Obtaining domain administrator rights does not always mean immediate access to every host, shared resource or database on the network. The trick is to find the right account. The speaker presents examples of various internal penetration testing scenarios, describes the difficulties his team encountered, and explains how the tool that helped overcome them was developed.
Got Domain Admin Rights? The Game Isn't Over Yet
1. Finding Your Way to Domain Admin Access and Even So, the Game Isn't Over Yet
Keith Lee
2. #whoami
• Keith Lee
• Singapore
• Senior Consultant at SpiderLabs APAC
• Loves to write tools
• Twitter: @keith55
• Github: https://github.com/milo2012
• Blog: https://milo2012.wordpress.com
4. Overview
• We do a number of internal network penetration tests as part of our day-to-day work
• There are a bunch of awesome tools and techniques for capturing and cracking credentials, but we wanted to fill the gap between cracking a low-privilege password hash obtained from NetBIOS/LLMNR/WPAD attacks etc. and compromising the entire Domain, and to help with a few tricky issues that we as penetration testers face
• Developed a tool, Portia, to help with this.
5. Portia
• Portia aims to automate a number of techniques commonly performed
on internal network penetration tests after a low privileged account has
been compromised
• Functionalities of Portia
• Privilege escalation
• Lateral movement
• Convenience modules
6. How did the name ‘Portia’ come about?
• Portia is a genus of jumping spider that feeds on other spiders, known for intelligent hunting behaviour and problem-solving capabilities usually only found in larger animals
9. Basic Idea of How Portia Works
• Scans the network for NetBIOS hosts and Domain Controllers
• Checks whether the credentials provided are valid
• Enumerates users in the Domain Admins group
• Checks the SYSVOL/Group Policy Preferences (GPP) items for passwords
• Is the DC vulnerable to MS14-068?
• Checks which hosts the account has ‘admin’ access on
• Dumps plaintext credentials and hashes, and checks ‘Impersonation’ tokens
• Collects the hashes/credentials and moves on to the next target in the network
• Auto-elevates permissions if an ‘Impersonation’ token belonging to a Domain Admin is found
• Compromises the Domain Controller and runs other convenience modules
12. Storing passwords in SYSVOL or Group Policy Preferences (GPP)
• Any authenticated domain user account is able to access it
• Passwords are encrypted using a known 32-byte AES key.
• Locations in Group Policy Preferences where passwords were saved
• Drive Maps
• Local Users and Groups
• Scheduled Tasks
• Services
• Data Sources
14. Storing passwords in SYSVOL or Group Policy Preferences (GPP)
• MS Patch - MS14-025 (KB2962486)
• Prevents creating new GPO preferences that rely on saved passwords
• Doesn’t remove the old insecure passwords
• Have they disabled or removed the old account that was previously used in the GPO?
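The point of the two GPP slides above is that MS14-025 leaves old cpassword items in SYSVOL, so a defender needs an inventory of what is still there. The following is an added example, not Portia's code: it walks a copy of SYSVOL, finds every preference item that still carries a cpassword attribute, and reports the file, item type and account name without decrypting anything. The file names and the account-name attribute per file type are assumptions based on the preference categories listed on the slides; the sample SYSVOL tree is constructed in a temporary directory so the script runs offline.

```python
"""Added example (not Portia's code): audit a SYSVOL copy for Group Policy
Preference items that still carry a cpassword attribute. MS14-025 stops new
GPP items from storing passwords but leaves old ones in place, so a defender
wants a list of leftovers to clean up. Nothing is decrypted here."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that may carry cpassword, mapped to the attribute that
# names the account in each (assumed from the preference types on the slides).
GPP_FILES = {
    "Drives.xml": "userName",
    "Groups.xml": "userName",
    "ScheduledTasks.xml": "runAs",
    "Services.xml": "accountName",
    "DataSources.xml": "username",
}


def find_cpasswords(sysvol_root):
    """Walk sysvol_root and return one dict per preference item with a cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            account_attr = GPP_FILES.get(name)
            if account_attr is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML deserves a manual look, not a crash
            for item in root:  # <User>, <Task>, <Drive>, <NTService>, ...
                for props in item.iter("Properties"):
                    cpw = props.get("cpassword")
                    if cpw is None:
                        continue  # this item stores no password
                    findings.append({
                        "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                        "item": item.tag,
                        "account": props.get(account_attr, ""),
                        "blank_password": cpw == "",  # cpassword="" encodes an empty password
                    })
    return findings


def build_sample_sysvol():
    """Create a constructed, throwaway SYSVOL tree with two leftover cpasswords."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    prefs = os.path.join(root, "Policies", "{GPO-GUID-PLACEHOLDER}", "Machine", "Preferences")
    samples = {
        "Groups/Groups.xml": (
            '<?xml version="1.0" encoding="utf-8"?>'
            '<Groups><User name="helpdesk" uid="{constructed-uid-1}">'
            '<Properties action="U" userName="helpdesk" cpassword="CONSTRUCTED-NOT-A-REAL-VALUE"/>'
            '</User></Groups>'
        ),
        "ScheduledTasks/ScheduledTasks.xml": (
            '<?xml version="1.0" encoding="utf-8"?>'
            '<ScheduledTasks><Task name="nightly" uid="{constructed-uid-2}">'
            '<Properties action="C" runAs="svc-backup" cpassword=""/>'
            '</Task></ScheduledTasks>'
        ),
        "Drives/Drives.xml": (  # a mapped drive without stored credentials: must not be reported
            '<?xml version="1.0" encoding="utf-8"?>'
            '<Drives><Drive name="H:" uid="{constructed-uid-3}">'
            '<Properties action="U" path="\\\\fileserver\\home" useLetter="1" letter="H"/>'
            '</Drive></Drives>'
        ),
    }
    for rel, text in samples.items():
        path = os.path.join(prefs, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for f in find_cpasswords(build_sample_sysvol()):
        print(f)
```

Run it against a mounted or copied `\\<domain>\SYSVOL` tree instead of the sample root and every line of output is a preference item that MS14-025 did not clean up; for each one, check whether the account named is still enabled, which is the question the slide asks.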
16. MS14-068 (KB3011780) Vulnerability in Microsoft Windows Kerberos KDC
• An attacker is able to use an unprivileged domain user account and elevate its privileges to those of a domain administrator account.
• A Privilege Attribute Certificate (PAC) can be forged that is accepted by the KDC as legitimate. A fake PAC can claim that the regular user is a member of the domain administrators group.
• Thus, if a domain controller is vulnerable to MS14-068, an attacker with normal domain user privileges is able to obtain domain admin privileges
21. Impersonation Tokens
• What is an impersonation token?
• When a user logs into a system, a delegation token is created, which is converted to an impersonation token once the user logs out.
• The impersonation token has the same rights and properties as the delegation token.
• The delegation and impersonation tokens, once created, remain on the system until it is rebooted.
• If a Domain Administrator impersonation token is found, one can use Mimikatz or add an account to the Domain Admins group to dump credentials on the DC
25. Portia - Impersonation Tokens
• If no impersonation token is found, Portia runs Mimikatz and dumps local password hashes
• If there are any new passwords/hashes, they are added to the database and the process starts again
• The new passwords are tested against every host until there are no new passwords
26. Shared Local Administrator Passwords
• IT administrators use a default Operating System (OS) image (with the software installed) and roll it out to new users. The OS is configured with a default password.
• In order for IT staff to support the workstations/servers, it’s easy to use a single default local administrator password.
• From an offensive perspective this can be exploited to move from compromising one host in the network to compromising 100 hosts in the network
• Portia detects if multiple machines are using the same local administrator password
• Does not matter whether the machines are joined to the domain
27. No Admin Access?
• Various local privilege escalation techniques
• Hot Potato
• Windows Update
• Automatic updater of untrusted certificates
• Unquoted Service Paths
• https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
• wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
• Weak file permissions for Windows services, unprotected executables / registry keys
• https://github.com/pentestmonkey/windows-privesc-check
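The wmic one-liner on this slide filters service paths three times: keep automatic-start services, drop anything under `c:\windows\`, drop anything whose path is already quoted. The block below is an added example, not Portia's code or the linked TechNet script: it parses the fixed-width table that `wmic service get name,pathname,startmode` prints and applies the same three conditions, plus the check the one-liner leaves to the eye (a space inside the executable portion of the path). The sample table is constructed to stand in for real wmic output; the column layout and the `.exe` heuristic are assumptions.

```python
"""Added example (not Portia's or the linked script's code): find Windows
services whose image path is unquoted and contains a space, the condition the
wmic one-liner on the slide searches for. Input is the text table that
`wmic service get name,pathname,startmode` prints; the sample is constructed."""
import re

WMIC_COLUMNS = ("Name", "PathName", "StartMode")


def build_sample_wmic_output():
    """Constructed stand-in for real wmic output: fixed-width, right-padded columns."""
    rows = [
        ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
        ("AcmeAgent", r"C:\Program Files\Acme Corp\Agent\agent.exe -service", "Auto"),
        ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe" -k net', "Auto"),
        ("LegacyMon", r"C:\Apps\Legacy Monitor\mon.exe", "Manual"),
        ("TightSvc", r"C:\Apps\tight\tight.exe", "Auto"),
    ]
    fmt = "{:<12}{:<64}{}"
    lines = [fmt.format(*WMIC_COLUMNS)] + [fmt.format(*r) for r in rows]
    return "\n".join(lines) + "\n"


def parse_wmic_table(text):
    """Split wmic's fixed-width table using the header's column start offsets."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    starts = [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for row in rows:
        rec = {}
        for i, (col, start) in enumerate(starts):
            end = starts[i + 1][1] if i + 1 < len(starts) else None
            rec[col] = row[start:end].strip()
        records.append(rec)
    return records


def unquoted_path_risk(pathname, ignore_windows_dir=True):
    """True when the image path is unquoted and the executable part contains a space.
    Paths under C:\\Windows are skipped by default, mirroring the slide's findstr
    filter, because that tree is not writable by ordinary users on a default install."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False  # quoted: the service control manager will not split it
    if ignore_windows_dir and p.lower().startswith("c:\\windows\\"):
        return False
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    exe_path = m.group(1) if m else p  # no .exe found: judge the whole string conservatively
    return " " in exe_path


def find_unquoted_services(wmic_text, auto_only=True, ignore_windows_dir=True):
    """Return the sorted names of services matching the unquoted-path condition."""
    hits = []
    for rec in parse_wmic_table(wmic_text):
        if auto_only and rec.get("StartMode", "").lower() != "auto":
            continue
        if unquoted_path_risk(rec.get("PathName", ""), ignore_windows_dir):
            hits.append(rec["Name"])
    return sorted(hits)


if __name__ == "__main__":
    for name in find_unquoted_services(build_sample_wmic_output()):
        print("unquoted service path:", name)
```

On a real host, save the wmic output to a file and pass its contents to `find_unquoted_services`; the remediation for each hit is to quote the ImagePath value of that service.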
28. No Admin Access?
• If the option ‘Allow users to connect remotely by using Remote Desktop Services’ is enabled in Group Policy, you will be able to log in remotely to the host
29. No Admin Access?
• UAC Bypass
• https://github.com/hfiref0x/UACME
• Using Eventvwr.exe and registry Hijacking
• https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
• Using App Path
• https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
• Using SDCLT.exe
• https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
34. Portia - Dumping Browser Credentials
• Uses various PowerShell scripts
• First checks for Firefox or Chrome
• Checks the currently logged-in user and whether we have the hash or password belonging to that user
• A PowerShell script running in the user’s session dumps the credentials to a file
36. Portia - Searching for PAN on Disk and In-Memory
• Useful tools for searching disks and memory for PANs (primary account numbers)
• https://github.com/jksdua/credit-card-finder (Disk)
• https://github.com/Shellntel/scripts/blob/master/mem_scraper.ps1 (Memory)
• Portia uses modified versions of these tools
• Portia enumerates the list of installed applications on the hosts where we have admin access
• Portia enumerates the processes running on the hosts where we have admin access
• Portia produces a table mapping which processes/programs are running on which hosts and which processes are common. This allows an attacker to find interesting ‘processes’ to dump and search for PANs.
40. Portia - Analysing Hashes
• Currently has some basic analysis of hashes
• Blank hash
• Accounts using the same hash
• Future improvements
• Checking for password reuse between the local admin account and domain admin
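Slides 26 and 40 describe the same family of checks over collected hashes: a blank hash, accounts sharing a hash, and the same local Administrator hash appearing on many machines. The block below is an added example, not Portia's code: it runs those checks over constructed pwdump-style dumps (`user:rid:lm:nt:::`) from three hosts, and goes one step beyond the slide by also implementing the planned local-admin-versus-domain-admin comparison against a supplied set of domain account hashes. The host names, account names and 32-hex NT hashes in the sample are constructed placeholders; only the empty-password LM and NT hash constants are real values.

```python
"""Added example (not Portia's code): the hash checks the slides describe, run
over constructed pwdump-style dumps (user:rid:lm:nt:::) from several hosts.
Reports blank NT hashes, a local Administrator (RID 500) hash shared across
hosts, accounts anywhere that share a hash, and local admin hashes that also
appear among a supplied set of domain account hashes."""
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password

# Constructed sample dumps; H1..H3 are obviously fake 32-hex placeholders.
H1, H2, H3 = "1" * 32, "2" * 32, "3" * 32
SAMPLE_DUMPS = {
    "WS01": [
        f"Administrator:500:{LM_EMPTY}:{H1}:::",
        f"Guest:501:{LM_EMPTY}:{EMPTY_NT}:::",
    ],
    "WS02": [
        f"Administrator:500:{LM_EMPTY}:{H1}:::",   # same image password as WS01
        f"svc_backup:1001:{LM_EMPTY}:{H1}:::",     # a service account reusing it
    ],
    "SRV01": [
        f"Administrator:500:{LM_EMPTY}:{H2}:::",
        f"localops:1002:{LM_EMPTY}:{H3}:::",
    ],
}


def parse_pwdump(line):
    """Parse one pwdump line; returns None for lines not in that format."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {"user": parts[0], "rid": int(parts[1]), "nt": parts[3].lower()}


def analyse_hashes(host_dumps, domain_hashes=frozenset()):
    """host_dumps maps hostname -> list of pwdump lines; domain_hashes is an
    optional set of NT hashes of domain accounts to compare local admins against."""
    by_hash = defaultdict(set)      # nt -> {(host, user)}
    admin_hosts = defaultdict(set)  # nt of a RID 500 account -> {host}
    blank = []
    for host, lines in host_dumps.items():
        for line in lines:
            rec = parse_pwdump(line)
            if rec is None:
                continue
            if rec["nt"] == EMPTY_NT:
                blank.append((host, rec["user"]))
            by_hash[rec["nt"]].add((host, rec["user"]))
            if rec["rid"] == 500:  # built-in local Administrator, whatever it was renamed to
                admin_hosts[rec["nt"]].add(host)
    return {
        "blank": sorted(blank),
        # same local Administrator password on more than one machine (slide 26)
        "shared_local_admin": {h: sorted(hs) for h, hs in admin_hosts.items() if len(hs) > 1},
        # any accounts, on any hosts, whose NT hash is identical (slide 40)
        "same_hash": {h: sorted(a) for h, a in by_hash.items() if len(a) > 1 and h != EMPTY_NT},
        # hosts whose local Administrator hash equals a domain account hash (planned check)
        "local_admin_equals_domain": sorted(
            host for h, hs in admin_hosts.items() if h in domain_hashes for host in hs
        ),
    }


if __name__ == "__main__":
    report = analyse_hashes(SAMPLE_DUMPS, domain_hashes={H2})
    for key, value in report.items():
        print(key, value)
```

Feed it real dumps one list per host and the `shared_local_admin` entry is the list of machines that a single local password opens, which is the population LAPS (slide 44) is meant to shrink to zero.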
42. Future Enhancements
• Microsoft SQL Support
• Finds passwords/hashes that grant access to the database
• Dump a sample of each table (i.e. first five or so records)
• Sensitive info (e.g. PAN)
• Docker Image
• Easy setup
• Add MS08-067 and MS17-010
44. Remediations
• Shared Local Administrator Account
• Local Administrator Password Solution (LAPS)
• Randomly generate passwords that are automatically changed on managed machines.
• Effectively mitigate PtH attacks that rely on identical local account passwords.
• Enforced password protection during transport via encryption using the Kerberos
version 5 protocol.
• Use access control lists (ACLs) to protect passwords in Active Directory and easily
implement a detailed security model.
45. Remediations
• Impersonation Token
• For high privilege accounts (accounts in the Domain Admins group), tick the box “Account is sensitive and cannot be delegated”
Here are some photos taken in Singapore that I would like to share with you.
If you have never been to Singapore, I strongly welcome you to visit Singapore if you have the time
Privilege escalation means that you are just a normal domain user and you are trying to escalate your privileges to those of a Domain Admin
Lateral movement means that you have compromised one host in the network and you are trying to move to other targets and compromise them, finally compromising the Domain Controllers
If the domain controller is vulnerable to MS14-068, we can automatically elevate our privileges to that of a Domain Admin
Starts off with running a scan against the list of target IP address/subnet/file containing list of IPs
Checks if the
The left side shows screenshot of the places where GPP passwords are saved.
The right side shows what the encrypted password in the SYSVOL folder looks like
Checks the SYSVOL folder for any credentials
Tests the account credentials if found
Checks if the account belongs to the local administrators group on any hosts, or whether it is a Domain Admin account
Followed by dumping passwords/hashes/impersonation tokens and then moving to the next target if the host is compromised.
It is an old vulnerability but from time to time, you can still find this issue during penetration tests.
An attacker can forge a PAC that can be accepted by the KDC as legitimate
The attacker can create a fake PAC claiming that the regular user is a member of the DA group.