During Penetration Testing engagements one of my favourite issues to exploit is a Domain User with Local Administrator permissions. It’s a pretty common issue to see and when speaking to IT Departments about the issue it seems that the risk is often under-estimated. So a user has been given administrative permission over one workstation – what’s the worst that can happen?
Well first of all, users are really good at choosing bad passwords. The most common password was the word password, so we fixed that by enforcing password complexity. This means that users had to choose three of the four options: uppercase letters, lowercase letters, numbers and symbols. At this the most common password because Password1.
So given that it’s very likely that an attacker will gain at least a small number of users accounts, if any of these have been given local administrative access to their machines it gives an attacker three potential options to leverage this to gain Domain Administrative access.
A old but effective tool to determine which users have local administrator privileges is NBTEnum, it’s a simple one available here launched like this:
nbtenum.exe -q TARGET-IP DOMAINusername password
This will output a HTML report that includes usernames and group memberships!
It’s very common for Windows Domain’s to be configured so that all machines on the network have the same local administrator password for the default administrator account. If this is the case then an attacker can leverage the compromised domain user account to dump the local hashes of the default administrator account and either crack them using John the Ripper or can “pass-the-hash” using Metasploit.
Alternatively, an attacker can sit in wait until a Domain Administrator remotely logs into the compromised workstation and then simply pull the plaintext credentials out of memory! Armed with the local administrator level privileges an attacker can run remote commands against the effected workstation and the load in Mimikatz and dump plain text credentials.
If an attacker isn’t lucky enough to get plaintext credentials they may be able to pull a valid authentication token out of memory which will effectively allow them to impersonate a Domain Administrator account. It’s available here.