Tuesday, 30 August 2011

Okay, you have their password. Now what?

Okay, so somehow, you have managed to find a password belonging to a domain user (maybe you used NetBIOS Spoofing - see July post); you may ask yourself, "What now? What can I do with just a regular user account?".

So, obviously we have to find a way to leverage this account to escalate our privileges up to domain admin level if possible. Most times, this can be really simple - it's just a matter of taking your time, being thorough, and knowing where to look. First off, it's usually a good idea to find out exactly what level of access you have on the network: what groups are you a member of?  Do you have local admin access on any - or all - of the desktops? These sort of things... Group memberships can be found by using an nmap nse script:-

nmap -p445 <IP> --script smb-enum-groups --script-args=smbuser=<username>,smbpass=<password>,smbdomain=<domain>

Results can vary with this, so you may find using a tool like dumpsec better, which is excellent. You have to remember to first create a session token with Dumpsec, though, else it won't work. This can be done be first browsing to the target and entering the credentials you have, or creating a null session to the IPC$ share.

Once you know what groups your credential has membership of, it's time to find out if you have admin access on anything in the network (this can be desktops or servers). There are a few ways to find admin access, but I like to use nmap's smb-server-stats script, as follows:-

nmap -p445 <iprange> --script smb-server-stats.nse --script-args=smbuser=<username>,smbpass=<password>,smbdomain=<domain> >/tmp/results.txt

Any host you get script results back from, will indicate that you have admin level privs on this machine.

If you happen to find any machines you have admin access to, you're in luck! Especially if they are servers (terminal servers are usual candidates).

Make a list of these machines and start using incognito to dig out high level admin accounts. Whenever a domain user logs on to a PC, or accesses it in any way across the network, a token is stored containing those credentials that lets you continue to log-on to that PC without re-authenticating again. This token is stored for around 10hrs from what I can remember, and can be impersonated by an attacker with Incognito. A good write-up on token stealing is available here:- http://www.argeniss.com/research/TokenKidnapping.pdf

Run this against the machines you have full access to; you need to be looking for high-level domain account tokens. If you can find a domain admin token, then impersonate it and add yourself to the domain admins group.

You also have the option at this stage to use other tools that will all help you escalate towards domain admin:-
  • psexec / meterpreter
  • Incognito here
  • pwdumpX1.4 here
  • gsecdump here
  • Windows Credential Editor here
  • ophcrack here
  • able (cain & able) here
  • sysinternals - lsasecretsdump.exe here
Using these tools will reveal local hashes, cached creds, tokens, hashes for tokens, and service account passwords, usually resulting in a successful route to full domain pwnership.

If you don't have any admin privs, the next thing I find useful to do is to search the SYSVOL shares on the DC's for log-in scripts containing run-as creds, as often they can contain high-level accounts. Browsing under win7 is better as you can also easily search file contents.

Look around the network and try to find servers with names indicating that they may contain IT dept information. Refer back to the previous NMAP scan to locate interesting shares.

Access the shares with the domain user's creds and again, search file contents for words like passw or administrator, etc.

Taking your time is the key to success here, as so many potential routes in can pass by unnoticed.
Take time to learn the tools listed above, and know what each is capable of and which get picked up by which AV.

I hope this highlights a little of what can be done from that "un-important password" you have captured. If anyone else has any good tips and ideas of this nature, please use the comments below.