On internal engagements, poisoning name resolution requests on the local network (à la Responder) is one of the tried and true methods of obtaining that coveted set of initial Domain credentials. While this approach has worked on many clients, what if Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NTB-NS) protocols are configured securely or disabled? Or, what if Responder was so successful that you now want to prove other means of gaining that initial foothold?.
There are a multitude of attacks a penetration tester can leverage when conducting physical walkthroughs of client spaces. One of the more interesting, and giggle-inducing, involves exploiting wireless peripherals. This technique, known as “mousejacking”, involves exploiting vulnerable 2.4 GHz input devices by injecting malicious keystrokes (even if the target is only using a wireless mouse) into the receiving USB dongle. This is made possible because many wireless mice (and a handful of keyboards) either don’t use encryption between the device and its paired USB dongle, or will accept rogue keystrokes even if encryption is being utilized. WIRELESS WHOOPSIE! Let’s explore…
Lateral Movement: An Overview
Regardless of the method utilized for gaining the initial foothold, penetration testers are often looking for ways to move around the client’s network (referred to as lateral movement or lateral spread). Other machines may hold goodies that further the engagement, whether it is documents that contain the company’s “crown jewels” or stored credentials that give access to databases, Domain Controllers, or other important assets. While there is an art to gaining situational awareness and understanding the “lay of the land” once the initial foothold is established, this article will instead focus on a subset of tools and techniques for moving around the victim’s Windows environment.
Common Windows Privilege Escalation Vectors
Imagine this scenario: You’ve gotten a Meterpreter session on a machine (HIGH FIVE!), and you opt for running getsystem in an attempt to escalate your privileges… but what that proves unsuccessful? Should you throw in the towel? Only if you’re a quitter… but you’re not, are you? You’re a champion!!! 🙂
In this post I will walk us through common privilege escalation techniques on Windows, demonstrating how to “manually” accomplish each task as well as talk about any related Metasploit modules. While most techniques are easier to exploit when escalating from Local Administrator to SYSTEM, improperly configured machines can certainly allow escalation from unprivileged accounts in the right circumstances.
Anti-Virus Vendors vs. Penetration Testers
While Metasploit is a great framework for conducting penetration tests, it’s popularity hasn’t gone unnoticed by anti-virus (a/v) vendors. Standard Metasploit payload executables started getting flagged by a/v products in 2009 and now are picked up by a majority of a/v products out on the market. If you can’t get your payload past your clients’s a/v software, you just might find yourself dead in the water before you’ve even begun.
The problem is that professional malware writers, organized crime, and nation state actors have no problem breezing past a/v software, successfully bypassing these solutions for years. We, as penetration testers, are finding ourselves getting flagged because we are utilizing popular tools that are well-known to a/v vendors. In this post, we will explore the topic of a/v evasion.
Privilege Escalation Via Group Policy Preferences (GPP)
While this is not a new topic in the penetration testing world by any means [Chris Gates (@carnal0wnage) and others were speaking about this way back in 2012], it is still prevalent across many networks today. It’s important enough to talk about because it is “low-hanging fruit” for pentesters (and hackers) and often one of the first things checked for after an initial foothold into a network, as it can quickly allow for escalation to Local Administrator and lateral movement. At that point, it often is just a matter of time before complete Domain compromise.
In this post we will explore the Windows Active Directory feature, Group Policy Preferences (GPP), that was introduced with Server 2008 and how we can exploit this feature to obtain cleartext credentials for privileged accounts in the Domain.
The past couple days I’ve been building out the lab that will be utilized for a lot of my tool demonstrations and exploit walkthroughs presented on this blog. The setup is beautifully simple: a Windows Active Directory Domain environment with several connected workstations of various O/S versions and patch status. This lab will at least vaguely mimic some key aspects of a typical corporate Windows environment and will allow for lateral movement and privilege escalation scenarios across the Domain. As you’ll quickly notice upon reviewing the listing of lab machines below, there is a definite theme to this blog (got […]
Welcome to my new blog! The intent of this page is to post on security issues that I’m researching or witness during penetration testing engagements. I hope this page will serve as a reference for other penetration testers as well as system administrators (as I will often propose mitigation strategies for issues presented). Please feel free to leave any constructive feedback as I begin posting. About Me: I’m an penetration tester who got his start as a government employee working for the Department of Defense (DOD) in a five-sided building. During this time, I got hands-on experience building, growing and “selling” proactive security […]