Tuesday, September 11, 2012

Active Directory Security Privilege Escalation Using Impersonation with Password Hashes

Hello!

In this post we will look at the second way to escalate privilege in Active Directory, which is easier than guessing a password to escalate privilege but more difficult than resetting a user's password to escalate privilege. (Resetting a domain/delegated admin's password to escalate privilege in Active Directory is the easiest way; more on that in the next post.)


Active Directory Security Privilege Escalation Using Hash Impersonation - Overview & Pre-Conditions

This method involves obtaining the password hash of a target user and then passing the hash to Active Directory to impersonate that user, thus, in effect escalating your privilege to that user.

Although this method sounds easy to carry out, and is not difficult to carry out, it relies on two pre-conditions being met -
  1. You have to be a Local Admin on the machine from which you wish to carry out the attack
  2. The user whom you wish to impersonate must perform a logon on this machine.

If either of the two conditions is not met, you cannot carry out this attack.

The first condition is necessary because you need certain privileges to obtain password hashes from the machine's Security Accounts Manager (SAM) database, and the second condition is necessary because unless the user has logged on to your machine, his/her hash won't exist on your machine, so there will be no hash to obtain!

This is a very important point: in contrast to the method of resetting a user's password to escalate privilege (which requires neither of these pre-conditions), no matter how easy this method may be to carry out, you will not be able to carry it out unless both pre-conditions are met.



Active Directory Security Privilege Escalation Using Hash Impersonation - Tools Needed

To escalate your privilege in Active Directory using this method, you will need a pair of tools - one to obtain hashes, and one to pass the hash to Active Directory.

One of the most commonly used tools to obtain hashes is called lslsass.exe, which is developed by a company called TrueSec. Other alternatives include pwdump, gsecdump, etc.

The second tool you will need, the one used to pass the hash to Active Directory, is called RunhAsh.exe, which is also developed by TrueSec.
  • WARNING: I should mention that TrueSec provides NO assurance as to the security of these tools, so they could very well be used to compromise your own security.


Active Directory Security Privilege Escalation Using Hash Impersonation - The Setup

To see how this method works, we will at a minimum need one Domain Controller (DC) and one domain-joined machine. We will also need to use at least two administrative accounts, one being a Domain Admin / Enterprise Admin / Delegated Admin domain user account and the second being a local administrative account on the domain-joined machine.

So here is my setup -

Active Directory Privilege Escalation - Impersonating with Password Hashes - Setup

Note that the second account could also be a domain user account, but it need not be. It does, however, need to be a Local Admin on the machine, which it could be through membership in the local Administrators group on that domain-joined machine.

As you can see, the domain is khrushchev.local, with one domain controller (DC) nevsky.khrushchev.local and one domain-joined machine nikolai.khrushchev.local.
 
There are also two user accounts in play here. The first one is a local administrator account on the domain-joined machine nikolai, so it is nikolai\administrator. The second account is the target of the privilege escalation attack, and it is thus a domain admin account, named (for illustrative purposes) domainadmin, so it is khrushchev\domainadmin.
 
We will be escalating privilege on the domain-joined machine, and escalating privilege from the local administrator account on that machine to the domain administrator account.
 
  • NOTE: Again, the assumption here is that the domain admin has logged on to the domain joined machine. Without this pre-condition in place, this attack CANNOT be carried out. (Unlike this attack vector, the attack vector involving the use of password resets does not have any pre-conditions.)
  

Active Directory Security Privilege Escalation Using Hash Impersonation - Step-by-Step
 
1. The first step is to log on to the domain-joined machine as an administrator on the machine.
 
Local Administrator on Domain-Joined Machine
 
Before proceeding, it is helpful to confirm that we do not yet have access to the DC. A simple net use to the default hidden administrative share c$ on the DC, Nevsky, shows that the local administrator account does not have the required access on the DC.
 
net use to c$ on DC fails
 
This way we know that we do not have admin access on the DC to begin with.
 
To doubly ensure that we do not have access, let us use LDP to connect to the domain (an LDAP connect operation does not require credentials) and then bind using the Bind as currently logged on user option (since LDAP binds do require credentials).
 
LDAP connect to domain succeeded
 
LDP - Using Bind as currently logged on user option
 
LDP - LDAP Bind as Currently Logged on User Fails
 
As we can see, we were unable to get authenticated to the AD using the local administrator account on nikolai. We do not have any domain admin privileges just yet.
 
 
 
2. Next, we proceed to obtain the hashes from the SAM on the machine, by using lslsass.exe
 
Using lslsass32.exe to obtain password hashes from SAM
 
Aha, notice that we were able to locate and dump the hashes stored in memory, including that of the Domain Admin, as he has logged in to this machine in the recent past. So now we have a hash of the Domain Admin's password!
 
 
3. So, we then proceed to pass the hash to the AD by using runhAsh.exe.
 
Using runhAsh32.exe to pass/impersonate the hash to Active Directory
 
Aha, as you can see, runhAsh seems to have succeeded in impersonating the Domain Admin!
 
Let us test this by trying to connect to C$ again.
 
net use to c$ on DC nevsky successful
 
We see that this time around the net use does succeed and we do have access to c$ on the DC!
 
To confirm that this worked, let us perform a simple directory listing of the c$ share on the domain controller nevsky.
 
Directory Listing on C$ on Domain Controller nevsky succeeds
 
That succeeded too. Now, to doubly ensure that we do have access, let us use LDP again to connect to the domain and then bind again using the Bind as currently logged on user option.
 
Connecting to Active Directory using LDP
 
  
 
LDAP Bind from LDP Using Bind as Currently Logged in User Succeeds Verifying Elevated Domain Admin Creds

Viewing the Active Directory Domain Admin's Account using LDP

As we can see, we were able to get authenticated to the AD so we have certainly elevated our privilege to that of a Domain Admin! Once you're a Domain Admin, you can do whatever you wish, for you are the master of the domain now!
 
 
 
Active Directory Security Privilege Escalation Using Hash Impersonation - Risk Mitigation
 
This specific risk can be mitigated by employing a new feature in Microsoft Windows Server 2008 R2 called Authentication Mechanism Assurance. I will not go into the details, as they are described in sufficient detail on Microsoft's website and other sources on the net. In addition, as a Domain Admin, one can also minimize the risk of being victimized by avoiding the use of Domain Admin credentials on machines you do not own/manage/trust.
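As an added example (not from the original post or from TrueSec), here is a PowerShell audit for the pre-condition this attack depends on: it lists interactive logons by Domain Admins on a given non-DC machine from its Security event log, so an admin can see where Domain Admin credentials have been exposed. It assumes the RSAT ActiveDirectory module, rights to read the remote Security log, and a placeholder computer name.

```powershell
# Added example, not part of the original post: find Domain Admin logons that
# would leave a reusable hash on a domain-joined machine.
param(
    [string]$ComputerName = 'WORKSTATION01',   # placeholder, not from the post
    [int]$Days = 30
)
Import-Module ActiveDirectory

# Resolve Domain Admins recursively, so members of nested groups are included.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Logon types that load credential material into the local LSASS:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
$riskyLogonTypes = @('2', '10', '11')

# Event 4624 = successful logon.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$findings = foreach ($ev in $events) {
    # Pull the named fields out of the event's XML payload.
    $data = ([xml]$ev.ToXml()).Event.EventData.Data
    $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    $type = ($data | Where-Object Name -eq 'LogonType').'#text'
    if ($riskyLogonTypes -contains $type -and $domainAdmins -contains $user) {
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Computer  = $ComputerName
            User      = $user
            LogonType = $type
        }
    }
}

if ($findings) {
    # Each row is a machine where a Domain Admin's hash may still be resident.
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No Domain Admin interactive logons on $ComputerName in the last $Days days."
}
```

Run it against each workstation and member server in turn; any hit is a machine whose local administrators should be reviewed and whose Domain Admin logons should stop.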

 
lslsass, runhash and ldp Download, Trial and Additional Info
 
For more info and download points, check out lslsass32.exe and runhash32.exe.

  • WARNING: I should mention AGAIN that TrueSec provides NO assurance as to the security of these tools, so they could very well be used to compromise your own security. The use of such tools is not authorized in most organizations, so you could also lose your job if your employer has policies in place to prevent the use of such tools in their environment.
 
In the next post, we will see how to use the easiest way to escalate privilege in Active Directory, which is via the use of Active Directory Password Resets.

Thank you
  