Slide 1

Extending BloodHound for Red Teamers
Tom Porter (@porterhau5)

Slide 2

Tom Porter
@porterhau5, porterhau5.com
Sr. Security Consultant, FusionX
• Flow data analytics
• Penetration testing
• Red teaming
• Password analysis & wordlist generation

Slide 3

Extending BloodHound
• Tracking Compromised Nodes
• Visualize Deltas in Privilege Gains
• Automating via Neo4j REST API
• Adding Properties and Relationships
• Custom Queries
• UI Enhancements
https://github.com/porterhau5/BloodHound-Owned
https://github.com/porterhau5/BloodHound (forked)

Slide 4

BloodHound
• Released at DEF CON 24
− Andy Robbins (@_wald0)
− Rohan Vazarkar (@CptJesus)
− Will Schroeder (@harmj0y)
• Attack graphs for Active Directory
https://github.com/BloodHoundAD/BloodHound

Slide 5

BloodHound Stack
(diagram: the BloodHound UI queries the Neo4j database over the Bolt protocol)

Slide 6

Data Collection
SharpHound.ps1 / SharpHound.exe
• Originally leveraged PowerView (PowerShell)
• Rewritten in C#: https://github.com/BloodHoundAD/SharpHound

Slide 7

Neo4j: A Graph Database
Property Graph Model
− Nodes
− Relationships
− Labels
− Relationship types
− Properties
− Paths
Example graph (from the slide's diagram):
(:Person {Name:'Tyrion'})-[:MemberOf]->(:House {Name:'Lannister'})-[:HasItem]->(:Sword {Name:"Widow's Wail"})<-[:ReforgedInto]-(:Sword {Name:'Ice'})  (*rip Ned)

Slide 8

Nodes, Labels, and Properties
Labels (shown with app icons): Domain, User, Group, Computer
• Domain: name: 'INTERNAL.LOCAL'
• User: name: '[email protected]'
• Group: name: 'DOMAIN [email protected]'
• Computer: name: 'MGMT3.INTERNAL.LOCAL'

Slide 9

Relationships and Relationship Types
• MemberOf
• AdminTo
• HasSession
• TrustedBy
More added in 1.3, The ACL Attack Path Update: https://wald0.com/?p=112

Slide 10

A Path for Escalation
(diagram: JDOE, APPDEV, BSMITH, SRVADM, HELPDESK, FILESRV01, BSMITH-DA and DOMAIN ADMINS, chained by MemberOf, AdminTo and HasSession edges from JDOE to DOMAIN ADMINS)

Slide 11

(annotated UI screenshot: Search, Container, Raw Query, Zoom, Menu, Graph)

Slide 12

Node Info Tab

Slide 13

Pathfinding

Slide 14

BPT: Query Debug Mode
Learn Cypher as you go! (Query Debug Mode shows the raw Cypher the UI runs for each action.)

Slide 15

Understanding Cypher Syntax
https://neo4j.com/developer/cypher-query-language/

Slide 16

Your First Cypher Query

Slide 17

Only MATCH a Label

Slide 18

Return the 'name' Property

Slide 19

WHERE Clause

Slide 20

Find Direct Local Admin Access for a User

Slide 21

Find Derivative Local Admin Access (3 hops)

Slide 22

Same Query in BloodHound

Slide 23

(image only)

Slide 24

Extensions
• Owned / Wave
• Password Reuse via SharesPasswordWith
• Blacklisting Nodes & Relationships
• Integrating Network Connections

Slide 25

(image only)

Slide 26

All Hope Isn't Lost
Password Reuse
• Same password between accounts
• Shared local administrator password
(diagram: Bob and Bob-adm; SRV1 and SRV2)
Kerberoasting
• Abuse Kerberos SPNs linked to domain accounts
• Escalate from low-privileged user to service account
Share Plundering
• Notes.txt
• Configuration files

Slide 27

An Example Engagement
1. LLMNR/NBNS MiTM: capture and crack NTLMv2 hashes
− 3 accounts obtained
2. Password spray: Fall2017
− 4 more accounts obtained
3. Password reuse: user account and admin account
− 1 more account obtained (admin)
− 1 computer obtained
4. Secretsdump: dump local account hashes from host
− 3 more accounts obtained (local)
5. Pass-the-Hash: local administrator hash against other hosts
− 34 more computers obtained

Slide 28

Let's Use BloodHound to Answer a Question
When a new set of nodes is owned by some method, what other nodes can we now collaterally reach? ("Wave")

Slide 29

'Owned' and 'Wave' Properties
'owned'
− Method used to compromise the node:
• LLMNR wpad
• Password spray
• Mimikatz
• Found on SMB share
• Phished
'wave'
− Number representing the order in which the node was compromised: 1, 2, 3, etc.

Slide 30

SET Properties
1. LLMNR/NBNS poisoning for WPAD: [email protected], [email protected]

Slide 31

Node Info Addition

Slide 32

Collateral Spread

Slide 33

Collateral Spread – Raw Query

Slide 34

Add Nodes to 1st Wave

Slide 35

2nd Set of Owned Nodes
2. Password spray (Fall2017): [email protected], [email protected]

Slide 36

Collateral Spread for 2nd Wave

Slide 37

Hiding Nodes from Previous Waves

Slide 38

SET 'wave' for Nodes

Slide 39

Delta in Access

Slide 40

Automation
bh-owned.rb: Ruby script that interacts with the Neo4j REST API

Slide 41

Add wave (-a)
3. SMB share plundering: [email protected], [email protected]
What -a does:
1. Create a Cypher query to SET the properties
2. Create a Cypher query for the wave of compromise
3. Wrap it in JSON
4. POST to the RESTful endpoint
5. Parse the API response, display to the user
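
The five steps of Add wave (-a) above, carried through as an added Ruby example. This is not bh-owned.rb or any code from the deck: the Cypher text, the account and computer names, the sample API response, the Neo4j 3.x transactional endpoint path (/db/data/transaction/commit) and the basic-auth credentials are all assumptions made for this example.

```ruby
# Added example, not bh-owned.rb: build and post one wave of compromise to
# Neo4j's transactional REST endpoint, then read the answer back.
# Assumptions: Neo4j 3.x endpoint path, basic auth, constructed node names.
require 'json'
require 'net/http'
require 'uri'

# Edge types followed when expanding access. A fixed list, because Cypher
# cannot take relationship types from a parameter.
EDGE_TYPES = %w[MemberOf AdminTo HasSession].freeze

def check_wave(wave)
  raise ArgumentError, 'wave must be a positive integer' unless wave.is_a?(Integer) && wave.positive?
end

# Step 1: tag the newly compromised nodes. Names travel as a parameter, never
# spliced into the query text, so a hostile hostname or sAMAccountName cannot
# change the Cypher that runs against the graph.
def set_owned_statement(names, method, wave)
  check_wave(wave)
  {
    statement: 'MATCH (n) WHERE n.name IN $names SET n.owned = $method, n.wave = $wave RETURN n.name',
    parameters: { names: names, method: method, wave: wave }
  }
end

# Step 2: what does this wave reach that nothing owned before it could?
# Nodes without a `wave` property are not yet owned, so the result is the
# delta for this wave rather than the cumulative footprint.
def collateral_spread_statement(wave)
  check_wave(wave)
  {
    statement: 'MATCH (src) WHERE src.wave = $wave ' \
               "MATCH p = shortestPath((src)-[:#{EDGE_TYPES.join('|')}*1..]->(dst)) " \
               'WHERE dst.wave IS NULL RETURN DISTINCT dst.name AS name, labels(dst)[0] AS kind',
    parameters: { wave: wave }
  }
end

# Step 3: the body shape /db/data/transaction/commit expects.
def transaction_payload(*statements)
  JSON.generate({ statements: statements })
end

# Step 4: POST it (not exercised offline). Credentials are an assumption.
def post_transaction(base_url, user, password, payload)
  uri = URI.join(base_url, '/db/data/transaction/commit')
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json', 'Accept' => 'application/json')
  req.basic_auth(user, password)
  req.body = payload
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  parse_transaction_response(res.body)
end

# Step 5: the endpoint answers HTTP 200 even when a statement failed; the
# failure sits in `errors`, so check that before trusting `results`.
# Returns one array of {column => value} rows per statement.
def parse_transaction_response(body)
  doc = JSON.parse(body)
  errors = doc.fetch('errors', [])
  unless errors.empty?
    raise "Neo4j error: #{errors.map { |e| "#{e['code']}: #{e['message']}" }.join('; ')}"
  end
  doc.fetch('results').map do |result|
    columns = result.fetch('columns')
    result.fetch('data').map { |d| columns.zip(d.fetch('row')).to_h }
  end
end

# Constructed response in the endpoint's shape: one result per statement.
SAMPLE_RESPONSE = JSON.generate({
  results: [
    { columns: ['n.name'],
      data: [{ row: ['BSMITH@INTERNAL.LOCAL'] }, { row: ['JDOE@INTERNAL.LOCAL'] }] },
    { columns: %w[name kind],
      data: [{ row: ['FILESRV01.INTERNAL.LOCAL', 'Computer'] }, { row: ['HELPDESK@INTERNAL.LOCAL', 'Group'] }] }
  ],
  errors: []
})

if __FILE__ == $PROGRAM_NAME
  puts transaction_payload(
    set_owned_statement(['BSMITH@INTERNAL.LOCAL', 'JDOE@INTERNAL.LOCAL'], 'LLMNR wpad', 1),
    collateral_spread_statement(1)
  )
  parse_transaction_response(SAMPLE_RESPONSE).each_with_index do |rows, i|
    puts "statement #{i + 1}: #{rows.inspect}"
  end
end
```

Node names sit in the parameter map, not in the Cypher string: hostnames and account names come from the target environment, so splicing them into the query would let a crafted name rewrite the statement that runs against your own graph. The spread query filters on `dst.wave IS NULL`, so re-running it for wave 2 returns only what wave 2 added, which is the delta the Slide 39 view is after.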

Slide 42

Wave 3 in BloodHound

Slide 43

Custom Queries
Mac: ~/Library/Application Support/bloodhound/customqueries.json
Windows: %APPDATA%\bloodhound\customqueries.json (%APPDATA% already expands to ...\AppData\Roaming)

Slide 44

Custom Query Syntax
name: Display name in the BloodHound UI
requireNodeSelect: Require input from the user (a selected node)
query: Cypher query to run
allowCollapse: Allow nodes to be collapsed
props: Parameter values referenced from the query string; passing them separately instead of interpolating them helps performance

Slide 45

Add 4th Wave
4. Mimikatz, local accounts: [email protected], FILESERVER6.INTERNAL.LOCAL

Slide 46

Find all owned Domain Admins

Slide 47

Find Shortest Paths from owned node to DA

Slide 48

Show Wave

Slide 49

Show Wave

Slide 50

Show Delta for Wave

Slide 51

Show Delta for 2nd Wave

Slide 52

Extensions
• Owned / Wave
• Password Reuse via SharesPasswordWith
• Blacklisting Nodes & Relationships
• Integrating Network Connections

Slide 53

Representing Password Reuse
Relationship types: MemberOf, AdminTo, HasSession, TrustedBy, plus the new SharesPasswordWith

Slide 54

A Path for Escalation
(diagram as on Slide 10: JDOE, APPDEV, BSMITH, SRVADM, HELPDESK, FILESRV01, BSMITH-DA, DOMAIN ADMINS; edges MemberOf, AdminTo, HasSession)

Slide 55

SharesPasswordWith: Computers
(same diagram, with SharesPasswordWith edges added between computers)

Slide 56

SharesPasswordWith: Users
(same diagram, with SharesPasswordWith edges added between users)

Slide 57

SharesPasswordWith: Manual Way
Accounts with the same password: [email protected], [email protected]

Slide 58

SharesPasswordWith: Automated (-s)
Computers with the same local admin password

Slide 59

Find Clusters of Password Reuse

Slide 60

Shortest Path to DA using SharesPasswordWith
(diagram: BREYES, BREYES.ADMIN, ZDEVENS, BLOPER, BPICKEREL, DOMAIN ADMINS)
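
How SharesPasswordWith edges can be derived for both cases above, accounts sharing a password (Slide 57) and computers sharing a local admin password (Slide 58), as an added Ruby example. It is not bh-owned.rb or code from the deck: the "name:hash" input format, every account, computer and hash value, and the Cypher text are constructed for this example.

```ruby
# Added example, not bh-owned.rb: derive SharesPasswordWith edges from
# credential material and express them as one parameterised Cypher statement.
# Input format and every name/hash below are constructed for this example.
require 'json'

# NT hash of the empty password. Every blank-password account carries it, so
# it would draw one big cluster that says nothing about reuse.
EMPTY_NT_HASH = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze

# Constructed "node name:NT hash" lines (fake hex, not real credentials).
# Users and computers (local Administrator hash) share one format so the
# same routine serves accounts and computers alike.
SAMPLE_HASHES = <<~LINES
  # domain accounts
  BREYES@INTERNAL.LOCAL:0123456789abcdef0123456789abcdef
  BREYES.ADMIN@INTERNAL.LOCAL:0123456789abcdef0123456789abcdef
  ZDEVENS@INTERNAL.LOCAL:0123456789ABCDEF0123456789ABCDEF
  JDOE@INTERNAL.LOCAL:fedcba9876543210fedcba9876543210
  SVC_TEMP@INTERNAL.LOCAL:31d6cfe0d16ae931b73c59d7e0c089c0
  KIOSK01@INTERNAL.LOCAL:31D6CFE0D16AE931B73C59D7E0C089C0
  # local Administrator hashes per computer
  SRV1.INTERNAL.LOCAL:89abcdef0123456789abcdef01234567
  SRV2.INTERNAL.LOCAL:89abcdef0123456789abcdef01234567
LINES

# Group node names by hash, keeping only hashes held by two or more nodes.
# Hex is case-insensitive; names are upper-cased to match how BloodHound
# stores them.
def reuse_clusters(lines)
  by_hash = Hash.new { |h, k| h[k] = [] }
  lines.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    name, hash = line.split(':', 2)
    next if name.nil? || hash.nil? || hash.strip.empty?
    hash = hash.strip.downcase
    next if hash == EMPTY_NT_HASH
    by_hash[hash] << name.strip.upcase
  end
  by_hash.transform_values(&:uniq).select { |_, names| names.length >= 2 }
end

# Every unordered pair inside each cluster: n nodes give n*(n-1)/2 pairs.
def reuse_pairs(clusters)
  clusters.values.flat_map do |names|
    names.sort.combination(2).map { |a, b| { a: a, b: b } }
  end
end

# One statement for all pairs. The edge is written in both directions so
# path-finding can traverse it either way; MERGE keeps a re-run from
# duplicating edges. Names are parameters, never spliced into the query text.
def shares_password_statement(pairs)
  {
    statement: 'UNWIND $pairs AS pair ' \
               'MATCH (a {name: pair.a}), (b {name: pair.b}) ' \
               'MERGE (a)-[:SharesPasswordWith]->(b) ' \
               'MERGE (b)-[:SharesPasswordWith]->(a) ' \
               'RETURN count(*) AS pairs_linked',
    parameters: { pairs: pairs }
  }
end

if __FILE__ == $PROGRAM_NAME
  clusters = reuse_clusters(SAMPLE_HASHES)
  clusters.each { |hash, names| puts "#{hash}: #{names.join(', ')}" }
  puts JSON.pretty_generate(shares_password_statement(reuse_pairs(clusters)))
end
```

Clustering on the hash rather than the cracked plaintext means uncracked reuse still shows up in the graph. The empty-password hash is dropped deliberately: in a domain with a few blank-password service or kiosk accounts it would otherwise form the largest cluster on the map while telling you nothing about shared credentials.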

Slide 61

Extensions
• Owned / Wave
• Password Reuse via SharesPasswordWith
• Blacklisting Nodes & Relationships
• Integrating Network Connections

Slide 62

Blacklisting
(diagram: JDOE -AdminTo-> APPDEV -HasSession-> BSMITH)

Slide 63

Blacklisting: Computer Offline
(same path; the computer is offline)

Slide 64

Blacklisting: Session Expired
(same path; the session no longer exists)

Slide 65

Blacklisting: User Disabled
(same path; the user account is disabled)

Slide 66

Adding to the Blacklist
• Via the UI tooltip
• Via bh-owned.rb

Slide 67

Blacklist: "Find all Domain Admins"
• Original query
• Modified query: remove paths that contain a node or relationship carrying the "blacklist" property

Slide 68

Viewing the Blacklist

Slide 69

Extensions
• Owned / Wave
• Password Reuse via SharesPasswordWith
• Blacklisting Nodes & Relationships
• Integrating Network Connections

Slide 70

Netstat Connections
Proto  Local Address    Foreign Address    State
TCP    0.0.0.0:445      0.0.0.0:0          LISTENING
TCP    10.1.8.83:445    10.1.2.118:53210   ESTABLISHED
TCP    10.1.8.83:49188  54.91.1.122:443    ESTABLISHED
TCP    10.1.8.83:49230  10.1.17.47:1433    ESTABLISHED
TCP    10.1.8.83:49276  10.1.6.115:22      ESTABLISHED
TCP    10.1.8.83:49295  10.1.72.47:80      ESTABLISHED
TCP    10.1.8.83:49296  52.27.96.23:443    ESTABLISHED
TCP    10.1.8.83:49297  10.1.7.18:135      ESTABLISHED
TCP    10.1.8.83:49298  10.1.7.18:3389     ESTABLISHED

Slide 71

Netstat Connections: Web Apps
Proto  Local Address    Foreign Address    State
TCP    10.1.8.83:49188  54.91.1.122:443    ESTABLISHED
TCP    10.1.8.83:49295  10.1.72.47:80      ESTABLISHED
TCP    10.1.8.83:49296  52.27.96.23:443    ESTABLISHED

Slide 72

Netstat Connections: RDP/SSH
Proto  Local Address    Foreign Address    State
TCP    10.1.8.83:49276  10.1.6.115:22      ESTABLISHED
TCP    10.1.8.83:49298  10.1.7.18:3389     ESTABLISHED

Slide 73

Netstat Connections: Databases
Proto  Local Address    Foreign Address    State
TCP    10.1.8.83:49230  10.1.17.47:1433    ESTABLISHED

Slide 74

No IP Addresses for a Computer
(BloodHound identifies computers by name, so netstat addresses must be mapped to hostnames first)
# cat dns-mappings.txt
10.1.72.27,"R_AND_D_16.EXTERNAL.LOCAL"
10.1.4.67,"R_AND_D_8.EXTERNAL.LOCAL"
10.1.72.12,"DESKTOP35.EXTERNAL.LOCAL"
10.1.72.13,"SQL4.EXTERNAL.LOCAL"
10.1.4.12,"DESKTOP40.INTERNAL.LOCAL"
10.1.4.13,"SYSTEM33.INTERNAL.LOCAL"
...

Slide 75

Netstat to Cypher
TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED
becomes
(s:Computer {name:''})-[:Connected_3389]->(d:Computer {name:''})
with the names filled in from the DNS mapping:
DESKTOP7.INTERNAL.LOCAL -[Connected_3389]-> MANAGEMENT3.INTERNAL.LOCAL

Slide 76

Adding Connections (-c, -d)

Slide 77

Connections over 389/tcp

Slide 78

Connections over 445/tcp

Slide 79

Show Web App Connections (Connected_80)

Slide 80

Cypher Query Using Both Datasets
• "Simple" derivative local admin
• Connected to one or more hosts via RDP

Slide 81

Escalation Paths to RDP Jumpboxes

Slide 82

Escalation Paths to RDP Jumpboxes
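
The netstat-to-Cypher step (Slides 74 to 76) and the combined query of Slide 80, as one added Ruby example. It is not bh-owned.rb or code from the deck: the netstat rows are the ones shown on Slide 70, but the dns-mappings.txt content, the hostnames, the Cypher text and the reading of "simple derivative local admin" as group membership chained to AdminTo are assumptions made here.

```ruby
# Added example, not bh-owned.rb: turn `netstat -an` output plus an
# IP-to-hostname file into Connected_<port> edges between Computer nodes.
# The netstat rows are the ones on Slide 70; the DNS mapping and the
# hostnames are constructed for this example.
require 'json'

SAMPLE_NETSTAT = <<~NETSTAT
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.1.8.83:445          10.1.2.118:53210       ESTABLISHED
  TCP    10.1.8.83:49188        54.91.1.122:443        ESTABLISHED
  TCP    10.1.8.83:49230        10.1.17.47:1433        ESTABLISHED
  TCP    10.1.8.83:49276        10.1.6.115:22          ESTABLISHED
  TCP    10.1.8.83:49295        10.1.72.47:80          ESTABLISHED
  TCP    10.1.8.83:49296        52.27.96.23:443        ESTABLISHED
  TCP    10.1.8.83:49297        10.1.7.18:135          ESTABLISHED
  TCP    10.1.8.83:49298        10.1.7.18:3389         ESTABLISHED
NETSTAT

# Constructed dns-mappings.txt. Addresses absent here (the internet hosts on
# :443, the non-Windows box on :22) have no Computer node and yield no edge.
SAMPLE_DNS = <<~DNS
  10.1.8.83,"DESKTOP7.INTERNAL.LOCAL"
  10.1.7.18,"MANAGEMENT3.INTERNAL.LOCAL"
  10.1.2.118,"DESKTOP12.INTERNAL.LOCAL"
  10.1.17.47,"SQL2.INTERNAL.LOCAL"
  10.1.72.47,"WEB1.INTERNAL.LOCAL"
DNS

# Start of the Windows dynamic (client) port range.
EPHEMERAL_MIN = 49152

def parse_dns_mappings(text)
  text.each_line.each_with_object({}) do |line, map|
    ip, name = line.strip.split(',', 2)
    next if ip.nil? || name.nil?
    map[ip] = name.delete('"').strip.upcase
  end
end

# "ip:port" -> [ip, port] (IPv4 only in this example).
def split_endpoint(endpoint)
  ip, _, port = endpoint.rpartition(':')
  [ip, Integer(port, 10)]
end

# Each ESTABLISHED row becomes client -> server over the server's port. The
# side on a dynamic port initiated, so an inbound row (local :445, remote
# :53210) points at the local host. Rows where both or neither side is on a
# dynamic port are skipped rather than guessed.
def netstat_edges(netstat_text, dns_map)
  edges = []
  netstat_text.each_line do |line|
    f = line.split
    next unless f.length >= 4 && f[0] == 'TCP' && f[3] == 'ESTABLISHED'
    lip, lport = split_endpoint(f[1])
    fip, fport = split_endpoint(f[2])
    if lport >= EPHEMERAL_MIN && fport < EPHEMERAL_MIN
      src, dst, port = lip, fip, fport
    elsif fport >= EPHEMERAL_MIN && lport < EPHEMERAL_MIN
      src, dst, port = fip, lip, lport
    else
      next
    end
    s, d = dns_map[src], dns_map[dst]
    next if s.nil? || d.nil?
    edges << { src: s, dst: d, port: port }
  end
  edges.uniq
end

# One statement per port. Cypher cannot read a relationship type from a
# parameter, so the port is spliced into the type name; it was parsed as an
# integer and is range-checked here, which is what makes that splice safe.
# Node names stay in the parameter map.
def connection_statements(edges)
  edges.group_by { |e| e[:port] }.sort.map do |port, group|
    raise ArgumentError, "bad port #{port.inspect}" unless port.is_a?(Integer) && (1..65535).cover?(port)
    {
      statement: 'UNWIND $edges AS e ' \
                 'MATCH (s:Computer {name: e.src}), (d:Computer {name: e.dst}) ' \
                 "MERGE (s)-[:Connected_#{port}]->(d) RETURN count(*) AS edges",
      parameters: { edges: group.map { |e| { src: e[:src], dst: e[:dst] } } }
    }
  end
end

# Slide 80, as read here: hosts the user administers directly or through
# group membership, and the hosts those machines have RDP connections open to.
def rdp_jumpbox_statement(user)
  {
    statement: 'MATCH (u:User {name: $user})-[:MemberOf*0..]->(g)-[:AdminTo]->(c:Computer) ' \
               'MATCH (c)-[:Connected_3389]->(j:Computer) ' \
               'RETURN DISTINCT c.name AS admin_on, j.name AS rdp_target',
    parameters: { user: user }
  }
end

if __FILE__ == $PROGRAM_NAME
  edges = netstat_edges(SAMPLE_NETSTAT, parse_dns_mappings(SAMPLE_DNS))
  puts JSON.pretty_generate({ statements: connection_statements(edges) })
end
```

Two points a practitioner will want from this: direction is decided by which side holds the dynamic port, so the inbound SMB row on Slide 70 becomes an edge into the host you collected from rather than out of it; and the only value spliced into the Cypher text is a range-checked integer, because relationship types are the one place a parameter cannot be used.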

Slide 83

Future Research
− Incorporating more flow data
− Critical Path to Compromise
− More inclusion of local accounts
− Alternative data collection
− Ideas? Reach out!

Slide 84

References
• BloodHound on Slack: https://bloodhoundgang.herokuapp.com/
• BloodHound project on GitHub: https://github.com/BloodHoundAD/BloodHound
• SharpHound project on GitHub: https://github.com/BloodHoundAD/SharpHound
• Cypher Reference Card: https://neo4j.com/docs/cypher-refcard/current/
• Rohan Vazarkar, Intro to Cypher: https://blog.cptjesus.com/posts/introtocypher
• Andy Robbins, BloodHound 1.3: The ACL Attack Path Update: https://wald0.com/?p=112
• Rohan Vazarkar, BloodHound 1.4: The Object Properties Update: https://blog.cptjesus.com/posts/bloodhoundobjectproperties
• Will Schroeder, Local Group Enumeration: https://www.harmj0y.net/blog/redteaming/local-group-enumeration/
• Tal Be'ery & Marina Simakov, The Enemy Within: Stopping Attacks Against Local Users: https://youtu.be/HE7X7l-k-A4

Slide 85

Thank you!
Twitter/GitHub: @porterhau5
Email: tom [at] porterhau5.com
https://github.com/porterhau5/BloodHound-Owned
https://github.com/porterhau5/BloodHound (forked)