A Long Old Way To Domain Admin: Propagating Infections

On a recent penetration test I made heavy use of Sec-1 Ltd's tool Sharecheck in a way that gained Domain Administrator privileges that had previously been missed. Effectively there was a lot of groundwork in horizontal propagation, which I automated through Meterpreter and Sharecheck.
I've mentioned Sharecheck before in my Internal Penetration Testing post, but I don't believe I've ever run through the features of this tool, which I make use of on almost every test. Effectively this tool allows you to do four main things:

  1. Determine if a Domain User account to which you have access is also a Local Administrator of a machine somewhere on the network
  2. Determine who else has Local Administrator privileges on each machine
  3. Determine the Local Account Lockout policy of each machine on the network
  4. Determine who is currently logged in, and therefore potential targets for account takeover
The tool is simple to use: you just provide a network range to scan and a username/password combination. The tool can be downloaded here and can be executed like this:
sharecheck.exe -r 192.168.0.0/16 -u corp.local\holly -p password
The output is an HTML report, which looks like:

There are a couple of things to point out here. This tool will not only show you machines on the network which have no local account lockout (seen here in the second column); it will also highlight machines out there which don't follow the standard policies for your network, which can indicate issues with deployed Group Policy. Generally it's worth scanning a range and playing spot the difference.
If the user you scan the range with is a local administrator of any machine, that machine will be highlighted as having the shares C$/Admin$ under the read/write column. This is a really simple way of taking credentials you've gained through phishing, spoofing LLMNR, or good old fashioned bruteforce attacks and checking whether those accounts have elevated privileges. It's certainly not uncommon to see users who are admins of their own machine, and this is a simple way to find them (this is often true of executives! Since, you know, they get what they want). You can see this on the first row: the "holly" account which I used to scan the range is an Administrator of the Laptop1 machine.
The right hand column shows which users are currently logged in to that machine; this is useful as it gives an indication of accounts which may be targeted with Incognito or Mimikatz.
Now the above screenshot is a cleaned-up, simplified set up to highlight a recent way that I used Sharecheck to gain a domain administrator level compromise on a customer network, which could have been a touch awkward without this tool. In the above network the account "Admin.Service" is a domain administrator. There are two ways that I could confirm this during the Penetration Test: the first was to hit the domain controller with enum4linux (which I described in my Internal PenTesting post); alternatively I could log in to any domain joined workstation and execute the command:
net group "Domain Admins" /domain
The above screenshot informs me that the Domain User account corp.local\holly, which I compromised using a bruteforce attack, is a local administrator of the machine Laptop1. Now the lesson of this post is shown in the above screenshot: there's a path to compromising the domain admin account, and it's shown in the furthest right two columns, Local Administrator Group and Local Authenticated Users.
Quick FYI, the group with *** next to its name is highlighted because it has more than 10 members in it; it's good that it does that, as sometimes you'll see large groups such as "Domain Users" who have been given Local Administrative access, and it's good that it's highlighted for you as a potential target. Also the user account with !!! next to its name is highlighted because it has been disabled, and in this case replaced with the "admin" account. This is a good thing to know about since this account is non-standard for this network; in this case the Administrator account came under the protection of LAPS, however this "admin" account did not!
Now the machine that I can access with my administrative permissions has the account corp.local\paul logged in to it, which I could compromise with a tool such as Mimikatz; the paul account is highlighted on the second row, sixth column as being an administrator of Laptop2. Therefore by compromising Laptop1 and gaining access to paul's account I in turn gain access to Laptop2. Continue that pattern and you'll see that by compromising Laptop2 I can gain access to the account corp.local\emily, who is an administrator of Laptop3. On and on, eventually this leads to compromising Laptop5 through rick's account, which gives us access to the Admin.Service account, which is a domain administrator and therefore a full network compromise.
On the real world engagement this wasn't as clean as this simple and nicely ordered list. In actual fact I managed to gain access to a handful of accounts through various attacks, which gave me access to a small number of machines that I compromised through PSExec. I propagated through the network in exactly the way described above, but the machines were a little more organically laid out throughout the network; eventually, after around 5 propagation movements, I found myself logged in as a domain administrator!
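The chain above is a reachability problem over two kinds of node (accounts and machines), and the same report data lets a defender list which local-admin rights to remove first. The following Python is an added example, not part of the post or of Sharecheck itself; it encodes the simplified report as a dictionary (Laptop4's logged-in user "user4" and the "Helpdesk" group are constructed placeholders, since the post does not name them) and walks it with a breadth-first search.

```python
from collections import deque

# Constructed sample data mirroring the simplified report in the post. Laptop4's
# logged-in user is not named there, so "user4" is a placeholder; "Helpdesk" is
# a constructed group standing in for the "***" (large group) entries.
GROUPS = {"Domain Admins": {"Admin.Service"}, "Helpdesk": {"user4"}}
DISABLED = {"Administrator"}  # the "!!!" entries: disabled, so never a usable hop
MACHINES = {
    "Laptop1": {"local_admins": {"Administrator", "admin", "holly"}, "logged_in": {"paul"}},
    "Laptop2": {"local_admins": {"Administrator", "admin", "paul"}, "logged_in": {"emily"}},
    "Laptop3": {"local_admins": {"Administrator", "admin", "emily"}, "logged_in": {"user4"}},
    "Laptop4": {"local_admins": {"Administrator", "admin", "Helpdesk"}, "logged_in": {"rick"}},
    "Laptop5": {"local_admins": {"Administrator", "admin", "rick"}, "logged_in": {"Admin.Service"}},
}

def is_local_admin(account, machine):
    """True if the account is in the machine's local Administrators group, directly or via a group."""
    for entry in MACHINES[machine]["local_admins"]:
        if entry == account or account in GROUPS.get(entry, ()):
            return True
    return False

def find_path(start, targets):
    """Breadth-first search over alternating account/machine hops. Returns the shortest
    chain [account, machine, account, ...] ending in a target account, or None."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        account, path = queue.popleft()
        if account in targets:
            return path
        for machine, info in MACHINES.items():
            if machine in seen or not is_local_admin(account, machine):
                continue
            seen.add(machine)  # admin rights on this machine expose its logged-in sessions
            for victim in info["logged_in"]:
                if victim in DISABLED or victim in seen:
                    continue
                seen.add(victim)
                queue.append((victim, path + [machine, victim]))
    return None

def exposed_accounts(targets):
    """Defender view: every enabled, non-target account from which a domain-admin session is reachable."""
    accounts = set()
    for info in MACHINES.values():
        accounts |= info["local_admins"] | info["logged_in"]
    accounts -= set(GROUPS) | DISABLED | set(targets)
    return sorted(a for a in accounts if find_path(a, targets) is not None)
```

Note that the un-LAPS'd "admin" local account shows up in the exposed list as well, because a shared local administrator password is just as good a first hop as a domain user's local-admin right.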

So the vulnerability is effectively Domain Users being given Local Administrative permissions to machines on the network, be it their own machines to install software or the odd server or two for users such as web developers. You can use these small increases in permissions to widen the search for a potential domain administrator account which can be compromised by extracting passwords, hashes, tokens or even just key logging. The fix for this is in part reducing user permissions to the absolute minimum and deploying protection mechanisms such as Microsoft Local Administrator Password Solution!