Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


precise location of privileged users in domain attack

Posted by bax at 2020-03-17

0x01 intention of locating privileged users

In the scene of domain network attack, if the attacker gains a fulcrum in the domain, in order to obtain the domain administrator's authority and realize the overall control of the domain network, the next goal of the attacker is often to collect the information in the domain, track the historical login location and current login location of the privileged users and domain management group users in the domain, so as to prepare for the accurate attack to obtain the domain management authority 。

For example, if an attacker obtains the password hash value of a local administrator account from the current fulcrum, it is likely that the account is the one reserved when the system is preinstalled. At this time, the attacker can use PTH (pass the hash) method to log in to the same type of system in the domain and search one by one to find the login trace of the privileged user, so as to obtain the password hash value of the privileged user, and the role of accurately locating the privileged user is obvious. In 2014, Microsoft released two patches kb2871997 and kb2928120 to prevent the network login of local users in the domain. The PTH mode of local users has died.

0x02 filter domain users in local Administrators group

The local user's PTH mode is dead, but the domain user's PTH mode is still valid. In many cases, in order to facilitate the use of users, many enterprise networks add some ordinary domain users as the local administrator group of the login host through group policy. If there are login traces of privileged users or administrator group users in those hosts, there is a high probability to obtain the password hash value of these users, which is a big step forward to obtain the final domain management authority.

In this scenario, the path from the current fulcrum to obtaining the hash value of the privileged user's password includes three steps:

1. Which domain users are set to be members of the local Administrators group for hosts within the domain. The probability of obtaining password or hash value of common domain users is much higher than that of high authority users, such as social workers;

2. Which hosts in the domain are set to add users in the domain to the local Administrators group;

3. Obtain the login history and session information of the host in the result of step 2, and whether it contains privileged users or members of the management group;

4. Use the user login in step 1 and step 3 to filter out the hosts with high permission login records or sessions, and obtain the password hash value of high permission users.

The first and second steps mainly depend on reading and analyzing domain policy. All group policies within the domain open read rights to all domain users. Therefore, we only need to enumerate these domain policies and filter rules, find the domain objects applied by these group policies, and associate the group policies with the group information and the member information of the domain objects, then we can draw a conclusion.

Group policies are stored in the $gpopath \ machine \ Microsoft \ Windows NT \ secedit \ gpttmpl.inf file and the $gpopath \ machine \ preferences \ groups \ groups.xml file. In the experimental environment, we added a group policy named localadmin to add the REDUSER user user to the local administrator group of the login host.

Above is a screenshot of the contents of groups.xml. The following figure is a more friendly screenshot of group policy in the setting options of group policy. Two graphs represent the same group policy.

The grouppolicy module of the system provides get gporeport command, which can convert the group policy of guid parameter into XML or HTML report of friendly interface. The screenshot is as follows. Therefore, we can easily batch process XML reports offline and quickly get the results we want. The GroupPolicy module is default in the domain server. If you want to call the module in Windows 7 and other client systems, you need to install GPMC.

In the actual network attack, it is still difficult to install GPMC in the network fulcrum. Powerview provides similar and more powerful functions. Get domaingpolocalgroup command enumerates and analyzes all group policies, which can easily get results.

The principle of get domaingpolocalgroup is only to analyze whether there is a change of privilege group in gpttmpl.inf file, which will have some defects.

In the group policy example tested in this article, there are two ways to make the current login user the local administrator group of the login host. The group policy editing locations are host configuration \ preferences \ control panel settings \ local users and groups, and user configuration \ preferences \ control panel settings \ local users and groups. The gpttmpl.inf file does not exist when setting in the second way, so running get domaingpolocalgroup has no result. When setting in the first way, gpttmpl.inf exists, so there are running results, as shown in the following figure. In the future, I will improve on this basis.

Get domaingpocomputerlocalgroup enumerates and analyzes all group policies to find out which hosts are set to add the specified domain users to the local Administrators group, which will not be shown here.

0x03 get login record, session and grouping information of the specified host

The third step in the previous section is to obtain the login user record, current session, group, member and other information remotely under the common permission for the specified host or server in the domain. At present, there are many methods and tools for you to refer to. These tools are based on C, python, ruby and other languages, which are easy to use, small and simple. Powerview provides multiple PowerShell commands, which can easily obtain login user records, session information, group information, etc. in the host within the domain. The following figure is a screenshot of the result of get netlocalgroup command to get group members remotely. In the figure, you can see that when net use is empty, you can directly obtain the local management group members of the remote host win7x86cn (win7sp1x8602 is the local host) in the domain through the get netlocalgroup command. In general enterprise network, there are many hosts, and the efficiency of query one by one is relatively low. You can use script to call get netlocalgroup command to query. The invoke enumeratelocaladmin command implements similar functions. It can read the list of hosts from the file, scan and detect in parallel with the specified number of threads, which is more efficient. It will not be shown here.

Summary of 0x04

This paper introduces the method of remote host login record, session, grouping and other information, as well as the method of finding domain users who can join the local administrator group of the host through domain policy, which is very practical in many attack scenarios. It is also helpful to analyze the protection strategy of domain network.

0x05 references