Most of my useful thoughts come out of being really stuck or challenged; it happens often. I was recently inspired to dip back into my analytical background and apply some very basic techniques to efficiently target an organization’s domains after gaining internal access. Nothing like staring at thousands of lines of tool output after 12 hours of work. Instead of doing the typical grep/sed/awk magic to get useful data, I decided to try some nodal analysis to efficiently abuse the Active Directory trust relationships I was facing. I feel it is important to say that I am not a data scientist. This is a very introductory-level explanation of the use of analytical tradecraft on Domain Trust data. It worked for me though…
How Red Teams Abuse Trusts
Active Directory is now commonplace in large organizations. Domain/Forest Trusts are a specific topic in Active Directory and Windows Networks that I have always found interesting but failed to understand many times. Microsoft describes this feature across several different articles and in many books but the concepts seem cryptic the way they are presented. @harmj0y summarized it all very well here. Basically, Trusts allow two domains or directories to form a relationship. That relationship might include things like authentication, access, or file sharing across domains.
It should be obvious why I love to find a large spaghetti mess of interconnected domains when on an engagement… they can be easily abused. The techniques are rather dated but still very useful. @davidpmcguire and @harmj0y did a talk at DerbyCon that summarized the “old” techniques as well as some new PowerShell ones. The basic strategy begins with querying all possible domains using the trust relationship. Next, the hacker uses this data to hop around different domains looking for file shares to pilfer while also trying to exploit users logged in from trusted domains (admins if you are lucky). By exploiting this linked user, and repeating the cycle on the new domain, you can slowly crawl toward your target.
Veil PowerView – Invoke-MapDomainTrusts
Old school methods relied on the hacker scripting or manually enumerating domain trusts with nltest combined with all the net commands. Recently, some features have been added to PowerView that greatly aid in the infiltration of very large organizations. Invoke-MapDomainTrusts is a capability built to crawl and enumerate the trust relationships from your current Domain. Essentially, this builds you a map of every domain you can learn about from your current location. It recursively queries all the domains that it finds for this information. The command will dump out a CSV of all domain trusts that it was able to enumerate. For two fictitious companies, Bob’s Auto and Alice’s Tire Shop, where Alice’s shop must access resources from Bob’s, the output might look something like:
"bob.com","finance.bob.com","ParentChild","BiDirectional"
"bob.com","corp.bob.com","ParentChild","BiDirectional"
"corp.bob.com","corp.alice.com","External","Inbound"
With an engagement against a large corporation, this output would be massive and incomprehensible. You could spend days searching it, trying to piece together something useful.
Node and Link Analysis
Link analysis, sometimes known as nodal analysis, is an extension of basic graph theory that seeks to analyze and make sense of objects and their relationships. A node is an object, and the edge or link is the relationship between them. A graph is made up of Nodes and Edges. A directed graph is a graph whose edges can be represented with a one-way relationship. Many forms of data can be ingested into a graph and then analyzed. Among other things, analyzing paths and centrality will provide you good information:
- A path is the connection of nodes to form a route between two points. Many algorithms and methods exist to calculate the shortest path between points. In an unweighted graph, the shortest path will be the one that hops the least number of times. In a weighted graph, the shortest path might be the “cheapest” or the “quickest” depending on the units of measure and the algorithm.
- Centrality is the measure of importance that a node holds. A node that is more “central” is one that is more important in the set of data you are analyzing. In its simplest form, degree centrality is the number of relationships/edges a node has. The most popular node would be the most “central”. There are other measures of centrality for different purposes, but for our simple domain trust example, we will stick with degree centrality.
Nodal Analysis of Domain Trusts
While on a recent engagement where I had thousands of lines of trust relationships dumped from one Domain Controller, I developed a quick tool to parse the output from Veil PowerView and use the networkx library in python to analyze and plot it. This allowed me to quickly find a way to my target domain and helped me discover which systems would have access to the most shares for pillaging. It also forced me to look at the bigger picture and decide what major impacts this trust abuse could cause for my target organization.
The script is a shell-based wrapper for the networkx library and is specifically built for the trust.csv generated by PowerView. It provides basic analysis and output techniques. With it, you can get the top 5 most central nodes, find the shortest path between two domains, find isolated domains (those with only one neighbor), and dump the CSV data into a couple of formats (GML, GraphML) for viewing in your favorite visualization tool.
The script can be found here. Note: I used yEd on my Mac for image visualization. In order to get the colors and the labels to show in GraphML output, you have to map the properties. I learned how here.
Here are some screenshots from what I was able to do with a sample of data:
*This output comes from a previous version that mapped trust direction. The current tool maps access direction since it was more useful. Simple flip of the arrows!
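As an added example (not the author's script), here is the core of such a trust.csv analysis in plain Python: it parses the three sample rows quoted above, builds a directed graph in access direction, and computes the degree centrality, isolated-domain and shortest-path checks the tool provides. It uses only the standard library so it runs without networkx; the mapping of Inbound/Outbound to access direction is an assumption noted in the code.

```python
import csv
from collections import deque

# Constructed sample in PowerView's trust.csv layout (the same rows the post shows).
SAMPLE_CSV = '''"bob.com","finance.bob.com","ParentChild","BiDirectional"
"bob.com","corp.bob.com","ParentChild","BiDirectional"
"corp.bob.com","corp.alice.com","External","Inbound"'''

def build_access_graph(csv_text):
    """graph[u] = domains whose resources principals of u can reach (access direction).
    Assumption: Inbound/Outbound map to access as the post's narrative implies (the
    Inbound row lets corp.alice.com reach corp.bob.com); verify this on real data."""
    graph = {}
    for src, dst, _trust_type, direction in csv.reader(csv_text.splitlines()):
        graph.setdefault(src, set())
        graph.setdefault(dst, set())
        if direction in ("BiDirectional", "Outbound"):
            graph[src].add(dst)
        if direction in ("BiDirectional", "Inbound"):
            graph[dst].add(src)
    return graph

def neighbours(graph):
    """Undirected view: every domain that shares any trust with a given domain."""
    nbrs = {d: set(targets) for d, targets in graph.items()}
    for u, targets in graph.items():
        for v in targets:
            nbrs[v].add(u)
    return nbrs

def top_central(graph, n=5):
    """Degree centrality as the post uses it: the most-connected domains first."""
    nbrs = neighbours(graph)
    return sorted(graph, key=lambda d: (-len(nbrs[d]), d))[:n]

def isolated_domains(graph):
    """Domains with exactly one neighbour, the post's definition of 'isolated'."""
    return sorted(d for d, ns in neighbours(graph).items() if len(ns) == 1)

def access_path(graph, start, target):
    """Fewest-hop route following access direction (BFS); None when unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], set()) - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None
```

Because edges follow access direction, corp.alice.com reaches finance.bob.com in three hops while the reverse query returns None. A real Export-Csv file usually starts with a header row; drop it before passing the text in.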
This tool serves as a small example of using analytical skills during engagements. I love being able to use traditional analytic tradecraft to make the most of my enumeration efforts and to present the best data in raw or visualized form. Going forward, the tool could easily be extended to allow for weighted edges, which might represent areas that are monitored by network defenders or trusts that are known to be difficult and therefore carry an increased cost of exploitation.
Feel free to email with any questions! Happy Hacking…