Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Login into Network Workstation as Local Administrator (https://forum.exetools.com/showthread.php?t=18238)

TmC 05-09-2017 21:56

Login into Network Workstation as Local Administrator
 
Since I saw that there are some discussions on hacking tools and network related issues, I'd like to post a question on something that might be a problem.

The scenario is the following:

We have a network with many workstations and multiple domains. Each Single Workstation checks for username and password, on Windows Logon, against an Active Directory Domain Controller.

Each machine itself does not have local accounts configured, except for the Administrator one that, to avoid easy password-guessing attempts, has been given a different name (so you would need to guess the username too).

All the machines on the network share the same "disguised Administrator" account credentials (let's suppose these are Adm1n1str4t0r/P4ssw0rd).

To log in to a specific domain on Windows, you type "DOMAIN\username" on the login screen, but if you want to log in locally, you just type "username" or, as stated by Windows, "COMPUTERNAME\username".

Recently we discovered that someone has been able to get the administrator username/password combination, mostly to install a program that was not provided with the machine.

This is not a problem in itself, but what I am asking is: Is it possible, using the Windows suggestions, to log in as an Administrator on remote machines? In other words: does REMOTECOMPUTERNAME\username allow someone to remotely log in as a local user on the remote machine? If so, what would the user be able to do? Would he be able to access the files in a network folder on the remote computer, bypassing the Domain Controller authentication, since he is seen as a local user?

I am asking this because there might be people whose account does not allow access to some network folders, and who might gain access to these once logged onto the remote machine with local credentials, so I'm trying to figure out if this is possible.

Cryo 05-10-2017 02:18

Quote:

Originally Posted by TmC (Post 109188)
Is it possible, using the Windows suggestions, to log in as an Administrator on remote machines? In other words: does REMOTECOMPUTERNAME\username allow someone to remotely log in as a local user on the remote machine? If so, what would the user be able to do? Would he be able to access the files in a network folder on the remote computer, bypassing the Domain Controller authentication, since he is seen as a local user?

Let's say we have a system that's set up like so:

Code:

Workstation 1:
    Domain:    ACME
    Hostname:  LOCALWIN
    Users:    Administrator, Bob, Alice

And that the system allows for members of the Domain Users group to login to it.

If the domain policies (GPO, etc.) didn't forbid logging in via RDP, then I would be able to log in to the remote system from my own system using the accounts LOCALWIN\Administrator, LOCALWIN\Bob, and LOCALWIN\Alice, as well as accounts such as ACME\Steve. The account that I log in as would have the same level of access as it would if I had logged in while physically sitting at that system, for the most part.

Kerlingen 05-10-2017 16:49

Renaming the local admin account is only useful if somebody has no possibility to bypass the "enter username/password" dialog and would need to guess both. If a user can log in with a local or domain account, he can list all local accounts of the computer he's working on. There is no way to prevent that.

If two computers have a local account with the same username/password combination and one of them accesses the other over the network, Windows will test the current login credentials before even asking for a username/password for the remote computer. There are some small annoyances, like losing your elevation status when you access remote network shares from an admin account, but since you have admin rights you can just elevate again.

So if all computers share the same admin username/password, of course anybody who knows that information can log in on those computers.

Accessing "network folders" is of course something else. A local admin has only local rights. Unless you have important data stored on workstations or use the same username/password for the domain admin, accessing server data will only work with a valid domain account.

A bad person could use the local admin to install some spyware which waits until a user with valid domain credentials logs in and access server data that way.

I really hope you are just a concerned employee and not the person responsible for the security of the network. ;-)

TechLord 05-11-2017 02:38

Nowadays the keyword is exploits, exploits, exploits for any such tasks ;)

It's considered way too time-consuming to actually attempt a login by knowing the actual passwords, especially on networked machines.

That too on WINDOWS networked machines :D

So in other words, the short answer to your question is YES, they can basically "logon" to the machines but not necessarily by using the password and other usual logon credentials...

surferxyz 05-11-2017 03:39

With the default configuration on Windows it is possible to log in and execute commands as the local administrator user remotely. This can be done a few ways, and in fact you don't even need the password, only the hash.

There are tools to make it easy to exploit this situation such as:
https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html

This article explains how it is possible to use WMI when you know admin credentials to execute commands and references other techniques:
https://www.trustedsec.com/june-2015/no_psexec_needed/

The techniques listed in that article all provide a way, with a local administrator account, to get code execution on a remote box with the Windows default settings (at least up to Windows 7; I am not completely sure about 8/10).
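A defender-side check that follows from Cryo's, Kerlingen's and surferxyz's replies: a local account used over the network shows up in Security event 4624 with the account domain equal to the hostname instead of the AD domain, and the same account arriving from one source at several workstations is the shared-password situation TmC describes. This example is added here and is not code from the thread; it assumes the events were exported as one JSON object per line and uses constructed sample events with the thread's ACME/LOCALWIN names.

```python
import json
from collections import defaultdict

AD_DOMAINS = {"ACME"}          # assumed: the AD domain(s) workstations are joined to
NETWORK_LOGON_TYPES = {3, 10}  # 3 = network (SMB, WMI, admin shares), 10 = RemoteInteractive (RDP)

def _ev(computer, user, domain, ltype, pkg, ip):
    return json.dumps({"EventID": 4624, "Computer": computer, "TargetUserName": user,
                       "TargetDomainName": domain, "LogonType": ltype,
                       "AuthenticationPackageName": pkg, "IpAddress": ip})

# Constructed sample export (one JSON event per line), not real log data.
SAMPLE_EVENTS = "\n".join([
    _ev("LOCALWIN", "Alice", "ACME", 2, "Kerberos", "-"),                  # console logon, domain user
    _ev("LOCALWIN", "Adm1n1str4t0r", "LOCALWIN", 3, "NTLM", "10.0.0.25"),  # local admin over the network
    _ev("WS02", "Adm1n1str4t0r", "WS02", 3, "NTLM", "10.0.0.25"),          # same account, same source, next host
    _ev("WS03", "Adm1n1str4t0r", "WS03", 10, "Negotiate", "10.0.0.25"),    # RDP as the local admin
    _ev("WS03", "Steve", "ACME", 10, "Kerberos", "10.0.0.40"),             # RDP as a domain user: expected
    _ev("WS02", "WS03$", "ACME", 3, "Kerberos", "10.0.0.3"),               # machine account: ignored
])

def parse_events(text):
    """Parse a one-JSON-object-per-line export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_local_account(ev):
    """Local accounts authenticate against the workstation itself, so the event's
    account domain is the hostname rather than an AD domain."""
    domain = ev["TargetDomainName"].upper()
    if ev["TargetUserName"].endswith("$") or domain in {"NT AUTHORITY", "WINDOW MANAGER"}:
        return False  # machine and built-in service accounts are not what we look for
    return domain == ev["Computer"].upper() and domain not in AD_DOMAINS

def local_account_network_logons(events):
    """Return successful logons (4624) where a local account arrived over the network."""
    return [ev for ev in events
            if ev.get("EventID") == 4624 and ev.get("LogonType") in NETWORK_LOGON_TYPES
            and is_local_account(ev)]

def reuse_across_hosts(hits, min_hosts=2):
    """Group by (source IP, username): one source reaching several workstations with
    the same local account name is the shared-password scenario from the thread."""
    hosts = defaultdict(set)
    for ev in hits:
        hosts[(ev["IpAddress"], ev["TargetUserName"].lower())].add(ev["Computer"].upper())
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    hits = local_account_network_logons(parse_events(SAMPLE_EVENTS))
    print(len(hits), "local-account network logons; reuse:", reuse_across_hosts(hits))
```

Giving every workstation a unique local administrator password (Microsoft LAPS does this) removes the shared-credential condition the check looks for; the built-in RID 500 account is exempt from the UAC remote token filter, so it stays the account worth watching.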

cybercoder 05-11-2017 13:16

Pass the hash ;) I thought MS fixed this? Obviously not.. :P

