Embed Size (px)
Citation preview
4/3/19
1
1
How to efficiently assess Active Directories of Any Scale with Directory Ranger, BloodHound and CypherDogJD & Michael Thumann
2
#whoamiSecurity Consultant & Windows Automation Engineer
Contact:ERNW GmbHJDCarl-Bosch-Str. 469115 Heidelberg
4/3/19
2
3
#whoamiLead Architect @ERNW SecTools
Contact:ERNW SecTools GmbHMichael ThumannCarl-Bosch-Str. 469115 HeidelbergEmail: [email protected]
44
Introduction
4/3/19
3
5
Microsoft Active Directoryo A directory serviceo Introduced with Windows 2000 Server in 2000 Jo Authenticates and authorizes all users and computerso A kind of database that contains
o Userso Groupso Computerso Serviceso Corresponding attributes
o The key to the crown jewels of a corporate network
6
Worst case Hacko A complete compromise of your directory serviceo Consequences:
o The attacker can impersonate every usero The attacker can access every server/system/resource
integrated into the directory serviceo The attacker can access/modify any unencrypted data
stored in that environmento The attacker can even access/modify encrypted data in
that environment, if Microsoft’s Data Protection API (DPAPI) is used
4/3/19
4
7
What is requiredo An initial attack vector like
o Executed email attachmento Drive-by-download from malicious websiteo Exploited vulnerability
o Access to a client/workstationo Hijacking the user of the cliento Elevated privileges e.g. local admino A path to domain admin privilegeso Vulnerabilities/Misconfiguration
88
Bloodhound – Path to Domain Admin
4/3/19
5
9
An Active Directory Attack Paths Graphing tool
10
ScreenShot2
4/3/19
6
11
ScreenShot1
12
ScreenShot3
4/3/19
7
13
BloodHoundWhy?
14
Attackers think in Graphs,Defenders think in lists…
[John Lambert – MS Threat Intel]
4/3/19
8
15
BloodHoundBy who?
16
@Harmj0y@_Wald0@CptJesus
4/3/19
9
17
BloodHoundFor who?
18
Everybody!![Red|Blue|Any]
4/3/19
10
19
BloodHoundWhen?
20
Do not run BloodHound in your environment if your AD security isn’t “mature” yet…
[unless if you like pain]
4/3/19
11
21
WTF!?
22
BloodHoundHow?
4/3/19
12
23
- Data Collection with Sharphound- Stored in Neo4j Database- Displayed in Web UI
24
CypherWhat?
4/3/19
13
25
Cypher is the Neo4j DBquery language
26
MATCH (x) RETURN x// Return All Nodes
4/3/19
14
27
MATCH (x:User) RETURN x// Return All User Nodes
28
MATCH (x:User {name: ‘Bob’}) MATCH (y:Group{name:‘[email protected]’})MATCH p=shortestPath((x)-[*1..]->(y))RETURN p// Return shortest Path from Bob to GroupX
4/3/19
15
29
CypherDogWow!
30
A PoSh Clientfor Bloodhound
[Become a Dog Whisperer]
4/3/19
16
31
32
4/3/19
17
33
34
4/3/19
18
35
36
4/3/19
19
3737
DirectoryRanger – Vulnerabilities/Misconfiguration
38
Typical Use Caseso Audit/Vulnerability Assessments for ADso Merger & Acquisitiono Trust Relationships in Supply Chains
4/3/19
20
39
Audit/Vulnerability Assessments for ADso Self assessment due to compliance
requirements like PCI, HiPAA, …o Like an audit interview with an integrated
questionnaireo Technical scan with standard user privileges
and without agent installationo Analyze collected data for security issues
40
Merger & Acquisitiono Assessments of foreign Active Directory
infrastructureo Answer the question: “How secure is the
other AD?” before establishing trust relationships
o Define tasks before integrating the other infrastructure
4/3/19
21
41
Trust Relationships in Supply Chainso Assessments of a Partner Active Directory
infrastructure within a supply chaino Answer the question: “How secure is the
other AD?” before making a decision about establishing trust relationships
o Define tasks and requirements
42
4/3/19
22
43
Follow Uso On Twitter ;-)
44
www.ernw-sectools.de
www.insinuator.net
Thank you for your attention!
@DirectoryRanger
