LSA Secrets, Service Account Password Extraction, NT/SYSTEM Privilege Account, gMSAs

In this article we talk about one of the most common vulnerability exist in modern  enterprise windows network infrastructure. We demonstrate how an attacker elevate privilege from administrator account to NT/ SYSTEM Authority privilege which is highest privilege in local windows system. The idea is to use NT authority system privilege to interact with LSA secrets and extract passwords from services account. Often these services accounts misconfigured in modern windows enterprise, which likely enable low privilege user to gain higher privileges.

Technical assumptions:

  • Attacker has an elevated privilege (Local Admin)
  • Attacker identified a service account AwesomeService.exe installed locally and runs under the local administrator privilege

 

Regedit Registry editor permission with SAM hive file requires NT/Authority SYSTEM Privilege, we  can not access the SAM File hive with windows local administrative permission.

SYSTEMPerm

Figure 1 SAM Hive set to full control permission

 

We Launch registry editor under the local administrative privilege – we are not able to read/write and modify SAM files.

4

Figure 2 Regedit under the windows administrator privilege account.

 

We elevate the local administrator privilege to NT/Authority SYSTEM privilege using the SysInternals PsExec Mark Russinovich copy of the PsExec Here   with the -i interactive, -s run remote process in the system account and -d  dot wait for process to terminate.

1

Figure 3 PsExec elevated privilege from local admin to NT/Authority SYSTEM

 

NT Authority\SYSTEM has access to SAM hive files

NT-Authority-Sam-file-5

Figure 4 Corroborates the SAM hive access via SYSTEM privilege

 

We not really interested in SAM/SYSTEM contents – We are after LSA Secrets and Service Account password extraction, however we need to create and compile a windows 10 compatible service and install it locally on our windows 10.

2

Figure 5 –  We created AwesomeService.exe with DisplayName “Windows Update” using SC Service Control to install and set the run time to auto start.

 

Display Name set as Windows Update

3

Figure 6 AwesomeService.exe runs as service under the local administrator privilege.

 

AwesomeService current value is in binary mode

currentValue

Figure 7  AwesomeService in binary value

 

lsasecret.exe /service AwesomeService command to dump clear text password from the registry.

AwesomeService-OpenSSHd

Figure 8   extracted openSSHd and AwesomeService accounts from registry.

Link to github lsasecre.exe the original source code from “Timothy D.Morgan”

 

Mitigation:

There are couple of solutions to mitigate against this particular vulnerability – the easiest and Microsoft recommended approach is the use of native windows feature,  Managed Service Account (MSA) and Group Managed Service Account (gMSA) .

Switch to your Server 2012 domain controller generate KDS root key for use with managed MSA and Group Managed Service Accounts (gMSA)   New-KdsRootKey Powershell cmdlet to initialize the key. The reason that we need to generate this once because this will be used in generating passwords for the Group Managed Service Accounts.

Add-KdsRootKey –EffectiveImmediately

Run this under the windows administrator Powershell console; The  -EffectiveImmeditely takes 10 hours from the time of creation to allow all domain controllers to replicate before allowing the creation of a gMSA. The idea behind 10 hours delay is a safety measure to prevent password generation from occurring before all domain controller are capable of responding to gMSA requests.

Perhaps yo may want to run this over the weekend over the night in production environment?

 

Service Account Creation

It’s straightforward to create gMSAs (Group Managed Service Account) Switch to the server you want to add service account, you need active directory Powershell module part of the RSAT for this to work.

New-ADServiceAccount -Name svc_Secure -DNSHostName cryptoambient.local -PrincipalsAllowedToRetriveManagedPassword  WIN-12-AV$

Command Breakdown :

-Name    service name of your choice

-DNSHostName   –  FQDN for our domain controller that holds KDS root key in my case ambientcrypto.local

PrincipalsAllowedToRetriveManagedPassword     –  This parameter allows you to specify the server(s) that you are going to be running particular (gMSA) on.

 

That’s it, simple and extremely reliable to manage service accounts. Good luck 🙂

 

 

 

 

 

Windows Task Scheduler Privilege Escalation ALPC exploit

Quick Description:

Hacker goes by name SandboxEscaper decide to upload 0day exploit in the windows 10 32-64 bit & Server 2016 x64 task scheduler, SchRpcSetSecurity API contains a privilege escalation vulnerability which can allow authenticated low privilege user to overwrite content of certain files protected by ACLs in filesystem. This is big, a local user authenticated can elevate their privilege to NT Authority /SYSTEM, which is highest privilege in windows operating system.

Maybe this new trend to release 0days ?

Hey I link to the code here,hopefully SanboxEscaper doesn’t mind me doing that.

Exploit prerequisite:

-Windows 10 32/64 or server 2016 system
-Exploit code link here
-CFF PE resource editor link here
-Your own malicious dll e.g msfvenom or empire powershell post exploitation framework etc

Process explore tool to see existing/new running process.Cmd.exe then launched notepad.exe to create a new process id PID  so that we can use PID to call hijack DDL as system privilege.

lpp1

Figure 1  notepad process associated with PID 1356 run under the cmd.exe.

Windows CFF explore  to edit ALPC_Tasksched-LPE.dll  then  RCData 101, Click right to Replace Resource Raw  then poc.dll which we used empire C2 for dll generation . CFF

Figure 2 CFF explore edit the ALPC_Tasksched-LPE.dll and replaced the existing dll with our empire C2 for reverse during execution.

 

InjectDll.exe 3508 notepad PID and our modified ALP-TaskSched-LPE.PoC.dll

F

Figure 3  we execute InjectDll.exe with modified empire dll

Local copy of empire agent call back “whoami” command shows session runs under the NT Authority\SYTEM

NT-Authority-lpe-access

Figure 4  Agent runs under the NT AUTHORITY\SYSTEM privilege context

 

Quick Video session here to demonstrate steps taken to corroborate the  ALPC privilege escalation  https://youtu.be/t50v8zGIwWE

Remediation

Wait for Microsoft to release security patch next few weeks…

 

 

 

 

Playing and Hacking Active Directory Certificate Authority

Brief Active Directory Certificate Authority

Microsoft Active Directory Certificate Services provide a platform for generating and issuing and managing PKI Public Key Infrastructure certificates. In short AD CS provides certificates for securing HTTP traffic and also supports other authentication mechanism such as computer, user or device accounts on a network.
No point for me to describe what the certificate authority is used for as Microsoft has covered this here in details  here and here.

The objective with this brief technical article is to demonstrate common mis-configuration with the certificate generation and issuing keys to domain joined end users. The idea is to show an attacker can enumerate certificate authority using built-in windows MMC managed certificate Snap-in in windows 10 and export private keys to our attacking machine for offline PKCS12 PFX password recovery.
You probably ask why do you want to extract private key and recover the password? Well that depends on the type o certificate but generally speaking certificate used for encrypting traffic or perhaps use machine authentication to a domain controller or can be used as internal code signing certificate.
In my personal opinion I think CA Certificate Authority is significant attack vector and often overlooked by system administrators and security professionals, for years’ bad actors utilized and abused certificate authority to circumvent external/internal technical controls and security operations, often these attacks go undetected by third part and built-in signature based anti-virus products.

So let’s assume breach scenario here and an attacker managed to gain foothold on your end user windows 10 workstation and we also assume the workstation is domain joined, and there is a single tier domain joined active directory certificate authority installed on server that issues automated client machine/user certificates to the workstations once  joined the domain controller (AutoEnrollment Group Policy Configured)

LAB Setup and Break down:

Cryotoambient.com SEC-PRI-DC-1 (Primary Lab Domain Controller)

SEC-PRI-DC-02 (Secondary Domain Controller – Certificate Authority installed

Windows10 Domain Joined with active directory low privilege user ambient10

Let’s assume the attacker is on post exploitation phase and enumerating the workstation for vulnerabilities weakness to elevate higher privilege access from zero to hero domain administrator privilege. There are different methodology and techniques to elevate privilege from windows environment, unpatched vulnerabilities, powershell, vulnerable services, pass the hash,  credential theft and the list goes on.

Let’s focus on how an attacker abuse exportable certificates and reuse the certificate for other malicious use cases.

Certificate authority  we replicated an exiting template and named it User_V2.

1

Figure 1  Notice Private Key is to be exported ticked.

 

Enabled Certificate Templates we created.

2

Figure 2 Published User/Workstation authentication template.

 

Group Policy change to enable automatic enrollment.

comes just after 2 with commens

Figure 3  PKI Group Policy created to allow AutoEnrollement to end user workstations.

Joined our target windows10 to the domain controller.

comes before 2

Figure 4 DESKTOP-BOB1 Windows 10 Joined to the domain controller and waiting for the certificate to be pushed to the user workstation upon first login.

 

Issued Certificates to workstations.

3

Figure 5 User/Machine certificate issued to newly joined window10 with the user ambient10 as low privileged user.

 

Next we check newly joined Windows 10 MMC console under the Personal  Certificate we see ambient10 user been issued a certificate.

4

Figure 6 We use export wizard to export the private key in PKCS12 PFX format.

 

Certificate Export Wizard.

5

Figure 7 we select the export private key from abmient10 user personal certificate

 

ExportPrivateKey certificate saved on the ambient10 user desktop.

6

Figure 8  private key saved on to the ambient user workstation desktop

 

Next we move the file to the c:\cert folder on the target workstation 192.168.1.73 for quick certificate transfer to our attacking machine.

7

Figure 9 from our lab kali machine we use mount -t cifs to mount the remote folder to our /mnt folder on our attacking machine with the user ambient10 credential.

 

Now that we have copy of the private key in pfx format we github crackpkcs12 source code here and compile it on our kali machine.  Crackpkcs12 -b  certificatefile.pfx or pkc12 format.

8

Figure 10  Successful Brute force attack and recovered the Password “123”

 

When was the last time did you review/audit your internal Certificate Authority published certificates ? Do you know if the keys are exportable?

 

 

ETERNALROMANCE/SYNERGY EXPLOITATION ON WINDOWS 2012R2

MS10-010 vulnerability patched by Microsoft affecting from windows 7 to a windows server 2016 (Eternalromance/synergy published by shadow brokers the exploits are very unstable if tried against the windows 2012, 2016 server causing 100% of the target machine BSOD

This is not a comprehensive article but we will demonstrate how we can leverage and make necessary changes to the Sleepys code and make minimal code change in order to obtain a privileged windows meterepreter reverse on the target system

Virtual Environment & prerequisites

Kali Ubuntu Machine  IP address 192.168.1.14

Python v.2.7

Ps1Encode   – Used to generate PowerShell metasploit types revershell

https://github.com/CroweCybersecurity/ps1encode

Windows Server 2012 R2 target IP   192.168.1.30 ( Not patched with MS17_010 )

Ok so without further ado let’s compromise windows 2012R2 server

The exploit has been published by sleepya https://www.exploit-db.com/exploits/42315/  the exploit is working properly without doing any modification if we execute the exploit against the windows 2012r2 server it will create a file  in C:\pawned.txt  on the target disk .

But you might already think hm but that doesn’t give me meterpreter shell on the target box , that’s very much true but we make couple of modification to get the desired shell

We now enabled guest account on our windows server R2 windows machine

guest-account

Figure 1  we set the authentication to “guest”  with minimal privilege

Parameters

The exploit code requires two parameters  the actual Target IP address windows server 2012R2 in our case and the PIPE name  – windows named pipe is not in the scope of this article. SMB protocol supports three different types of shares  File share which is a directory tree, Print: print share  which is access to print shares on the server,   PIPE inter communication between the process that uses FIFO model essentially first in first out  a.k.a  named pipes .

What other pipe types you can potentially exploits on a windows server box ?

  • Netlogon, samr, lsarpc,spoolss,browser

Ok it’s very straightforward to identify which named pipe are available on a target server – I wrote a python scrip which compares the UID to identify if the named pipe exist is so then just check access if allowed or denied

Script identify named pipes on the target windows server 2012 R2

named-pipes

Figure 2 allows identify named pipe Browser, Spools, Netlogon, LSARPC, SAMR

If we decide to execute the exploit it will create c:\\namlook.txt on the target .

2

Figure 3  executed code without reverse shell created c:\namlook.txt

Code snippet creates namlook.txt on the target server

1Figure 4 CreateFile function adds pwned.txt on the target server but no reverse shell code.

Executing code with our SCT reverse shell code ( SCT File Extension ) Windows script component

This is an affective approach to evade security controls using the SCT extension with embedded powershell reverse shell code. We wil l use PS1encode  that allows us to generate encoded metasploit codes in different/several format

Exploit Modification/Reverse shell

Executing code with our SCT reverse shell code ( SCT File Extension ) Windows script component. This is an affective approach to evade security controls using the SCT extension with embedded powershell reverse shell code. We wil l use PS1encode  that allows us to generate encoded metasploit codes in different/several format

We can download the ps1encode here  from github   https://github.com/CroweCybersecurity/ps1encode

SCT Reverse Shell code

3Figure 5 reverse shell code windows/meterepreter/reverse_tcp

Armed with .SCT reverse shell file we simply move the to our python web server on kali machine  /var/www/html  or any machine that can be reach from the target server. The idea is that when we execute the exploit against the target server to use regsvr32 (Microsoft Register Server) command line utility for registering and  DLLs in the windows registry

Reverse shell code

regsrc32-http-connection

Figure 6  – We modified code to execute our malicious revershell code .SCT  on our target machine

Meterpreter session

We now configrured the metasplot’s exploit/multi/handler to receive reverse shell

pingping

Figure 7 handler configured with windows/meterpreter/reverse_tcp

After executing modified MS17_010 exploit get clean meterpreter reverse shell

sysinfo

Figure 8 sysinfo with  NT/Authority priv ….

 

Go and patch please … https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Eternalblue, DoublePulsar NSA Exploit

This is going to be series of articles about building NSA/ShadowBrokers exploit kit . We will cover the followings  (Eternalblue, EternalRomance, DoublePulsar ) exploits against windows server 2003,2008,2012 and of course why not with 2016 J

 

I’m not going to cover the background history lessons here for more information, please read  here

Ok so eternalblue & externalromance are 2 fantastic bufferoverflow exploits that exploits SMBv1  in memmove operation Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt with simple mathematical mists where a DWORD is substracted into a WORD . The kernel pool is groomed that overwrites an SMbv1 buffer. The actual Return address pointer (RIP) hijack is later completed in srvnet!SrvNetWskReveComplete.

We will not use NSA backdoor dll instead we generate our own DLL with MSFvenom  and execute against our target machine

 

Attacker IP 192.168.1.14 (Kali Linux)

Target IP   192.168.1.28 ( Lab domain joined Windows server 2008 r2 with Smbv1 unpatched)

Ok so i decided to port the NSA exploit kit on to my kali system

1

Figure  1 NSA exploit kit widows based to linux

2

Figure 2 exploit kit python fb.py  nice graphical NSA interface 🙂

3

Figure  3 Set target IP address 192.168.1.26 and Callback IP address 192.168.1.14

5

Figure 4 we use doublepulsar exploit to check if the system is already infected 🙂

6

Figure  5 we choice function backdoor and set path /tmp/win2008.bin shellcode to binary on the target system

7

Figure 6 final validation and we execute the exploit against 192.168.1.26

8

Figure 7 successful execution and shellcode is written to the output file

9

Figure 8 we use eternalblue SMBv1 exploit code and msfvenom reverse shell DLL to execute code on the target system

10

Figure 9 we select 1 tradtional exploit deploymenet using FUZZBUNCH NSA framework

12

Figure 10 we execute the eternalblue with our custom DLL

13

Figure 11 Recerse shell from 192.168.1.26 to our kali machine 192.168.1.26

 

So let’s  summarize

  • Smbv1 is bad and easy to exploit
  • The externalblue exploit runs with SYSTEM priv

ShadowBrokers Exploit Network Analysis

So I decided to spend some time investigate shadowBrokers EternalBlue exploit attack against windows on my favourite port TCP 445  and so I analysed 2 particular unique awesome remote execution exploits EternalRomance and DoublePulsar .

I personally find the NSA exploit naming convention absolutely/incredibly amazing

A bit of background history lesson

NSA has tons of money and best hackers out there ,yeah people hack for money and NSA willing to pay a lot for zero day exploits and hacking techniques but hey that’s how security industry work

EternalBlue is the a weaponised exploit kit with number of zero day exploit codes for windows/linux operating systems, one of the exploits EternalRomance is exactly the same as MS08-067 SMB exploit but the only difference is the year 2017 O.0

So we created wireshark PCAP(s)  and run EternalRomance exploit against unpatched windows system (successful compromise with NT/Authority System Level Privilege)  and second objective was to reconnect to the compromised system using (DoublePulsar) which is a very impressive backdoor listens on TCP 445 and RDP 3389 to connect back to the target machine ( EternalBlue installs DoublePulsar)

 

Eternal blue exploit documented here the exploit is against windows 7 unpatched windows system

One of the interesting observation we made is that when run the eternalblue exploit against unpatched windows 7 it sent a Trans2  stands for Transaction 2 Subcommand Extension (highlited in yellow)  This particular request is send just before the exploit is sent the intent/idea is to check if the target windows system already exploited or not .  The response from the system returns with  SESSION_SETUP, ERROR: STATUS_NOT_IMPLEMENTED however when we look at the packet we see the Multiplex ID is returned with 65 (0x41) for not compromised system and  Multiplex ID 81 for compromised infected system  .

Trans2 Request, SESSION_SETUP  Initial request
TCP-1
Figure 1 Transe Response SESSION_SETUP, Error: Status_NOT_IMPLEMNTED

BufferOverflow payload sent to target system

tcp-02
Figure 2 packet contains large number of buffer sent to  target windows server
smb.mid==65 (0x41) confirms Trans2 as initial check request

tcp-02-02

Figure 3  Trans2 request is sent to check if system infected or not
EternalBlue PCAP exploit network analysis
https://www.dropbox.com/s/dp64m5ay5xo75li/EternalBlue-Unpatched-Windows7-Exploit.pcap?dl=0
DoublePulsar PCAP exploit network analysis
https://www.dropbox.com/s/kujlk8p0oi7ych6/DoublePulsar-Exploit-mid-81.pcap?dl=0
  Wireshark filters

EternalBlue exploit  smb.mid == 65   ( Initial exploit)

DoublePulsar back door exploit smb.mid==81  ( Stealthy backdoor)

So we can conclude that the EternalBlue exploit used for initial bufferoveflow attack and foot hold on the network with NT/Authority SYSTEM privilege – highest privilege one can have and the DoublePulsar used for connecting back to the infected system

Mitigation

Go check your entire network and find all smbv1 and turn it off ( Smbv1 is bad)

DKIM Office 365 & DNS change GoDaddy :

Configuring DKIM  on Office 365 and GoDaddy

What is DKIM

DomainKeys Identified Mail is an email authentication method designed implemented to detect email spoofing . It enable the receiver to check that an email claamied to have cam e from a specific “domain “ for example how do you know if you received an email and it’s not spoofed?

It is intended to prevent forged sender address in emails, a very common and affective technique to harvest credentials or drop a malicious attached file to the target system

Read on phishing and email spam here

 

Ok so you bored by now and like to jump to configuration with Office 365 and your DNS provider?  Ok in my case I will be configuring Office 365 demo tenant I created for 30 day trail and my Go phishing service provider sorry I meant GoDaddy

Please note you should always use SPF/DMARC in addition to DKIM to prevent spoofers from sending you malicious emails looks like they are coming from your domain .

Does this sound complicated at all ? DKIM is simple especially with office 365 its almost no technical skill required but I still see people struggle with this concept

Step one 

Go to office 365 and exchange online protection and click DKIM ( By default the first DKIM and SPF already enabled for you but any other site you add you need to configure and enable dkim.

DKIM

1

Figure  1 DKIM configuration

If you decide to add new site In my example securesystem.co.uk is my domain and registered for office 365 domain demo tenant and now I want to enable  DKIM for www.securesystem.co.uk

Add your domain if and click on enable button  and you will get an error like this?

CNAME record does not exist for this config. Please publish the following two CNAME records first.

selector1-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com

selector2-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com

 

2

Figure 2 CNAME selectors for DKIM –

You need these selectors to be added to your external DNS service e.g Go Daddy or any other provider, it could be your own DNS service so that you can prove own the domain – I use Go Daddy because it’s cheap and easy to make dns changes

GoDaddy DNS portal

3-godaddy

Figure 3 add your selector1 to GoDaddy

 

Now we have configured the DNS and point CNAME to office 365 DKIM we test it by sending myself an email and capture the header

spf-signature

Figure 4 DLKIM header is pass and SPF already generated

Nslookup for testing ?

nslookup

Figure 4 nslookup with type=txt to check if DKIM work

Final word Remember Microsoft has the private key and you no longer have control of your own keys? Maybe secure maybe not but hey it’s easy to enable DKIM  J

NTDS.DIT Active Directory Passwords & Decryption

Windows Server 2008 Active Directory

We know local user accounts are stored in SAM file and we have previously demonstrated on PASS THE HASH article how to dump/extract use abuse these password equivalent hashes.

In this article we demonstrate/describe some of the attack techniques to gain access to a windows domain controller the techniques to copy NTDS.dit database using built-in tools “living off the land “ the use of WMI, VSSADMIN , PowerShell. A.KA Microsoft post exploitation framework  J

Active directory data is stored in the Ntds.dit ESE database file.  Two copies of Ntds.dit present in separate location on a given domain controller  %SystmRoot%\NTDS\ Ntds.dit  &  %SystemRoot%\System32\Ntds.dit .

These are exclusive locked file meaning they cannot be copied simply using click right and copy to the destination will not work as these files have in use with set of permissions  attribute on.

This of course doesn’t mean we can’t using Build-in tools VSSADMIN or PowerShell to make a copy of the Ntds.dit file locally and infiltrate to our attacking machine for closer offline analysis and password extraction. But of course we need to gain access to the domain controller with local administrative privilege or domain admin in order be able to copy the AD server crown jewels .

Without further ado let’s get to hacking into breaking windows 2008 active directory

Our attacker IP address is set to 192.168.1.12   

Our target is windows 2008 active directory installed 192.168.1.26

We already have an administrative account (Credential theft or MS14-068 Kerberos prive escalation

Windows Built-in tools – Welcome to VSSADMIN  .

VSSADMIN is essentially shadow volume copy feature since windows Vista that allows an administrator or “hackers” to take friendly snapshot backups files even when the files are currently in use J  J J  that’s how I feel when I login to a Domain controller…

You already figured out my next move – Yes I will use VSSADMIN built-in tool to copy NTDS.dit and SYSYEM file from the domain controller save it to the disk for remote exfiltration.  You may ask why we need SYSTEM file. Great question, SYSTEM file contains what knows as Boot secret key which used at the windows boot startup for decryption

Quick Scan against domain controller identified port SMB on 445 and Port 88 kerberos authentication protocl .

server_2008_nmapFigure 1 Port scan identified number of open ports from our attacking machine

Credential theft – We use Rdesktop to login to the remote server 2008 AD.

rdesktop_02Figure 2 with administrative access we login to the remote Target windows 2008 server

vssadmin create shadow /for=c:  to creaate a light snapshot

vssadmin-create-copy-03Figure 2 vssadmin built-in windows tool to create a fast snapshot

Next we  use copy command and copy the ntds.dit file to our \windows\ntds\ntds.dit location

copy-ntds-dit-04Figure 3 snapshot of ntds.dit now successfully copied to the c:\ drive

We also need a copy of SYSTEM File to decrypt the NTDS.dit objects

copy-system-dir-04Figure 3 SYSTEM file is copied to c:\ location we need that file to decrypt the ntds file

Now that we have a copy of NTDS.dit and SYSTEM file waiting for final exfiltration to our attacking machine for offline decryption

We use Mount -t cifs to connect the target remote machine specefying the username and password and associate /mnt/

mnt-copiedFigure 4 C$ is mounted to /mnt drive to copy ntds.dit and SYSTEM file for extraction

We use esetUtil.py to look at certain table and grep particular hashes from the NTDS.dit file

bFigure 5 we use esentuil to grep datatable contains hash objects

Next we we use extract datatable from the ntds.dit and pipe it to the output.txt file

ntds-dirFigure 6 Impdump.py we point SYSTEM file and output extract and pipe it to the hashes.txt file

Password equivalent hash extracted from windows active directory server

hashes-textFigure 7 Windows NTLM password hashes

So there we are , NTLM password hashes for PTH & offline decryption