How to use a mathematical model (graph theory) for automated intranet penetration testing
Privilege escalation inside an Active Directory domain is a central part of the contest between most intruders and the intranet administrator. Although obtaining domain or enterprise administrator rights is not the ultimate goal of an assessment, it usually makes the real target much easier to reach.
The typical process for escalating privileges in a domain is to collect plaintext credentials or tokens of users who have logged on to a compromised system, or to escalate with tools such as Mimikatz, then find a system that a domain administrator has logged on to and harvest the administrator's logon credentials.
In more complex situations, however, you may not obtain administrator rights quickly, or you may not be able to locate a machine on the intranet that the administrator uses. You may then have to move through two or three hosts as stepping stones to continue the penetration, which requires a considerable amount of analysis of the intrusion route (analysis that may turn out to be wrong).
In a recent engagement we obtained the rights of an ordinary domain user. In this intranet, thousands of workstations and servers were joined to multiple untrusted domains in an Active Directory forest. Our goal was to escalate to enterprise administrator rights (if possible). Fortunately, the network topology was not very complex. However, the client hosts were configured with extremely strict, minimal permissions, which effectively blocked conventional privilege escalation. After finding a way to escalate, we eventually obtained an account that is a local administrator on one server; call it "Steve-Admin".
"Steve-Admin" is an administrator on one server, but somewhere there must be an administrator who can log on to any server on the intranet. We obtain a list of servers in the intranet and find out which users are logged on to each of them, then decide which of those users to analyse. A logged-on user who is not a domain administrator may still be a local administrator on other hosts. So we pick an account, find one or more hosts on which it holds administrator rights, enumerate the users logged on to those hosts, and repeat until we finally find a workable route. In an environment with hundreds of thousands of computers and users, this process can take days or even weeks.
In this article, I will explain how I built a proof of concept for this idea and automated the process.
0x01 Preparations
This proof of concept relies heavily on existing tools and on the generous, very smart and hardworking people who wrote them:
- PowerView by Will Schroeder (@harmj0y): https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
- Derivative local admin tool by Justin Warner (@sixdub): http://www.sixdub.net/?p=591
- A PowerShell implementation of Dijkstra's algorithm by Jim Truher (@mongotruher): https://jtruher3.wordpress.com/2006/10/16/dijkstra/
- Active Directory control paths tool by Emmanuel Gras and Lucas Bouillot: https://github.com/ANSSI-FR/AD-control-paths
- Domain trust node analysis tool by Justin Warner (@sixdub): http://www.sixdub.net/?p=285
0x02 Graph theory
Imagine finding the path from "Steve-Admin" to "Enterprise Admin" as finding a route from Seattle, Washington to Portland, Oregon. As a person, you can look at a map and easily determine that Interstate 5 is a good choice. A computer can use mathematics to find the path between Seattle and Portland, or between Steve-Admin and Enterprise Admin (if one exists).
PowerView gives us most of the data needed to automate the search from "Steve-Admin" to "Enterprise Admin". The rest of the work is done by a branch of mathematics founded by Euler in the 18th century, now known as graph theory. A few terms:
- Vertices: a vertex (or node) represents a single element of the system being modelled. Cities on a map are vertices.
- Edges: an edge connects two vertices. Edges can be directed (one-way) or undirected (two-way). An edge generally represents a relationship. If Seattle and Portland are vertices, Interstate I-5 can be thought of as an undirected edge connecting those cities.
- Path: a path is a sequence of vertices, each connected to the next by an edge, leading from one vertex to another. The two endpoints need not be adjacent.
- Adjacent: two vertices that share an edge are adjacent.
0x03 Graph design
For this proof of concept I had one goal in mind when designing the graph: automatically find the shortest path to a domain administrator without writing data to disk or performing offline analysis. The graph design may therefore not suit other problems.
I focused primarily on simplicity. After a lot of trial and error, I arrived at a workable design:
- Every user and every computer is a vertex.
- All edges are directed and unweighted.
- A directed edge from a user to a computer indicates that the user has local administrator rights on that computer.
- A directed edge from a computer to a user indicates that the user is logged on to that computer.
Consider a very basic network of two computers and two users. The "Administrator" account has administrator rights on both systems, and a user named "mnelson" is logged on to one of them. With the design above, the visual representation of this system is as follows:
Every user and computer is a vertex. The orange edges tell us that the Administrator account has administrator rights on both systems. The blue edge tells us that the user mnelson is logged on to the host HR-WS-002. In this design an edge always means that the source vertex can compromise the target vertex: Administrator can compromise HR-WS-002, and HR-WS-002 (for example the SYSTEM account on that machine) can compromise mnelson's logon credentials.
0x04 Building the graph
Finding the objects that become vertices is easy. Because every user and computer is a node, two PowerView cmdlets, Get-NetUser and Get-NetComputer, give us all of them:
At this point the graph can be visualised as follows:
To run Dijkstra's algorithm, each vertex needs the following attributes:
- Name: the vertex name, for example "mnelson" or "HR-WS-002".
- Edges: an array of the vertices this vertex has an edge to; initially $Null.
- Distance: the number of hops from the source vertex to this vertex; initially infinity. Note that this is an unweighted graph, so every hop costs 1.
- Visited: whether the shortest path to this vertex has been finalised; initially $False.
- Predecessor: the name of the previous vertex on the path from the source vertex to this vertex; initially $Null.
Determining the edges of each vertex is a little more involved. Here we use another PowerView cmdlet, Get-NetSession. It returns the session information of the computer we run it against: which users have a session and where each session came from, which effectively tells us where each user is logged on, and all of this without elevated privileges. With this information we add the edges from each computer vertex to the vertices of the users logged on to it. Next we enumerate the local administrators of every computer from which we obtained logon information, and add the corresponding edges from each user vertex to the computers on which it is a local administrator.
In my test lab, the completed graph with all edges looks like this:
Recall that user -> computer edges represent administrator rights and computer -> user edges represent logged-on users.
We can see that the "Administrator" account is an administrator on all three computers, mnelson is an administrator on OPS-WS-002, and jwarner is an administrator on IT-SRV-002.
mnelson is logged on to HR-WS-002, jwarner is logged on to OPS-WS-002, and IT-SRV-002 has three logged-on users: rwinchester, jfrank and Administrator. The user "jdimmock" is neither an administrator anywhere nor logged on anywhere (perhaps on leave).
We now have everything we need to find the shortest path from any vertex to any other vertex.
Recall the situation described earlier. Starting from "Steve-Admin", we have dozens of computers and users as possible targets, none of which gives quick access to a domain administrator account. Instead of spending hours, days or even weeks analysing every possibility (or worse, guessing and trying the wrong ones), an algorithm can find the "shortcut" we need in a few minutes.
0x05 Dijkstra's algorithm
The more time I spent studying Dijkstra's algorithm, the more I came to appreciate the talent behind this elegant and efficient method. The algorithm runs as follows:
- 1. Choose a source vertex. Set its distance to 0 and the distance of every other vertex to infinity.
- 2. Among the unvisited vertices, pick the one with the smallest distance and mark it as the current vertex.
- 3. Consider the edges of the current vertex. For each adjacent vertex, compare its distance with the current vertex's distance plus 1; if the computed distance is smaller, update the adjacent vertex's distance and set its predecessor to the name of the current vertex. Then mark the current vertex as visited.
- 4. Return to step 2 until every vertex has been visited.
Once the algorithm finishes, the distance value of each vertex tells us whether the source vertex can reach it and in how many hops. Because each vertex also records its predecessor, we can walk the path back to the source:
- 1. Take the target vertex name and add it to the path array.
- 2. Take the last vertex added to the path array, look up its predecessor, and add that predecessor to the path array.
- 3. Repeat until the last vertex added has no predecessor. At that point we have reached the source vertex; reversing the array gives the path from source to target.
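The script below is an added example of the graph design and the two procedures above; it is not the article's PowerShell/PowerView code. Python is used as a language-agnostic stand-in for the PowerShell implementation. The users, computers, local-admin rights and sessions are constructed to match the test-lab figure described in section 0x04, and the function names (build_graph, dijkstra, shortest_path, reverse_graph, who_can_reach) are my own. Beyond the shortest-path search, it also runs the same algorithm on the reversed graph, which lists every vertex from which a chosen account can be compromised.

```python
"""Shortest attack paths over a user/computer graph.

Added example for this article, not the original PowerShell/PowerView code.
All data below is constructed to match the lab figure described in the text;
hosts, user names and function names are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

INF = float("inf")

# Constructed lab data (what Get-NetUser / Get-NetComputer / Get-NetSession and
# a local-administrator enumeration would yield in the article's test lab).
USERS = ["Administrator", "mnelson", "jwarner", "rwinchester", "jfrank", "jdimmock"]
COMPUTERS = ["HR-WS-002", "OPS-WS-002", "IT-SRV-002"]
# user -> computers on which that user holds local administrator rights
LOCAL_ADMINS = {
    "Administrator": ["HR-WS-002", "OPS-WS-002", "IT-SRV-002"],
    "mnelson": ["OPS-WS-002"],
    "jwarner": ["IT-SRV-002"],
}
# computer -> users currently logged on (session data)
SESSIONS = {
    "HR-WS-002": ["mnelson"],
    "OPS-WS-002": ["jwarner"],
    "IT-SRV-002": ["rwinchester", "jfrank", "Administrator"],
}


@dataclass
class Vertex:
    """The five attributes the article gives every vertex."""
    name: str
    edges: List[str] = field(default_factory=list)  # names this vertex points to
    distance: float = INF
    visited: bool = False
    predecessor: Optional[str] = None


def build_graph(users, computers, local_admins, sessions) -> Dict[str, Vertex]:
    """Directed, unweighted graph: user->computer = admin rights,
    computer->user = logged-on user. Either edge means 'source can compromise target'."""
    graph = {name: Vertex(name) for name in list(users) + list(computers)}
    for user, hosts in local_admins.items():
        graph[user].edges.extend(hosts)
    for host, logged_on in sessions.items():
        graph[host].edges.extend(logged_on)
    return graph


def dijkstra(graph: Dict[str, Vertex], source: str) -> None:
    """Steps 1-4 from the article; every hop costs 1 because edges are unweighted."""
    # Step 1: source gets distance 0, everything else infinity.
    for v in graph.values():
        v.distance, v.visited, v.predecessor = INF, False, None
    graph[source].distance = 0
    while True:
        # Step 2: the unvisited vertex with the smallest distance becomes current.
        unvisited = [v for v in graph.values() if not v.visited]
        if not unvisited:
            break                      # Step 4: every vertex has been visited
        current = min(unvisited, key=lambda v: v.distance)
        if current.distance == INF:
            break                      # whatever is left cannot be reached at all
        current.visited = True
        # Step 3: relax each out-edge of the current vertex.
        for neighbour in (graph[n] for n in current.edges):
            if current.distance + 1 < neighbour.distance:
                neighbour.distance = current.distance + 1
                neighbour.predecessor = current.name


def shortest_path(graph, source, target) -> Optional[List[str]]:
    """Run Dijkstra, then walk predecessors from target back to source.
    Returns None when the target is unreachable from the source."""
    dijkstra(graph, source)
    if graph[target].distance == INF:
        return None
    path = [target]                                  # walk-back step 1
    while graph[path[-1]].predecessor is not None:   # walk-back steps 2 and 3
        path.append(graph[path[-1]].predecessor)
    path.reverse()
    return path


def reverse_graph(graph: Dict[str, Vertex]) -> Dict[str, Vertex]:
    """Flip the direction of every edge."""
    rev = {name: Vertex(name) for name in graph}
    for v in graph.values():
        for target in v.edges:
            rev[target].edges.append(v.name)
    return rev


def who_can_reach(graph, target) -> Set[str]:
    """Every vertex from which 'target' can be compromised: one Dijkstra run
    from the target on the reversed graph, keeping vertices with finite distance."""
    rev = reverse_graph(graph)
    dijkstra(rev, target)
    return {n for n, v in rev.items() if v.distance < INF and n != target}


if __name__ == "__main__":
    g = build_graph(USERS, COMPUTERS, LOCAL_ADMINS, SESSIONS)
    print(shortest_path(g, "mnelson", "Administrator"))
    print(shortest_path(g, "jdimmock", "Administrator"))
    print(sorted(who_can_reach(g, "Administrator")))
```

With real data, the two dictionaries would be filled from Get-NetSession output and a local-administrator enumeration of each host; the path from mnelson to Administrator then reads as a chain of alternating "steal credentials on this host" and "log on as this user" moves, and an unreachable target (jdimmock here) comes back as None rather than as a guess.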
0x06 Conclusion and verification
We have only scratched the surface here. There are many more exciting possibilities for applying graph theory (and mathematics from other fields) to Active Directory attack and defence (see this excellent article by Brandon Helms, also known as cr0n1c). For example, by reversing the direction of every edge in the graph and using administrator rights to gather more logged-on user data, we can set the "Administrator" user as the source and run Dijkstra's algorithm once to find every account in AD that could compromise the "Administrator" account.