Extending BloodHound for Red Teamers

1
Extending BloodHound for Red Teamers
Tom Porter (@porterhau5)

View Slide

2
Tom Porter
@porterhau5
porterhau5.com
S R. S E C URI T Y C ONS ULT A NT
F US IONX
• Flow data analytics
• Penetration testing
• Red teaming
• Password analysis & wordlist generation

View Slide

3
Extending BloodHound
• Tracking Compromised Nodes
• Visualize Deltas in Privilege Gains
• Automating via Neo4j REST API
• Adding Properties and Relationships
• Custom Queries
• UI Enhancements
https://github.com/porterhau5/BloodHound-Owned
https://github.com/porterhau5/BloodHound (forked)

View Slide

4
BloodHound
•Released at DEF CON 24
− Andy Robbins (@_wald0)
− Rohan Vazarkar (@CptJesus)
− Will Schroeder (@harmj0y)
•Attack graphs for Active Directory
https://github.com/BloodHoundAD/BloodHound

View Slide

5
BloodHound Stack
Bolt

View Slide

6
Data Collection
SharpHound.ps1/SharpHound.exe
Originally leveraged PowerView (PowerShell)
Rewritten in C#: https://github.com/BloodHoundAD/SharpHound

View Slide

7
Neo4j: A Graph Database
Property Graph Model
− Nodes
− Relationships
− Labels
− Relationship types
− Properties
− Paths
Person
Sword House
Sword
Name : ‘Tyrion’
Name : ‘Lannister’
Name :
‘Widow’s Wail’
MemberOf
HasItem
ReforgedInto
Name : ‘Ice’
*rip Ned

View Slide

8
Nodes, Labels, and Properties
App
Icons
Domain
User
Group
Computer
Name: ‘INTERNAL.LOCAL’
Name: ‘[email protected]’
Name: ‘DOMAIN [email protected]’
Name: ‘MGMT3.INTERNAL.LOCAL’

View Slide

9
Relationships and Relationship Types
MemberOf
AdminTo
HasSession
TrustedBy
More added in 1.3: – The ACL Attack Path Update: https://wald0.com/?p=112

View Slide

1 0
A Path for Escalation
AdminTo HasSession
MemberOf
HasSession MemberOf
JDOE APPDEV BSMITH
SRVADM HELPDESK
FILESRV01 BSMITH-DA DOMAIN ADMINS

View Slide

1 1
Search Container
Raw Query
Zoom
Menu
Graph

View Slide

1 2
Node Info Tab

View Slide

1 3
Pathfinding

View Slide

1 4
BPT: Query Debug Mode
Learn Cypher as you go!

View Slide

1 5
Understanding Cypher Syntax
https://neo4j.com/developer/cypher-query-language/

View Slide

1 6
Your First Cypher Query

View Slide

1 7
Only MATCH a Label

View Slide

1 8
Return the ‘name’ Property

View Slide

1 9
WHERE Clause

View Slide

2 0
Find Direct Local Admin Access for a User

View Slide

2 1
Find Derivative Local Admin Access (3 hops)

View Slide

2 2
Same Query in BloodHound

View Slide

2 3

View Slide

2 4
Extensions
• Owned / Wave
• Password Reuse via SharesPasswordWith
• Blacklisting Nodes & Relationships
• Integrating Network Connections

View Slide

2 5

View Slide

2 6
All Hope Isn’t Lost
Password Reuse
• Same password between accounts
• Shared local administrator password
Bob Bob-adm
SRV1 SRV2
Kerberoasting
• Abuse Kerberos SPNs linked to domain accounts
• Escalate from low-privileged user to service account
Share Plundering
• Notes.txt
• Configuration files

View Slide

2 7
1. LLMNR/NBNS MiTM: Capture and crack NTLMv2 hashes
− 3 accounts obtained
2. Password spray: Fall2017
− 4 more accounts obtained
3. Password reuse: user account and admin account
− 1 more account obtained (admin)
− 1 computer obtained
4. Secretsdump: dump local account hashes from host
− 3 more accounts obtained (local)
5. Pass-the-Hash: local administrator hash against other hosts
− 34 more computers obtained
An Example Engagement

View Slide

2 8
When a new set of nodes are
owned
by some method, what other nodes can we now
collaterally reach?
“Wave”
Let’s Use BloodHound to Answer a Question

View Slide

2 9
‘owned’
− Method used to compromise the node:
• LLMNR wpad
• Password spray
• Mimikatz
• Found on SMB share
• Phished
‘wave’
− Number representing the order in which the node was compromised:
• 1
• 2
• 3, etc.
‘Owned’ and ‘Wave’ Properties

View Slide

3 0
SET Properties
1. LLMNR/NBNS poisoning for WPAD:
[email protected]
[email protected]

View Slide

3 1
Node Info Addition

View Slide

3 2
Collateral Spread

View Slide

3 3
Collateral Spread – Raw Query

View Slide

3 4
Add Nodes to 1st Wave

View Slide

3 5
2nd Set of Owned Nodes
2. Password spray (Fall2017):
[email protected]
[email protected]

View Slide

3 6
Collateral Spread for 2nd Wave

View Slide

3 7
Hiding Nodes from Previous Waves

View Slide

3 8
SET ‘wave’ for Nodes

View Slide

3 9
Delta in Access

View Slide

4 0
bh-owned.rb – Ruby script to interacts with Neo4j REST API
Automation

View Slide

4 1
3. SMB Share Plundering:
[email protected]
[email protected]
1. Create Cypher query to SET properties
2. Create Cypher query for wave of
compromise
3. Wrap it in JSON
4. POST to RESTful endpoint
5. Parse API response, display to user
Add wave (-a)

View Slide

4 2
Wave 3 in BloodHound

View Slide

4 3
Mac : ~/Library/Application Support/bloodhound/customqueries.json
Windows: %APPDATA%\Roaming\bloodhound\customqueries.json
Custom Queries

View Slide

4 4
name: Display name in BloodHound UI
requireNodeSelect: Require input from the user
query: Cypher query to run
allowCollapse: Allow Nodes to be collapsed
props: Variable used in “query” statement, helps with performance
Custom Query Syntax

View Slide

4 5
4. Mimikatz, Local accounts:
[email protected]
FILESERVER6.INTERNAL.LOCAL
Add 4th Wave

View Slide

4 6
Find all owned Domain Admins

View Slide

4 7
Find Shortest Paths from owned node to DA

View Slide

4 8
Show Wave

View Slide

4 9
Show Wave

View Slide

5 0
Show Delta for Wave

View Slide

5 1
Show Delta for 2nd Wave

View Slide

5 2
Extensions
• Owned / Wave

View Slide

5 3
MemberOf
AdminTo
HasSession
TrustedBy
SharesPasswordWith
SharesPasswordWith
Representing Password Reuse

View Slide

5 4
AdminTo HasSession
MemberOf
HasSession MemberOf
JDOE APPDEV BSMITH
SRVADM HELPDESK
A Path for Escalation

View Slide

5 5
AdminTo HasSession
MemberOf
HasSession MemberOf
JDOE APPDEV BSMITH
SRVADM HELPDESK
SharesPasswordWith: Computers

View Slide

5 6
AdminTo HasSession
MemberOf
HasSession MemberOf
JDOE APPDEV BSMITH
SRVADM HELPDESK
SharesPasswordWith: Users

View Slide

5 7
Accounts with same password:
[email protected]
[email protected]
SharesPasswordWith: Manual Way

View Slide

5 8
Computers with same local admin password
SharesPasswordWith: Automated (-s)

View Slide

5 9
Find Clusters of Password Reuse

View Slide

6 0
Shortest Path to DA using SharesPasswordWith
BREYES BREYES.ADMIN DOMAIN
ADMINS
ZDEVENS
BLOPER
BPICKEREL

View Slide

6 1
Extensions
• Owned / Wave

View Slide

6 2
Blacklisting
AdminTo HasSession
JDOE APPDEV BSMITH

View Slide

6 3
Blacklisting
AdminTo HasSession
JDOE APPDEV BSMITH
Computer Offline

View Slide

6 4
Blacklisting
AdminTo HasSession
JDOE APPDEV BSMITH
Session Expired

View Slide

6 5
Blacklisting
AdminTo HasSession
JDOE APPDEV BSMITH
User Disabled

View Slide

6 6
Adding to the Blacklist
Via the UI tooltip
Via bh-owned.rb

View Slide

6 7
Blacklist – “Find all Domain Admins”
Original Query
Remove paths that contain “blacklist” property

View Slide

6 8
Viewing the Blacklist

View Slide

6 9
Extensions
• Owned / Wave

View Slide

7 0
Netstat Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.1.8.83:445 10.1.2.118:53210 ESTABLISHED
TCP 10.1.8.83:49188 54.91.1.122:443 ESTABLISHED
TCP 10.1.8.83:49230 10.1.17.47:1433 ESTABLISHED
TCP 10.1.8.83:49276 10.1.6.115:22 ESTABLISHED
TCP 10.1.8.83:49295 10.1.72.47:80 ESTABLISHED
TCP 10.1.8.83:49296 52.27.96.23:443 ESTABLISHED
TCP 10.1.8.83:49297 10.1.7.18:135 ESTABLISHED
TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED

View Slide

7 1
Netstat Connections
TCP 10.1.8.83:49188 54.91.1.122:443 ESTABLISHED
TCP 10.1.8.83:49295 10.1.72.47:80 ESTABLISHED
TCP 10.1.8.83:49296 52.27.96.23:443 ESTABLISHED
Web Apps

View Slide

7 2
Netstat Connections
TCP 10.1.8.83:49276 10.1.6.115:22 ESTABLISHED
TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED
RDP/SSH

View Slide

7 3
Netstat Connections
TCP 10.1.8.83:49230 10.1.17.47:1433 ESTABLISHED
Databases

View Slide

7 4
No IP Addresses for a Computer
# cat dns-mappings.txt
10.1.72.27,"R_AND_D_16.EXTERNAL.LOCAL"
10.1.4.67,"R_AND_D_8.EXTERNAL.LOCAL"
10.1.72.12,"DESKTOP35.EXTERNAL.LOCAL"
10.1.72.13,"SQL4.EXTERNAL.LOCAL"
10.1.4.12,"DESKTOP40.INTERNAL.LOCAL"
10.1.4.13,"SYSTEM33.INTERNAL.LOCAL"
...

View Slide

7 5
Netstat to Cypher
TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED
(s:Computer {name:’’})-[:Connected_3389]->(d:Computer {name:’’})
Connected_3389
DESKTOP7.INTERNAL.LOCAL MANAGEMENT3.INTERNAL.LOCAL
DESKTOP7.INTERNAL.LOCAL MANAGEMENT3.INTERNAL.LOCAL

View Slide

7 6
Adding Connections (-c, -d)

View Slide

7 7
Connections over 389/tcp

View Slide

7 8
Connections over 445/tcp

View Slide

7 9
Show Web App Connections
Connected_80

View Slide

8 0
Cypher Query Using Both Datasets
“Simple” derivative local admin
Connected to one or
more hosts via RDP

View Slide

8 1
Escalation Paths to RDP Jumpboxes

View Slide

8 2
Escalation Paths to RDP Jumpboxes

View Slide

8 3
Future Research
− Incorporating more flow data
− Critical Path to Compromise
− More inclusion of local accounts
− Alternative data collection
− Ideas? Reach out!

View Slide

8 4
References
• BloodHound on Slack: https://bloodhoundgang.herokuapp.com/
• BloodHound project on GitHub: https://github.com/BloodHoundAD/BloodHound
• SharpHound project on GitHub: https://github.com/BloodHoundAD/SharpHound
• Cypher Reference Card: https://neo4j.com/docs/cypher-refcard/current/
• Rohan Vazarkar - Intro to Cypher: https://blog.cptjesus.com/posts/introtocypher
• Andy Robbins – BloodHound 1.3 – The ACL Attack Path Update: https://wald0.com/?p=112
• Rohan Vazarkar – BloodHound 1.4: The Object Properties Update: https://blog.cptjesus.com/posts/bloodhoundobjectproperties
• Will Schroeder – Local Group Enumeration: https://www.harmj0y.net/blog/redteaming/local-group-enumeration/
• Tal Be’ery & Marina Simakov – The Enemy Within: Stopping Attacks Against Local Users: https://youtu.be/HE7X7l-k-A4

View Slide

8 5
Thank you!
Twitter/GitHub: @porterhau5
Email: tom [at] porterhau5.com
https://github.com/porterhau5/BloodHound-Owned
https://github.com/porterhau5/BloodHound (forked)

View Slide

Extending BloodHound for Red Teamers

Extending BloodHound for Red Teamers

Tom Porter

Other Decks in Technology

Featured

Transcript