lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 13 Jul 2016 09:20:57 -0500
From: Joey Maresca <>
To: Alexander Korznikov <>
Subject: Re: [FD] RCE by abusing NAC to gain Domain Persistence.

Congratulations...2013 called and they want their attack back:

On Sat, Jul 9, 2016 at 7:45 AM, Alexander Korznikov <>

> link:
> Hi there!
> I want to share how to compromise whole enterprise network in less than ONE
> minute :)
> Let's begin... As security consultants, we often advice to our clients to
> implement Network Access Control systems to prevent some nasty people to do
> their nasty things...
> This article is not about how to bypass Network Access Control systems, but
> if you're interested, read this:
> In two words, NAT can bypass almost everything and stay undetectable in
> enterprise network.
> So when somebody (huge organisations) implementing NAC in their network
> environment, they are implementing a huge backdoor -  called NAC.
> Let me explain some NAC logic:
> 1. Check for trusted MAC address.
> 2. Check installed components/registry keys in workstation via WMI
> interface.
> 3. Check another stuff in workstation's NAC agent.
> Wait for a second. How NAC will connect to a workstation to check (2)
> Registry Keys via WMI?
> Right. SMB Authentication with highly privileged account, in Domain Admin
> group.
> Let's assume these:
> 1. We have a list of workstation's IPs gathered in passive reconnaissance
> (wireshark for example)
> 2. We know which IP belongs to Domain Contoller.
> Is something or someone can prevent me from performing SMB-Relay attack?
> NO!
> On servers this will not work, because of SMB Signing option is required.
> We take some workstation IP address, and while NAC is performing it's host
> validation, we will relay SMB authentication to legitimate workstation.
> It is trivial, but as result we are able to:
> 1. Reuse this authentication token and create a new Domain Admin account.
> 2. In case if this fails, we can create a local administrator account on
> ANY workstation.
> 3. Extract credentials of ALL local users including local admins.
> 4. Gain full control of the corporate network, including Domain Admin
> accounts.
> All this is done in less than ONE minute, before the port will be closed
> (by NAC).
> This issue was tested on several Network Access Control systems.
> Alexander Korznikov & Viktor Minin
> _______________________________________________
> Sent through the Full Disclosure mailing list
> Web Archives & RSS:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists