lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jul 2016 09:20:57 -0500 From: Joey Maresca <jmaresca@...il.com> To: Alexander Korznikov <nopernik@...il.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] RCE by abusing NAC to gain Domain Persistence. Congratulations...2013 called and they want their attack back: https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python/ On Sat, Jul 9, 2016 at 7:45 AM, Alexander Korznikov <nopernik@...il.com> wrote: > link: > http://www.korznikov.com/2016/07/rce-by-abusing-nac-to-gain-domain.html > > Hi there! > I want to share how to compromise whole enterprise network in less than ONE > minute :) > > Let's begin... As security consultants, we often advice to our clients to > implement Network Access Control systems to prevent some nasty people to do > their nasty things... > > This article is not about how to bypass Network Access Control systems, but > if you're interested, read this: > http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Arkin.pdf > In two words, NAT can bypass almost everything and stay undetectable in > enterprise network. > > So when somebody (huge organisations) implementing NAC in their network > environment, they are implementing a huge backdoor - called NAC. > > Let me explain some NAC logic: > 1. Check for trusted MAC address. > 2. Check installed components/registry keys in workstation via WMI > interface. > 3. Check another stuff in workstation's NAC agent. > > Wait for a second. How NAC will connect to a workstation to check (2) > Registry Keys via WMI? > Right. SMB Authentication with highly privileged account, in Domain Admin > group. > > Let's assume these: > 1. We have a list of workstation's IPs gathered in passive reconnaissance > (wireshark for example) > 2. We know which IP belongs to Domain Contoller. > > Is something or someone can prevent me from performing SMB-Relay attack? > NO! > On servers this will not work, because of SMB Signing option is required. > > We take some workstation IP address, and while NAC is performing it's host > validation, we will relay SMB authentication to legitimate workstation. > > It is trivial, but as result we are able to: > 1. Reuse this authentication token and create a new Domain Admin account. > 2. In case if this fails, we can create a local administrator account on > ANY workstation. > 3. Extract credentials of ALL local users including local admins. > 4. Gain full control of the corporate network, including Domain Admin > accounts. > > All this is done in less than ONE minute, before the port will be closed > (by NAC). > > This issue was tested on several Network Access Control systems. > > Alexander Korznikov & Viktor Minin > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists