  • hamidullahbayram

Persistence on Windows with BackDoors (3/4)

Updated on: 31 May 2023

3. Dumping hashes and assigning admin privileges for unprivileged users


This is the 3rd part of the persistence series, and I will start from the beginning. Let’s set the scenario for the attack. Having found the logon screen of a domain (hundreds can be found through engines such as Shodan), we can conduct a brute-force attack, but a list of credentials is needed. At this stage I will use Psudohash by Panagiotis Chartas, a very impressive password-generator tool that I recently came across, which lists thousands of potentially complex passwords.

Then it is time to run the list generated by Psudohash against the target using Hydra.

Previously we had gained admin access, and we could connect to the target via xfreerdp (xfreerdp /u:"target_user" /v:target_IP:3389). We could assign admin privileges to one of our unprivileged users, “test”, at the target’s command prompt by adding it to the Administrators group with the following command:

C:\> net localgroup administrators test /add


Now we can also add it to the Remote Desktop Users (RDP) or Remote Management Users (WinRM) groups, which enable remote connection via RDP or WinRM:

C:\> net localgroup "Remote Management Users" test /add


Finally, we have to add it to the Backup Operators group, which does not grant administrative privileges but allows reading and writing any file on the system. It also allows retrieving the SAM and SYSTEM registry hives, which contain the password hashes. However, we may fail to achieve this because of User Account Control (UAC), since WinRM users have limited access. After adding it to the Backup Operators group, we should turn off the UAC token filtering controlled by LocalAccountTokenFilterPolicy by setting that registry value to 1:

C:\> net localgroup "Backup Operators" test /add

C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

Now we can continue on the attacker's machine, connecting to the target via evil-winrm and checking whether our user has gained administrator privileges:

The next step is to save and download the SYSTEM and SAM hives (a backup copy of each file).

After downloading the hives to the local machine, we can dump the NT hashes with the impacket-secretsdump tool. From now on, we can gain access at any time using the obtained hashes in place of a password:
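As an added defensive check (not part of the original post), the following PowerShell audit lists the members of the local groups used in this walkthrough and reports whether LocalAccountTokenFilterPolicy has been set to 1, so an administrator or responder can spot and revert exactly these changes. It assumes an elevated session on Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets are available.

```powershell
# Added audit script (not from the original post). Assumes an elevated PowerShell
# session on Windows 10 / Server 2016 or later, where Get-LocalGroupMember exists.
$watchedGroups = @('Administrators', 'Remote Desktop Users',
                   'Remote Management Users', 'Backup Operators')
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-WatchedGroupMembers {
    foreach ($group in $watchedGroups) {
        # Some of these groups may be absent on client SKUs; skip them quietly.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $group
                Member      = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

function Test-RemoteUacFiltering {
    # A value of 1 disables UAC token filtering for remote logons with local
    # accounts (the setting the walkthrough applies). Absent or 0 is the default.
    $value = (Get-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy `
                -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = if ($null -eq $value) { 'not set' } else { $value }
        RemoteUacFilteringDisabled    = ($value -eq 1)
    }
}

Write-Host '== Members of watched local groups =='
$rows = Get-WatchedGroupMembers | Sort-Object Group, Member
$rows | Format-Table -AutoSize

# Backup Operators and Remote Management Users are empty on a fresh install,
# so any member there deserves a second look.
foreach ($row in ($rows | Where-Object { $_.Group -in 'Backup Operators', 'Remote Management Users' })) {
    Write-Warning ("{0} is a member of '{1}', which is empty by default." -f $row.Member, $row.Group)
}

Write-Host '== Remote UAC token filtering =='
$uac = Test-RemoteUacFiltering
$uac | Format-List
if ($uac.RemoteUacFilteringDisabled) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: remote UAC filtering is disabled; delete the value to restore the default.'
}
```

Membership changes made with net localgroup also appear in the Security log as event ID 4732 (member added to a security-enabled local group), which is the event to alert on for this technique.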

