Module 03
In this challenge we will query the Active Directory for vital information and gather data about valuable targets and possible further attacks. While the main tool will be BloodHound, we will also use PingCastle to perform a quick AD health check.
PingCastle offers several different methods to assess the security level of an Active Directory. For now, we will run a simple health-check.
In order to run PingCastle, navigate to the installation directory in a command prompt. Make sure that the command prompt is running as your domain user, not as local admin!
.\PingCastle.exe
Once the tool has started, select option 1 - healthcheck.
Next confirm the domain and wait until the checks are done:
You can then analyse the results from the generated html file:
You can find an overview and description of all checks performed by PingCastle here: https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment (https://github.com/BloodHoundAD/BloodHound).
First, we need to run the collector to collect the actual data from the Active Directory. The simplest way is to run it as a domain user on a domain-joined machine. In this case, you will run it from your Windows 10 client as "tmassie".
The tool is already installed on your Windows 10 client. To run it, open a command prompt (as regular user) and navigate to the installation directory:
cd c:\temp\tools\SharpHound
.\SharpHound.exe -c All,GPOLocalGroup
You should now find a ZIP file containing the collected data in the SharpHound directory:
Copy the content to your Kali attack box.
Starting BloodHound:
apt-get install hl-bloodhound
First, we need to start the neo4j database. On your local machine, start a root shell and type the following command:
neo4j console
Finally, open a second root terminal and start BloodHound:
bloodhound
Credentials are:
neo4j
compass
You can import the ZIP file with drag and drop into BloodHound. Then, open the BloodHound menu (top left corner), scroll down and click on "Refresh Database Stats":
Analyzing the data:
BloodHound offers you different ways to analyze and interact with the collected data. You can either browse through all collected objects (like computers, users, groups etc.), use the built-in queries to retrieve data or define your own queries. Below, you can find some examples.
In the menu, you can search for objects by typing user or computer names:
Some of an object's properties represent connections to other objects. A good example of this is a user who is logged in on a computer. This is represented in BloodHound as a Session (and the relation hasSession). If an object has sessions and you want to display the connections, simply click on the property and the GUI will update accordingly. For example, in the screenshot below, you can see that the user aalfort has a session on the machine client1.winattacklab.local.
Another important connection between objects is administrative privileges. When looking at a user, this is represented as the first degree (or group delegated) local admin rights. For example, by looking at the group delegated admin rights of the user aalfort, we can see that this user is in a group called FS1ADMINS, which in turn has administrative privileges on the host FS1:
BloodHound comes with a list of pre-built queries, which can be used to retrieve valuable information and connections between objects. You can browse these queries from the menu. Clicking on a query then brings up the requested data (if available).
Below, an example of the query Find all Domain Admins is shown:
Based on what you learned from BloodHound, what is your next target?
What is required to get the credentials for the next target?
How do we get the credentials for the next target?
Why do you think the query "Shortest Paths to Domain Admins from Owned Principals" does not show any results?
Based on the analysis, we assume that FS1 is a file server and would be the final target. To get there, the next step is to own AALFORT. AALFORT is a member of the FS1ADMINS group and has an active session on CLIENT1, which we already own.
Because AALFORT has an active session on CLIENT1, the NTLM hash of this logon session can provide the key to the final target (credential abuse). To carry out the credential abuse, the attacker needs the following permissions:
Administrative privileges: integrity level High or System on CLIENT1 (required to access LSASS memory)
SeDebugPrivilege enabled for Mimikatz to dump the LSASS memory. Mimikatz requires this privilege as it interacts with processes such as LSASS. (The debug privilege determines which users can attach a debugger to any process or to the kernel. By default this privilege is given to Local Administrators. In a default installation of Windows Server 2016 the group policy is not defined, which means that only Local Administrators have this permission.)
With the active session of AALFORT on CLIENT1, a credential dump with a tool like Mimikatz can provide the credentials.
Because the owned principals are not members of the Domain Admins group and do not have an active session (at the moment), no valid path to the Domain Admins can be found.
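The graph reasoning behind these answers, as an added Python example (not part of the original lab and not BloodHound code): a breadth-first search over the relationships named above, plus a defender's check for which single relationship, once removed, breaks the path. The edge list is constructed, CLIENT1 is taken as the owned principal, and DA-PLACEHOLDER is a hypothetical Domain Admins member that has no session on an owned host.

```python
from collections import deque

# Constructed edges modelled on the relationships named in this lab.
# BloodHound edge directions: MemberOf user->group, AdminTo principal->computer,
# HasSession computer->user (that user's credentials are exposed on the computer).
EDGES = [
    ("CLIENT1", "HasSession", "AALFORT"),
    ("AALFORT", "MemberOf", "FS1ADMINS"),
    ("FS1ADMINS", "AdminTo", "FS1"),
    ("DA-PLACEHOLDER", "MemberOf", "DOMAIN ADMINS"),  # hypothetical DA account
]
OWNED = ["CLIENT1"]  # assumption: the host the lab text says is already owned


def shortest_path(edges, owned, target):
    """BFS from all owned nodes; returns [node, rel, node, ...] or None."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    queue = deque([start] for start in owned)
    seen = set(owned)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for rel, dst in graph.get(path[-1], []):
            if dst not in seen:
                seen.add(dst)
                queue.append(path + [rel, dst])
    return None


def choke_points(edges, owned, target):
    """Edges whose removal alone leaves no path from owned to target."""
    if shortest_path(edges, owned, target) is None:
        return []
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], owned, target) is None]


if __name__ == "__main__":
    print("Path to FS1:", shortest_path(EDGES, OWNED, "FS1"))
    print("Path to Domain Admins:", shortest_path(EDGES, OWNED, "DOMAIN ADMINS"))
    print("Edges to remove to break the FS1 path:", choke_points(EDGES, OWNED, "FS1"))
```

Every edge on the FS1 path is a choke point here because the path is the only one; in a real data set the same check shows which session, group membership or local admin right is worth removing first.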