BSidesCharm 2024 - Using Bloodhound as a Defender: Tips from the Red Team

BSidesCharm

Network defenders are often not armed with the right information to fix critical permission issues and general misconfigurations within Active Directory (AD). Many of these flaws lie dormant in the network for 10+ years until either an attacker or pentester takes advantage of them. The reason is that these flaws don’t show up in security checklists or vulnerability scanners, whose output alone can be a daunting task for a large enterprise to handle. We often get into a mindset of “need to fix what the tool tells me”, and if a flaw is not rated critical or high impact by a vulnerability scanner, it just isn’t addressed. When I take over an entire network I don’t use a vulnerability scanner, or the data it provides.

This talk is aimed at providing defenders with an attacker's perspective into their Active Directory (AD) environment. As part of the talk, a tool will be released that automates numerous complex queries over BloodHound data via Neo4j Cypher queries. Ad-recon is a tool designed to quickly triage BloodHound data (~2-4 seconds to run without pathing queries enabled) and will identify numerous security issues within the AD environment. The talk will walk through each query the tool covers, explain why the data is interesting, and discuss what an attacker could do and what a defender can do to secure it. Ad-recon also supports printing out all these queries and descriptions so the user can modify them and use them in their own code, the Neo4j interface, a Cypher-Shell query, or the BloodHound GUI.
Presenter: Andrew McNicol
Andrew McNicol has over 13 years of experience performing offensive security assessments (red teaming and penetration testing). He currently serves as BreakPoint Labs (BPL) Chief Technology Officer (CTO). He holds dozens of industry-recognized certifications (OSCP, OSCE, etc.), a B.S. from Towson University, and an M.S. degree from Capital Technology University. He has worked in the DoD, Federal, Law Enforcement, and commercial sectors performing red teaming and penetration testing.
