Message-ID: <CAOOpvAoZYzMw1WZ4efBZ3MpsVfOk101M3Nnakphf74Aoe12ddg@mail.gmail.com>
Date: Wed, 13 Jul 2016 09:20:57 -0500
From: Joey Maresca <jmaresca@...il.com>
To: Alexander Korznikov <nopernik@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] RCE by abusing NAC to gain Domain Persistence.
Congratulations...2013 called and they want their attack back:
https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python/
On Sat, Jul 9, 2016 at 7:45 AM, Alexander Korznikov <nopernik@...il.com>
wrote:
> link:
> http://www.korznikov.com/2016/07/rce-by-abusing-nac-to-gain-domain.html
>
> Hi there!
> I want to share how to compromise a whole enterprise network in less than
> ONE minute :)
>
> Let's begin... As security consultants, we often advise our clients to
> implement Network Access Control systems to prevent some nasty people from
> doing their nasty things...
>
> This article is not about how to bypass Network Access Control systems, but
> if you're interested, read this:
> http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Arkin.pdf
> In two words, NAT can bypass almost everything and stay undetectable in an
> enterprise network.
>
> So when somebody (huge organisations) implements NAC in their network
> environment, they are implementing a huge backdoor, called NAC.
>
> Let me explain some NAC logic:
> 1. Check for trusted MAC address.
> 2. Check installed components/registry keys in workstation via WMI
> interface.
> 3. Check other stuff in the workstation's NAC agent.
>
> Wait a second. How will NAC connect to a workstation to check (2) registry
> keys via WMI?
> Right. SMB Authentication with highly privileged account, in Domain Admin
> group.
>
> Let's assume these:
> 1. We have a list of workstation IPs gathered in passive reconnaissance
> (Wireshark, for example).
> 2. We know which IP belongs to the Domain Controller.
>
> Can something or someone prevent me from performing an SMB-Relay attack?
> NO!
> On servers this will not work, because the SMB Signing option is required.
>
> We take some workstation IP address, and while NAC is performing its host
> validation, we relay the SMB authentication to a legitimate workstation.
>
> It is trivial, but as a result we are able to:
> 1. Reuse this authentication token and create a new Domain Admin account.
> 2. If this fails, we can create a local administrator account on
> ANY workstation.
> 3. Extract credentials of ALL local users including local admins.
> 4. Gain full control of the corporate network, including Domain Admin
> accounts.
>
> All this is done in less than ONE minute, before the port is closed
> (by NAC).
>
> This issue was tested on several Network Access Control systems.
>
> Alexander Korznikov & Viktor Minin
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
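The caveat in the quoted post, that the relay fails where SMB signing is required and only lands on hosts that merely have signing enabled (the workstation default), is something worth verifying per host rather than assuming. The script below is an added example from the editor, not code from the original post or from its authors: it builds an SMB2 NEGOTIATE request, parses the SecurityMode flags in the server's NEGOTIATE response (MS-SMB2 sections 2.2.3 and 2.2.4) and reports whether a relayed NTLM authentication could be accepted. The sample responses it classifies are constructed in build_sample_response, not captured traffic; probe_host performs one unauthenticated round trip against a live host and runs only when the script is invoked from the command line. SMB1-only hosts are out of scope.

```python
"""Check SMB2 signing posture: the property that decides whether an SMB relay
like the one described in the thread can land on a given host."""
import socket
import struct
import uuid

# SMB2 header constants (MS-SMB2 2.2.1)
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
# SecurityMode bits shared by NEGOTIATE request and response (MS-SMB2 2.2.3, 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def _smb2_header(command, flags, credits=1):
    """64-byte SMB2 header; MessageId and SessionId are zero, which is valid for NEGOTIATE."""
    return struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, SMB2_HEADER_LEN,
        0, 0,                    # CreditCharge, Status
        command, credits, flags,
        0,                       # NextCommand
        0,                       # MessageId
        0, 0,                    # Reserved, TreeId
        0,                       # SessionId
        b"\x00" * 16,            # Signature (message is unsigned)
    )


def _netbios(pdu):
    """NetBIOS session message framing on TCP/445: type byte 0 plus a 24-bit length."""
    return struct.pack(">I", len(pdu)) + pdu


def build_negotiate_request(dialects=(0x0202, 0x0210)):
    """Client NEGOTIATE offering SMB 2.0.2 and 2.1. We advertise signing as
    enabled but not required, so the reply reflects the server's own policy."""
    body = struct.pack(
        "<HHHHI16sQ",
        36, len(dialects), SMB2_NEGOTIATE_SIGNING_ENABLED,
        0, 0,                    # Reserved, Capabilities
        uuid.uuid4().bytes,      # ClientGuid
        0,                       # ClientStartTime
    ) + b"".join(struct.pack("<H", d) for d in dialects)
    return _netbios(_smb2_header(SMB2_NEGOTIATE, 0) + body)


def parse_signing_mode(raw):
    """Classify a server NEGOTIATE response as 'required', 'enabled' or 'disabled'.
    Accepts the message with or without its 4-byte NetBIOS session header."""
    if raw[:4] != SMB2_MAGIC and raw[4:8] == SMB2_MAGIC:
        raw = raw[4:]
    if raw[:4] != SMB2_MAGIC or len(raw) < SMB2_HEADER_LEN + 6:
        raise ValueError("not an SMB2 message (SMB1-only hosts are out of scope here)")
    command, = struct.unpack_from("<H", raw, 12)
    flags, = struct.unpack_from("<I", raw, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode, _dialect = struct.unpack_from("<HHH", raw, SMB2_HEADER_LEN)
    if struct_size != 65:  # fixed 64 bytes plus the 1-byte variable Buffer marker
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "required"
    if security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def relay_viable(mode):
    """A relayed authentication only lands when the target does not demand a
    signed session; 'enabled' alone (the workstation default) does not stop it."""
    return mode != "required"


def build_sample_response(security_mode, dialect=0x0210):
    """Constructed server NEGOTIATE response for offline use (not captured traffic)."""
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect,
        0,                       # Reserved
        b"\x11" * 16,            # ServerGuid (made up)
        0,                       # Capabilities
        65536, 65536, 65536,     # MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                    # SystemTime, ServerStartTime
        SMB2_HEADER_LEN + 64,    # SecurityBufferOffset
        0,                       # SecurityBufferLength (no GSS token in the sample)
        0,                       # Reserved2
    )
    return _netbios(_smb2_header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body)


def probe_host(ip, port=445, timeout=3.0):
    """Live check against one host: a single NEGOTIATE round trip, no authentication."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        hdr = s.recv(4)
        want = int.from_bytes(hdr[1:4], "big")
        data = b""
        while len(data) < want:
            chunk = s.recv(want - len(data))
            if not chunk:
                break
            data += chunk
        return parse_signing_mode(data)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        mode = probe_host(host)
        print("%s signing=%s relay_viable=%s" % (host, mode, relay_viable(mode)))
```

Run it against the workstation list gathered passively and against the domain controllers: the post's claim predicts "enabled" on the workstations and "required" on the servers. Any host that reports "disabled" or "enabled" is one where the NAC scanner's authentication could be relayed, and the fix on the defending side is the same in either case: require SMB signing on the client and server policy of every domain member, not only on servers.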