BloodHound: Attack Graphs Practically Applied to Active Directory
2 likes3,129 views
This document discusses BloodHound, a tool that uses graph databases and analysis to help analyze complex privilege relationships within Active Directory environments. It describes how traditionally these types of analyses were done manually, which was tedious and ineffective for anything but small environments. BloodHound collects data on users, groups, computers and privileges through LDAP and other queries, and then constructs a graph database to allow for easy visualization and identification of attack paths. This helps both offensive and defensive teams more easily understand privilege escalation risks and harden their environments.
BloodHound: Attack Graphs Practically Applied to Active Directory
- 1. BloodHound: Attack Graphs Practically Applied to Active Directory
- 2. HELLO! I am Andy Robbins Adversary Resilience Lead at SpecterOps BloodHound co-creator and developer, Red Teamer You can find me at @_wald0
- 3. HELLO! I am Rohan Vazarkar Adversary Resilience Senior Operator at SpecterOps BloodHound co-creator and developer, Red Teamer You can find me at @CptJesus
- 4. Agenda ▪ The Problem ▪ The Solution ▪ Conclusion 44
- 5. Purpose We want to demonstrate how graphs can be an elegant and practical solution to incredibly complex problems, and inspire you to consider using graphs for problems you face 55
- 6. The Problem
- 7. Pushed Into a Corner, circa 2014-2015 ▪ Remote Code Execution (RCE) flaws in Windows become increasingly rare and risky to exploit ▪ Maturing vulnerability management programs ensure ephemerality of RCE in the enterprise ▪ A common methodology appeared... 77
- 8. 8
- 9. 9
- 10. 10
- 11. 11
- 12. 12
- 13. 13
- 14. 14
- 15. 15
- 16. 16
- 17. 17
- 18. 18 Domain Admin!
- 19. 19 Domain Admin!
- 20. The Data is RIGHT… THERE! ▪ Question: Where are users logged on? ▪ Answer: NetSessionEnum ▪ Question: Who are local admins on a system? ▪ Answer: NetLocalGroupGetMembers ▪ Question: Who belongs to what security group? ▪ Answer: Basic LDAP queries By default, all data is accessible by any domain authenticated principal on systems before Windows 10 Anniversary (1607) 2020
- 21. An effective, albeit tedious and naive approach... 21 Target Users: Admin-1 Admin-2 Admin-3 Admin-4 Admin-5 Admin-1 Uses These Systems: Computer-1 Computer-2 Computer-3 Admins on Computer-1: Admin-1 Admin-2 Admin-10 Group-11 Members of Group 11 Use These Systems: Computer-1 Computer-2 Computer-5 Admins on Computer-5: Admin-1 Admin-2 Admin-10 Admin-15 Admin-15 Uses These Systems: Computer-1 Computer-2 Computer-10 Members of Group-11: Admin-5 Admin-6 Admin-7 Admin-8
- 22. The Problem, In Short ▪ We have a reliable, proven methodology for escalating rights in almost any Active Directory deployment ▪ That methodology is enhanced by data which, by default, anyone in a domain can access ▪ The data is way too complicated to analyze by hand 2222
- 23. The Solution
- 24. It’s a graph, dummy! ▪ Every principal (user, group, computer) is a node ▪ Every privilege (and group membership) is a relationship ▪ Graphs are phenomenally fast at finding paths between disparate nodes 2424
- 25. 25 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group Data Source: LDAP
- 26. 26 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOf Data Source: LDAP
- 27. 27 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOf AdminTo Data Source: NetLocalGroupGetMembers
- 28. 28 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOfHasSession AdminTo Data Source: NetSessionEnum
- 29. Now You’re Thinking With Graphs ▪ Manual “derivative local admin” takes days to months ▪ Data collection, graph analysis, and attack path execution takes minutes to hours 2929
- 32. Conclusion
- 33. Three Problems Graphs Solved ▪ Complexity - Analyzing thousands of paths became possible ▪ Readability - Presenting concepts to non-technical audiences became easier ▪ Accessibility - Opened up the methodology to both the defensive and offensive side 3333
- 34. Three Exciting Defensive Applications ▪ Easier, more effective, more accurate permission auditing ▪ Attack path identification and mitigation/elimination ▪ Empirical key terrain identification 3434
- 35. If There’s One Thing to Take Away From this Talk ▪ Graphs are not the solution to every problem; however, they allow you to look at problems in a unique way and solve complex problems that otherwise would be insanely difficult to visualize, compute, or solve 3535
- 36. Acknowledgements and Prior Work http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf https://www.sixdub.net/?p=591 https://bitbucket.org/iwseclabs/bta https://github.com/ANSSI-FR/AD-control-paths https://powersploit.readthedocs.io/en/latest/Recon/ 3636
- 37. 37 Thank you! QUESTIONS? You can find us at: ▪ specterops.io ▪ @SpecterOps ▪ @_wald0 ▪ @CptJesus ▪ BloodHound: https://bit.ly/GetBloodHound ▪ BloodHound Slack: https://bloodhoundgang.herokuapp.com