
The Ace is the Place: Stealthy LDAP Domain Reconnaissance - BSides Portland 2022

BSides PDX · 2022 · 17:17 · 423 views · Published 2022-10
Category: Technical · Team: Red · Style: Talk
About this talk
A challenge red team operators face is collecting data from a target environment while remaining evasive and undetected. LDAP is a goldmine of information waiting to be plundered, yet tools like BloodHound have the attention of defenders, who have built detections around how rapidly and broadly the data is recovered. What if an operator could leverage the ACL data collection features of BloodHound, but in a slow, methodical, and targeted approach, to evade detection? By beginning ACL information gathering at the goal and walking backwards to identify exploitation paths, the operator remains evasive while collecting only the data needed to be successful.

Speaker: Garrett Foster (@garrfoster)

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local, inclusive opportunities for learning, networking, collaboration, and teaching. Twitter: @BSidesPDX
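The abstract says defenders key their BloodHound detections on how rapidly and broadly LDAP data is pulled, and the transcript later names the two controls involved: an "expensive LDAP query" threshold and honey accounts whose SACL fires when they are read. The following is an added, defender-side example written for this page (it is not code from the talk, from Aced, or from any product) that runs both checks over a constructed LDAP search log. The log format, the client addresses, the thresholds and the canary DN are all invented for the example.

```python
# Added example: apply a per-client volume threshold and a honey-object read
# check to constructed LDAP search log lines. Nothing here is a real product's
# log format; the fields are timestamp|client|search base|entries returned.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.7 behaves like a bulk collector (whole-domain
# bases, thousands of entries per search); 10.0.0.9 queries one principal at a
# time, minutes apart, and finally reads a canary object.
SAMPLE_LOG = [
    "2022-10-14T09:00:00|10.0.0.7|DC=corp,DC=local|4200",
    "2022-10-14T09:00:01|10.0.0.7|DC=corp,DC=local|700",
    "2022-10-14T09:00:02|10.0.0.7|DC=corp,DC=local|15000",
    "2022-10-14T09:00:03|10.0.0.7|CN=Schema,CN=Configuration,DC=corp,DC=local|1500",
    "2022-10-14T09:05:00|10.0.0.9|CN=Domain Admins,CN=Users,DC=corp,DC=local|1",
    "2022-10-14T09:09:00|10.0.0.9|CN=Administrators,CN=Builtin,DC=corp,DC=local|1",
    "2022-10-14T09:15:00|10.0.0.9|CN=Alfonso Cruz,CN=Users,DC=corp,DC=local|1",
    "2022-10-14T09:20:00|10.0.0.9|CN=svc-backup-legacy,CN=Users,DC=corp,DC=local|1",
]

# Constructed canary: an account nobody has a reason to look up, so a single
# read of it is an alert regardless of query volume (the SACL honey account).
HONEY_OBJECTS = {"CN=svc-backup-legacy,CN=Users,DC=corp,DC=local"}

WINDOW = timedelta(seconds=60)  # sliding window per client (constructed)
MAX_ENTRIES = 5000              # entries returned per window before alerting (constructed)
MAX_SEARCHES = 100              # searches per window before alerting (constructed)


def parse_line(line):
    """Split one constructed log line into (timestamp, client, base DN, entry count)."""
    ts, client, base, entries = line.split("|")
    return datetime.fromisoformat(ts), client, base, int(entries)


class ReconDetector:
    """Stateful detector: one sliding window of (time, entries) per client."""

    def __init__(self):
        self.windows = defaultdict(deque)
        self.volume_alerted = set()  # alert once per client, not on every later search

    def observe(self, ts, client, base, entries):
        alerts = []
        # Honey-object check: fires on the first read, independent of volume.
        if base in HONEY_OBJECTS:
            alerts.append(("honey_object_read", client, ts))
        # Volume check: drop events older than the window, then total what remains.
        window = self.windows[client]
        window.append((ts, entries))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        total_entries = sum(e for _, e in window)
        too_many = total_entries > MAX_ENTRIES or len(window) > MAX_SEARCHES
        if too_many and client not in self.volume_alerted:
            self.volume_alerted.add(client)
            alerts.append(("bulk_enumeration", client, ts))
        return alerts


def scan(lines):
    """Run every line through the detector and return the alerts in order."""
    detector = ReconDetector()
    alerts = []
    for line in lines:
        alerts.extend(detector.observe(*parse_line(line)))
    return alerts


if __name__ == "__main__":
    for kind, client, ts in scan(SAMPLE_LOG):
        print(f"{ts.isoformat()} {client} {kind}")
```

Run against the sample, the bulk collector trips the entry threshold on its third search while the slow, one-principal-at-a-time client never does; that client is caught only because it touched the canary. That is exactly the gap the talk describes, and it is why the threshold and the SACL honey account are complementary rather than alternatives.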
Transcript [en]

All right, awesome. Hello everyone, welcome to my talk, The Ace is the Place, or Stealthy LDAP Domain Reconnaissance. A little bit about myself: my name is Garrett Foster. I'm a senior security consultant on Optiv's Attack and Pen team. My primary roles on this team are to perform targeted internal and perimeter penetration tests, as well as, recently, to perform red team engagements with some light adult supervision.

So for this talk we're going to cover a quick high-level overview of what a security descriptor is in Active Directory and why they're valuable to attackers. Then we'll talk about BloodHound, a well-known tool for performing recon of a target domain, and show the risks associated with running BloodHound during evasive engagements. Then I'll introduce the tool I wrote, Aced, to alleviate some of those risks, and following that I'll show a quick demo of how that works.

OK, so the security descriptor is an attribute in LDAP that stores a compact binary representation of the security associated with a securable object. Essentially it's a collection of data that identifies the ownership and permissions on that object. It consists of four things. You've got the object owner, which is identified by a SID, or security identifier. A SID is a unique value that identifies a trustee such as a user or group, similar to how we all have a Social Security number. Then the primary group ID of the object, such as the Domain Users or Domain Computers group, which is also referenced by a SID. Then you have the SACL, which is the system access control list, and this SACL provides administrators a way to audit a securable object, so any time that the object is read it will trigger an alert that will give the administrators some more information. And then there's the DACL, or the discretionary access control list, which is where we'll be focusing primarily.

The DACL will list trustees that are denied or allowed access to a securable object. Each entry in this list is called an access control entry, or ACE. ACEs themselves have several pieces of information. The first is the SID; that's the specific trustee that has the right that we're going over. Then there's the access type, whether it's going to be access allowed or access denied. Then we've got the access mask, so what is the specific right that is being granted to the SID. Then we've got inheritance, which is whether the right is explicitly granted, so if it's just that individual account, or whether it's the group that it's a member of that's granting the right. And then you've got the object type, which is sometimes present. Object types: you'll find those in the ACE entry when you want to limit the right to something specific. A good example of this is when you've got a lower-tier help desk group that you want to give the right to change all of your users' passwords, but not give them full control over all the users.

This is an example of what a DACL would look like if you were working from Active Directory Users and Computers. On the left you've got the different ACE types, so at the top you'll see that there's an access deny and then the rest are allowed. Then you've got the SID, which identifies the principal that the right is assigned to, the access mask, and then inheritance. So each row is an ACE.

So why is LDAP and ACL recon useful for attackers? The first thing: it identifies targets of interest in an environment, such as a user, group, OU, whatever it may be. With red teaming the target isn't always Domain Admin; we only need just enough access to reach the targets, or the goal, for the assessment. And by analyzing ACLs we can chain multiple abuses together and build attack paths to move laterally or to escalate privileges. Many red teamers, including some on my team, make a living bypassing endpoint protections; however, that's not in my wheelhouse, and I found that the best way to avoid endpoint protection is just don't touch them. So let's leave it at that.

So the challenges in performing this recon: there's a few. In a perfect world the flow of these ACLs would show you, if you looked up an object, everywhere it has access, but that's just not the case. It has an inbound flow, so when you're querying an object you can only see all the rights against that one object. And then remember that the structure of the DACL is in binary form, so each piece needs to be translated to human-readable format, which can be incredibly time-consuming. So what's the solution here? Automation. There are already several tools that exist that are really useful for this, and probably the most famous is SpecterOps's BloodHound. Now, for all the veteran red teamers listening, please bear with me while I go through this. When an attacker runs BloodHound, the entire domain is being extracted, every single object, and then it's being ingested into an interactive graphical interface. So it creates this big map of the domain, and it shows you how all those objects are connected and the directional flows of those relationships. In the screenshot on the right, that's an example of what BloodHound's graphical interface looks like. You can see how each different icon represents a different object in the domain: the green objects are the users, the yellows are the groups or OUs, and then the red icons, if you can see them, are computers. All of the chains connecting them are ACL relationships and how they might be abused. So this does solve our challenges. We were worried about that directional flow and we wished we could see everything outbound; now with BloodHound we can, and it automates that translation. So now we've automated the SID translation, all of the different pieces of the ACE, and it's arguably the fastest and easiest way to map out a target environment.

While all of this is true, it really doesn't fit into the evasive nature of red team operations, for several reasons. BloodHound has been around for several years now, and defenders are very aware of its existence and have several opportunities to detect its activity. BloodHound and similar tools generate a tremendous amount of network traffic, which can trigger internal IDS and IPS solutions, especially if it's running over cleartext LDAP, so they can just sniff everything in the clear. And then as the tool resolves hosts, if the requisite flags are enabled when running the tool, it will actually attempt to connect to each host that it resolves through DNS and try to identify session data, so if there's any logged-in users at the time, as well as what users or principals might have local admin rights. Previously I mentioned SACLs and how they can be used for auditing. Since BloodHound pulls data comprehensively, it's the entire domain, administrators can create accounts with an attached SACL. The idea here is that these accounts should never be touched; they just sit there doing nothing for a while, and then if the account is read, that identifies that something might be nefarious in their environment. Another option, which is a little bit difficult to tune, is to enable expensive LDAP querying. Essentially the idea here is that you identify thresholds for common LDAP results. LDAP queries happen all the time, but with BloodHound you're literally running thousands, tens of thousands of LDAP queries, so you can set a threshold that's unexpected, and then when that happens you also know when something's up. So when do you run BloodHound during a red team? You don't.

While I was shadowing and learning the ropes I noticed that things really started to slow down during domain reconnaissance. We have our own internal methods, which are effective, but it was slower, and being the very impatient person that I am, I wanted something that would pick up the pace. I wanted to be able to resolve ACLs the same way BloodHound does but with a little less shock and awe and a little more of a tactical approach. So I developed Aced. Some of the features, with a star: it was designed primarily focused on being stealthy, which I'll describe a little bit more in the next slide. Then, as you're running these queries, the DACL associated with the account is actually being parsed and returned to you in real time, so each principal that you query for is going to show up in your terminal. While the tool is parsing the DACL that you're querying for, it's actually logging the corresponding LDAP search in the background, so it's storing it in a text file. And then it has compatibility with a tool called BOFHound. BOFHound is a tool developed by Fortalice, and it was created for transforming the logs generated by TrustedSec's ldapsearch BOF into a BloodHound-compatible format. So you could take all the logs that were generated during your operation, while you're doing LDAP queries, and actually convert them to BloodHound-compatible, so you could have all the graphical fun that comes with it. The logging that Aced performs actually has the same compatibility, so all those logs can then be transformed by BOFHound and then ingested into BloodHound. But with the BloodHound support, now you've got the opportunity for operators to ingest the queries that they're running with Aced, so if multiple people are running it, be able to get the data shared between everyone.

OK, so a little bit about the stealth. Aced was designed to have a small network traffic footprint, only generating as many queries as needed to partially resolve the DACL, and it focuses only on those ACE types that we care about, which is the abusable ACE types; if it's not an abusable ACE, it just skips over it. Aced also supports LDAP over SSL, so your recon traffic can be encrypted and avoid those IDS and IPS solutions. It does no host enumeration: Aced only lives in LDAP and won't reach out and touch hosts to enumerate session or local admin data. And Aced focuses on resolving only one principal at a time rather than the entire domain, which provides a bit more control over what is and isn't being queried, which helps to reduce the risk of triggering those honey accounts' SACLs. Then it has minimal LDAP queries: the longer your session lasts when running Aced, the fewer LDAP queries it needs to perform, thanks to SID caching. To identify what a SID is referencing we need to resolve it with an LDAP query. Once a SID is resolved it's cached, so the next time you run a query Aced checks if this SID has already been resolved; if it exists, it's returned from the stored list instead of performing a query. Therefore the more queries you run, the longer your SID cache and the more effective your searches are. Well-known RIDs are built in. A relative identifier is the last part of a SID, like 500, 512, 513. Several objects are constant globally in Active Directory, such as the Domain Administrators group or Enterprise Admins, and they all share the same RID regardless of the domain. Since we already know this, we know the expected RID for these accounts; there's no need to query for it. If the ACE applies to a specific object type, it contains the entire library for the Active Directory schema and how those object types are mapped to their specific GUID, so instead of having to do a query for that, we've got it stored and we don't actually have to perform an LDAP query.

This is an example of the real-time DACL parsing. The top piece is going to be all of your specific object types that attackers might care about, and then the bottom are going to be your more generic rights. So these are the access-allowed ACEs and these are the access-allowed-object ACEs. Next is an example of what the LDAP search logging looks like, so after you actually look up an account this is being logged into a text file in the background. I mentioned previously that BOFHound was designed to work with TrustedSec's ldapsearch BOF, and that's what you're seeing here. I know it's probably a little bit difficult to see in the back, so I'm sorry, but on the left is the ldapsearch BOF running, and on the right is BOFHound actually parsing those logs and transforming them into BloodHound-compatible format. And then this is a screenshot that shows the result of parsing that data, so all of it is compatible with BloodHound. It's a very, very cool tool.

OK, so I will stop yammering and try to provide a bit of a demonstration. For this simple demo I'd like to demonstrate my envisioned workflow with Aced. We'll start from a low-privileged user, myself; I'm playing the role of an insider threat, and my goal is to achieve domain administrator access. The first query that I'm going to run is for the Domain Admins group. OK, so you'll see here that the DACL for the account was returned and resolved, and you can see that the Domain Admins and Enterprise Admins are all showing up. On the right I'm actually tailing the log file so that you can view it in real time for each query that you run. So let's see if there's anything misconfigured over Domain Admins. We're going to actually investigate the built-in Administrators group, which has a common misconfiguration: sometimes users add principals to that and don't really understand the rights associated with it. By actually investigating the log generated by Aced we can look at the membership of the group and see that the expected group memberships are there, so the Domain Admins, Enterprise Admins and so on, but we've actually got an outlier: there's Alfonso Cruz. So let's look into Alfonso Cruz's DACL and see if we can find anything misconfigured there. The result over on the left is the parsed DACL for Alfonso. We're going to look through it and see if we can find anything that sticks out. If you look at the bottom, Herschel Becker actually has GenericAll rights, and with GenericAll there's plenty of abuse cases associated with that. So we're going to investigate Herschel and see if there's anything we could abuse in that case. By parsing Herschel's DACL we can find that our account, Garrett, actually can change that user's password. So we have effectively created a chain that we can walk back from the Domain Admins group. A nuance with Aced is that if you want to be able to ingest it correctly you have to have every object, so you query for the Garrett DACL and then that'll get parsed out by BOFHound. On the next slide, once you've completed your attack chain and you're done with the investigation, you transform it with Fortalice's BOFHound. You can see that it parses all five objects; we've got our users, our groups, and all of the ACL relationships. Once that data is complete and you import it into BloodHound, now you can see the entire chain that we enumerated in real time in a graphical format that you can share with the rest of the team. You can see the entire chain, both directions, and it's that familiar BloodHound GUI that everyone knows and loves.

So with Aced you can steadily pinpoint a target and then work your way backwards to build your potential attack paths, and perform the domain recon while still being able to leverage all the features of BloodHound, and there's no need to manually parse the DACLs anymore. So that was it, but I do want to real quick have some acknowledgments. Dirk-jan Mollema: I stole a lot of code from you; thank you very much for all the inspiration. Adam Brown and Matt Creel, who were the developers of BOFHound; give them a follow, they have a lot of great content. And then my whole team at Optiv for putting up with me constantly asking them to test out my tools. But that's it. Thanks. Any questions before I step down? Awesome, thanks everyone, appreciate it. [Applause]
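The transcript explains three mechanics that Aced relies on: the security descriptor and its DACL are stored as a compact binary blob that has to be translated piece by piece (ACE type, access mask, inheritance flag, optional object-type GUID, trustee SID); only the abusable ACE types are worth reporting; and SID resolution can be skipped for well-known RIDs and for SIDs already seen in the session. The following is an added example written for this page, not code from the talk or from the Aced project. It decodes a self-relative security descriptor laid out as Windows stores it, reports only allow ACEs carrying an abusable right, and resolves trustees through a cache seeded with well-known RIDs. The sample descriptor, the domain SID S-1-5-21-1111-2222-3333, the RIDs 1105 and 1106 and the `helpdesk` name are constructed; the User-Force-Change-Password rights GUID is the real one. A real resolver would wrap a single objectSid lookup against LDAP.

```python
# Added example (not from the talk or the Aced project): parse a self-relative
# NT security descriptor, translate the DACL's ACEs, and resolve SIDs through a
# cache seeded with well-known RIDs so repeated lookups cost no directory query.
import struct
import uuid

GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
WRITE_DACL, WRITE_OWNER = 0x00040000, 0x00080000
DS_CONTROL_ACCESS, DS_WRITE_PROP = 0x00000100, 0x00000020
# Rights the talk singles out as abusable; an ACE with none of these is skipped.
ABUSABLE = {GENERIC_ALL: "GenericAll", GENERIC_WRITE: "GenericWrite",
            WRITE_DACL: "WriteDacl", WRITE_OWNER: "WriteOwner",
            DS_CONTROL_ACCESS: "ExtendedRight", DS_WRITE_PROP: "WriteProperty"}
# Schema GUID -> name. Only the entry the constructed sample needs is listed;
# the GUID is the real rightsGuid of the User-Force-Change-Password right.
OBJECT_TYPES = {uuid.UUID("00299570-246d-11d0-a768-00aa006e0529"): "User-Force-Change-Password"}
# Well-known RIDs and SIDs: naming these never requires a directory query.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators"}


def sid_to_str(buf, off):
    """Decode a binary SID at buf[off:]; return (S-1-... string, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def sid_bytes(sid):
    """Encode an S-1-... string as a binary SID (used to build the sample)."""
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


class SidResolver:
    """Resolve SIDs to names; the directory callback runs only on a cache miss."""

    def __init__(self, directory_lookup):
        self.lookup, self.cache, self.queries = directory_lookup, dict(WELL_KNOWN_SIDS), 0

    def resolve(self, sid):
        if sid not in self.cache:
            rid = int(sid.rsplit("-", 1)[1])
            if sid.startswith("S-1-5-21-") and rid in WELL_KNOWN_RIDS:
                self.cache[sid] = WELL_KNOWN_RIDS[rid]   # known RID: no query
            else:
                self.queries += 1                        # a real LDAP lookup would go here
                self.cache[sid] = self.lookup(sid)
        return self.cache[sid]


def parse_dacl(sd, resolver):
    """Walk the DACL of a self-relative security descriptor; return abusable allow ACEs."""
    _rev, _sbz, _ctrl, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    _arev, _asbz, _asize, ace_count, _asbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, found = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        cur, obj_name = pos + 8, None
        if ace_type in (5, 6):  # object ACE: flags and optional GUIDs precede the SID
            obj_flags = struct.unpack_from("<I", sd, cur)[0]
            cur += 4
            if obj_flags & 1:   # ACE_OBJECT_TYPE_PRESENT
                obj_name = OBJECT_TYPES.get(uuid.UUID(bytes_le=sd[cur:cur + 16]), "unknown")
                cur += 16
            if obj_flags & 2:   # ACE_INHERITED_OBJECT_TYPE_PRESENT: skip the GUID
                cur += 16
        sid, _ = sid_to_str(sd, cur)
        pos += ace_size
        rights = [name for bit, name in ABUSABLE.items() if mask & bit]
        if ace_type in (0, 5) and rights:  # denies and non-abusable masks are skipped
            found.append({"trustee": resolver.resolve(sid), "rights": rights,
                          "object_type": obj_name, "inherited": bool(ace_flags & 0x10)})
    return found


def build_sample_sd():
    """Constructed sample descriptor for a user object (not captured from any domain)."""
    dom = "S-1-5-21-1111-2222-3333"

    def ace(ace_type, flags, mask, sid, guid=None):
        body = struct.pack("<I", mask)
        if guid is not None:
            body += struct.pack("<I", 1) + guid.bytes_le
        body += sid_bytes(sid)
        return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

    aces = (ace(1, 0x00, GENERIC_ALL, "S-1-1-0")                                  # deny: skipped
            + ace(0, 0x10, GENERIC_ALL, dom + "-512")                             # Domain Admins, inherited
            + ace(5, 0x00, DS_CONTROL_ACCESS, dom + "-1105", next(iter(OBJECT_TYPES)))
            + ace(0, 0x00, 0x10, dom + "-1106"))                                  # read property only: skipped
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 4, 0) + aces
    owner, group = sid_bytes(dom + "-512"), sid_bytes(dom + "-513")
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 20 + len(owner), 0, 20 + len(owner) + len(group))
    return hdr + owner + group + dacl
```

Parsing the sample with a resolver whose directory callback only knows RID 1105 yields two entries, Domain Admins with GenericAll and the help desk principal with the User-Force-Change-Password extended right, and costs exactly one directory query: the Domain Admins SID is answered from the well-known RID table, and a second parse with the same resolver hits the cache. That is the behaviour the talk attributes to SID caching; from the defender's side it also explains why per-query rate thresholds see less and less of a session the longer it runs.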