BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0

Adding abuse guidance from UNIX-like hosts #625

Closed ShutdownRepo closed 1 year ago

ShutdownRepo commented 1 year ago

Adding abuse guidance from UNIX-like systems for many edges, referring to the progress that has been made these last few years to support AD attacks from Linux (e.g. the mindmap at https://www.thehacker.recipes/ad/movement/dacl for DACL abuse).


github-actions[bot] commented 1 year ago

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

ShutdownRepo commented 1 year ago

I have read the CLA Document and I hereby sign the CLA

rvazarkar commented 1 year ago

This is an insane PR. We'll need to review this, but thanks for doing all this work

ShutdownRepo commented 1 year ago

This is an insane PR. We'll need to review this, but thanks for doing all this work

Sure, feel free to ping if there's anything I can do. BloodHound is an awesome tool, and given the time I spend using it, it's only normal I contribute to it however I can.

andyrobbins commented 1 year ago

This is stunning work, Charlie, thank you so much for this PR.

eladshamir commented 1 year ago

Nice work @ShutdownRepo! I started reviewing the code and suggested some minor changes (see above).

ShutdownRepo commented 1 year ago

Fixed https://github.com/BloodHoundAD/BloodHound/pull/625#pullrequestreview-1263673308, https://github.com/BloodHoundAD/BloodHound/pull/625#pullrequestreview-1263684665, https://github.com/BloodHoundAD/BloodHound/pull/625#pullrequestreview-1263701978, https://github.com/BloodHoundAD/BloodHound/pull/625#pullrequestreview-1263752105

Regarding the issue below:

Opening the help modal for the following edges results in a blank screen:

* AddAllowedToAct

* AllExtendedRights to a Group node

* AllExtendedRights to an OU node

* GenericWrite to an OU node

* WriteSPN

Do you know what's causing it? I could try to fix it right away if you do. If not, I should be able to take a look this weekend or next week.

eladshamir commented 1 year ago

Fixed #625 (review), #625 (review), #625 (review), #625 (review)

Regarding the issue below:

Opening the help modal for the following edges results in a blank screen:

* AddAllowedToAct

* AllExtendedRights to a Group node

* AllExtendedRights to an OU node

* GenericWrite to an OU node

* WriteSPN

Do you know what's causing it? I could try to fix it right away if you do. If not, I should be able to take a look this weekend or next week.

I'm not sure why that happens. @rvazarkar @andyrobbins Do you have any idea?

andyrobbins commented 1 year ago

Yup, I believe I know how to fix this. I'm going to try to fix this within the PR this week.

andyrobbins commented 1 year ago

Part of the issue is that when we click an edge and create the help text modal, the abuse text is dynamically created based on the target node type. We don't want to show you the "GenericWrite" info for a group if the edge is against a user, for example.

If you look at https://github.com/BloodHoundAD/BloodHound/blob/master/src/components/Modals/HelpTexts/AllExtendedRights/Abuse.jsx you'll see that there is no logic in the case statement for when the target node type is a Group or OU. This is why the application crashes; there's no graceful way we handle it when the target node isn't part of the case statement.

The fix will be to modify the relevant Abuse.jsx (LinuxAbuse.jsx and WindowsAbuse.jsx) files to include these target node label types, with information about how the edge is abusable against those particular objects.

AllExtendedRights I'm 99% sure grants you the ability to add members to groups, but I want to validate that.

@ShutdownRepo @eladshamir questions for y'all: AllExtendedRights against an OU -- what is the abuse there? How do you take control of a child object (User or Computer) under such an OU when you have AllExtendedRights against the OU and NOT against the child objects? If the answer is to modify the gplink attribute to have a new evil GPO apply to those objects, is there practical tooling out there for this abuse that doesn't break group policy in such a way that the legit group policies no longer apply to these objects?

Same question for GenericWrite against an OU.

I'm not quite sure what's causing the crash with WriteSPN and AddAllowedToAct, will build from this PR and try to investigate that as soon as possible.

ShutdownRepo commented 1 year ago

AllExtendedRights I'm 99% sure grants you the ability to add members to groups, but I want to validate that.

As far as I know, yes it does

@ShutdownRepo @eladshamir questions for y'all: AllExtendedRights against an OU -- what is the abuse there? How do you take control of a child object (User or Computer) under such an OU when you have AllExtendedRights against the OU and NOT against the child objects? If the answer is to modify the gplink attribute to have a new evil GPO apply to those objects, is there practical tooling out there for this abuse that doesn't break group policy in such a way that the legit group policies no longer apply to these objects?

Same question for GenericWrite against an OU.

The only attacks I know abusing ACEs targeting OUs and Containers are limited to WriteDACL allowing to edit the child objects' DACL when inheritance is set. I didn't test the scenarios you're mentioning.

JonasBK commented 1 year ago

Hey y’all,

I have tested AllExtendedRights against a Group node. When you assign the privilege in Users and Computers, the add member privilege is NOT added, unlike when you grant full control, etc. I verified by testing that I could not add members.

SharpHound will not create the AllExtendedRights edge to Groups - only to Users, Computers, and Domains: https://github.com/BloodHoundAD/SharpHoundCommon/blob/main/src/CommonLib/Processors/ACLProcessor.cs#L256. However, the docs for AllExtendedRights do include Group but not Domain: https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#allextendedrights. I will fix that in a separate commit.

We should not have AllExtendedRights and GenericWrite against OUs, as the GPO attack primitive requires that the principal also have the privilege to create GPOs or modify existing ones. So AllExtendedRights and GenericWrite against OUs will create false positives unless there is another attack primitive. SharpHound and the docs are correct regarding these two. Someday, we should find a way to show if a principal has all the privileges required to perform the GPO attack.

The AddAllowedToAct issue is not related to this PR. I have fixed that in a new 4.3.1 branch: https://github.com/BloodHoundAD/BloodHound/commit/5f1452aac463fda0e9636561d28cfd4a6927a59e

I have changed the PR to be merged into the new 4.3.1 branch and accepted the PR.

The WriteSPN issue was a simple bug now fixed with this commit: https://github.com/BloodHoundAD/BloodHound/commit/6aefe2c384c604b165db07efda974cb7c38e9c59.

Thanks again for your contribution @ShutdownRepo!
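A small illustration of the two points raised in this thread, the help-text case statement with no default branch (the blank-screen crash) and the mismatch between the target types SharpHound emits for AllExtendedRights and the ones the docs listed. This is an added example, not BloodHound's code; the guidance strings and the GenericWrite target list are placeholders/assumptions, and the AllExtendedRights table deliberately mirrors the docs state described above (Group listed, Domain missing).

```javascript
// Assumed shape of the help-text data: edge -> target label -> text.
// The AllExtendedRights entries intentionally reproduce the documented
// state from the thread (Group present, Domain absent) so the check below
// has something to find. Strings are placeholders, not real guidance.
const ABUSE_TEXT = {
  AllExtendedRights: {
    User: 'placeholder guidance: AllExtendedRights against a User',
    Computer: 'placeholder guidance: AllExtendedRights against a Computer',
    Group: 'placeholder guidance: AllExtendedRights against a Group',
  },
  GenericWrite: {
    User: 'placeholder guidance: GenericWrite against a User',
    Computer: 'placeholder guidance: GenericWrite against a Computer',
  },
};

// Target labels the collector actually emits per edge. AllExtendedRights
// is taken from the thread (Users, Computers, Domains); GenericWrite is an
// assumption for the example only.
const COLLECTED_TARGETS = {
  AllExtendedRights: ['User', 'Computer', 'Domain'],
  GenericWrite: ['User', 'Computer'],
};

// Resolve the text for a modal. The `||` fallback plays the role of the
// default branch the original switch lacked: an uncovered target type
// yields a readable message instead of an undefined render.
function abuseText(edge, targetType) {
  const byTarget = ABUSE_TEXT[edge];
  const text = byTarget && byTarget[targetType];
  return text || `No abuse guidance is defined for ${edge} against a ${targetType} node.`;
}

// Consistency check for reviewers: every label the collector can emit must
// have help text (otherwise the modal falls back), and text for a label the
// collector never emits is dead or misleading documentation.
function coverageGaps(edge) {
  const documented = Object.keys(ABUSE_TEXT[edge] || {});
  const collected = COLLECTED_TARGETS[edge] || [];
  return {
    missing: collected.filter((t) => !documented.includes(t)),
    extra: documented.filter((t) => !collected.includes(t)),
  };
}

module.exports = { ABUSE_TEXT, COLLECTED_TARGETS, abuseText, coverageGaps };
```

Running `coverageGaps('AllExtendedRights')` on this data reports Domain as missing and Group as extra, which is exactly the docs-versus-collector discrepancy noted above.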

JonasBK commented 1 year ago

I just learned that it is also possible to abuse AllExtendedRights and GenericWrite against an OU if you can edit DNS records and create computer accounts: https://labs.withsecure.com/publications/ou-having-a-laugh.

That makes it a bit more likely that the privilege is abusable, but I still believe the right approach is to collect the information we need and create a new edge type with post-processing logic.