Получение прав администратора домена не всегда означает, что сразу появляется доступ ко всем хостам, общим ресурсам или базам данных сети. Хитрость в том, чтобы найти нужный аккаунт. Докладчик приведет примеры различных сценариев внутреннего тестирования на проникновение, расскажет о сложностях, с которыми столкнулась его команда и о том, как разрабатывался инструмент, позволивший справиться с ними.

1. Finding Your Way to Domain Admin
Access and Even So, the Game Isn't
Over Yet
Keith Lee

2. #whoami
• Keith Lee
• Singapore
• Senior Consultant at SpiderLabs APAC
• Loves to write tools
• Twitter: @keith55
• Github: https://github.com/milo2012
• Blog: https://milo2012.wordpress.com

4. Overview
• We do a number of internal network penetration tests as part of our
day to day
• There are a bunch of awesome tools and techniques for capturing
and cracking credentials but we wanted to fill the gap from after
cracking a low privilege password hash from
NetBIOS/LLMNR/WPAD attacks etc. to compromising the entire
Domain as well as help with a few tricky issues that we as
penetration testers face
• Developed a tool, Portia to help with this.

5. Portia
• Portia aims to automate a number of techniques commonly performed
on internal network penetration tests after a low privileged account has
been compromised
• Functionalities of Portia
• Privilege escalation
• Lateral movement
• Convenience modules

6. How does the name ‘Portia’ comes about ?
• Portia is a genus of jumping spider that feeds on other spiders -
known for their intelligent hunting behaviour and problem solving
capabilities usually only found in larger animals

7. Portia

8. Typical Network Environment

9. Basic Idea of How Portia Works
• Scans the network for NetBIOS hosts and Domain Controllers
• Checks if the credentials provided is valid or not
• Enumerates users in Domain Admin group
• Checks the SYSVOL/Group Policy Preferences (GPP) items for passwords
• Is the DC vulnerable to MS14-068 ?
• Checks which hosts the account have ‘admin’ access on
• Dumps plaintext credentials, hashes and checks ‘Impersonation’ tokens
• Collects the hashes/credentials and move on to next target in network.
• Auto-elevate the permissions if an ‘Impersonation’ token belong to Domain Admin is found
• Comprising the Domain Controller and run other convenient modules

10. Portia Basic Workflow

11. Starts with the “low-hanging
fruit”

12. Storing passwords in SYSVOL or Group Policy Preference
(GPP)
• Any authenticated domain user account is able to access it
• Passwords are encrypted using known AES 32-byte key.
• Locations in Group Policy Preferences where passwords were saved
• Drive Maps
• Local Users and Groups
• Scheduled Tasks
• Services
• Data Sources

13. Group Policy Preference Items

14. Storing passwords in SYSVOL or Group Policy Preference
(GPP)
• MS Patch - MS14-025 (KB2962486)
• Unable to create new GPO preferences that rely on saved
passwords
• Doesn’t remove the old insecure passwords
• Have they disabled or removed the old account that was used in
GPO previously?

15. Portia - Attacking SYSVOL

16. MS14-068 (KB3011780) Vulnerability in Microsoft Windows
Kerberos KDC
• An attacker will be able to use an unprivileged domain user account
and elevate the privileges to that of a domain administrator account.
• A Privilege Attribute Certificate (PAC) can be forged that would be
accepted by the KDC as legitimate. Can create a fake PAC claiming
the regular user is a member of the domain administrators group.
• Thus, if a domain controller is vulnerable to MS14-068, an attacker
having normal domain user privileges, he/she would be able to have
domain admin privileges

17. MS14-068 - Current Tools
• Responder - FindSMB2UPTime.py
• Impacket - goldenPac.py

18. Portia - Attacking MS14-068

19. Portia - Attacking MS14-068

20. Assuming no passwords in SYSVOL and
MS14-068 is not exploitable - what’s
next?

21. Impersonate Token
• What is Impersonate Token?
• When a user logs into a system a delegation token is created which is converted to
an impersonation token once the user logs out.
• The impersonation token has the same rights and properties as the delegation
token.
• The delegation and impersonation tokens, once created remains on the system until
it is rebooted.
• If a Domain Administrator impersonate token is found can use Mimikatz or add to
the Domain Admin group to dump credentials on DC

22. Portia - Impersonate Tokens

23. Token Impersonation

24. Portia - Impersonate Tokens

25. Portia - Impersonate Tokens
• If no impersonate token is found, the Portia runs Mimikatz as well as
dumps local password hashes
• If there are any new passwords/hashes they are added to the
database and and the process starts again
• The new passwords will be tested against every host until there are
no new passwords

26. Shared Local Administrator Passwords
• IT administrators uses a default Operating System (OS) image (with the software
installed) and roll out to new users. The OS is configured with a default password.
• In order for the IT staff to support the workstations/servers, it’s easy to use a single
default local administrator password.
• From an offensive perspective you can exploit this to move from compromising one
host in the network to compromising 100 hosts in the network
• Portia detects if multiple machines are using the same local administrator password
• Does not matter if the machines are connected to the domain

27. No Admin Access?
• Various local privilege escalation techniques
• Hot Potato
• Windows Update
• Automatic updater of untrusted certificates
• Unquoted Service Paths
• https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
• wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows" |findstr /i /v
"""'
• Weak file permissions for windows services, unprotected exe / registries
• https://github.com/pentestmonkey/windows-privesc-check

28. No Admin Access
• If the option ‘Allow users to connect remotely by using Remote
Desktop Services’ is enabled in Group Policy, you will be able to
login remotely into the host

29. No Admin Access?
• UAC Bypass
• https://github.com/hfiref0x/UACME
• Using Eventvwr.exe and registry Hijacking
• https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
• Using App Path
• https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
• Using SDCLT.exe
• https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

30. Portia - Hunting for Correct Credentials to access SMB
Shares/Folders
• $ python portia.py -d CORP -u milo -p Password1 -M shares

31. Portia - Current Modules
• Bitlocker Keys
• KeePass Databases
• KeePass Passwords
• TrueCrypt Master Keys
• Wireless Passwords
• WinvNC, Ultravnc
• Putty
• WinSCP
• Browser Credentials (Firefox/Chrome)
• Filezilla sitemanager.xml
• Apache HTTPd.conf
• Unattend.xml, Sysprep.xml, Sysprep.inf
• Passwords stored in documents labelled
*password*
• IIS Credentials (ApplicationHost.config)
• PAN numbers in files/memory

32. Portia - Find Interesting Files

33. Portia - Find Interesting Files

34. Portia - Dumping Browser Credentials
• Uses various Powershell scripts
• First checks for Firefox or Chrome
• Checks the current logged in user and checks whether we have
the hash or password belonging to the user
• Powershell script that runs in the user session that dumps the
credentials to a file

35. Portia - Dumping Browser Credentials

36. Portia - Searching for PAN on Disk and In-Memory
• Useful tools for searching for disks and memory for PAN numbers
• https://github.com/jksdua/credit-card-finder (Disk)
• https://github.com/Shellntel/scripts/blob/master/mem_scraper.ps1 (Memory)
• Portia uses modified versions of these tools
• Portia enumerates the list of installed applications on the hosts where we have admin access on
• Portia enumerates the processes running on the hosts where we have admin access on
• Portia produces a table mapping which processes/programs are running on which hosts and what
processes are common. This will allow an attacker to find interesting ‘processes’ to dump and find
PAN numbers.

37. Portia - Searching for PAN on Disk and In-Memory

38. Other Modules - Keepass

39. Other Modules - Truecrypt

40. Portia - Analysing Hashes
• Currently has some basic analysis of hashes
• Blank hash
• Accounts using the same hash
• Future improvements
• Checking for password reuse between local admin account and
domain admin

41. Portia - Analysing Hashes

42. Future Enhancements
• Microsoft SQL Support
• Finds passwords/hashes that grant access to the database
• Dump a sample of each table (i.e. first five or so records)
• Sensitive info (e.g. PAN)
• Docker Image
• Easy setup
• Add MS08-067 and MS17-010

43. Demo Time

44. Remediations
• Shared Local Administrator Account
• Local Administrator Password Solution (LAPS)
• Randomly generate passwords that are automatically changed on managed machines.
• Effectively mitigate PtH attacks that rely on identical local account passwords.
• Enforced password protection during transport via encryption using the Kerberos
version 5 protocol.
• Use access control lists (ACLs) to protect passwords in Active Directory and easily
implement a detailed security model.

45. Remediations
• Impersonation Token
• For high privilege accounts (accounts in Domain
Admin group), tick the box “Account is sensitive
and cannot be delegated”

46. Remediations
• Mimikatz
• Install Hotfix KB 2871997
• Disable Windows Digest
• reg add
HKLMSYSTEMCurrentControlSetControlSecurityProvidersW
Digest /v UseLogonCredential /t REG_DWORD /d 0

47. github.com/milo2012/portia/