
BloodHound: Attack Graphs Practically Applied to Active Directory

Presented at Microsoft's BlueHat v18 in Redmond, Washington in September of 2018.

  1. BloodHound: Attack Graphs Practically Applied to Active Directory
  2. HELLO! I am Andy Robbins. Adversary Resilience Lead at SpecterOps. BloodHound co-creator and developer, Red Teamer. You can find me at @_wald0
  3. HELLO! I am Rohan Vazarkar. Adversary Resilience Senior Operator at SpecterOps. BloodHound co-creator and developer, Red Teamer. You can find me at @CptJesus
  4. Agenda ▪ The Problem ▪ The Solution ▪ Conclusion
  5. Purpose: We want to demonstrate how graphs can be an elegant and practical solution to incredibly complex problems, and inspire you to consider using graphs for problems you face
  6. The Problem
  7. Pushed Into a Corner, circa 2014-2015 ▪ Remote Code Execution (RCE) flaws in Windows become increasingly rare and risky to exploit ▪ Maturing vulnerability management programs ensure ephemerality of RCE in the enterprise ▪ A common methodology appeared...
  8-19. Diagram slides with no extractable text; slides 18 and 19 are captioned "Domain Admin!"
  20. The Data is RIGHT… THERE! ▪ Question: Where are users logged on? Answer: NetSessionEnum ▪ Question: Who are local admins on a system? Answer: NetLocalGroupGetMembers ▪ Question: Who belongs to what security group? Answer: Basic LDAP queries. By default, all data is accessible by any domain-authenticated principal on systems before Windows 10 Anniversary Update (1607)
  21. An effective, albeit tedious and naive approach...
      Target Users: Admin-1, Admin-2, Admin-3, Admin-4, Admin-5
      Admin-1 Uses These Systems: Computer-1, Computer-2, Computer-3
      Admins on Computer-1: Admin-1, Admin-2, Admin-10, Group-11
      Members of Group-11: Admin-5, Admin-6, Admin-7, Admin-8
      Members of Group-11 Use These Systems: Computer-1, Computer-2, Computer-5
      Admins on Computer-5: Admin-1, Admin-2, Admin-10, Admin-15
      Admin-15 Uses These Systems: Computer-1, Computer-2, Computer-10
  22. The Problem, In Short ▪ We have a reliable, proven methodology for escalating rights in almost any Active Directory deployment ▪ That methodology is enhanced by data which, by default, anyone in a domain can access ▪ The data is way too complicated to analyze by hand
  23. The Solution
  24. It’s a graph, dummy! ▪ Every principal (user, group, computer) is a node ▪ Every privilege (and group membership) is a relationship ▪ Graphs are phenomenally fast at finding paths between disparate nodes
  25. Graph diagram with five nodes: Domain Admins, Alice Admin, Computer 1, Bob User, Helpdesk Group. Data Source: LDAP
  26. Same graph with two MemberOf edges added. Data Source: LDAP
  27. Same graph with an AdminTo edge added. Data Source: NetLocalGroupGetMembers
  28. Same graph with a HasSession edge added. Data Source: NetSessionEnum
  29. Now You’re Thinking With Graphs ▪ Manual “derivative local admin” takes days to months ▪ Data collection, graph analysis, and attack path execution takes minutes to hours
  30. BloodHound 1.0 Schema (diagram)
  31. BloodHound 2.0 Schema (diagram)
  32. Conclusion
  33. Three Problems Graphs Solved ▪ Complexity: analyzing thousands of paths became possible ▪ Readability: presenting concepts to non-technical audiences became easier ▪ Accessibility: opened up the methodology to both the defensive and offensive side
  34. Three Exciting Defensive Applications ▪ Easier, more effective, more accurate permission auditing ▪ Attack path identification and mitigation/elimination ▪ Empirical key terrain identification
  35. If There’s One Thing to Take Away From this Talk ▪ Graphs are not the solution to every problem; however, they allow you to look at problems in a unique way and solve complex problems that otherwise would be insanely difficult to visualize, compute, or solve
  36. Acknowledgements and Prior Work ▪ http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf ▪ https://www.sixdub.net/?p=591 ▪ https://bitbucket.org/iwseclabs/bta ▪ https://github.com/ANSSI-FR/AD-control-paths ▪ https://powersploit.readthedocs.io/en/latest/Recon/
  37. Thank you! QUESTIONS? You can find us at: ▪ specterops.io ▪ @SpecterOps ▪ @_wald0 ▪ @CptJesus ▪ BloodHound: https://bit.ly/GetBloodHound ▪ BloodHound Slack: https://bloodhoundgang.herokuapp.com
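Added example, not part of the deck and not BloodHound's own code: the five-node graph from slides 25-28 modelled in Python with the MemberOf, AdminTo and HasSession relationships, searched with breadth-first search for the shortest path from Bob User to Domain Admins (slide 24), and then checked for the single edges and nodes whose removal breaks every such path, which is the attack-path mitigation and key-terrain identification described on slides 33 and 34. The edge directions, the extra "Computer 2" path, the constructed edge list and the function names are assumptions made for this example.

```python
"""Toy attack graph: nodes are principals, edges are relationships.

Constructed for illustration; nothing here is collected from a real domain.
"""
from collections import deque

# Constructed edge list (source, relationship, target). The four edges from the
# slides are modelled with assumed directions; the two "Computer 2" edges are an
# added second path so the chokepoint analysis below has something to separate.
EDGES = [
    ("Bob User", "MemberOf", "Helpdesk Group"),
    ("Alice Admin", "MemberOf", "Domain Admins"),
    ("Helpdesk Group", "AdminTo", "Computer 1"),
    ("Computer 1", "HasSession", "Alice Admin"),
    ("Bob User", "AdminTo", "Computer 2"),
    ("Computer 2", "HasSession", "Alice Admin"),
]


def build_graph(edges):
    """Adjacency map: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """BFS over directed edges; returns [(node, rel, node), ...] or None."""
    if start not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parents:
        return None
    path = []
    cur = goal
    while parents[cur] is not None:
        prev, rel = parents[cur]
        path.append((prev, rel, cur))
        cur = prev
    return list(reversed(path))


def chokepoint_edges(edges, start, goal):
    """Edges whose removal on its own leaves no path from start to goal."""
    result = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(build_graph(remaining), start, goal) is None:
            result.append(edge)
    return result


def chokepoint_nodes(edges, start, goal):
    """Intermediate nodes whose removal leaves no path from start to goal."""
    nodes = {n for e in edges for n in (e[0], e[2])} - {start, goal}
    result = []
    for node in sorted(nodes):
        remaining = [e for e in edges if node not in (e[0], e[2])]
        if shortest_path(build_graph(remaining), start, goal) is None:
            result.append(node)
    return result


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for hop in shortest_path(graph, "Bob User", "Domain Admins"):
        print("%s -[%s]-> %s" % hop)
    print("edge chokepoints:", chokepoint_edges(EDGES, "Bob User", "Domain Admins"))
    print("node chokepoints:", chokepoint_nodes(EDGES, "Bob User", "Domain Admins"))
```

With the two routes in the constructed graph, the only single edge that cuts both is Alice Admin's membership in Domain Admins and the only single node is Alice Admin herself, which is the "key terrain" a defender would look at first (here, a Domain Admin leaving sessions on workstations). BloodHound stores the same model in Neo4j and asks the same question with Cypher's shortestPath; this block is that idea at toy scale.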
