Audit Gone Bad - I'm Now The Domain Admin.

Today I had the pleasure of auditing a branch organization. The guilty will remain nameless.

Anyhow, over the years I have put together a set of tests to perform in a Microsoft AD environment. Because I'm seeing this issue more and more, I figured I would report it here so perhaps you don't find yourself on the hook during a security audit.

Without going into extensive detail, Microsoft AD uses logon scripts to map your host to certain resources at logon time. These scripts can also be used to push software, change policy, etc..

When written properly, you don't have many issues. When deployed poorly, you can give away the domain admin account in seconds.

Because you have to be able to execute the login scripts, each host must be able to read and execute the batch file. This means that from *any* workstation you can peruse the logon script directory on the domain controller. There are secure ways to setup scripts, however in this example, the lazy admin took the easy way out and believed he was secure in doing so.

OK, so here is what he did:
1) Created a login script that utilized a third party "runas" tool made by lansweeper. Its called lsrunasE.
See: http://www.lansweeper.com/ls/lsrunas.aspx
It basically takes your password and runs it through a weak encryption process that uses (surprise, surprise) static salts.

2) He placed his domain admin credentials in the logon script.

Code:

---

lsrunase /user:ADMIN /password:5F44Dxkkjd1167aaa== /domain:DOMAIN.XXX various other switches.

---

3) Reported to us that the script is secure.

OK, when I first saw this I laughed. He didn't find humor in this. He said, "You have to break the encryption if you are going to do anything with that account.

I responded with, "Oh really?!" and the typical smirk of discontent.

To humor him I simply Googled lsrunase and DLed the tool which comes with the encryption engine. This is a free tool BTW. I already knew I could run this tool and pass the hash through on any app or server in the domain, but hey, he said I had to break the encryption so I had to prove him wrong.

The lsrunase app obviously has the decrytion mechanism in it or the hash wouldn't work. All I did was run this tool with the user and password as seen below in a shortcut to the lsrunase app which called the domain administration MMC.

Example:

Code:

---

"C:\temp\lsrunase\lsrunase.exe" /user:ADMIN /password:5F44Dxkkjd1167aaa== /domain:DOMAIN.XXX/command:"mmc dsa.msc"

---

PRESTO!
Without decrypting the hash, I am now the domain admin. Can you guess where I go from here? Yep, back to the hash. Needless to say, the encryption is extremely weak. In fact, I think that even skiddieleet could break it. After about 5 minutes I handed him his password and wrote up the failing grade on the audit before leaving the first test.

If you ever want to see someone lose their mind on the spot, this is a good way to provoke it.

Just so everyone knows, the info above (user:password, etc.) has been heavily doctored to leave no trace of the real credentials. The point here is that in a matter of 5 minutes I PWN3D a very sensitive agency and they didn't like it very much. I can't imagine that these poor fools are the only ones doing things like this. Please look at and understand how to securely manage your AD environment!

This has been a public service announcement

--TH13

W00T! So, do you get a raise, now that you are the domain admin? Or is that "I PWN J00 AND 4M N0W T3H L337 ADM1|\|!!!!"?!?!

Haha, nicely done.

I stamp "th3 PWN3D" board in my office and move on to the next victim. :)

There is no glory in the trenches, thus, I must make my own.

Nice job, TH13.. I liked this bit:

Quote:

---

The point here is that in a matter of 5 minutes I PWN3D a very sensitive agency and they didn't like it very much.

---

That's classic man, good horsey ;)

Nice.

Just curious thehorse13 what would you have done to prevent this from happening ????

Just a curious guy who would like to be educated a little bit more...

Thanks ...

Quote:

---

Originally posted here by thehorse13
He placed his domain admin credentials in the logon script.

---

Jesus H Christ, tell me this isn't a branch of homeland security doing this.

It seems that you have met an old friend for dinner.

Our admin wasn't born an uneducated admin, Sonny. He was made one through years of systematic ignorant self-guidance. Billy boy hates his own identity now, you see, and he thinks that makes him the foremost authority on security. -- Dr. Lector


On a serious note, if he still works there I'd be worried about an inside attack. Unless you all have TOS's that protect themselves from users. I'm sure you're on top of that already I suppose. You have to be feeling like top dog for sure.

I encounterd this once, or a similar process in any event, got me access to the //EXAM drive at school, was amusing though there was nothing there of value the admins went balistic, but since I told them about their giant boo-boo they didnt try to beat me to death.

Yay for static salts :P

- Noia

Quote:

---

Just curious thehorse13 what would you have done to prevent this from happening ????

---

I had them remove the stupidity and made them use SMS to push software which is why we spent 150K on the damn software to begin with.

In your audits... you just audit until you own their boxes?

You don't continue the audit and look for more major problems? If they are making mistakes like this, there is no doubt that there are more to be found. Seems like a waste of time to have to keep revisiting a site after they fix every failure.

Quote:

---

Originally posted here by thehorse13
I had them remove the stupidity and made them use SMS to push software which is why we spent 150K on the damn software to begin with.

---

TH13, its amazing how some admins can be so stupid. Use admin password on a logon script.... pifff..

TH13, just a thought: if you are pushing software to the computer (not to a specific user), you can use also startup script that runs under local system account instead of user account. We use to use those script to deploy some services to the users.

Quote:

---

you can use also startup script that runs under local system account instead of user account.

---

Yeah, we used to do it that way until we got the funding for an enterprise management package (SMS). I'm trying to convince these old Novell Netware jockies to use the damn tool. They are worse than the Mac zealots. ;)

Quote:

---

SMS to push software which is why we spent 150K on the damn software to begin with.

---

:eek:

Why the hell would they want the hassle of scripts compared to SMS. Not to mention it's already owned and licensed. If I was the IT Manager there, I am not sure I would fire the guy, but I would be ball stomping :mad:

I do have a federal job(organization to remain namless), and our security frightens me sometimes. All users run as local admins and the \\host\c$ is accessible on anyone's computer :( I usually try and save our IT guys some time by trying to fix my own problems(adware), but I decided to let them take care of it one time. After talking about my CCNA class, one of our IT people asked me why I had chosen Novell. I tried not to laugh in her face.

Quote:

---

In your audits... you just audit until you own their boxes?

You don't continue the audit and look for more major problems? If they are making mistakes like this, there is no doubt that there are more to be found. Seems like a waste of time to have to keep revisiting a site after they fix every failure.

---

Welcome to the magical world of Govt. logic. :)

Yes, I run through the battery of tests until I PWN. The good news is that many places do pass.