
Got Domain Admin Rights? The Game Isn't Over Yet


Obtaining domain administrator rights does not always mean that you immediately get access to every host, shared resource or database on the network. The trick is to find the right account. The speaker walks through various internal penetration testing scenarios, describes the difficulties his team ran into, and explains how the tool that let them deal with those difficulties was developed.


  1. Finding Your Way to Domain Admin Access and Even So, the Game Isn't Over Yet. Keith Lee
  2. #whoami
     • Keith Lee
     • Singapore
     • Senior Consultant at SpiderLabs APAC
     • Loves to write tools
     • Twitter: @keith55
     • Github:
     • Blog:
  3. Overview
     • We do a number of internal network penetration tests as part of our day-to-day work.
     • There are a bunch of awesome tools and techniques for capturing and cracking credentials, but we wanted to fill the gap between cracking a low-privilege password hash from NetBIOS/LLMNR/WPAD attacks etc. and compromising the entire domain, and to help with a few tricky issues that we face as penetration testers.
     • Developed a tool, Portia, to help with this.
  4. Portia
     • Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low-privileged account has been compromised.
     • Functionalities of Portia:
       • Privilege escalation
       • Lateral movement
       • Convenience modules
  5. How does the name ‘Portia’ come about?
     • Portia is a genus of jumping spider that feeds on other spiders, known for intelligent hunting behaviour and problem-solving capabilities usually found only in larger animals.
  6. Portia
  7. Typical Network Environment
  8. Basic Idea of How Portia Works
     • Scans the network for NetBIOS hosts and Domain Controllers
     • Checks whether the credentials provided are valid
     • Enumerates users in the Domain Admins group
     • Checks the SYSVOL/Group Policy Preferences (GPP) items for passwords
     • Is the DC vulnerable to MS14-068?
     • Checks which hosts the account has ‘admin’ access on
     • Dumps plaintext credentials and hashes, and checks ‘Impersonation’ tokens
     • Collects the hashes/credentials and moves on to the next target in the network
     • Auto-elevates permissions if an ‘Impersonation’ token belonging to a Domain Admin is found
     • Compromises the Domain Controller and runs the other convenience modules
  9. Portia Basic Workflow
  10. Starts with the “low-hanging fruit”
  11. Storing passwords in SYSVOL or Group Policy Preferences (GPP)
     • Any authenticated domain user account is able to access it
     • Passwords are encrypted using a publicly known 32-byte AES key
     • Locations in Group Policy Preferences where passwords were saved:
       • Drive Maps
       • Local Users and Groups
       • Scheduled Tasks
       • Services
       • Data Sources
  12. Group Policy Preference Items
  13. Storing passwords in SYSVOL or Group Policy Preferences (GPP)
     • MS patch: MS14-025 (KB2962486)
     • Unable to create new GPO preferences that rely on saved passwords
     • Doesn't remove the old insecure passwords
     • Have they disabled or removed the old account that was used in the GPO previously?
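Slides 11 and 13 say why an administrator should know exactly where saved GPP passwords still sit in SYSVOL after MS14-025. The script below is an added example and not Portia's code or anything from the talk: it walks the GPP XML files named on slide 11 and reports every element that still carries a `cpassword` attribute (file, element, account name), without decrypting anything, so the item can be removed and the account rotated. The XML documents embedded in it are constructed samples; the `audit_sysvol` function assumes you point it at a mounted or copied SYSVOL tree.

```python
"""Audit Group Policy Preference XML files in SYSVOL for saved passwords.

Added example, not Portia's own code. It reports where a cpassword attribute
exists (file, element, account) so the item can be removed and the account
rotated; it does not decrypt anything. The XML below is constructed.
"""
import os
import xml.etree.ElementTree as ET

# GPP files that may carry a cpassword attribute; these correspond to the
# Drive Maps, Local Users and Groups, Scheduled Tasks, Services and Data
# Sources categories named on slide 11.
GPP_FILES = {"Drives.xml", "Groups.xml", "ScheduledTasks.xml",
             "Services.xml", "DataSources.xml"}

# Attribute that names the account on a <Properties> element; it differs by file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "has_secret": cpw != "",   # an empty attribute carries no password
        })
    return findings


def audit_sysvol(sysvol_root):
    """Walk a mounted/copied SYSVOL tree and audit every GPP file in it."""
    results = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    results.extend(find_cpasswords(fh.read(), path))
    return results


# Constructed samples: a Groups.xml with one saved password and one empty
# attribute, and a Services.xml with a saved password for a service account.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2">
    <Properties action="U" userName="LocalAdmin" cpassword="EXAMPLE-ENCRYPTED-BLOB" neverExpires="1"/>
  </User>
  <User name="Helpdesk" image="2">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
"""

SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="BackupSvc">
    <Properties startupType="AUTOMATIC" serviceName="BackupSvc" accountName="CORP\\svc_backup" cpassword="EXAMPLE-ENCRYPTED-BLOB"/>
  </NTService>
</NTServices>
"""


def demo():
    """Run the audit over the constructed samples (what audit_sysvol does per file)."""
    findings = find_cpasswords(SAMPLE_GROUPS_XML, "Policies/{GPO}/Machine/Preferences/Groups/Groups.xml")
    findings += find_cpasswords(SAMPLE_SERVICES_XML, "Policies/{GPO}/Machine/Preferences/Services/Services.xml")
    return [f for f in findings if f["has_secret"]]


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: <{f['element']}> account={f['account']} still has a saved password")
```

The empty `cpassword=""` case is kept separate on purpose: it is common in items that were created without a password change and is not a finding, whereas any non-empty value is readable by every authenticated user and should be treated as a disclosed credential regardless of patch level.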
  14. Portia - Attacking SYSVOL
  15. MS14-068 (KB3011780): Vulnerability in Microsoft Windows Kerberos KDC
     • An attacker is able to use an unprivileged domain user account and elevate its privileges to those of a domain administrator account.
     • A Privilege Attribute Certificate (PAC) can be forged that the KDC accepts as legitimate: a fake PAC can claim that the regular user is a member of the domain administrators group.
     • Thus, if a domain controller is vulnerable to MS14-068, an attacker with normal domain user privileges is able to obtain domain admin privileges.
  16. MS14-068 - Current Tools
     • Responder -
     • Impacket -
  17. Portia - Attacking MS14-068
  18. Portia - Attacking MS14-068
  19. Assuming no passwords in SYSVOL and MS14-068 is not exploitable - what's next?
  20. Impersonate Token
     • What is an impersonation token?
     • When a user logs into a system a delegation token is created, which is converted to an impersonation token once the user logs out.
     • The impersonation token has the same rights and properties as the delegation token.
     • The delegation and impersonation tokens, once created, remain on the system until it is rebooted.
     • If a Domain Administrator impersonation token is found, it can be used to run Mimikatz or to add an account to the Domain Admins group, and then to dump credentials on the DC.
  21. Portia - Impersonate Tokens
  22. Token Impersonation
  23. Portia - Impersonate Tokens
  24. Portia - Impersonate Tokens
     • If no impersonation token is found, Portia runs Mimikatz and dumps the local password hashes
     • If there are any new passwords/hashes they are added to the database and the process starts again
     • The new passwords are tested against every host until there are no new passwords
  25. Shared Local Administrator Passwords
     • IT administrators use a default Operating System (OS) image (with the software installed) and roll it out to new users. The OS is configured with a default password.
     • In order for the IT staff to support the workstations/servers, it's easy to use a single default local administrator password.
     • From an offensive perspective you can exploit this to move from compromising one host in the network to compromising 100 hosts in the network.
     • Portia detects if multiple machines are using the same local administrator password.
     • It does not matter whether the machines are joined to the domain.
  26. No Admin Access?
     • Various local privilege escalation techniques:
       • Hot Potato
       • Windows Update
       • Automatic updater of untrusted certificates
       • Unquoted Service Paths:
         wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
       • Weak file permissions for Windows services, unprotected exe / registries
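The `wmic`/`findstr` one-liner on slide 26 is a quick filter, but it matches on whole lines, so a service whose *arguments* contain spaces or quotes is reported (or hidden) just like one whose executable path is. The script below is an added example, not Portia's code, that implements the same audit over the CSV form of the `wmic` output (`/format:csv`), separating the executable from its arguments before testing for spaces. The sample output is constructed, and the column layout (a `Node` column first, then the requested properties in alphabetical order) is an assumption about `wmic`'s CSV format.

```python
"""Flag auto-start services whose unquoted executable path contains a space.

Added example, not Portia's code. It mirrors the wmic | findstr one-liner from
the slide but separates the executable from its arguments, so argument strings
with spaces or quotes do not produce false results. The sample output below is
constructed; the CSV column order (Node, then properties alphabetically) is
assumed.
"""


def executable_part(pathname):
    """Return the executable portion of a service PathName, dropping arguments."""
    p = pathname.strip()
    idx = p.lower().find(".exe")
    return p[: idx + 4] if idx != -1 else p


def is_weak_path(pathname):
    """True when the executable path is unquoted, contains a space and is not under C:\\Windows."""
    if pathname.strip().startswith('"'):
        return False                       # quoted: the loader knows where the exe ends
    exe = executable_part(pathname)
    if exe.lower().startswith("c:\\windows"):
        return False                       # excluded, as in the slide's one-liner
    return " " in exe


def parse_wmic_csv(text):
    """Parse `wmic service get name,displayname,pathname,startmode /format:csv` output.

    The csv module is avoided on purpose: it would strip the quotes around a
    quoted PathName, which is exactly the information this audit needs.
    """
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    for line in lines[1:]:
        # PathName may contain commas, so peel the fixed columns off both ends.
        node, display_name, name, rest = line.split(",", 3)
        pathname, start_mode = rest.rsplit(",", 1)
        rows.append(dict(zip(header, [node, display_name, name, pathname, start_mode])))
    return rows


def audit_services(csv_text):
    """(Name, PathName) for auto-start services with a weak, unquoted path."""
    return [(r["Name"], r["PathName"]) for r in parse_wmic_csv(csv_text)
            if r["StartMode"].lower() == "auto" and is_weak_path(r["PathName"])]


# Constructed sample output. Only AcmeBackup should be reported: AcmeUpdater is
# quoted, wuauserv lives under C:\Windows, LegacyTool is not auto-start, and
# AcmeMon has spaces only in its arguments.
SAMPLE_WMIC_CSV = r"""
Node,DisplayName,Name,PathName,StartMode
WS01,Acme Backup Agent,AcmeBackup,C:\Program Files\Acme Backup\agent.exe -svc,Auto
WS01,Windows Update,wuauserv,C:\WINDOWS\system32\svchost.exe -k netsvcs -p,Auto
WS01,Acme Updater,AcmeUpdater,"C:\Program Files\Acme\updater.exe" /quiet,Auto
WS01,Legacy Tool,LegacyTool,C:\Tools\legacy tool\tool.exe,Manual
WS01,Acme Monitor,AcmeMon,C:\Acme\monitor.exe "C:\Acme\config dir\mon.cfg",Auto
"""

if __name__ == "__main__":
    for name, path in audit_services(SAMPLE_WMIC_CSV):
        print(f"{name}: unquoted path with spaces -> {path}")
```

A finding only becomes a real weakness when a low-privileged user can also create a file in one of the intermediate directories (for example `C:\Program Files\Acme.exe` or `C:\Program Files\Acme Backup\agent.exe`'s parent), so the fix is to quote the `ImagePath` in the service registry key and to keep those directories writable by administrators only.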
  27. No Admin Access
     • If the option ‘Allow users to connect remotely by using Remote Desktop Services’ is enabled in Group Policy, you will be able to log in remotely to the host
  28. No Admin Access?
     • UAC Bypass
       • Using Eventvwr.exe and registry hijacking
       • Using App Path
       • Using SDCLT.exe
  29. Portia - Hunting for Correct Credentials to access SMB Shares/Folders
     $ python -d CORP -u milo -p Password1 -M shares
  30. Portia - Current Modules
     • Bitlocker Keys
     • KeePass Databases
     • KeePass Passwords
     • TrueCrypt Master Keys
     • Wireless Passwords
     • WinVNC, UltraVNC
     • PuTTY
     • WinSCP
     • Browser Credentials (Firefox/Chrome)
     • FileZilla sitemanager.xml
     • Apache httpd.conf
     • Unattend.xml, Sysprep.xml, Sysprep.inf
     • Passwords stored in documents labelled *password*
     • IIS Credentials (ApplicationHost.config)
     • PAN numbers in files/memory
  31. Portia - Find Interesting Files
  32. Portia - Find Interesting Files
  33. Portia - Dumping Browser Credentials
     • Uses various PowerShell scripts
     • First checks for Firefox or Chrome
     • Checks the currently logged-in user and whether we have the hash or password belonging to that user
     • A PowerShell script that runs in the user's session dumps the credentials to a file
  34. Portia - Dumping Browser Credentials
  35. Portia - Searching for PAN on Disk and In-Memory
     • Useful tools for searching disks and memory for PAN numbers:
       • (Disk)
       • (Memory)
     • Portia uses modified versions of these tools
     • Portia enumerates the list of installed applications on the hosts where we have admin access
     • Portia enumerates the processes running on the hosts where we have admin access
     • Portia produces a table mapping which processes/programs are running on which hosts and which processes are common. This allows an attacker to find interesting ‘processes’ to dump and search for PAN numbers.
  36. Portia - Searching for PAN on Disk and In-Memory
  37. Other Modules - KeePass
  38. Other Modules - TrueCrypt
  39. Portia - Analysing Hashes
     • Currently has some basic analysis of hashes:
       • Blank hash
       • Accounts using the same hash
     • Future improvements:
       • Checking for password reuse between local admin accounts and domain admin accounts
  40. Portia - Analysing Hashes
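Slide 25 (the same local administrator password on many machines) and slide 39 (blank hashes, accounts sharing a hash) both come down to one operation: group collected account records by NT hash and look at the groups. The script below is an added example, not Portia's analysis code, that does this over pwdump-style lines (`user:rid:lmhash:nthash:::`) tagged with the host they were collected from; it also goes one step past the slide and covers the "future improvement" of local-versus-domain reuse by treating one tag as the domain dump. All the dump lines are constructed samples (the first NT hash is the well-known hash of the string `password`; the others are made up).

```python
"""Basic analysis of collected account hashes: blank passwords and hash reuse.

Added example, not Portia's own code. Input is pwdump-style lines
(user:rid:lmhash:nthash:::) as produced by common SAM/NTDS dumping tools,
tagged with the host they came from. All sample data below is constructed.
"""
from collections import defaultdict

# NT hash of the empty password (well-known constant)
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump(host, text):
    """Return (host, user, nthash) for every pwdump line in text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue                          # not a pwdump line, skip it
        records.append((host, fields[0], fields[3].lower()))
    return records


def analyse(records):
    """Group records by NT hash; report blank hashes and hashes used by more than one account."""
    by_hash = defaultdict(list)
    for host, user, nthash in records:
        by_hash[nthash].append((host, user))
    blank = by_hash.get(BLANK_NT, [])
    shared = {h: accts for h, accts in by_hash.items()
              if h != BLANK_NT and len(accts) > 1}
    return {"blank": blank, "shared": shared}


def local_domain_reuse(shared, domain_tag):
    """Shared hashes that occur both in a local SAM and in the domain dump (slide 39's future item)."""
    return {h: accts for h, accts in shared.items()
            if any(host == domain_tag for host, _ in accts)
            and any(host != domain_tag for host, _ in accts)}


# Constructed sample dumps: three workstations plus a domain dump tagged CORP.
SAMPLE_DUMPS = {
    "WS01": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::""",
    "WS02": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::""",
    "WS03": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::""",
    "CORP": """svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::""",
}


def demo():
    """Collect every sample dump and run the analysis over the combined set."""
    records = []
    for host, text in SAMPLE_DUMPS.items():
        records += parse_pwdump(host, text)
    report = analyse(records)
    report["local_domain_reuse"] = local_domain_reuse(report["shared"], "CORP")
    return report


if __name__ == "__main__":
    r = demo()
    print("blank passwords:", r["blank"])
    for h, accts in r["shared"].items():
        print(f"hash {h} shared by {len(accts)} accounts: {accts}")
    print("local/domain reuse:", r["local_domain_reuse"])
```

A pwdump line carries no account status, so a blank hash on a disabled built-in such as Guest is expected; join the report with account status before raising it. The shared-hash groups are what LAPS (slide 43) removes: once every machine has its own local administrator password, the `shared` dictionary for RID 500 accounts should be empty.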
  41. Future Enhancements
     • Microsoft SQL support
       • Finds passwords/hashes that grant access to the database
       • Dumps a sample of each table (i.e. the first five or so records)
       • Sensitive info (e.g. PAN)
     • Docker image
       • Easy setup
     • Add MS08-067 and MS17-010
  42. Demo Time
  43. Remediations
     • Shared Local Administrator Account
       • Local Administrator Password Solution (LAPS)
         • Randomly generates passwords that are automatically changed on managed machines.
         • Effectively mitigates PtH attacks that rely on identical local account passwords.
         • Enforces password protection during transport via encryption using the Kerberos version 5 protocol.
         • Uses access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
  44. Remediations
     • Impersonation Token
       • For high-privilege accounts (accounts in the Domain Admins group), tick the box “Account is sensitive and cannot be delegated”
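The checkbox on slide 44 sets the `NOT_DELEGATED` bit (0x100000) in the account's `userAccountControl` attribute. A simple way to verify the remediation across a whole privileged group is to export the members with their `userAccountControl` value and test the bit. The script below is an added example, not from the talk or from Portia; it parses a minimal LDIF-style export (constructed here, with made-up DNs and account names) and lists the enabled members of a group that still lack the flag.

```python
"""List members of a privileged group without "Account is sensitive and cannot be delegated".

Added example, not from the talk or Portia. The setting on the slide is the
NOT_DELEGATED bit of userAccountControl. This parses a minimal LDIF-style
export (constructed below) and reports enabled group members lacking the bit.
"""

NOT_DELEGATED = 0x100000   # ADS_UF_NOT_DELEGATED
ACCOUNTDISABLE = 0x0002    # ADS_UF_ACCOUNTDISABLE


def parse_ldif(text):
    """Parse blank-line separated LDIF records into dicts; memberOf is multi-valued."""
    users, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                users.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "memberOf":
            current.setdefault("memberOf", []).append(value)
        else:
            current[key] = value
    if current:
        users.append(current)
    return users


def unprotected_members(users, group_dn):
    """sAMAccountNames of enabled members of group_dn whose NOT_DELEGATED bit is clear."""
    hits = []
    for u in users:
        if group_dn not in u.get("memberOf", []):
            continue
        uac = int(u.get("userAccountControl", "0"))
        if uac & ACCOUNTDISABLE:
            continue                      # disabled accounts belong in a different report
        if not uac & NOT_DELEGATED:
            hits.append(u["sAMAccountName"])
    return hits


# Constructed sample export. 512 = normal account; 1049088 = 512 + 0x100000
# (flag set); 514 = 512 + 2 (disabled).
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example"

SAMPLE_LDIF = f"""dn: CN=Alice Admin,OU=Admins,DC=corp,DC=example
sAMAccountName: alice.adm
memberOf: {DOMAIN_ADMINS}
userAccountControl: 512

dn: CN=Bob Admin,OU=Admins,DC=corp,DC=example
sAMAccountName: bob.adm
memberOf: {DOMAIN_ADMINS}
userAccountControl: 1049088

dn: CN=Old Admin,OU=Admins,DC=corp,DC=example
sAMAccountName: old.adm
memberOf: {DOMAIN_ADMINS}
userAccountControl: 514

dn: CN=Carol,OU=Staff,DC=corp,DC=example
sAMAccountName: carol
memberOf: CN=Helpdesk,OU=Groups,DC=corp,DC=example
userAccountControl: 512
"""


def demo():
    """Accounts in the sample Domain Admins group that still need the checkbox ticked."""
    return unprotected_members(parse_ldif(SAMPLE_LDIF), DOMAIN_ADMINS)


if __name__ == "__main__":
    for name in demo():
        print(f"{name}: member of Domain Admins but delegation is still allowed")
```

Only direct `memberOf` values are checked here; in a real directory the group membership should be expanded recursively (nested groups and the primary group) before applying the test, otherwise an administrator nested through an intermediate group is missed.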
  45. Remediations
     • Mimikatz
       • Install hotfix KB 2871997
       • Disable WDigest:
         reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0