|
-
August 12th, 2005, 01:04 AM
#1
Audit Gone Bad - I'm Now The Domain Admin.
Today I had the pleasure of auditing a branch organization. The guilty will remain nameless.
Anyhow, over the years I have put together a set of tests to perform in a Microsoft AD environment. Because I'm seeing this issue more and more, I figured I would report it here so perhaps you don't find yourself on the hook during a security audit.
Without going into extensive detail, Microsoft AD uses logon scripts to map your host to certain resources at logon time. These scripts can also be used to push software, change policy, etc..
When written properly, you don't have many issues. When deployed poorly, you can give away the domain admin account in seconds.
Because you have to be able to execute the login scripts, each host must be able to read and execute the batch file. This means that from *any* workstation you can peruse the logon script directory on the domain controller. There are secure ways to setup scripts, however in this example, the lazy admin took the easy way out and believed he was secure in doing so.
OK, so here is what he did:
1) Created a login script that utilized a third party "runas" tool made by lansweeper. Its called lsrunasE.
See: http://www.lansweeper.com/ls/lsrunas.aspx
It basically takes your password and runs it through a weak encryption process that uses (surprise, surprise) static salts.
2) He placed his domain admin credentials in the logon script.
Code:
lsrunase /user:ADMIN /password:5F44Dxkkjd1167aaa== /domain:DOMAIN.XXX various other switches.
3) Reported to us that the script is secure.
OK, when I first saw this I laughed. He didn't find humor in this. He said, "You have to break the encryption if you are going to do anything with that account.
I responded with, "Oh really?!" and the typical smirk of discontent.
To humor him I simply Googled lsrunase and DLed the tool which comes with the encryption engine. This is a free tool BTW. I already knew I could run this tool and pass the hash through on any app or server in the domain, but hey, he said I had to break the encryption so I had to prove him wrong.
The lsrunase app obviously has the decrytion mechanism in it or the hash wouldn't work. All I did was run this tool with the user and password as seen below in a shortcut to the lsrunase app which called the domain administration MMC.
Example:
Code:
"C:\temp\lsrunase\lsrunase.exe" /user:ADMIN /password:5F44Dxkkjd1167aaa== /domain:DOMAIN.XXX/command:"mmc dsa.msc"
PRESTO!
Without decrypting the hash, I am now the domain admin. Can you guess where I go from here? Yep, back to the hash. Needless to say, the encryption is extremely weak. In fact, I think that even skiddieleet could break it. After about 5 minutes I handed him his password and wrote up the failing grade on the audit before leaving the first test.
If you ever want to see someone lose their mind on the spot, this is a good way to provoke it.
Just so everyone knows, the info above (user assword, etc.) has been heavily doctored to leave no trace of the real credentials. The point here is that in a matter of 5 minutes I PWN3D a very sensitive agency and they didn't like it very much. I can't imagine that these poor fools are the only ones doing things like this. Please look at and understand how to securely manage your AD environment!
This has been a public service announcement
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 12th, 2005, 01:14 AM
#2
W00T! So, do you get a raise, now that you are the domain admin? Or is that "I PWN J00 AND 4M N0W T3H L337 ADM1|\|!!!!"?!?!
Haha, nicely done.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
August 12th, 2005, 01:19 AM
#3
I stamp "th3 PWN3D" board in my office and move on to the next victim. 
There is no glory in the trenches, thus, I must make my own.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 12th, 2005, 01:21 AM
#4
Nice job, TH13.. I liked this bit:
The point here is that in a matter of 5 minutes I PWN3D a very sensitive agency and they didn't like it very much.
That's classic man, good horsey 
-
August 12th, 2005, 02:52 AM
#5
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
August 12th, 2005, 06:18 AM
#6
Just curious thehorse13 what would you have done to prevent this from happening ????
Just a curious guy who would like to be educated a little bit more...
Thanks ...
-
August 12th, 2005, 06:55 AM
#7
Originally posted here by thehorse13
He placed his domain admin credentials in the logon script.
Jesus H Christ, tell me this isn't a branch of homeland security doing this.
It seems that you have met an old friend for dinner.
Our admin wasn't born an uneducated admin, Sonny. He was made one through years of systematic ignorant self-guidance. Billy boy hates his own identity now, you see, and he thinks that makes him the foremost authority on security. -- Dr. Lector
On a serious note, if he still works there I'd be worried about an inside attack. Unless you all have TOS's that protect themselves from users. I'm sure you're on top of that already I suppose. You have to be feeling like top dog for sure.
-
August 12th, 2005, 07:10 AM
#8
I encounterd this once, or a similar process in any event, got me access to the //EXAM drive at school, was amusing though there was nothing there of value the admins went balistic, but since I told them about their giant boo-boo they didnt try to beat me to death.
Yay for static salts :P
- Noia
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
-
August 12th, 2005, 11:09 AM
#9
Just curious thehorse13 what would you have done to prevent this from happening ????
I had them remove the stupidity and made them use SMS to push software which is why we spent 150K on the damn software to begin with.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 12th, 2005, 01:04 PM
#10
In your audits... you just audit until you own their boxes?
You don't continue the audit and look for more major problems? If they are making mistakes like this, there is no doubt that there are more to be found. Seems like a waste of time to have to keep revisiting a site after they fix every failure.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
