From Leak to Domain Administrator
This article is an in-depth look at one of the most common vulnerabilities found in our previous article, namely CVE-2017-0143 (otherwise known as ETERNALBLUE). In April 2017 a set of exploits for several vulnerabilities leaked onto the public Internet. These vulnerabilities were highly critical in that they affected almost all Windows versions to date. The bug was found in the network file sharing protocol (SMB), which is enabled on many machines by default. It allows an attacker full administrative access to the affected machine over the network. It was rated so critical that Microsoft released emergency patches even for unsupported operating systems such as XP and 2003, urging everyone to install the security patch as quickly as possible.
WannaCry
Cybercriminals were quick to build ransomware that took advantage of this vulnerability. It was called WannaCry and made headlines in newspapers all over the world when around 150 countries were affected. System administrators had simply not had enough time to patch their systems before the malware hit them. To this day, when performing security audits of networks, we still encounter this vulnerability due to a lack of patch management.
Machine Compromise
There are several databases online hosting exploits for known vulnerabilities, such as www.exploit-db.com. Anyone can go there, search for the specific software they want to target, and download an exploit script that will compromise the machine. This particular vulnerability allows remote code execution, which means that a remote attacker on the network is able to compromise the target machine and run commands as if they were sitting at the keyboard of the target. This vulnerability instantly makes the attacker an administrator of the machine, so in theory they could install ransomware, record video and audio from the webcam and more.
The typical thing that we do during a penetration test is to identify the purpose of the system. Is it a database or file server containing sensitive information? Is it an employee laptop or a server used by network administrators? This gives us an indication of what to look for. Also stored on the system are passwords for the user accounts used to log in, and often passwords saved in browsers as well. Since people are often the weakest link in security, we dump these passwords and crack them. The idea is that people reuse the same password to access other systems and applications. The passwords are most likely not stored in clear text on the machine (though that happens a bit too often). Ethical and malicious hackers alike use password cracking tools such as Hashcat to guess the password and compare each guess against the dumped (hashed) version. This is not as difficult as it sounds, thanks to the processing power of today's computers: it is possible to test millions of guesses in mere seconds. The old recommendation of having a password of eight (8) characters is outdated, and today it is advisable to use at least twelve.
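To put numbers on the eight-versus-twelve-character advice, the following is an added example (not code from the article) that computes the keyspace a brute-force attack must cover for a given password length and character set, and how long exhausting it takes at an assumed guess rate. The guess rates and sample passwords are constructed assumptions for illustration; real Hashcat rates depend on the hash type and hardware.

```python
"""Keyspace and time-to-exhaust estimates for password length policies.

Added example: the guess rates and sample passwords below are constructed
assumptions, not measurements from the article.
"""

import string

# Character classes a policy typically distinguishes, with their sizes.
CLASS_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, 32),
}

# Constructed assumption: guesses per second for a fast, unsalted hash on a
# single GPU rig. Adjust to your own measured figures.
ASSUMED_GUESSES_PER_SECOND = 10**9


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int,
                       guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in the keyspace."""
    return keyspace(length, charset_size) / guesses_per_second


def charset_size_of(password: str) -> int:
    """Effective alphabet size implied by the character classes actually used."""
    return sum(size for alphabet, size in CLASS_SIZES.values()
               if any(c in alphabet for c in password))


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit (for reporting)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Length-only policy check matching the article's twelve-character advice."""
    return len(password) >= min_length


def report(password: str) -> str:
    """One-line summary of how a password's length and alphabet affect brute force."""
    size = charset_size_of(password)
    secs = seconds_to_exhaust(len(password), size)
    verdict = "OK" if meets_policy(password) else "too short"
    return (f"length={len(password)} charset={size} "
            f"exhaust={human_duration(secs)} policy={verdict}")


if __name__ == "__main__":
    # Constructed sample passwords (do not use any of these).
    for pw in ["Summer17", "Tr0ub4dor&3", "correct-horse-battery"]:
        print(report(pw))
    for length in (8, 12):
        print(f"{length} alphanumeric chars: "
              f"{human_duration(seconds_to_exhaust(length, 62))}")
```

Run it to see that eight alphanumeric characters fall within days at the assumed rate, while twelve push the worst case into tens of thousands of years; the reporting function is what a policy audit would attach to each finding.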
Privilege Escalation
Once we have obtained the passwords found on the system, it is time to move further into the network and escalate our privileges. The goal of any penetration test is to become Domain Administrator. Once those access rights are achieved, we are able to access any machine connected to the domain and do anything we would like. This includes file servers, e-mail servers and much more.
We can use tools such as BloodHound to test our newly found credentials over the network. It builds a map showing the relations between user accounts, groups and machines within the Windows domain.
This gives us attack vectors and the shortest paths to follow to reach our goal. It is important to first gain administrative access to the initially compromised machine; after that, you need to compromise a domain-joined machine (if the first one is not already joined to the domain). Once we are on the domain, it is usually just a matter of time until we obtain domain admin access. This is easily done by impersonating a user who has already logged on to the system and using their privileges to move further. A malicious attacker would lie low for months and harvest user credentials until they are able to access the systems they are after.
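The map BloodHound builds is a directed graph, and the shortest path to Domain Admins is a breadth-first search over it. The following is an added example, not BloodHound's code or data, that builds such a graph from a handful of constructed relationships (users, groups and computers are all invented) and shows the two questions a defender gets from it: which principals have any path to Domain Admins, and whether cutting a single edge (here a cached session on a file server) breaks the path. The relationship names MemberOf, AdminTo and HasSession follow BloodHound's vocabulary; everything else is assumed.

```python
"""Shortest-path analysis over a constructed Active Directory relationship graph.

Added example modelled on the kind of map BloodHound builds. All principals,
computers and edges below are constructed for illustration.
"""

from collections import deque

# (source, relationship, target). MemberOf: principal -> group.
# AdminTo: principal -> computer it administers.
# HasSession: computer -> user whose credentials are cached there.
CONSTRUCTED_EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("WS01", "HasSession", "bob"),
    ("bob", "MemberOf", "Server Admins"),
    ("Server Admins", "AdminTo", "FS01"),
    ("FS01", "HasSession", "da_carol"),
    ("da_carol", "MemberOf", "Domain Admins"),
    ("alice", "AdminTo", "WS02"),        # dead end for the path below
    ("WS02", "HasSession", "alice"),
]

TARGET = "Domain Admins"


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """BFS from start to goal; returns the edge list of the path, or None."""
    if start not in graph or goal not in graph:
        return None
    prev = {start: None}             # node -> (parent, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node] is not None:
                parent, rel = prev[node]
                path.append((parent, rel, node))
                node = parent
            return list(reversed(path))
        for rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def exposed_principals(graph, goal):
    """Every node with some path to goal (BFS over reversed edges), sorted."""
    reverse = {node: [] for node in graph}
    for src, outs in graph.items():
        for _, dst in outs:
            reverse[dst].append(src)
    seen = {goal}
    queue = deque([goal])
    while queue:
        node = queue.popleft()
        for parent in reverse[node]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    seen.discard(goal)
    return sorted(seen)


def without_edge(edges, edge):
    """Simulate a remediation (e.g. clearing a cached session) by removing one edge."""
    return [e for e in edges if e != edge]


def format_path(path):
    """Render a path as 'a -[rel]-> b -[rel]-> c' for a report."""
    if not path:
        return "(no path)"
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


if __name__ == "__main__":
    graph = build_graph(CONSTRUCTED_EDGES)
    print("Path for alice:", format_path(shortest_path(graph, "alice", TARGET)))
    print("Principals exposed to", TARGET + ":", exposed_principals(graph, TARGET))
    fixed = build_graph(without_edge(CONSTRUCTED_EDGES, ("FS01", "HasSession", "da_carol")))
    print("After clearing da_carol's session on FS01:",
          format_path(shortest_path(fixed, "alice", TARGET)))
```

The last two lines are the remediation view: removing one HasSession edge (a domain admin no longer leaving a session on a file server) is enough to cut alice's path, which is the kind of change a defender prioritises from such a map.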
Conclusion
Critical vulnerabilities like these, once published online, can be extremely dangerous. They appear quite often, and as we have seen many times before, cybercriminals are quick to write new malware based on the latest disclosures. It can be used to encrypt patient journals in hospitals, as WannaCry has shown, and ethical hackers performing security audits also need to be aware of the latest findings and quickly adopt new exploits in order to be successful.
One of the most important things you can do to protect against this is to make sure you have a solid patch management process. Your security is only as strong as the weakest system on the network. If even one machine is forgotten and left unpatched, it will sooner or later be hit by a critical vulnerability.
Another important thing is to perform security audits regularly. You need to be aware of all your security risks before you are able to address them. You cannot bury your head in the sand and gamble on an attack not happening to you.