Hi, my name is Jonas and I'm going to present a tool that I've made called ImproHound. It's a tool for finding attack paths in Active Directory that break the tier model, using BloodHound. So, first I will talk a little bit about myself so you get to know me better. Then I will talk about Active Directory security and how you can find attack paths using the awesome tool BloodHound. Then I will talk a little bit about the Active Directory tier model and how you can find tier-breaking attack paths using ImproHound. At last I would like to talk about what ImproHound cannot do, so what you have to find manually.

So, again, my name is Jonas and I work for a small company in Denmark called Improsec. I work primarily with Active Directory security, so I do assessments where I help clients find security holes in their Active Directory configuration and attack paths that could lead a low-privilege user to domain admin access. But what I do most of the time is actually to help clients fix these problems and implement security measures like tiering. I've only been in the industry for two years, so I'm definitely not as experienced as some of the other speakers. But I hope I will still be able to entertain you for the next 25 minutes or so.

So, Active Directory is an old system from the year 2000, I think. There have been really many vulnerabilities found over the years, and many which Microsoft has not been able to patch, because the problems are part of the fundamental protocols and systems, so it's not something you can patch. One big problem in all systems is that if you have two users logging into the same computer, then one user can steal the credentials of the other user from memory. So, credential stealing.
Another big problem in Active Directory is control drift, and by that I mean the permissions configured in the ACLs of Active Directory, because in large environments there will be so many permissions configured, and it's very difficult to get an overview of all these permissions and what the implications of these permissions are. So, credential stealing and control drift are the two main security vulnerabilities that I will focus on in this presentation.

So, yeah, to make matters even worse for the sysadmins and defenders, it's actually quite easy to find and chain these misconfigurations and vulnerabilities, because you can use the awesome BloodHound to identify these attack paths for you. So, what BloodHound will do is that it collects a lot of data from the DC and puts it into a graph database, and then you can use BloodHound to find the shortest path from a compromised user to a given target. In the example I have in the slides it's a user called KR and a long attack path to the Domain Admins group; it would have taken hours to find this attack path manually. So, yeah, BloodHound can really help attackers with that.

Yeah, so what can attackers... So, what can they do? No, sorry, what can defenders do to try to prevent these domain takeovers? Microsoft has recommended to implement the tier model, which means that you divide the AD into three tiers. So we have tier zero, which is the most important servers, that being domain controllers, PKI, ADFS and other systems that allow one to take over the rest of the domain. Then you have tier one, which are the normal servers, and then tier two are the workstations and devices that the regular users of the company interact with. And the idea is that if an attacker, for example, gets a shell in tier one, the attacker should not be able to compromise anything in tier zero, at least not using credential stealing or abusing permissions set in ACLs in the AD.
So what does it mean to implement tiering in an environment? That means to implement logon restrictions and control restrictions. The logon restrictions will protect against the credential stealing. So that means that you will create separate accounts for each tier. So let's say you have a sysadmin that needs to manage many systems across all the three tiers. Then that user, or this person, will have a separate account for each tier, because his tier zero domain admin user will only be able to log into tier zero systems. So we prevent that the credentials of this user will exist in tier one and tier two, and thereby attackers cannot steal the credentials of the domain admin in other tiers than tier zero. Microsoft suggests that you could allow tier one users to log into tier zero. So that will be like this arrow here. If you ask me, then this is a really bad idea, because then you will have tier one users and tier zero users logging into the same system, and then you have a vulnerability. So yeah, you shouldn't allow this one, and of course the same principle holds true for tier two and tier one.

The control restrictions are protecting against abusing ACL permissions. So that means that all AD objects that belong to tier zero are allowed to have permissions on other AD objects in every tier. So that's like the green arrow and the yellow arrow, of course only as required by role. But there's no way a tier one admin or tier one computer or group or GPO should have any permissions on tier zero systems. And this is of course the same for tier two to tier one.

So I was in need of a tool to actually identify the attack paths that break these tiering lines, because very often when people try to implement tiering it doesn't go so well, because of service accounts, for example. It's easy enough to tell an admin user to use three different accounts for three different sets of servers. But it's another story with service accounts, of course.
And there are really many things where tiering is hard to implement, especially when it's a big, messy AD environment. And as already said, it's difficult to look through all the ACLs manually. So I was in need of a tool, so that's why I created ImproHound. And what ImproHound does is that it connects to the BloodHound database, which is a Neo4j graph database. So in order to use ImproHound you need to run BloodHound as you normally would, collect all the data with the collection method All and the local GPO, so you get all the data imported through BloodHound. And then the data will automatically be stored in the Neo4j database, and then you can connect to the database with ImproHound.

And yeah, I will now show you how it works. Let me see. I have this small test environment here. So this is my test environment where I have three tiers. I've made an OU for each tier and put in some accounts and servers. Very few. And I have left the built-in groups in Users and Builtin. I've just left them where they are initially. So then I ran BloodHound, and I have my BloodHound in this... Here I have my BloodHound, and you can see that I have only a few users and groups and OUs, and a few GPOs as well.

So in order to use ImproHound you have to download it from GitHub. It's an open source tool, so you can also check out the source code. And I have written a blog post, made a demo video with some install instructions, a user guide and some guidelines. So you can check all that out if you like, or just download the tool. I've already done that, so I have it here. So you will be prompted to log in with the same credentials you use for the BloodHound database. And here the OU structure of the domain you have collected data from will be shown. If you have more domains, they will be placed under here. So here you see the same structure as we saw just before.
Of course there are not all the built-in containers, which are not so relevant for attacking AD, because BloodHound does not collect foreign security principals, keys and stuff like that. So what you will do here is to set a tier level for each object. It will by default set some permissions based on some assumptions. For example, that Administrators are of course tier zero and the group Users belongs to tier two. So if you want to change some of these groups, for example, let's say you have Domain Admins. Let's try to put that into tier three. And then let's say that we need all the members to be in tier three as well. So we use this button, and I will show that the built-in Administrator changes to tier three as well. Let's just set that back again. You can also set all the children of an OU or container to a specific tier. So tier zero, we'd like to have that in tier zero of course, so we use this button. And then all the children of this OU are now tier zero. We'll do the same for this one, and of course also this one.

When you think you're done with setting the tier levels of all the objects, then you can use this button, "set tier for GPOs", and that will ensure that all the GPOs are in the right tier, in the way that if a GPO is linked to a tier zero OU, then it will be a tier zero GPO, because then you can use that GPO to add yourself to Administrators on all the servers that are in this tier zero OU. If a GPO is linked only to a tier one OU, then it will be a tier one GPO. So let's see what happens when we click this button. You see that this GPO changed to tier one, and I think also this one changed. Yes. When you're completely done, then you can click this button to get the tiering violations, and you'll get that as two CSV files. Let's go and check those out. You can also use this button to delete the tiering in the database. So ImproHound will create some labels and add those labels to the BloodHound database.
You will not see them in BloodHound, but they will be in the database, and you can delete them using this button. So over here we have the CSV files, and we're going to copy those to a machine where I have Excel. Here we go, and data, which is here. So the first one here is called AD objects, and that is just a long list of all the objects in the domain and which tier level you have put them in. So that's a file where you can double-check that you have done it correctly and put all the objects in the right tier. Later you can use it to check where I put this group, because I found out that it actually belongs to tier zero and I thought it was a tier two group or something.

Let's take the other file, tiering violations. So there are only very few tiering violations in my very small domain, and that is this user which belongs to tier one. It's called T1 admin, and it has these permissions, WriteOwner, WriteDacl, Owns, on a GPO that's in tier zero. The name of it is "00 Enable PowerShell Script Block Logging". So this is something I've seen in a real environment: a server admin which belongs to tier one creates a GPO, links it to the tier one servers, and then later a tier zero admin sees this GPO and thinks, oh, this is a great GPO, I will link that to the tier zero servers as well. But that's a problem, because the tier one admin still has permissions on this GPO. So now the tier one admin can actually take over all the tier zero servers which this GPO is applied to. So yeah, that is something you could report to the client if you use ImproHound in an environment.

Now I would like to talk a little bit about what ImproHound cannot do. Yeah, there are some limitations in BloodHound, and this is really not to point fingers at SpecterOps or anything, because I really think it's great that these guys have made BloodHound. It's really amazing. I'm very thankful that they did that and made it public and free. But there are some limitations.
BloodHound does not collect user rights assignments for the domain-joined devices, Windows machines. So we cannot check if users are actually allowed to log into systems. In tiering that would be to check whether or not the domain admins are still capable of logging into, let's say, workstations, which is a default thing which should be prevented, because if domain admins have this permission it will be used at some point. So another thing... But yeah, I also have to say that it's also very difficult to collect all these user rights assignments, because they are on the machine only. So you cannot collect it without logging in as administrator on a system to actually collect that. And of course that is not functionality BloodHound has right now. You could collect it from GPOs that are linked to servers or workstations, but it will be difficult to figure out these user rights assignments, and there will be no guarantee that these users can actually log on, because it also depends on, of course, what's open in the firewall and what services are running, and many things.

Yeah, another thing: BloodHound does not collect all AD permissions. I have found one that should be collected but isn't, and I can actually show you that, because I've made that one in my lab. So just go to my lab here and look at the security of this. So this user, T2 user, has full control on this object only, and that was the Users container. That means that it has full control on only the container. So Users contains all these built-in groups, but the T2 user has only permission on the container, not the children. And I can actually show you that this can be exploited, because I've actually allowed this T2 user to log on to the domain controller, which is of course a finding as well. If I can type in the password correctly... success. Okay, and then I will open my hack here, and let's first start off with whoami /all.
So we are the T2 user, and we are a member of Builtin Users, Authenticated Users, but not any privileged group. But yeah, let's try to add ourselves to DnsAdmins and Domain Admins and see what happens. And we get some errors, because we do not have the permissions for that. But if we add a new ACE in the ACL of Users, we can actually do it. So this will allow us to have GenericAll on all. So that means this permission will be inherited to other objects, or child objects, of Users. And now we can do this, and now we only get an error for Domain Admins and not for DnsAdmins. So now we are a member of DnsAdmins, boom. And as... yeah, it doesn't work for Domain Admins, because Domain Admins is a protected group in AD. So it will have the security descriptor from AdminSDHolder. But DnsAdmins is not a protected group. So we can actually add ourselves to DnsAdmins. And as you probably already know, DnsAdmins can escalate to domain admins if DNS is hosted on the domain controller, which is usually the case.

Yeah. And let's just verify that this is not something you can find in BloodHound. Let's search for T2 user. Here it is. And DnsAdmins. Yeah, no query. Oh, no self from the query. So, yeah, that is of course something you should check yourself. You can see that it doesn't show anything but the fact that the tier two user is a member of Domain Users. Yeah, I have created an issue on GitHub to let the guys from SpecterOps know about this issue, and they will probably fix it at some point. But yeah, so right now you need to check for some configuration mistakes manually when you're using ImproHound to find... yeah, or when you're trying to find the attack paths that break the tier model.

Yeah. So that was actually all I had to say. I hope you enjoyed the presentation. It was really a great honor for me to be speaking at this awesome village. And I hope you all will have a great DEF CON. Bye.
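Added example, not ImproHound's own code: the two checks the talk walks through, "set tier for GPOs" (a GPO takes the most privileged tier of any OU it is linked to) and the tiering-violation report (a control edge whose source sits in a less privileged tier than its target), run in Python over a small constructed BloodHound-style graph. All object names and tier assignments are made up.

```python
# Tiering-violation check on a constructed BloodHound-style graph (not ImproHound code).
# Tier numbering follows the talk: 0 is most privileged, 2 least. Two steps:
#   1. a GPO inherits the lowest tier number of any OU it is linked to, because
#      whoever controls the GPO controls every computer in those OUs;
#   2. any control edge whose source tier number is higher than its target's is a
#      tier-breaking attack path.

T0_OU, T1_OU, T2_OU = ("OU=TIER0,DC=LAB,DC=LOCAL", "OU=TIER1,DC=LAB,DC=LOCAL",
                       "OU=TIER2,DC=LAB,DC=LOCAL")
GPO = "00 ENABLE POWERSHELL SCRIPT BLOCK LOGGING@LAB.LOCAL"   # constructed name
WS_GPO = "WORKSTATION BASELINE@LAB.LOCAL"

# Tier level chosen for each object, as you would set it in the ImproHound UI.
TIER = {
    "T0ADMIN@LAB.LOCAL": 0, "T1ADMIN@LAB.LOCAL": 1, "T2USER@LAB.LOCAL": 2,
    "DC01.LAB.LOCAL": 0, "SRV01.LAB.LOCAL": 1, "WS01.LAB.LOCAL": 2,
    T0_OU: 0, T1_OU: 1, T2_OU: 2,
}

# GPO -> OUs it is linked to. GPO mirrors the talk's scenario: created by a tier 1
# admin for tier 1 servers, later also linked to the tier 0 OU by a tier 0 admin.
GPO_LINKS = {GPO: [T1_OU, T0_OU], WS_GPO: [T2_OU]}

# Control edges (source, edge type, target) as BloodHound stores them (constructed).
EDGES = [
    ("T1ADMIN@LAB.LOCAL", "Owns", GPO),
    ("T1ADMIN@LAB.LOCAL", "WriteDacl", GPO),
    ("T1ADMIN@LAB.LOCAL", "WriteOwner", GPO),
    ("T0ADMIN@LAB.LOCAL", "GenericAll", "SRV01.LAB.LOCAL"),   # allowed: tier 0 -> tier 1
    ("T1ADMIN@LAB.LOCAL", "AdminTo", "SRV01.LAB.LOCAL"),      # allowed: same tier
    ("T2USER@LAB.LOCAL", "GenericAll", WS_GPO),               # allowed: same tier
]


def set_tier_for_gpos(tier, gpo_links):
    """Return a copy of tier with every GPO placed in the lowest-numbered tier of its linked OUs."""
    out = dict(tier)
    for gpo, ous in gpo_links.items():
        out[gpo] = min(tier[ou] for ou in ous)
    return out


def tiering_violations(tier, edges):
    """Edges whose source is in a less privileged tier (higher number) than the target."""
    return [(s, e, t) for s, e, t in edges if tier[s] > tier[t]]


if __name__ == "__main__":
    tiers = set_tier_for_gpos(TIER, GPO_LINKS)
    for src, edge, dst in tiering_violations(tiers, EDGES):
        print(f"tier {tiers[src]} {src} --{edge}--> tier {tiers[dst]} {dst}")
```

On this data the report lists exactly the three edges from the tier 1 admin to the GPO, which became tier 0 the moment it was linked to the tier 0 OU.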