By Raphael Rosa *
An organization's internal technology environment contains many types of assets, which we can broadly divide into servers and workstations. Both types of computers are generally members of a Microsoft Active Directory domain, which is therefore the focus of every attacker.
This article superficially covers some exploitation topics, as well as some aspects of post-exploitation and lateral movement that, if addressed, can reduce the impact of a compromised credential or workstation.
Scenario and attack
The risk scenario presented applies both to an attacker who has gained access to the organization's internal network and to a malicious user who already has administrative access to his own machine, or who has a valid network point and credentials to use it.
The attacker in the first scenario could use poisoning and man-in-the-middle attacks to capture valid hashes on the network and, by cracking the passwords or performing SMB relay, gain access to a workstation.
In the second scenario, the malicious user is assumed to have administrative access to his machine, for example a developer who has persuaded IT to grant administrative rights to install applications and development software. Alternatively, he may have physical access to his own computer or to a colleague's and, by dual booting a Linux operating system, copy the Windows internal password database file, the SAM file.
The SAM (Security Account Manager) file contains the password hashes of the local users of the Windows system, in NTLM hash form. Windows hosts natively accept the NTLM hash as a direct substitute for the password, so logins can be performed without ever cracking the hash.
This issue is especially relevant in corporate environments that use Windows, whether standalone or through Active Directory: if an attacker has a valid NTLM hash of a user's password, he can authenticate to other computers as that user.
The problem becomes especially serious because it is still common in business environments and technology parks (especially on workstations) for IT to use a standard procedure and a single default local administrator password when provisioning a machine into the domain.
Thus, by the logic of the Pass-the-Hash attack, if an attacker manages to break into one workstation, he would have local administrative access to all of them.
With this type of access, various post-exploitation attacks, theft of local files or execution of malware can be performed.
How to prevent?
The following procedures are recommended for mitigating and addressing the vulnerabilities and risk scenarios described:
- Use LAPS (Local Administrator Password Solution) to randomize the local administrator password of every machine joined to the Microsoft Active Directory domain, so that no two machines share the same local administrator hash.
- Use separate credentials for IT administrative work and for IT users' everyday workstations, to minimize the risk of an administrative hash being captured from a workstation.
- Disable insecure protocols that allow initial capture of credentials or hashes, and enable protections such as SMB signing.
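As an added example (not part of the original article), the following PowerShell audit checks the two configuration points above on a domain: whether SMB signing is required on the local host, and which domain computers have never received a LAPS-managed local administrator password. It assumes the RSAT ActiveDirectory module and the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime; Windows LAPS uses msLAPS-PasswordExpirationTime instead.

```powershell
# Added audit example, not the article's own code.
# Assumes: RSAT ActiveDirectory module installed, legacy LAPS schema extension
# (ms-Mcs-AdmPwdExpirationTime) present, run from a domain-joined admin host.

# 1. SMB signing: both the server and client side should REQUIRE signing,
#    otherwise a relayed NTLM authentication can still be replayed against SMB.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerRequiresSigning = $srv.RequireSecuritySignature
    ClientRequiresSigning = $cli.RequireSecuritySignature
} | Format-List

# Remediation for a single host (in production, enforce this through Group Policy):
#   Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
#   Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 2. LAPS coverage: a computer object with no ms-Mcs-AdmPwdExpirationTime value
#    has never had its local administrator password randomized by LAPS, so it
#    most likely still carries the shared provisioning-time default password.
Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem

$noLaps = $computers | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' }

# Computers whose LAPS password has expired but was not rotated (agent/GPO not applied).
$stale = $computers | Where-Object {
    $_.'ms-Mcs-AdmPwdExpirationTime' -and
    [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime') -lt (Get-Date).ToUniversalTime()
}

"{0} of {1} Windows computers have no LAPS-managed password" -f @($noLaps).Count, @($computers).Count
"{0} computers have an expired LAPS password that was never rotated" -f @($stale).Count
$noLaps | Select-Object Name, OperatingSystem | Sort-Object Name
```

Any machine in the first list still shares whatever local administrator password the provisioning image set, which is exactly the condition the Pass-the-Hash scenario above depends on.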
* Raphael Rosa is an Information Security Consultant from Safeway Consulting
About SAFEWAY
SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. Over these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, which include, to a large extent, the 100 largest companies in Brazil.
Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.
Let's make the world a safer place to live and do business!