
Icebreaker: From internal jumpbox to domain admin in one command

BSides SLC · 2018 · 42:59 · 74 views · Published 2018-12 · Watch on YouTube ↗
About this talk
Icebreaker automates five internal network attacks to extract plaintext and hashed credentials from Active Directory environments, then cracks hashes and escalates privileges to domain admin using Empire and DeathStar. This talk walks through the attack chain—reconnaissance, weak password attacks, hash cracking, lateral movement via NTLM relay, and final domain takeover—demonstrating how field-tested automation can compress a complex multi-step compromise into a single workflow.
Original YouTube description

This video was presented at BSidesSLC 2018. Visit https://bsidesslc.org for more information about the conference.

Icebreaker automates 5 different internal network attacks to gain access to plaintext and hashed credentials from Active Directory environments. Whenever hashed credentials are found, Icebreaker will automatically attempt to crack them. After successfully performing the network attacks, Icebreaker can kick off the tools Empire and DeathStar to automate the process of escalating privileges all the way to domain admin without any user interaction. This talk will discuss how and why all 5 of these network attacks work, as well as how DeathStar uses the found credentials to escalate privileges.
Transcript [en]

The project represents quite a lot of hard work over the last few years in taking separate tools and sort of knitting them together and making the overall exploitation process a little bit smoother. It definitely can save a significant amount of time in real-world scenarios, and having these techniques, some of which we are already very familiar with in red teaming, but presenting them in a new light and through using a set of common interface commands and things like that, will definitely be something that, as security professionals and researchers, we can enjoy.

Thank you, Brian. Oh, man. I gotta follow that voice. Okay. All right, so I'm Dan. I'm taking the rest of your time today with this tool called Icebreaker. It's fully functional. It's written entirely in Python. I use it on every internal pentest I go on. So it's field-tested over about three years in one component or another. So let's talk about specifically what's happening.

The general workflow that we find is: we get credentials to a device as a normal user, it ends up not being an admin, and then we eventually escalate to an admin on a device, or we are on that path to becoming a full domain admin. We eventually reach that scenario where credentials, either a set of local admin credentials or an admin that had cached a set of hash keys, would essentially provide us with a route to becoming a full admin on the domain. This provides you with that starting sequence, that sequence of five essential steps. So the first step here is the setup and usage. You should already have git on most working setups. Then it's the standard process of using the shell scripts and essentially giving Icebreaker your targets list.

And from there on, we take each of the components of Icebreaker and apply it in turn, starting with some reconnaissance and using essentially standard common scripting components in order to glue each of those standard security research tools together, in order to make that flow nice and simple. The results give us a nice simple set of potential paths to full domain privilege for an attacker. The standard process here is using Attack 1 into Attack 2 into Attack 3. Attack 1 is your reconnaissance and trying to essentially obtain some information about names of users who might be an admin on a machine that we have already identified as being a potential candidate for full privilege. And after that process, we essentially look at taking some of those names and creating a path to taking control over those individual accounts by trying some weak but very popular passwords in some environments in order to gain control.

And the Icebreaker output that we get after the scan shows us some interesting things. We've got a user found who is a clear admin based on the names given by the domain. We get user results for a standard admin level of account. This gives us that crucial starting spot from where the actual full compromise path can be identified. Here we go. Step number 4 of Attack Level 2: identifying accounts with hashes identified and so on, and giving us each of those credentials as we find them. Essentially the output gives us each of those potential routes which can lead to a full takeover of each of those accounts identified as admin on each of the candidate boxes identified in step one, reconnaissance.

So having gotten each of those credentials identified, we essentially move on to taking active control of those boxes by sending and receiving each of those NTLM credentials recorded. This effectively gives us control over standard admin accounts, and having gained control over those accounts across the target domain, the final step represents a full domain admin takeover using the established techniques from standard security research. Icebreaker brings each of those established techniques together and provides the user with an easy and very convenient way for each of those separate steps in a complicated domain takeover to be processed.
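The "weak but very popular passwords" step described in the talk leaves a distinctive trace in Windows Security logs: one source produces logon failures (Event ID 4625) against many different accounts in a short window, which is what separates a spray from a brute force against a single account. The following detector is an added example written for this page; it is not code from the Icebreaker project or the talk. It assumes a simplified, pre-parsed log format of `timestamp event_id source_ip target_user`, and the log lines embedded below are constructed for the example, not captured from a real system.

```python
"""Password-spray detector over simplified Windows Security log lines.

Added example, not part of the Icebreaker talk or project. Flags sources
whose 4625 (logon failure) events hit many distinct accounts within a
short window. Field layout and sample lines are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp event_id source_ip target_user"
# 10.0.0.50 tries one password against many accounts (spray pattern).
# 10.0.0.77 hammers a single account (not a spray; left unflagged here).
SAMPLE_LOG = """\
2018-12-01T09:00:01 4625 10.0.0.50 alice
2018-12-01T09:00:02 4625 10.0.0.50 bob
2018-12-01T09:00:03 4625 10.0.0.50 carol
2018-12-01T09:00:04 4625 10.0.0.50 dave
2018-12-01T09:00:05 4624 10.0.0.50 eve
2018-12-01T09:00:06 4625 10.0.0.50 frank
2018-12-01T09:05:00 4625 10.0.0.77 alice
2018-12-01T09:06:00 4625 10.0.0.77 alice
2018-12-01T09:07:00 4625 10.0.0.77 alice
"""

LOGON_FAILURE = 4625  # Windows Security event id for a failed logon


def parse_line(line):
    """Split one log line into (timestamp, event_id, source_ip, user)."""
    ts, event_id, src, user = line.split()
    return datetime.fromisoformat(ts), int(event_id), src, user


def detect_spray(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted distinct users} for every source whose
    logon failures touched at least `min_accounts` distinct accounts
    inside any `window`-long span. Successful logons (4624) are ignored."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, user = parse_line(line)
        if event_id == LOGON_FAILURE:
            failures[src].append((ts, user))

    hits = {}
    for src, events in failures.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {', '.join(users)}")
```

The distinct-account count, not the raw failure count, is the signal: a single user mistyping a password five times is noise, while five different accounts failing from one address in seconds is the shape of a spray. Tune `window` and `min_accounts` to the environment's normal authentication churn before alerting on it.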