[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] RCE by abusing NAC to gain Domain Persistence.

To: Alexander Korznikov <nopernik@xxxxxxxxx>
Subject: Re: [FD] RCE by abusing NAC to gain Domain Persistence.
From: Joey Maresca <jmaresca@xxxxxxxxx>
Date: Wed, 13 Jul 2016 09:20:57 -0500

Congratulations...2013 called and they want their attack back:
https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python/



On Sat, Jul 9, 2016 at 7:45 AM, Alexander Korznikov <nopernik@xxxxxxxxx>
wrote:

> link:
> http://www.korznikov.com/2016/07/rce-by-abusing-nac-to-gain-domain.html
>
> Hi there!
> I want to share how to compromise whole enterprise network in less than ONE
> minute :)
>
> Let's begin... As security consultants, we often advice to our clients to
> implement Network Access Control systems to prevent some nasty people to do
> their nasty things...
>
> This article is not about how to bypass Network Access Control systems, but
> if you're interested, read this:
> http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Arkin.pdf
> In two words, NAT can bypass almost everything and stay undetectable in
> enterprise network.
>
> So when somebody (huge organisations) implementing NAC in their network
> environment, they are implementing a huge backdoor -  called NAC.
>
> Let me explain some NAC logic:
> 1. Check for trusted MAC address.
> 2. Check installed components/registry keys in workstation via WMI
> interface.
> 3. Check another stuff in workstation's NAC agent.
>
> Wait for a second. How NAC will connect to a workstation to check (2)
> Registry Keys via WMI?
> Right. SMB Authentication with highly privileged account, in Domain Admin
> group.
>
> Let's assume these:
> 1. We have a list of workstation's IPs gathered in passive reconnaissance
> (wireshark for example)
> 2. We know which IP belongs to Domain Contoller.
>
> Is something or someone can prevent me from performing SMB-Relay attack?
> NO!
> On servers this will not work, because of SMB Signing option is required.
>
> We take some workstation IP address, and while NAC is performing it's host
> validation, we will relay SMB authentication to legitimate workstation.
>
> It is trivial, but as result we are able to:
> 1. Reuse this authentication token and create a new Domain Admin account.
> 2. In case if this fails, we can create a local administrator account on
> ANY workstation.
> 3. Extract credentials of ALL local users including local admins.
> 4. Gain full control of the corporate network, including Domain Admin
> accounts.
>
> All this is done in less than ONE minute, before the port will be closed
> (by NAC).
>
> This issue was tested on several Network Access Control systems.
>
> Alexander Korznikov & Viktor Minin
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] RCE by abusing NAC to gain Domain Persistence.
  - From: Alexander Korznikov

Prev by Date: [FD] missing input validation in pmount: arbitrary mount as non-root
Next by Date: [FD] Blind SQL Injection PivotX <= v2.3.11
Previous by thread: Re: [FD] RCE by abusing NAC to gain Domain Persistence.
Next by thread: [FD] WSO2 SOA Enablement Server - Server Side Request Forgery
Index(es):
- Date
- Thread