In this post, we will look at the 3 primary ways to escalate privilege in Active Directory. (In the posts to follow, I will cover each of these in detail.)
Before you begin to escalate privilege, you first identify the target of your Active Directory privilege escalation attack, i.e. the Active Directory (domain) user account whose identity you wish to compromise.
The objective of the privilege escalation attack is to elevate your privilege from that of your own account to that of another account, usually one that has more (elevated) powers than yours. This domain user account can be that of a colleague, a delegated Active Directory administrator (e.g. a Help Desk Analyst) or a Domain/Enterprise Administrator.
To accomplish this, the primary method of attack is to steal the identity of the target domain user account. In other words, all 3 primary ways to escalate privilege in Active Directory involve stealing a corporate user’s identity, since their domain user account is basically their identity.
So, the 3 ways to escalate privilege in Active Directory are –
- Guessing the target user’s password, then logging in using the password
- Obtaining and then passing the user’s hash to impersonate the user
- Resetting the user’s password, then logging in with new password
The 3 ways listed above are in decreasing order of the effort required.
So the hardest way is to guess the target user’s password, and the easiest way is to reset the target user’s password, even though tools (l0phtcrack) make the actual guessing effort easy.
The second way falls in between: it requires less time than guessing passwords, but it requires access to a machine on which the target user may have logged on. Once you have access to such a machine, there are now tools available (lslsass64.exe) that can help you find the user’s hashes and then use them (runhash64.exe).
Resetting a user’s password is the easiest but also the least known / least used method, because the hardest part of this approach is not actually resetting the password, but finding out who can reset the password of the target user’s account.
Finding out who can reset the password of a domain user account is generally a very difficult task, and it is this level of difficulty that has deterred the use of this attack vector. But these days, just as there is at least one tool to help brute-force passwords (l0phtcrack), there is also a tool to easily find out who can reset whose passwords in an Active Directory environment. The availability of such a tool now makes it very easy for anyone to find out who can reset whose passwords, use this information to reset a target user’s password, and then log in as the target user, in effect successfully escalating privilege in Active Directory.
In the next 3 posts, we will see in detail how to use each of these three methods to escalate privilege in Active Directory, with analysis of how much effort each approach involves, what tools are required, and other helpful details.
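From the defender's side, the practical counterpart of the point above is to audit which principals hold the reset-password right over a privileged account and to remove any delegation that should not be there. The PowerShell below is an added example, not code from this post or from any tool it mentions; it assumes the ActiveDirectory (RSAT) module is installed, and the account name 'adm-alice' is a placeholder.

```powershell
# Added example (not the post's own code): list every principal that can reset
# the password of a given account, so over-broad delegation can be reviewed.
# Assumes the ActiveDirectory module (RSAT), which also provides the AD: drive.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$AllExtendedRights = [guid]'00000000-0000-0000-0000-000000000000'  # ObjectType unset = every extended right

function Get-PasswordResetTrustees {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # Reset password is granted either by the specific extended right,
        # by the "all extended rights" ACE, or implicitly by GenericAll.
        $hasExtended = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                       ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq $AllExtendedRights)
        $hasGenericAll = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0

        if ($hasExtended -or $hasGenericAll) {
            $via = if ($hasGenericAll) { 'GenericAll' } else { 'ResetPassword' }
            [pscustomobject]@{
                Target    = $SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $rights.ToString()
                Inherited = $ace.IsInherited   # $true = comes from OU delegation, not the object itself
                Via       = $via
            }
        }
    }
}

# Review who can reset a privileged account's password ('adm-alice' is a placeholder)
Get-PasswordResetTrustees -SamAccountName 'adm-alice' | Format-Table -AutoSize
```

For accounts protected by AdminSDHolder (adminCount=1), the ACL shown here is periodically re-stamped from CN=AdminSDHolder,CN=System, so review that object's ACL as well.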
Thank you