Extending BloodHound for Red Teamers

Tom Porter
October 30, 2017


Transcript

  1. Extending BloodHound for Red Teamers. Tom Porter (@porterhau5)

  2. Tom Porter, @porterhau5, porterhau5.com. Sr. Security Consultant, FusionX
     • Flow data analytics
     • Penetration testing
     • Red teaming
     • Password analysis & wordlist generation
  3. Extending BloodHound
     • Tracking Compromised Nodes
     • Visualize Deltas in Privilege Gains
     • Automating via Neo4j REST API
     • Adding Properties and Relationships
     • Custom Queries
     • UI Enhancements
     https://github.com/porterhau5/BloodHound-Owned
     https://github.com/porterhau5/BloodHound (forked)
  4. BloodHound
     • Released at DEF CON 24 by Andy Robbins (@_wald0), Rohan Vazarkar (@CptJesus) and Will Schroeder (@harmj0y)
     • Attack graphs for Active Directory
     https://github.com/BloodHoundAD/BloodHound
  5. BloodHound Stack (diagram; the UI talks to Neo4j over Bolt)

  6. Data Collection: SharpHound.ps1 / SharpHound.exe. Originally leveraged PowerView (PowerShell); rewritten in C#: https://github.com/BloodHoundAD/SharpHound
  7. Neo4j: A Graph Database. Property Graph Model: nodes, relationships, labels, relationship types, properties, paths.
     Example graph on the slide: nodes Person {name: 'Tyrion'}, House {name: 'Lannister'}, Sword {name: 'Widow's Wail'}, Sword {name: 'Ice'}; relationship types MemberOf, HasItem, ReforgedInto (*rip Ned)
  8. Nodes, Labels, and Properties. App icons per label: Domain (name: 'INTERNAL.LOCAL'), User (name: 'JDOE@INTERNAL.LOCAL'), Group (name: 'DOMAIN ADMINS@INTERNAL.LOCAL'), Computer (name: 'MGMT3.INTERNAL.LOCAL')
  9. Relationships and Relationship Types: MemberOf, AdminTo, HasSession, TrustedBy. More added in 1.3 – The ACL Attack Path Update: https://wald0.com/?p=112
  10. A Path for Escalation (diagram): nodes JDOE, APPDEV, BSMITH, SRVADM, HELPDESK, FILESRV01, BSMITH-DA, DOMAIN ADMINS, linked by AdminTo, HasSession and MemberOf edges
  11. UI tour (screenshot): Search, Container, Raw Query, Zoom, Menu, Graph

  12. Node Info Tab

  13. Pathfinding

  14. BPT: Query Debug Mode. Learn Cypher as you go!

  15. Understanding Cypher Syntax: https://neo4j.com/developer/cypher-query-language/

  16. Your First Cypher Query

  17. Only MATCH a Label

  18. Return the 'name' Property

  19. WHERE Clause

  20. Find Direct Local Admin Access for a User

  21. Find Derivative Local Admin Access (3 hops)

  22. Same Query in BloodHound

  23. (screenshot only)

  24. Extensions
     • Owned / Wave
     • Password Reuse via SharesPasswordWith
     • Blacklisting Nodes & Relationships
     • Integrating Network Connections
  25. (screenshot only)

  26. All Hope Isn't Lost
     • Password Reuse: same password between accounts; shared local administrator password (Bob / Bob-adm, SRV1 / SRV2)
     • Kerberoasting: abuse Kerberos SPNs linked to domain accounts; escalate from low-privileged user to service account
     • Share Plundering: Notes.txt, configuration files
  27. An Example Engagement
     1. LLMNR/NBNS MiTM: capture and crack NTLMv2 hashes (3 accounts obtained)
     2. Password spray: Fall2017 (4 more accounts obtained)
     3. Password reuse: user account and admin account (1 more account obtained (admin); 1 computer obtained)
     4. Secretsdump: dump local account hashes from host (3 more accounts obtained (local))
     5. Pass-the-Hash: local administrator hash against other hosts (34 more computers obtained)
  28. Let's Use BloodHound to Answer a Question: when a new set of nodes is owned by some method, what other nodes can we now collaterally reach? ("Wave")
  29. 'Owned' and 'Wave' Properties
     • 'owned': method used to compromise the node: LLMNR wpad, Password spray, Mimikatz, Found on SMB share, Phished
     • 'wave': number representing the order in which the node was compromised: 1, 2, 3, etc.
  30. SET Properties. 1. LLMNR/NBNS poisoning for WPAD: BLOPER@INTERNAL.LOCAL, JCARNEAL@INTERNAL.LOCAL
  31. Node Info Addition

  32. Collateral Spread

  33. Collateral Spread – Raw Query

  34. Add Nodes to 1st Wave

  35. 2nd Set of Owned Nodes. 2. Password spray (Fall2017): ZDEVENS@INTERNAL.LOCAL, BPICKEREL@INTERNAL.LOCAL

  36. Collateral Spread for 2nd Wave

  37. Hiding Nodes from Previous Waves

  38. SET 'wave' for Nodes

  39. Delta in Access

  40. Automation: bh-owned.rb, a Ruby script that interacts with the Neo4j REST API
  41. Add wave (-a). 3. SMB Share Plundering: SMADDUX@INTERNAL.LOCAL, QBULLIS@EXTERNAL.LOCAL
     1. Create Cypher query to SET properties
     2. Create Cypher query for wave of compromise
     3. Wrap it in JSON
     4. POST to RESTful endpoint
     5. Parse API response, display to user
  42. Wave 3 in BloodHound

  43. Custom Queries. Mac: ~/Library/Application Support/bloodhound/customqueries.json; Windows: %APPDATA%\Roaming\bloodhound\customqueries.json

  44. Custom Query Syntax
     • name: display name in the BloodHound UI
     • requireNodeSelect: require input from the user
     • query: Cypher query to run
     • allowCollapse: allow nodes to be collapsed
     • props: variables used in the "query" statement, helps with performance
  45. Add 4th Wave. 4. Mimikatz, local accounts: BGRIFFIN@EXTERNAL.LOCAL, FILESERVER6.INTERNAL.LOCAL
  46. Find all owned Domain Admins

  47. Find Shortest Paths from owned node to DA

  48. Show Wave

  49. Show Wave

  50. Show Delta for Wave

  51. Show Delta for 2nd Wave
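
The custom query syntax from slide 44 with the owned/wave queries of slides 46 to 51, as an added example (not the author's customqueries.json): Ruby that generates the file and checks that every placeholder has a matching entry in props. The query texts, the {param} placeholder form (Neo4j 3.x; Neo4j 4+ uses $param) and the default group name are assumptions made here.

```ruby
require 'json'

# Added example, not porterhau5's customqueries.json: build the custom query file
# BloodHound 1.x loads (Mac: ~/Library/Application Support/bloodhound/customqueries.json,
# Windows: %APPDATA%\Roaming\bloodhound\customqueries.json). Field names are the
# ones the deck lists; the Cypher and the {param} style are assumptions.
module CustomQueries
  def self.document(da: 'DOMAIN ADMINS@INTERNAL.LOCAL', wave: 1)
    { 'queries' => [
      { 'name' => 'Find all owned Domain Admins',
        'requireNodeSelect' => false,
        # owned users that are (transitively) members of the DA group
        'query' => 'MATCH (n:User)-[r:MemberOf*1..]->(g:Group {name:{da}}) ' \
                   'WHERE n.owned IS NOT NULL RETURN n,r,g',
        'allowCollapse' => true,
        'props' => { 'da' => da } },
      { 'name' => 'Find Shortest Paths from owned node to DA',
        'requireNodeSelect' => false,
        'query' => 'MATCH (n), (g:Group {name:{da}}) WHERE n.owned IS NOT NULL ' \
                   'MATCH p = allShortestPaths((n)-[*1..]->(g)) RETURN p',
        'allowCollapse' => true,
        'props' => { 'da' => da } },
      { 'name' => "Show Wave #{wave}",
        'requireNodeSelect' => false,
        # the wave's nodes plus any edges among them
        'query' => 'MATCH (n {wave:{wave}}) OPTIONAL MATCH (n)-[r]->(m {wave:{wave}}) RETURN n,r,m',
        'allowCollapse' => false,
        'props' => { 'wave' => wave } },
      { 'name' => "Show Delta for Wave #{wave}",
        'requireNodeSelect' => false,
        # paths from this wave's nodes to targets no earlier wave could already reach;
        # OPTIONAL MATCH keeps the query alive for wave 1, where there is no earlier wave
        'query' => 'OPTIONAL MATCH (prev) WHERE prev.wave < {wave} ' \
                   'OPTIONAL MATCH (prev)-[*1..]->(seen) ' \
                   'WITH collect(DISTINCT seen) AS reached ' \
                   'MATCH p = (o {wave:{wave}})-[*1..]->(t) ' \
                   'WHERE NOT t IN reached AND (t.wave IS NULL OR t.wave > {wave}) RETURN p',
        'allowCollapse' => true,
        'props' => { 'wave' => wave } }
    ] }
  end

  # Every {param} in a query must be supplied by props, otherwise Neo4j rejects
  # the statement ("Expected parameter(s)") the first time it is clicked.
  def self.missing_params(doc)
    doc['queries'].flat_map do |q|
      used = q['query'].scan(/\{(\w+)\}/).flatten.uniq
      (used - q.fetch('props', {}).keys).map { |p| "#{q['name']}: #{p}" }
    end
  end

  def self.write(path, **opts)
    doc = document(**opts)
    missing = missing_params(doc)
    raise "unparameterised placeholders: #{missing.join(', ')}" unless missing.empty?
    File.write(File.expand_path(path), JSON.pretty_generate(doc))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Redirect into the customqueries.json path for your platform, then restart BloodHound.
  puts JSON.pretty_generate(CustomQueries.document(wave: 2))
end
```

The delta query collects everything reachable from earlier waves first and filters against that list, which is exact but not cheap; on a large domain cap the hop counts or restrict `prev` to `:User` and `:Computer` labels.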

  52. Extensions
     • Owned / Wave
     • Password Reuse via SharesPasswordWith
     • Blacklisting Nodes & Relationships
     • Integrating Network Connections
  53. Representing Password Reuse: relationship types MemberOf, AdminTo, HasSession, TrustedBy, plus the new SharesPasswordWith
  54. A Path for Escalation (the diagram from slide 10: JDOE, APPDEV, BSMITH, SRVADM, HELPDESK, FILESRV01, BSMITH-DA, DOMAIN ADMINS with AdminTo, HasSession and MemberOf edges)

  55. SharesPasswordWith: Computers (the same diagram, now with SharesPasswordWith edges between computers)

  56. SharesPasswordWith: Users (the same diagram, now with SharesPasswordWith edges between users)
  57. SharesPasswordWith: Manual Way. Accounts with the same password: BREYES@INTERNAL.LOCAL, BREYES.ADMIN@INTERNAL.LOCAL
  58. SharesPasswordWith: Automated (-s). Computers with the same local admin password
  59. Find Clusters of Password Reuse

  60. Shortest Path to DA using SharesPasswordWith (diagram): BREYES, BREYES.ADMIN, DOMAIN ADMINS, ZDEVENS, BLOPER, BPICKEREL
  61. Extensions
     • Owned / Wave
     • Password Reuse via SharesPasswordWith
     • Blacklisting Nodes & Relationships
     • Integrating Network Connections
  62. Blacklisting (diagram: JDOE, APPDEV, BSMITH with AdminTo and HasSession edges)

  63. Blacklisting: Computer Offline (same diagram)

  64. Blacklisting: Session Expired (same diagram)

  65. Blacklisting: User Disabled (same diagram)

  66. Adding to the Blacklist: via the UI tooltip, or via bh-owned.rb
  67. Blacklist – "Find all Domain Admins": the original query, then remove paths that contain the "blacklist" property

  68. Viewing the Blacklist
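
The blacklist workflow of slides 66 to 68, as an added example that is not the deck's bh-owned.rb or UI code: Cypher to set the 'blacklist' property on a node or an edge, the pathfinding query with blacklisted paths removed, and a listing for review. The statements and the whitelist of relationship types are assumptions made here.

```ruby
require 'json'

# Added example (not the deck's bh-owned.rb or UI tooltip code): mark stale
# nodes and edges with a 'blacklist' property and re-run pathfinding without
# them. The property name follows the deck; the statements are assumptions.
module Blacklist
  # Relationship types BloodHound 1.x ships with, plus the deck's SharesPasswordWith.
  TYPES = %w[MemberOf AdminTo HasSession TrustedBy SharesPasswordWith].freeze

  # A node, e.g. a computer that is offline or a user that was disabled.
  def self.node(name, reason)
    { 'statement' => 'MATCH (n {name: $name}) SET n.blacklist = $reason RETURN n.name AS name',
      'parameters' => { 'name' => name, 'reason' => reason } }
  end

  # An edge, e.g. a HasSession whose session has since expired. Neo4j cannot
  # parameterise a relationship type, so it is spliced into the pattern text
  # and therefore checked against TYPES first.
  def self.edge(src, type, dst, reason)
    raise ArgumentError, "unknown relationship type #{type.inspect}" unless TYPES.include?(type)
    { 'statement' => "MATCH (a {name: $src})-[r:#{type}]->(b {name: $dst}) " \
                     'SET r.blacklist = $reason RETURN type(r) AS type',
      'parameters' => { 'src' => src, 'dst' => dst, 'reason' => reason } }
  end

  # Shortest paths to a group with every path touching a blacklisted node or
  # edge removed. Path predicates make Neo4j fall back from its fast
  # bidirectional search to an exhaustive one, so expect this to be slower
  # than the unfiltered query on a big graph.
  def self.paths_to_group(group)
    { 'statement' => 'MATCH (n), (g:Group {name: $group}), p = shortestPath((n)-[*1..]->(g)) ' \
                     'WHERE n <> g ' \
                     'AND NONE(x IN nodes(p) WHERE x.blacklist IS NOT NULL) ' \
                     'AND NONE(r IN relationships(p) WHERE r.blacklist IS NOT NULL) ' \
                     'RETURN p',
      'parameters' => { 'group' => group } }
  end

  # Everything currently blacklisted, with the reason, for review at the end
  # of the engagement.
  def self.listing
    { 'statement' => 'MATCH (n) WHERE n.blacklist IS NOT NULL ' \
                     'RETURN n.name AS item, n.blacklist AS reason ' \
                     'UNION ALL ' \
                     'MATCH (a)-[r]->(b) WHERE r.blacklist IS NOT NULL ' \
                     "RETURN a.name + ' -[' + type(r) + ']-> ' + b.name AS item, r.blacklist AS reason",
      'parameters' => {} }
  end
end

if __FILE__ == $PROGRAM_NAME
  [Blacklist.node('FILESRV01.INTERNAL.LOCAL', 'Computer Offline'),
   Blacklist.edge('FILESRV01.INTERNAL.LOCAL', 'HasSession', 'BSMITH@INTERNAL.LOCAL', 'Session Expired'),
   Blacklist.paths_to_group('DOMAIN ADMINS@INTERNAL.LOCAL'),
   Blacklist.listing].each { |s| puts JSON.generate(s) }
end
```

Blacklisting a HasSession edge rather than the user keeps the user's other paths intact, which matches the "Session Expired" case on slide 64; "User Disabled" on slide 65 is the node form.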

  69. Extensions
     • Owned / Wave
     • Password Reuse via SharesPasswordWith
     • Blacklisting Nodes & Relationships
     • Integrating Network Connections
  70. Netstat Connections
     Proto  Local Address     Foreign Address    State
     TCP    0.0.0.0:445       0.0.0.0:0          LISTENING
     TCP    10.1.8.83:445     10.1.2.118:53210   ESTABLISHED
     TCP    10.1.8.83:49188   54.91.1.122:443    ESTABLISHED
     TCP    10.1.8.83:49230   10.1.17.47:1433    ESTABLISHED
     TCP    10.1.8.83:49276   10.1.6.115:22      ESTABLISHED
     TCP    10.1.8.83:49295   10.1.72.47:80      ESTABLISHED
     TCP    10.1.8.83:49296   52.27.96.23:443    ESTABLISHED
     TCP    10.1.8.83:49297   10.1.7.18:135      ESTABLISHED
     TCP    10.1.8.83:49298   10.1.7.18:3389     ESTABLISHED

  71. Netstat Connections – Web Apps
     TCP    10.1.8.83:49188   54.91.1.122:443    ESTABLISHED
     TCP    10.1.8.83:49295   10.1.72.47:80      ESTABLISHED
     TCP    10.1.8.83:49296   52.27.96.23:443    ESTABLISHED

  72. Netstat Connections – RDP/SSH
     TCP    10.1.8.83:49276   10.1.6.115:22      ESTABLISHED
     TCP    10.1.8.83:49298   10.1.7.18:3389     ESTABLISHED

  73. Netstat Connections – Databases
     TCP    10.1.8.83:49230   10.1.17.47:1433    ESTABLISHED
  74. No IP Addresses for a Computer
     # cat dns-mappings.txt
     10.1.72.27,"R_AND_D_16.EXTERNAL.LOCAL"
     10.1.4.67,"R_AND_D_8.EXTERNAL.LOCAL"
     10.1.72.12,"DESKTOP35.EXTERNAL.LOCAL"
     10.1.72.13,"SQL4.EXTERNAL.LOCAL"
     10.1.4.12,"DESKTOP40.INTERNAL.LOCAL"
     10.1.4.13,"SYSTEM33.INTERNAL.LOCAL"
     ...
  75. Netstat to Cypher
     TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED becomes
     (s:Computer {name:'<src>'})-[:Connected_3389]->(d:Computer {name:'<dst>'})
     i.e. DESKTOP7.INTERNAL.LOCAL -[:Connected_3389]-> MANAGEMENT3.INTERNAL.LOCAL
  76. Adding Connections (-c, -d)
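
The netstat-to-Cypher conversion of slides 74 to 76, as an added example that is not the -c/-d code of bh-owned.rb: Ruby that parses netstat output, resolves IPs through a dns-mappings.txt-style file, decides which end is the service, and emits one UNWIND statement per Connected_<port> type. The sample rows and mappings are constructed (only the DESKTOP7/MANAGEMENT3 pair follows slide 75), and the inbound/outbound heuristic is an assumption.

```ruby
require 'json'

# Added example (not bh-owned.rb -c/-d): netstat output from one host plus an
# IP-to-hostname file become Connected_<port> relationships between Computer
# nodes. Sample rows and mappings are constructed; only 10.1.8.83 -> DESKTOP7
# and 10.1.7.18 -> MANAGEMENT3 follow slide 75.
NETSTAT = <<~NS
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.1.8.83:445          10.1.2.118:53210       ESTABLISHED
  TCP    10.1.8.83:49188        54.91.1.122:443        ESTABLISHED
  TCP    10.1.8.83:49230        10.1.17.47:1433        ESTABLISHED
  TCP    10.1.8.83:49276        10.1.6.115:22          ESTABLISHED
  TCP    10.1.8.83:49298        10.1.7.18:3389         ESTABLISHED
NS

DNS_MAPPINGS = <<~CSV
  10.1.8.83,"DESKTOP7.INTERNAL.LOCAL"
  10.1.7.18,"MANAGEMENT3.INTERNAL.LOCAL"
  10.1.17.47,"SQL9.INTERNAL.LOCAL"
  10.1.2.118,"DESKTOP12.INTERNAL.LOCAL"
CSV

# dns-mappings.txt: ip,"HOSTNAME" per line.
def parse_mappings(csv)
  csv.each_line.with_object({}) do |line, map|
    ip, name = line.strip.split(',', 2)
    next unless ip && name
    map[ip] = name.delete('"').upcase
  end
end

# Which end is the service? Windows hands out ephemeral client ports from
# 49152 up, so "local low port, foreign ephemeral" means someone connected to
# us (edge foreign -> local on the local port); everything else is outbound.
# A heuristic, not a fact about the traffic.
def service_side(lport, fport)
  return [:in, lport] if fport >= 49_152 && lport < 49_152
  [:out, fport]
end

# [[src_host, 'Connected_<port>', dst_host], ...] for ESTABLISHED TCP rows whose
# ends both resolve to a known computer. Internet peers and unmapped internal
# IPs are dropped: BloodHound has no node for them.
def netstat_to_edges(text, mappings)
  text.each_line.with_object([]) do |line, out|
    proto, local, foreign, state = line.split
    next unless proto == 'TCP' && state == 'ESTABLISHED'
    lip, _, lport = local.rpartition(':')   # rpartition survives [::1]:445
    fip, _, fport = foreign.rpartition(':')
    dir, port = service_side(lport.to_i, fport.to_i)
    a, b = dir == :in ? [fip, lip] : [lip, fip]
    src, dst = mappings[a], mappings[b]
    next unless src && dst
    out << [src, "Connected_#{port}", dst]
  end.uniq
end

# One statement per relationship type (a type cannot be a Cypher parameter; it
# is safe to splice here because it is built from an integer port). MATCH on
# Computer so only collected hosts get linked.
def connection_statements(edges)
  edges.group_by { |_src, type, _dst| type }.map do |type, rows|
    { 'statement' => 'UNWIND $rows AS r ' \
                     'MATCH (s:Computer {name: r.src}), (d:Computer {name: r.dst}) ' \
                     "MERGE (s)-[:#{type}]->(d) RETURN count(*) AS added",
      'parameters' => { 'rows' => rows.map { |src, _t, dst| { 'src' => src, 'dst' => dst } } } }
  end
end

if __FILE__ == $PROGRAM_NAME
  edges = netstat_to_edges(NETSTAT, parse_mappings(DNS_MAPPINGS))
  edges.each { |src, type, dst| puts "#{src} -[:#{type}]-> #{dst}" }
  connection_statements(edges).each { |s| puts JSON.generate(s) }
end
```

Run it on netstat captured from each foothold and the Connected_3389 and Connected_22 edges feed the jumpbox queries of slides 80 to 82; the dropped Internet peers are the reason the web-app rows of slide 71 mostly vanish.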

  77. Connections over 389/tcp

  78. Connections over 445/tcp

  79. Show Web App Connections: Connected_80

  80. Cypher Query Using Both Datasets: "simple" derivative local admin, connected to one or more hosts via RDP

  81. Escalation Paths to RDP Jumpboxes

  82. Escalation Paths to RDP Jumpboxes

  83. Future Research
     • Incorporating more flow data
     • Critical Path to Compromise
     • More inclusion of local accounts
     • Alternative data collection
     • Ideas? Reach out!
  84. References
     • BloodHound on Slack: https://bloodhoundgang.herokuapp.com/
     • BloodHound project on GitHub: https://github.com/BloodHoundAD/BloodHound
     • SharpHound project on GitHub: https://github.com/BloodHoundAD/SharpHound
     • Cypher Reference Card: https://neo4j.com/docs/cypher-refcard/current/
     • Rohan Vazarkar – Intro to Cypher: https://blog.cptjesus.com/posts/introtocypher
     • Andy Robbins – BloodHound 1.3 – The ACL Attack Path Update: https://wald0.com/?p=112
     • Rohan Vazarkar – BloodHound 1.4: The Object Properties Update: https://blog.cptjesus.com/posts/bloodhoundobjectproperties
     • Will Schroeder – Local Group Enumeration: https://www.harmj0y.net/blog/redteaming/local-group-enumeration/
     • Tal Be'ery & Marina Simakov – The Enemy Within: Stopping Attacks Against Local Users: https://youtu.be/HE7X7l-k-A4
  85. Thank you! Twitter/GitHub: @porterhau5. Email: tom [at] porterhau5.com
     https://github.com/porterhau5/BloodHound-Owned
     https://github.com/porterhau5/BloodHound (forked)