query in Cypher called allShortestPaths. This is going to typically run Dijkstra's algorithm to identify the shortest path from one node to the other. What we are planning to implement, which we do not have right now, is something called conditional pathfinding. So say, for example, I don't necessarily want the shortest path, but I want a path that meets certain criteria, based on maybe scope or rules of engagement. Or let's say, for example, that I don't want to touch any Windows 2012 systems: so show me a path from this node to the other and don't include any Windows 2012 systems. Or I can say I explicitly want to include a certain system in that attack path.

Your second question was updating. I'm going to let Rohan answer that, or, I'm sorry: updating the interface is very simple; through Electron it's going to be similar to Chrome, you close it, you open it. But that wasn't your question; your question was updating the information in the database, right? Okay, so that brings in the difference between what is kind of static information and what's dynamic in Active Directory. Privilege and group membership information is going to be relatively static; it's not going to change all that much day to day. User logon information is going to be much more dynamic. So you can add information to the database, and currently it will not clobber information that's already in there, so you're going to be adding more user session information every time you do this. Something that we want to add is temporal information to these edges. So say, for example, on August 9th I did a collection and I knew this user was logged on here, but then by the time August 12th rolls around that session may not be available. So something we are planning on implementing is, again with conditional pathfinding, show me a path that doesn't rely on a relationship that is outdated, which I can define myself: so show me a path that is likely to still be valid by showing me something that is from today or something that is from yesterday. What that will also do is it'll equip incident handlers or forensic staff to, you know, look at a system that may have been compromised and say, you know, this compromise happened on March 21st; I want to go into my BloodHound data and I want to say, show me what this database looked like on March 21st, and show me not only the system that was compromised, show me all of the possible other systems that the attacker could have possibly spread to, so that I can increase and hone in on my forensic scope.

Just to add a small little thing to that: we've actually used this tool on a few assessments at this point, and in most cases if a user is logged into the box or has a session, they're usually going to be logging back into that box again. Users and other things in the domain tend to keep reusing the same Active Directory objects, so from our experience the session data, despite the fact that it can be outdated, has never actually yielded a path that was not valid even a day, maybe two or three, later. So, any other questions? If you want to chat with us, we'll be out in the main room for a little bit. Yeah, we've also got little cool stickers if you would like one; come up here and grab one. Again, thank you very much.
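Added example, not part of the talk and not BloodHound's own code: a toy Python model of the graph demonstrated above (users, groups and computers joined by MemberOf, AdminTo and HasSession edges) that computes unrolled group membership, derivative local admin rights, and an unweighted shortest path to a Domain Admins group the way the demo's pathfinding does. All node names and edges are constructed, and the "@" convention for user and group names is an assumption of this example.

```python
from collections import deque
# Constructed sample graph, not real data: (source, edge type, target). Users/groups are name@domain, computers are FQDNs.
EDGES = [
    ("jdoe@external.local", "MemberOf", "HELPDESK@external.local"),
    ("HELPDESK@external.local", "MemberOf", "WKS_ADMINS@external.local"),
    ("WKS_ADMINS@external.local", "AdminTo", "LAPTOP5.external.local"),
    ("LAPTOP5.external.local", "HasSession", "svc_backup@internal.local"),
    ("svc_backup@internal.local", "MemberOf", "SERVER_OPS@internal.local"),
    ("SERVER_OPS@internal.local", "AdminTo", "SQL2.internal.local"),
    ("SQL2.internal.local", "HasSession", "adm1@internal.local"),
    ("adm1@internal.local", "MemberOf", "DOMAIN ADMINS@internal.local"),
    ("DOMAIN ADMINS@internal.local", "AdminTo", "DC1.internal.local"),
]

def build_graph(edges):
    g = {}  # adjacency list: node -> [(edge type, target)]
    for src, kind, dst in edges:
        g.setdefault(src, []).append((kind, dst))
        g.setdefault(dst, [])  # targets with no outgoing edges are nodes too
    return g

def reachable(g, node, kinds):
    """Nodes reached from `node` by following only edges of the given types."""
    seen, stack = set(), [node]
    while stack:
        for kind, dst in g[stack.pop()]:
            if kind in kinds and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def unrolled_groups(g, node):  # effective membership; 'net user' shows only first degree
    return reachable(g, node, {"MemberOf"})

def derivative_admin(g, node):
    """Computers (no '@') reached by any chain of group, admin and session hops."""
    return {n for n in reachable(g, node, {"MemberOf", "AdminTo", "HasSession"}) if "@" not in n}

def shortest_path(g, start, target):
    """BFS over all edge types; returns [(source, edge, target), ...] or None."""
    prev, queue = {start: None}, deque([start])
    while queue and target not in prev:
        n = queue.popleft()
        for kind, dst in g[n]:
            if dst not in prev:
                prev[dst] = (n, kind)
                queue.append(dst)
    if target not in prev:
        return None
    hops, n = [], target
    while prev[n] is not None:
        src, kind = prev[n]
        hops.append((src, kind, n))
        n = src
    return hops[::-1]
```

For the constructed data, `shortest_path` from jdoe to Domain Admins returns the eight-hop chain that crosses from external.local into internal.local through a session on LAPTOP5, the same shape as the cross-domain path shown in the demo.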