Extending BloodHound for Red Teamers

Tom Porter
October 30, 2017

Transcript

  1.
    Extending BloodHound for Red Teamers
    Tom Porter (@porterhau5)

  2.
    Tom Porter
    @porterhau5
    porterhau5.com
    Sr. Security Consultant, FusionX
    • Flow data analytics
    • Penetration testing
    • Red teaming
    • Password analysis & wordlist generation

  3.
    Extending BloodHound
    • Tracking Compromised Nodes
    • Visualize Deltas in Privilege Gains
    • Automating via Neo4j REST API
    • Adding Properties and Relationships
    • Custom Queries
    • UI Enhancements
    https://github.com/porterhau5/BloodHound-Owned
    https://github.com/porterhau5/BloodHound (forked)

  4.
    BloodHound
    • Released at DEF CON 24
    − Andy Robbins (@_wald0)
    − Rohan Vazarkar (@CptJesus)
    − Will Schroeder (@harmj0y)
    • Attack graphs for Active Directory
    https://github.com/BloodHoundAD/BloodHound

  5.
    BloodHound Stack
    (figure: the BloodHound UI talks to the Neo4j database over the Bolt protocol)

  6.
    Data Collection
    SharpHound.ps1/SharpHound.exe
    Originally leveraged PowerView (PowerShell)
    Rewritten in C#: https://github.com/BloodHoundAD/SharpHound

  7.
    Neo4j: A Graph Database
    Property Graph Model
    − Nodes
    − Relationships
    − Labels
    − Relationship types
    − Properties
    − Paths
    Example graph on the slide (labels: Person, House, Sword; relationship types: MemberOf, HasItem, ReforgedInto):
    (:Person {Name: 'Tyrion'}), (:House {Name: 'Lannister'}), (:Sword {Name: "Widow's Wail"}), (:Sword {Name: 'Ice'}) *rip Ned

  8.
    Nodes, Labels, and Properties
    Each label has its own icon in the app; example 'Name' properties:
    Domain: Name: 'INTERNAL.LOCAL'
    User: Name: '[email protected]'
    Group: Name: 'DOMAIN [email protected]'
    Computer: Name: 'MGMT3.INTERNAL.LOCAL'

  9.
    Relationships and Relationship Types
    MemberOf
    AdminTo
    HasSession
    TrustedBy
    More added in BloodHound 1.3 (The ACL Attack Path Update): https://wald0.com/?p=112

  10.
    A Path for Escalation
    (figure: an escalation path through the nodes JDOE, APPDEV, BSMITH, SRVADM, HELPDESK, FILESRV01, BSMITH-DA and DOMAIN ADMINS, built from AdminTo, HasSession and MemberOf relationships)

  11.
    (figure: the BloodHound UI with its Search Container, Raw Query box, Zoom controls, Menu and Graph pane labelled)

  12.
    Node Info Tab

  13.
    Pathfinding

  14.
    BPT: Query Debug Mode
    Learn Cypher as you go!

  15.
    Understanding Cypher Syntax
    https://neo4j.com/developer/cypher-query-language/

  16.
    Your First Cypher Query

  17.
    Only MATCH a Label

  18.
    Return the ‘name’ Property

  19.
    WHERE Clause

  20.
    Find Direct Local Admin Access for a User

  21.
    Find Derivative Local Admin Access (3 hops)

  22.
    Same Query in BloodHound

  24.
    Extensions
    • Owned / Wave
    • Password Reuse via SharesPasswordWith
    • Blacklisting Nodes & Relationships
    • Integrating Network Connections

  26.
    All Hope Isn't Lost
    Password Reuse
    • Same password between accounts (figure: Bob and Bob-adm)
    • Shared local administrator password (figure: SRV1 and SRV2)
    Kerberoasting
    • Abuse Kerberos SPNs linked to domain accounts
    • Escalate from low-privileged user to service account
    Share Plundering
    • Notes.txt
    • Configuration files

  27.
    An Example Engagement
    1. LLMNR/NBNS MitM: Capture and crack NTLMv2 hashes
    − 3 accounts obtained
    2. Password spray: Fall2017
    − 4 more accounts obtained
    3. Password reuse: user account and admin account
    − 1 more account obtained (admin)
    − 1 computer obtained
    4. Secretsdump: dump local account hashes from host
    − 3 more accounts obtained (local)
    5. Pass-the-Hash: local administrator hash against other hosts
    − 34 more computers obtained

  28.
    Let's Use BloodHound to Answer a Question
    When a new set of nodes is owned by some method, what other nodes can we now collaterally reach?
    "Wave"

  29.
    'Owned' and 'Wave' Properties
    'owned'
    − Method used to compromise the node:
    • LLMNR wpad
    • Password spray
    • Mimikatz
    • Found on SMB share
    • Phished
    'wave'
    − Number representing the order in which the node was compromised:
    • 1
    • 2
    • 3, etc.

  30.
    SET Properties
    1. LLMNR/NBNS poisoning for WPAD:
    [email protected]
    [email protected]

  31.
    Node Info Addition

  32.
    Collateral Spread

  33.
    Collateral Spread – Raw Query

  34.
    Add Nodes to 1st Wave

  35.
    2nd Set of Owned Nodes
    2. Password spray (Fall2017):
    [email protected]
    [email protected]

  36.
    Collateral Spread for 2nd Wave

  37.
    Hiding Nodes from Previous Waves

  38.
    SET ‘wave’ for Nodes

  39.
    Delta in Access

  40.
    Automation
    bh-owned.rb: Ruby script that interacts with the Neo4j REST API

  41.
    Add wave (-a)
    3. SMB Share Plundering:
    [email protected]
    [email protected]
    1. Create Cypher query to SET properties
    2. Create Cypher query for wave of compromise
    3. Wrap it in JSON
    4. POST to RESTful endpoint
    5. Parse API response, display to user
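Added example (Ruby, mine; not bh-owned.rb and not code from the deck): the five steps above carried out end to end against the Neo4j 3.x transactional HTTP endpoint, `/db/data/transaction/commit`, which takes a JSON body of the form `{"statements": [...]}` and answers with `results` and `errors` arrays. The `owned` and `wave` property names are the deck's; the collateral-spread Cypher is my reconstruction, not the author's exact query, and the sample response below is constructed in the endpoint's shape rather than captured from a server. The check a practitioner wants is in step 5: the endpoint returns HTTP 200 even when a statement failed, so success is decided by an empty `errors` array, not by the status code.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example, not bh-owned.rb: the five steps from slide 41 against the
# Neo4j 3.x transactional endpoint (/db/data/transaction/commit). The
# `owned` and `wave` property names are the deck's; the collateral-spread
# Cypher is my reconstruction, not the author's exact query.
module BhOwned
  ENDPOINT = '/db/data/transaction/commit'.freeze
  EDGES = 'MemberOf|AdminTo|HasSession'.freeze

  # Step 1: mark a batch of nodes as owned. UNWIND takes the whole list as
  # one parameter, so one round trip marks the wave and nothing is
  # interpolated into the query text.
  def self.mark_owned(names, method, wave)
    { statement: 'UNWIND $names AS n MATCH (x {name: n}) ' \
                 'SET x.owned = $method, x.wave = $wave RETURN x.name',
      parameters: { names: names.map(&:upcase), method: method, wave: Integer(wave) } }
  end

  # Step 2: everything reachable from this wave that carries no wave yet.
  def self.collateral_spread(wave)
    { statement: "MATCH (o {wave: $wave})-[:#{EDGES}*1..]->(m) " \
                 'WHERE NOT exists(m.wave) RETURN DISTINCT m.name',
      parameters: { wave: Integer(wave) } }
  end

  # Step 3: the endpoint takes {"statements": [...]}, run in one transaction.
  def self.payload(*statements)
    JSON.generate(statements: statements)
  end

  # Step 4: POST with HTTP basic auth. Not exercised here; base_url is
  # something like 'http://localhost:7474'.
  def self.post(base_url, user, password, body)
    uri = URI.join(base_url, ENDPOINT)
    req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json',
                                   'Accept' => 'application/json')
    req.basic_auth(user, password)
    req.body = body
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
    parse_response(res.body)
  end

  # Step 5: one `results` entry per statement plus an `errors` array. The
  # endpoint answers 200 even when a statement failed, so the errors array,
  # not the status code, decides success.
  def self.parse_response(body)
    doc = JSON.parse(body)
    unless doc['errors'].empty?
      raise "Neo4j: #{doc['errors'].map { |e| e['message'] }.join('; ')}"
    end
    doc['results'].map { |r| r['data'].map { |d| d['row'] } }
  end
end

# Constructed sample reply in the endpoint's shape (not captured from a
# real server): the SET returned one name, the spread query two.
SAMPLE_RESPONSE = JSON.generate(
  results: [
    { columns: ['x.name'], data: [{ row: ['JDOE@INTERNAL.LOCAL'] }] },
    { columns: ['m.name'], data: [{ row: ['APPDEV@INTERNAL.LOCAL'] },
                                  { row: ['FILESRV01.INTERNAL.LOCAL'] }] }
  ],
  errors: []
)
```

A wave is added with `BhOwned.post('http://localhost:7474', 'neo4j', password, BhOwned.payload(BhOwned.mark_owned(names, 'LLMNR wpad', 1), BhOwned.collateral_spread(1)))`; both statements then commit or fail together. Keep the REST listener on localhost or behind TLS, since the credentials go over the wire in basic auth.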

  42.
    Wave 3 in BloodHound

  43.
    Custom Queries
    Mac: ~/Library/Application Support/bloodhound/customqueries.json
    Windows: %APPDATA%\bloodhound\customqueries.json (%APPDATA% already expands to ...\AppData\Roaming, so no extra \Roaming component)

  44.
    Custom Query Syntax
    name: Display name in BloodHound UI
    requireNodeSelect: Require input from the user
    query: Cypher query to run
    allowCollapse: Allow nodes to be collapsed
    props: Variables used in the "query" statement; helps with performance

  45.
    Add 4th Wave
    4. Mimikatz, Local accounts:
    [email protected]
    FILESERVER6.INTERNAL.LOCAL

  46.
    Find all owned Domain Admins

  47.
    Find Shortest Paths from owned node to DA

  48.
    Show Wave

  49.
    Show Wave

  50.
    Show Delta for Wave

  51.
    Show Delta for 2nd Wave
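Added example (Ruby, mine; not the deck's customqueries.json and not BloodHound code): the custom query file of slides 43 and 44 generated from Ruby, with the queries of slides 46 to 51 as its entries, so each entry carries the five keys (name, requireNodeSelect, query, allowCollapse, props) and the domain and wave number travel in `props` instead of being pasted into the Cypher. The top-level `queries` key is my assumption about the BloodHound 1.x file layout; the `owned` and `wave` properties are the deck's, and the Cypher is mine. The delta query assumes, as slide 38 does, that the nodes reached by earlier waves were given a wave number.

```ruby
require 'json'

# Added example, not the deck's customqueries.json: build the file from
# Ruby so every entry carries the five keys from slide 44. The top-level
# "queries" key is my assumption about the BloodHound 1.x file layout; the
# owned/wave properties are the deck's, the Cypher for slides 46-51 is mine.
module CustomQueries
  EDGES = 'MemberOf|AdminTo|HasSession'.freeze

  def self.entry(name, query, require_node_select: false, allow_collapse: true, props: {})
    { 'name' => name, 'requireNodeSelect' => require_node_select,
      'query' => query, 'allowCollapse' => allow_collapse, 'props' => props }
  end

  # Domain and wave number travel in props, as Cypher parameters, so the
  # query text stays constant and Neo4j can reuse its plan.
  def self.queries(domain, wave)
    da = "DOMAIN ADMINS@#{domain.upcase}"
    [
      entry('Find all owned Domain Admins',
            'MATCH (u:User)-[:MemberOf*1..]->(g:Group {name: $da}) WHERE exists(u.owned) RETURN u',
            props: { 'da' => da }),
      entry('Find Shortest Paths from owned node to DA',
            'MATCH (o) WHERE exists(o.owned) ' \
            "MATCH p = shortestPath((o)-[:#{EDGES}*1..]->(g:Group {name: $da})) RETURN p",
            props: { 'da' => da }),
      entry('Show Wave',
            'MATCH (n {wave: $wave}) RETURN n',
            allow_collapse: false, props: { 'wave' => wave }),
      # Delta: what this wave reaches that earlier waves did not. Assumes the
      # collateral nodes of earlier waves were given a wave number (slide 38).
      entry('Show Delta for Wave',
            "MATCH p = (o {wave: $wave})-[:#{EDGES}*1..]->(m) " \
            'WHERE NOT exists(m.wave) OR m.wave >= $wave RETURN p',
            props: { 'wave' => wave })
    ]
  end

  def self.document(domain, wave)
    JSON.pretty_generate('queries' => queries(domain, Integer(wave)))
  end

  # Slide 43 locations (macOS and Windows; %APPDATA% already ends in \Roaming).
  def self.default_path
    if Gem.win_platform?
      File.join(ENV.fetch('APPDATA'), 'bloodhound', 'customqueries.json')
    else
      File.join(Dir.home, 'Library', 'Application Support', 'bloodhound', 'customqueries.json')
    end
  end

  def self.write(domain, wave, path = default_path)
    File.write(path, document(domain, wave))
    path
  end
end
```

`CustomQueries.write('INTERNAL.LOCAL', 2)` rewrites the file for the second wave; BloodHound reads it on the next restart, so regenerate it rather than editing wave numbers by hand.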

  52.
    Extensions
    • Owned / Wave
    • Password Reuse via SharesPasswordWith
    • Blacklisting Nodes & Relationships
    • Integrating Network Connections

  53.
    Representing Password Reuse
    Relationship types: MemberOf, AdminTo, HasSession, TrustedBy, and the new SharesPasswordWith (one edge type that joins Computers to Computers and Users to Users; see the next slides)

  54.
    A Path for Escalation
    (figure: the slide-10 escalation path through JDOE, APPDEV, BSMITH, SRVADM, HELPDESK, FILESRV01, BSMITH-DA and DOMAIN ADMINS, built from AdminTo, HasSession and MemberOf relationships)

  55.
    SharesPasswordWith: Computers
    (figure: the same escalation path, now with SharesPasswordWith edges between computers)

  56.
    SharesPasswordWith: Users
    (figure: the same escalation path, now with SharesPasswordWith edges between user accounts)

  57.
    SharesPasswordWith: Manual Way
    Accounts with same password:
    [email protected]
    [email protected]

  58.
    SharesPasswordWith: Automated (-s)
    Computers with same local admin password

  59.
    Find Clusters of Password Reuse

  60.
    Shortest Path to DA using SharesPasswordWith
    (figure: a shortest path to DOMAIN ADMINS that passes through BREYES, BREYES.ADMIN, ZDEVENS, BLOPER and BPICKEREL and traverses SharesPasswordWith edges)

  61.
    Extensions
    • Owned / Wave
    • Password Reuse via SharesPasswordWith
    • Blacklisting Nodes & Relationships
    • Integrating Network Connections

  62.
    Blacklisting
    (figure: JDOE -[AdminTo]-> APPDEV -[HasSession]-> BSMITH)

  63.
    Blacklisting
    (figure: JDOE -[AdminTo]-> APPDEV -[HasSession]-> BSMITH; reason to blacklist: Computer Offline)

  64.
    Blacklisting
    (figure: JDOE -[AdminTo]-> APPDEV -[HasSession]-> BSMITH; reason to blacklist: Session Expired)

  65.
    Blacklisting
    (figure: JDOE -[AdminTo]-> APPDEV -[HasSession]-> BSMITH; reason to blacklist: User Disabled)

  66.
    Adding to the Blacklist
    Via the UI tooltip
    Via bh-owned.rb

  67.
    Blacklist: "Find all Domain Admins"
    Original Query
    Remove paths that contain the "blacklist" property

  68.
    Viewing the Blacklist

  69.
    Extensions
    • Owned / Wave
    • Password Reuse via SharesPasswordWith
    • Blacklisting Nodes & Relationships
    • Integrating Network Connections

  70.
    Netstat Connections
    Proto Local Address Foreign Address State
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 10.1.8.83:445 10.1.2.118:53210 ESTABLISHED
    TCP 10.1.8.83:49188 54.91.1.122:443 ESTABLISHED
    TCP 10.1.8.83:49230 10.1.17.47:1433 ESTABLISHED
    TCP 10.1.8.83:49276 10.1.6.115:22 ESTABLISHED
    TCP 10.1.8.83:49295 10.1.72.47:80 ESTABLISHED
    TCP 10.1.8.83:49296 52.27.96.23:443 ESTABLISHED
    TCP 10.1.8.83:49297 10.1.7.18:135 ESTABLISHED
    TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED

  71.
    Netstat Connections: Web Apps
    Proto Local Address Foreign Address State
    TCP 10.1.8.83:49188 54.91.1.122:443 ESTABLISHED
    TCP 10.1.8.83:49295 10.1.72.47:80 ESTABLISHED
    TCP 10.1.8.83:49296 52.27.96.23:443 ESTABLISHED

  72.
    Netstat Connections: RDP/SSH
    Proto Local Address Foreign Address State
    TCP 10.1.8.83:49276 10.1.6.115:22 ESTABLISHED
    TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED

  73.
    Netstat Connections: Databases
    Proto Local Address Foreign Address State
    TCP 10.1.8.83:49230 10.1.17.47:1433 ESTABLISHED

  74.
    No IP Addresses for a Computer
    # cat dns-mappings.txt
    10.1.72.27,"R_AND_D_16.EXTERNAL.LOCAL"
    10.1.4.67,"R_AND_D_8.EXTERNAL.LOCAL"
    10.1.72.12,"DESKTOP35.EXTERNAL.LOCAL"
    10.1.72.13,"SQL4.EXTERNAL.LOCAL"
    10.1.4.12,"DESKTOP40.INTERNAL.LOCAL"
    10.1.4.13,"SYSTEM33.INTERNAL.LOCAL"
    ...

  75.
    Netstat to Cypher
    TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED
    (s:Computer {name:''})-[:Connected_3389]->(d:Computer {name:''})
    (figure: DESKTOP7.INTERNAL.LOCAL -[Connected_3389]-> MANAGEMENT3.INTERNAL.LOCAL)
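Added example (Ruby, mine; not the deck's `-c`/`-d` code): the translation sketched on slides 70 to 75 carried through for a whole netstat listing. It parses `netstat -an` style lines, resolves both ends through a `dns-mappings.txt` in the CSV shape of slide 74, and emits one `Connected_<port>` MERGE statement per distinct pair. Listening sockets are skipped, peers with no mapping (the 54.x and 52.x addresses on slide 70, and the SSH host that is not in AD) are dropped, and an inbound connection is recognised by the port numbers: Windows hands clients ports from 49152 upward, so a socket whose local port is below that and whose peer port is above it is drawn from the peer to this host. The netstat lines are the slide's; the mapping of addresses to host names is constructed except for the DESKTOP7/MANAGEMENT3 pair on slide 75. The port is range-checked before it is interpolated, because a relationship type cannot be a Cypher parameter.

```ruby
require 'csv'

# Added example, not the deck's -c/-d code: turn netstat output plus the
# dns-mappings.txt CSV (slide 74) into Connected_<port> edges (slide 75).
module NetstatGraph
  Connection = Struct.new(:src, :dst, :port)
  # Windows dynamic (ephemeral) client port range starts here. A socket
  # whose local port is below it and whose peer port is above it is an
  # inbound connection, so the edge runs from the peer to this host.
  EPHEMERAL_MIN = 49_152

  # "ip,hostname" CSV, as on slide 74 -> { ip => HOSTNAME }
  def self.load_mappings(csv_text)
    CSV.parse(csv_text).each_with_object({}) do |(ip, host), map|
      map[ip.strip] = host.strip.upcase if ip && host
    end
  end

  # netstat_text is `netstat -an` output from one host; mappings must
  # contain that host's own address or nothing will resolve.
  def self.parse(netstat_text, mappings)
    conns = []
    netstat_text.each_line do |line|
      proto, local, remote, state = line.split
      next unless proto == 'TCP' && state == 'ESTABLISHED'
      lip, lport = split_endpoint(local)
      rip, rport = split_endpoint(remote)
      next unless lip && rip
      if lport < EPHEMERAL_MIN && rport >= EPHEMERAL_MIN
        src_ip, dst_ip, port = rip, lip, lport      # inbound
      else
        src_ip, dst_ip, port = lip, rip, rport      # outbound
      end
      src = mappings[src_ip]
      dst = mappings[dst_ip]
      next unless src && dst                        # no AD name: skip
      conns << Connection.new(src, dst, port)
    end
    conns.uniq
  end

  # "10.1.8.83:49298" -> ["10.1.8.83", 49298]; IPv6 and junk -> nil
  def self.split_endpoint(text)
    ip, _sep, port = text.rpartition(':')
    return nil unless port =~ /\A\d+\z/ && ip =~ /\A\d+\.\d+\.\d+\.\d+\z/
    [ip, port.to_i]
  end

  # The relationship type cannot be a parameter, so the port is range-
  # checked before it is interpolated; the host names stay parameters.
  def self.statements(conns)
    conns.map do |c|
      raise ArgumentError, "bad port #{c.port}" unless c.port.between?(1, 65_535)
      { statement: 'MATCH (s:Computer {name: $src}), (d:Computer {name: $dst}) ' \
                   "MERGE (s)-[:Connected_#{c.port}]->(d)",
        parameters: { src: c.src, dst: c.dst } }
    end
  end
end

# The netstat lines from slide 70, taken on 10.1.8.83.
SAMPLE_NETSTAT = <<~TXT
  Proto Local Address Foreign Address State
  TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
  TCP 10.1.8.83:445 10.1.2.118:53210 ESTABLISHED
  TCP 10.1.8.83:49188 54.91.1.122:443 ESTABLISHED
  TCP 10.1.8.83:49230 10.1.17.47:1433 ESTABLISHED
  TCP 10.1.8.83:49276 10.1.6.115:22 ESTABLISHED
  TCP 10.1.8.83:49295 10.1.72.47:80 ESTABLISHED
  TCP 10.1.8.83:49296 52.27.96.23:443 ESTABLISHED
  TCP 10.1.8.83:49297 10.1.7.18:135 ESTABLISHED
  TCP 10.1.8.83:49298 10.1.7.18:3389 ESTABLISHED
TXT

# Constructed mapping; only the DESKTOP7 / MANAGEMENT3 pair is from slide 75.
SAMPLE_MAPPINGS = <<~CSV
  10.1.8.83,"DESKTOP7.INTERNAL.LOCAL"
  10.1.7.18,"MANAGEMENT3.INTERNAL.LOCAL"
  10.1.2.118,"DESKTOP40.INTERNAL.LOCAL"
  10.1.17.47,"SQL4.INTERNAL.LOCAL"
CSV
```

On the slide's listing this yields four edges: the inbound SMB connection from DESKTOP40 to DESKTOP7 on 445, and DESKTOP7's outbound connections to SQL4 on 1433 and to MANAGEMENT3 on 135 and 3389; the web and SSH peers have no AD name and are left out, which is what you want when the graph is only supposed to hold domain-joined computers.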

  76.
    Adding Connections (-c, -d)

  77.
    Connections over 389/tcp

  78.
    Connections over 445/tcp

  79.
    Show Web App Connections
    Connected_80

  80.
    Cypher Query Using Both Datasets
    "Simple" derivative local admin, then connected to one or more hosts via RDP

  81.
    Escalation Paths to RDP Jumpboxes

  82.
    Escalation Paths to RDP Jumpboxes
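Added example (Ruby, mine; not code from the deck or from the author's BloodHound fork), covering two slides: the slide-67 rewrite that removes paths touching anything with a `blacklist` property, done as a function applied to any "MATCH p = ... RETURN p" query, and the slide-80 query that joins the AD edges with the `Connected_3389` edges to find escalation paths ending on RDP jump boxes. The `blacklist` property and the `Connected_3389` type are the author's; the predicate, the helper names and my reading of "simple derivative local admin" as MemberOf and AdminTo hops only are assumptions. The filter checks both nodes and relationships, since the deck blacklists both (a disabled user is a node, an expired session is an edge).

```ruby
# Added example, not the author's fork code: blacklist filtering (slide 67)
# as a query rewrite, and the combined AD + netstat query of slide 80.
module Blacklist
  # Drop any path that touches a blacklisted node or relationship.
  PRED = 'NONE(n IN nodes(p) WHERE exists(n.blacklist)) ' \
         'AND NONE(r IN relationships(p) WHERE exists(r.blacklist))'

  # Insert the predicate into a query that binds its path as p: either
  # extend an existing WHERE or add one in front of RETURN.
  def self.apply(query)
    raise ArgumentError, 'query must bind a path as p' unless query =~ /\bMATCH\s+p\s*=/
    if query =~ /\bWHERE\b/
      query.sub(/\bWHERE\b/, "WHERE #{PRED} AND")
    else
      query.sub(/\bRETURN\b/, "WHERE #{PRED} RETURN")
    end
  end

  # The "Find all Domain Admins" shape from slide 67; $da is the group name.
  def self.find_all_domain_admins
    'MATCH p = (u:User)-[:MemberOf*1..]->(g:Group {name: $da}) RETURN p'
  end

  # Slide 80: "simple" derivative local admin (group membership and
  # AdminTo only, no sessions), then one or more RDP hops to a jump box.
  # The hop count is in the pattern, so it is coerced to an Integer first.
  def self.rdp_jumpboxes(max_hops = 3)
    "MATCH p = (u:User {name: $user})-[:MemberOf|AdminTo*1..#{Integer(max_hops)}]->(c:Computer)" \
    '-[:Connected_3389*1..]->(j:Computer) RETURN p'
  end
end
```

`Blacklist.apply(Blacklist.rdp_jumpboxes(3))` is the query to run with `user` set to an owned account: paths through an offline host or an expired session disappear without deleting the data, and removing the property brings them back.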

  83.
    Future Research
    − Incorporating more flow data
    − Critical Path to Compromise
    − More inclusion of local accounts
    − Alternative data collection
    − Ideas? Reach out!

  84.
    References
    • BloodHound on Slack: https://bloodhoundgang.herokuapp.com/
    • BloodHound project on GitHub: https://github.com/BloodHoundAD/BloodHound
    • SharpHound project on GitHub: https://github.com/BloodHoundAD/SharpHound
    • Cypher Reference Card: https://neo4j.com/docs/cypher-refcard/current/
    • Rohan Vazarkar - Intro to Cypher: https://blog.cptjesus.com/posts/introtocypher
    • Andy Robbins – BloodHound 1.3 – The ACL Attack Path Update: https://wald0.com/?p=112
    • Rohan Vazarkar – BloodHound 1.4: The Object Properties Update: https://blog.cptjesus.com/posts/bloodhoundobjectproperties
    • Will Schroeder – Local Group Enumeration: https://www.harmj0y.net/blog/redteaming/local-group-enumeration/
    • Tal Be’ery & Marina Simakov – The Enemy Within: Stopping Attacks Against Local Users: https://youtu.be/HE7X7l-k-A4

  85.
    Thank you!
    Twitter/GitHub: @porterhau5
    Email: tom [at] porterhau5.com
    https://github.com/porterhau5/BloodHound-Owned
    https://github.com/porterhau5/BloodHound (forked)
