Extending BloodHound for Red Teamers

Transcript

1. 1 Extending BloodHound for Red Teamers Tom Porter (@porterhau5)

2. 2 Tom Porter @porterhau5 porterhau5.com S R. S E C

   URI T Y C ONS ULT A NT F US IONX • Flow data analytics • Penetration testing • Red teaming • Password analysis & wordlist generation

3. 3 Extending BloodHound • Tracking Compromised Nodes • Visualize Deltas

   in Privilege Gains • Automating via Neo4j REST API • Adding Properties and Relationships • Custom Queries • UI Enhancements https://github.com/porterhau5/BloodHound-Owned https://github.com/porterhau5/BloodHound (forked)

4. 4 BloodHound •Released at DEF CON 24 − Andy Robbins

   (@_wald0) − Rohan Vazarkar (@CptJesus) − Will Schroeder (@harmj0y) •Attack graphs for Active Directory https://github.com/BloodHoundAD/BloodHound

5. 5 BloodHound Stack Bolt

6. 6 Data Collection SharpHound.ps1/SharpHound.exe Originally leveraged PowerView (PowerShell) Rewritten in

   C#: https://github.com/BloodHoundAD/SharpHound

7. 7 Neo4j: A Graph Database Property Graph Model − Nodes

   − Relationships − Labels − Relationship types − Properties − Paths Person Sword House Sword Name : ‘Tyrion’ Name : ‘Lannister’ Name : ‘Widow’s Wail’ MemberOf HasItem ReforgedInto Name : ‘Ice’ *rip Ned

8. 8 Nodes, Labels, and Properties App Icons Domain User Group

   Computer Name: ‘INTERNAL.LOCAL’ Name: ‘[email protected]’ Name: ‘DOMAIN [email protected]’ Name: ‘MGMT3.INTERNAL.LOCAL’

9. 9 Relationships and Relationship Types MemberOf AdminTo HasSession TrustedBy More

   added in 1.3: – The ACL Attack Path Update: https://wald0.com/?p=112

10. 1 0 A Path for Escalation AdminTo HasSession MemberOf HasSession

    MemberOf JDOE APPDEV BSMITH SRVADM HELPDESK FILESRV01 BSMITH-DA DOMAIN ADMINS

11. 1 1 Search Container Raw Query Zoom Menu Graph

12. 1 2 Node Info Tab

13. 1 3 Pathfinding

14. 1 4 BPT: Query Debug Mode Learn Cypher as you

    go!

15. 1 5 Understanding Cypher Syntax https://neo4j.com/developer/cypher-query-language/

16. 1 6 Your First Cypher Query

17. 1 7 Only MATCH a Label

18. 1 8 Return the ‘name’ Property

19. 1 9 WHERE Clause

20. 2 0 Find Direct Local Admin Access for a User

21. 2 1 Find Derivative Local Admin Access (3 hops)

22. 2 2 Same Query in BloodHound

23. 2 3

24. 2 4 Extensions • Owned / Wave • Password Reuse

    via SharesPasswordWith • Blacklisting Nodes & Relationships • Integrating Network Connections

25. 2 5

26. 2 6 All Hope Isn’t Lost Password Reuse • Same

    password between accounts • Shared local administrator password Bob Bob-adm SRV1 SRV2 Kerberoasting • Abuse Kerberos SPNs linked to domain accounts • Escalate from low-privileged user to service account Share Plundering • Notes.txt • Configuration files

27. 2 7 1. LLMNR/NBNS MiTM: Capture and crack NTLMv2 hashes

    − 3 accounts obtained 2. Password spray: Fall2017 − 4 more accounts obtained 3. Password reuse: user account and admin account − 1 more account obtained (admin) − 1 computer obtained 4. Secretsdump: dump local account hashes from host − 3 more accounts obtained (local) 5. Pass-the-Hash: local administrator hash against other hosts − 34 more computers obtained An Example Engagement

28. 2 8 When a new set of nodes are owned

    by some method, what other nodes can we now collaterally reach? “Wave” Let’s Use BloodHound to Answer a Question

29. 2 9 ‘owned’ − Method used to compromise the node:

    • LLMNR wpad • Password spray • Mimikatz • Found on SMB share • Phished ‘wave’ − Number representing the order in which the node was compromised: • 1 • 2 • 3, etc. ‘Owned’ and ‘Wave’ Properties

30. 3 0 SET Properties 1. LLMNR/NBNS poisoning for WPAD: [email protected]

    [email protected]

31. 3 1 Node Info Addition

32. 3 2 Collateral Spread

33. 3 3 Collateral Spread – Raw Query

34. 3 4 Add Nodes to 1st Wave

35. 3 5 2nd Set of Owned Nodes 2. Password spray

    (Fall2017): [email protected] [email protected]

36. 3 6 Collateral Spread for 2nd Wave

37. 3 7 Hiding Nodes from Previous Waves

38. 3 8 SET ‘wave’ for Nodes

39. 3 9 Delta in Access

40. 4 0 bh-owned.rb – Ruby script to interacts with Neo4j

    REST API Automation

41. 4 1 3. SMB Share Plundering: [email protected] [email protected] 1. Create

    Cypher query to SET properties 2. Create Cypher query for wave of compromise 3. Wrap it in JSON 4. POST to RESTful endpoint 5. Parse API response, display to user Add wave (-a)

42. 4 2 Wave 3 in BloodHound

43. 4 3 Mac : ~/Library/Application Support/bloodhound/customqueries.json Windows: %APPDATA%\Roaming\bloodhound\customqueries.json Custom Queries

44. 4 4 name: Display name in BloodHound UI requireNodeSelect: Require

    input from the user query: Cypher query to run allowCollapse: Allow Nodes to be collapsed props: Variable used in “query” statement, helps with performance Custom Query Syntax

45. 4 5 4. Mimikatz, Local accounts: [email protected] FILESERVER6.INTERNAL.LOCAL Add 4th

    Wave

46. 4 6 Find all owned Domain Admins

47. 4 7 Find Shortest Paths from owned node to DA

48. 4 8 Show Wave

49. 4 9 Show Wave

50. 5 0 Show Delta for Wave

51. 5 1 Show Delta for 2nd Wave

52. 5 2 Extensions • Owned / Wave • Password Reuse

    via SharesPasswordWith • Blacklisting Nodes & Relationships • Integrating Network Connections

53. 5 3 MemberOf AdminTo HasSession TrustedBy SharesPasswordWith SharesPasswordWith Representing Password

    Reuse

54. 5 4 AdminTo HasSession MemberOf HasSession MemberOf JDOE APPDEV BSMITH

    SRVADM HELPDESK FILESRV01 BSMITH-DA DOMAIN ADMINS A Path for Escalation

55. 5 5 AdminTo HasSession MemberOf HasSession MemberOf JDOE APPDEV BSMITH

    SRVADM HELPDESK FILESRV01 BSMITH-DA DOMAIN ADMINS SharesPasswordWith: Computers

56. 5 6 AdminTo HasSession MemberOf HasSession MemberOf JDOE APPDEV BSMITH

    SRVADM HELPDESK FILESRV01 BSMITH-DA DOMAIN ADMINS SharesPasswordWith: Users

57. 5 7 Accounts with same password: [email protected] [email protected] SharesPasswordWith: Manual

    Way

58. 5 8 Computers with same local admin password SharesPasswordWith: Automated

    (-s)

59. 5 9 Find Clusters of Password Reuse

60. 6 0 Shortest Path to DA using SharesPasswordWith BREYES BREYES.ADMIN

    DOMAIN ADMINS ZDEVENS BLOPER BPICKEREL

61. 6 1 Extensions • Owned / Wave • Password Reuse

    via SharesPasswordWith • Blacklisting Nodes & Relationships • Integrating Network Connections

62. 6 2 Blacklisting AdminTo HasSession JDOE APPDEV BSMITH

63. 6 3 Blacklisting AdminTo HasSession JDOE APPDEV BSMITH Computer Offline

64. 6 4 Blacklisting AdminTo HasSession JDOE APPDEV BSMITH Session Expired

65. 6 5 Blacklisting AdminTo HasSession JDOE APPDEV BSMITH User Disabled

66. 6 6 Adding to the Blacklist Via the UI tooltip

    Via bh-owned.rb

67. 6 7 Blacklist – “Find all Domain Admins” Original Query

    Remove paths that contain “blacklist” property

68. 6 8 Viewing the Blacklist

69. 6 9 Extensions • Owned / Wave • Password Reuse

    via SharesPasswordWith • Blacklisting Nodes & Relationships • Integrating Network Connections

70. 7 0 Netstat Connections Proto Local Address Foreign Address State

    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 10.1.8.83:445 10.1.2.118:53210 ESTABLISHED TCP 10.1.8.83:49188 54.91.1.122:443 ESTABLISHED TCP 10.1.8.83:49230 10.1.17.47:1433 ESTABLISHED TCP 10.1.8.83:49276 10.1.6.115:22 ESTABLISHED TCP 10.1.8.83:49295 10.1.72.47:80 ESTABLISHED TCP 10.1.8.83:49296 52.27.96.23:443 ESTABLISHED TCP 10.1.8.83:49297 10.1.7.18:135 ESTABLISHED TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED

71. 7 1 Netstat Connections Proto Local Address Foreign Address State

    TCP 10.1.8.83:49188 54.91.1.122:443 ESTABLISHED TCP 10.1.8.83:49295 10.1.72.47:80 ESTABLISHED TCP 10.1.8.83:49296 52.27.96.23:443 ESTABLISHED Web Apps

72. 7 2 Netstat Connections Proto Local Address Foreign Address State

    TCP 10.1.8.83:49276 10.1.6.115:22 ESTABLISHED TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED RDP/SSH

73. 7 3 Netstat Connections Proto Local Address Foreign Address State

    TCP 10.1.8.83:49230 10.1.17.47:1433 ESTABLISHED Databases

74. 7 4 No IP Addresses for a Computer # cat

    dns-mappings.txt 10.1.72.27,"R_AND_D_16.EXTERNAL.LOCAL" 10.1.4.67,"R_AND_D_8.EXTERNAL.LOCAL" 10.1.72.12,"DESKTOP35.EXTERNAL.LOCAL" 10.1.72.13,"SQL4.EXTERNAL.LOCAL" 10.1.4.12,"DESKTOP40.INTERNAL.LOCAL" 10.1.4.13,"SYSTEM33.INTERNAL.LOCAL" ...

75. 7 5 Netstat to Cypher TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED (s:Computer

    {name:’<src>’})-[:Connected_3389]->(d:Computer {name:’<dst>’}) Connected_3389 DESKTOP7.INTERNAL.LOCAL MANAGEMENT3.INTERNAL.LOCAL DESKTOP7.INTERNAL.LOCAL MANAGEMENT3.INTERNAL.LOCAL

76. 7 6 Adding Connections (-c, -d)

77. 7 7 Connections over 389/tcp

78. 7 8 Connections over 445/tcp

79. 7 9 Show Web App Connections Connected_80

80. 8 0 Cypher Query Using Both Datasets “Simple” derivative local

    admin Connected to one or more hosts via RDP

81. 8 1 Escalation Paths to RDP Jumpboxes

82. 8 2 Escalation Paths to RDP Jumpboxes

83. 8 3 Future Research − Incorporating more flow data −

    Critical Path to Compromise − More inclusion of local accounts − Alternative data collection − Ideas? Reach out!

84. 8 4 References • BloodHound on Slack: https://bloodhoundgang.herokuapp.com/ • BloodHound

    project on GitHub: https://github.com/BloodHoundAD/BloodHound • SharpHound project on GitHub: https://github.com/BloodHoundAD/SharpHound • Cypher Reference Card: https://neo4j.com/docs/cypher-refcard/current/ • Rohan Vazarkar - Intro to Cypher: https://blog.cptjesus.com/posts/introtocypher • Andy Robbins – BloodHound 1.3 – The ACL Attack Path Update: https://wald0.com/?p=112 • Rohan Vazarkar – BloodHound 1.4: The Object Properties Update: https://blog.cptjesus.com/posts/bloodhoundobjectproperties • Will Schroeder – Local Group Enumeration: https://www.harmj0y.net/blog/redteaming/local-group-enumeration/ • Tal Be’ery & Marina Simakov – The Enemy Within: Stopping Attacks Against Local Users: https://youtu.be/HE7X7l-k-A4

85. 8 5 Thank you! Twitter/GitHub: @porterhau5 Email: tom [at] porterhau5.com

    https://github.com/porterhau5/BloodHound-Owned https://github.com/porterhau5/BloodHound (forked)