Selasa, 25 Agustus 2020

Thousand Ways To Backdoor A Windows Domain (Forest)

When the Kerberos elevation of privilege (CVE-2014-6324 / MS14-068) vulnerability has been made public, the remediation paragraph of the following blog post made some waves:
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain."

Personally, I agree with this, but .... But whether this is the real solution, I'm not sure. And the same applies to compromised computers. When it has been identified that malware was able to run on the computer (e.g. scheduled scan found the malware), there is no easy way to determine with 100% certainty that there is no rootkit on the computer. Thus rebuilding the computer might be a good thing to consider. For paranoids, use new hardware ;)

But rebuilding a single workstation and rebuilding a whole domain is not on the same complexity level. Rebuilding a domain can take weeks or months (or years, which will never happen, as the business will close before that).

There are countless documented methods to backdoor a computer, but I have never seen a post where someone collects all the methods to backdoor a domain. In the following, I will refer to domain admin, but in reality, I mean Domain Admins, Enterprise Admins, and Schema Admins.


Ways to backdoor a domain

So here you go, an incomplete list to backdoor a domain:

  • Create a new domain admin user. Easy to do, easy to detect, easy to remediate
  • Dump password hashes. The attacker can either crack those or just pass-the-hash. Since KB2871997, pass-the-hash might be trickier (https://technet.microsoft.com/library/security/2871997), but not impossible. Easy to do, hard to detect, hard to remediate - just think about service user passwords. And during remediation, consider all passwords compromised, even strong ones.
  • Logon scripts - modify the logon scripts and add something malicious in it. Almost anything detailed in this post can be added :D
  • Use an already available account, and add domain admin privileges to that. Reset its password. Mess with current group memberships - e.g. http://www.exploit-db.com/papers/17167/
  • Backdoor any workstation where domain admins login. While remediating workstations, don't forget to clean the roaming profile. The type of backdoor can use different forms: malware, local admin, password (hidden admin with 500 RID), sticky keys, etc.
  • Backdoor any domain controller server. For advanced attacks, see Skeleton keys 
  • Backdoor files on network shares which are commonly used by domain admins by adding malware to commonly used executables - Backdoor factory
  • Change ownership/permissions on AD partitions - if you have particular details on how to do this specifically, please comment
  • Create a new domain user. Hide admin privileges with SID history. Easy to do, hard to detect, easy to remediate - check Mimikatz experimental for addsid
  • Golden tickets - easy to do, hard to detect, medium remediation
  • Silver tickets - easy to do, hard to detect, medium/hard remediation
  • Backdoor workstations/servers via group policy
    • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunOnce,
    • scheduled tasks (run task 2 years later),
    • sticky-keys with debug
  • Backdoor patch management tool, see slides here
[Update 2017.01.10]


Other tricks

The following list does not fit in the previous "instant admin" tips, but still, it can make the attackers life easier if their primary foothold has been disabled:

  • Backdoor recent backups - and when the backdoor is needed, destroy the files, so the files will be restored from the backdoored backup
  • Backdoor the Exchange server - get a copy of emails
  • Backdoor workstation/server golden image
  • Change permission of logon scripts to allow modification later
  • Place malicious symlinks to file shares, collect hashes via SMB auth tries on specified IP address, grab password hashes later
  • Backdoor remote admin management e.g. HP iLO - e.g. create new user or steal current password
  • Backdoor files e.g. on shares to use in SMB relay
  • Backdoor source code of in-house-developed software
  • Use any type of sniffed or reused passwords in new attacks, e.g. network admin, firewall admin, VPN admin, AV admin, etc.
  • Change the content of the proxy pac file (change browser configuration if necessary), including special exception(s) for a chosen domain(s)  to use proxy on malicious IP. Redirect the traffic, enforce authentication, grab password hashes, ???, profit.
  • Create high privileged users in applications running with high privileges, e.g. MSSQL, Tomcat, and own the machine, impersonate users, grab their credentials, etc. The typical pentest path made easy.
  • Remove patches from servers, change patch policy not to install those patches.
  • Steal Windows root/intermediate CA keys
  • Weaken AD security by changing group policy (e.g. re-enabling LM-hashes)
Update [2015-09-27]: I found this great presentation from Jakob Heidelberg. It mentions (at least) the following techniques, it is worth to check these:
  • Microsoft Local Administrator Password Solution
  • Enroll virtual smart card certificates for domain admins

Forensics

If you have been chosen to remediate a network where attackers gained domain admin privileges, well, you have a lot of things to look for :)

I can recommend two tools which can help you during your investigation:

Lessons learned

But guess what, not all of these problems are solved by rebuilding the AD. One has to rebuild all the computers from scratch as well. Which seems quite impossible. When someone is creating a new AD, it is impossible not to migrate some configuration/data/files from the old domain. And whenever this happens, there is a risk that the new AD will be backdoored as well.

Ok, we are doomed, but what can we do? I recommend proper log analysis, analyze trends, and detect strange patterns in your network. Better spend money on these, than on the domain rebuild. And when you find something, do a proper incident response. And good luck!

Ps: Thanks to Andrew, EQ, and Tileo for adding new ideas to this post.

Check out the host backdooring post as well! :)
Related articles
  1. Hacking Tools Kit
  2. Hacker Tools Github
  3. Hack Tools For Pc
  4. Hack Apps
  5. Hack Tools Download
  6. Hack Tools For Mac
  7. Ethical Hacker Tools
  8. Hacking Tools Name
  9. How To Install Pentest Tools In Ubuntu
  10. Github Hacking Tools
  11. Hacker Tools Free
  12. Computer Hacker
  13. How To Make Hacking Tools
  14. Hacking Tools For Windows
  15. Hacking Tools Online
  16. Hacking Tools 2020
  17. Hack Tools For Windows
  18. Hacking Tools For Beginners
  19. Hack Tools Download
  20. Hacking Apps
  21. Hacker Tools
  22. Pentest Tools For Mac
  23. Pentest Tools Port Scanner
  24. Hacking Tools Hardware
  25. Hacking Tools Usb
  26. Hacks And Tools
  27. What Is Hacking Tools
  28. Pentest Tools For Mac
  29. Hak5 Tools
  30. Pentest Tools Find Subdomains
  31. Hacking Tools Online
  32. Pentest Tools Windows
  33. Hacking Tools For Windows 7
  34. Hacker Tools For Mac
  35. Pentest Tools Find Subdomains
  36. Hacking Tools
  37. Blackhat Hacker Tools
  38. Hacking Tools 2020
  39. Hack Tools Github
  40. Pentest Tools Alternative
  41. Termux Hacking Tools 2019
  42. Hacking Tools
  43. Pentest Tools Open Source
  44. Hack Tool Apk No Root
  45. Pentest Recon Tools
  46. Nsa Hacker Tools
  47. Hacker Tools Windows
  48. Hacker Tools Linux
  49. Computer Hacker
  50. Tools For Hacker
  51. Hackrf Tools
  52. Hacker Tools List
  53. Beginner Hacker Tools
  54. Hack Tools Mac
  55. Hack Tools For Windows
  56. Hacking Tools Windows
  57. Hacking Tools Mac
  58. Tools For Hacker
  59. Best Hacking Tools 2019
  60. Hack And Tools
  61. Hacking App
  62. Hack Tools Pc
  63. Pentest Tools For Android
  64. Hacker Search Tools
  65. Pentest Tools Website Vulnerability
  66. Blackhat Hacker Tools
  67. Hacker Tools For Windows
  68. Hack Rom Tools
  69. Tools Used For Hacking
  70. Hack Tools For Games
  71. Pentest Recon Tools
  72. Pentest Tools Free
  73. How To Hack
  74. Best Pentesting Tools 2018
  75. Best Hacking Tools 2020
  76. Black Hat Hacker Tools
  77. Best Hacking Tools 2020
  78. Hacking Tools Free Download
  79. Usb Pentest Tools
  80. Pentest Tools Bluekeep
  81. Pentest Tools Tcp Port Scanner
  82. Black Hat Hacker Tools
  83. Hacking App
  84. Hacking Tools And Software
  85. Termux Hacking Tools 2019
  86. Ethical Hacker Tools
  87. Hacking Tools For Pc
  88. Best Hacking Tools 2020
  89. Hacking Tools Windows 10
  90. Hacking Tools Windows
  91. Android Hack Tools Github
  92. Hack Tools For Pc
  93. Android Hack Tools Github
  94. Hacker Tools For Windows
  95. Growth Hacker Tools
  96. Hacking Tools Mac
  97. Hack Tools Download
  98. Hacker Tools For Mac
  99. Hacker Tools Hardware
  100. Hack Tools Download
  101. Physical Pentest Tools
  102. Hacker Tools Mac
  103. Best Hacking Tools 2019
  104. Black Hat Hacker Tools
  105. Nsa Hack Tools Download
  106. Hacking Tools Software
  107. Pentest Tools Apk
  108. Hacking Tools Windows
  109. Hacking Tools For Pc
  110. Hack Tools Online
  111. Underground Hacker Sites
  112. Nsa Hack Tools Download
  113. Black Hat Hacker Tools
  114. Hack Tools For Windows
  115. Pentest Tools Android
  116. Hack And Tools
  117. Nsa Hack Tools Download
  118. How To Make Hacking Tools
  119. Hacker Tools List
  120. Growth Hacker Tools
  121. Pentest Tools Linux
  122. Best Hacking Tools 2020
  123. Hacker Security Tools
  124. How To Install Pentest Tools In Ubuntu
  125. Pentest Tools Url Fuzzer
  126. Hacking Tools Hardware
  127. Underground Hacker Sites
  128. Hackrf Tools
  129. Hacker Tools Windows
  130. Hacker Search Tools
  131. Hacker Hardware Tools
  132. Hacking Tools Usb
  133. Hacker Tools Online
  134. Pentest Tools Download
  135. Github Hacking Tools
  136. Black Hat Hacker Tools
  137. Hacker Tools Hardware
  138. Pentest Automation Tools
  139. Hacker Tools For Mac
  140. Beginner Hacker Tools
  141. Hacker Techniques Tools And Incident Handling
  142. Hacker Tools For Pc
  143. Physical Pentest Tools
  144. Hack Tools
  145. Hacker Tool Kit
  146. Hak5 Tools
  147. Hackrf Tools
  148. Pentest Tools Website
  149. Hack And Tools
  150. New Hack Tools
  151. Hacker Tool Kit
  152. Hacking Tools For Beginners
  153. Blackhat Hacker Tools
  154. Pentest Tools Website
  155. World No 1 Hacker Software
  156. Install Pentest Tools Ubuntu
  157. Hacker Search Tools
  158. Hacker Tools 2020
  159. Pentest Tools Nmap
  160. Wifi Hacker Tools For Windows
  161. Hacking Tools For Kali Linux
  162. Hacker Tools Windows
  163. Pentest Automation Tools
  164. Best Hacking Tools 2020
Diposting oleh di

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)