EXETOOLS FORUM  
#1, 05-09-2017 21:56: TmC (VIP; Join Date: Aug 2004; Posts: 274)
Login into Network Workstation as Local Administrator

Since I saw that there are some discussions on hacking tools and network-related issues, I'd like to post a question on something that might be a problem.

The scenario is the following:

We have a network with many workstations and multiple domains. Each single workstation checks the username and password, on Windows logon, against an Active Directory domain controller.

Each machine itself does not have local accounts configured, except for the Administrator one, which, to avoid easy password-guessing attempts, has been given a different name (so you would need to guess the username too).

All the machines on the network share the same "disguised Administrator" account credentials (let's suppose these are Adm1n1str4t0r/P4ssw0rd).

To log in to a specific domain on Windows, you type "DOMAIN\username" on the login screen, but if you want to log in locally, you just type "username" or, as stated by Windows, "COMPUTERNAME\username".

Recently we discovered that someone has been able to get the administrator username/password combination, mostly to install a program that was not provided with the machine.

This is not a problem, but what I am asking is: is it possible, using the Windows suggestions, to log in as an Administrator on remote machines? Said in other words: does REMOTECOMPUTERNAME\username allow someone to remotely log in as a local user on the remote machine? If so, what would the user be able to do? Would he be able to access the files in a network folder on the remote computer, bypassing the Domain Controller authentication, since he is seen as a local user?

I am asking this because there might be people whose account does not allow access to some network folders who might gain access to these once logged on to the remote machine with local credentials, so I'm trying to figure out whether this is possible.
#2, 05-10-2017 02:18: Cryo (Friend; Join Date: Sep 2016; Posts: 7)
Quote, originally posted by TmC:
    Is it possible, using the Windows suggestions, to log in as an Administrator on remote machines? Said in other words: does REMOTECOMPUTERNAME\username allow someone to remotely log in as a local user on the remote machine? If so, what would the user be able to do? Would he be able to access the files in a network folder on the remote computer, bypassing the Domain Controller authentication, since he is seen as a local user?
Let's say we have a system that's set up like so:

Code:
Workstation 1:
    Domain:    ACME
    Hostname:  LOCALWIN
    Users:     Administrator, Bob, Alice
And that the system allows members of the Domain Users group to log in to it.

If the domain policies (GPO, etc.) didn't forbid logging in via RDP, then I would be able to log in to the remote system from my own system using the accounts LOCALWIN\Administrator, LOCALWIN\Bob, and LOCALWIN\Alice, as well as with accounts such as ACME\Steve. The account that I log in as would have the same level of access as it would if I had logged in while physically sitting at that system, for the most part.
#3, 05-10-2017 16:49: Kerlingen (VIP; Join Date: Feb 2011; Posts: 251)
Renaming the local admin account is only useful if somebody has no possibility to bypass the "enter username/password" dialog and would need to guess both. If a user can log in with a local or domain account, he can list all local accounts of the computer he's working on. There is no way to prevent that.

If two computers have a local account with the same username/password combination and one of them accesses the other over the network, Windows will test the current login credentials before even asking for a username/password for the remote computer. There are some small annoyances, like losing your elevation status when you access remote network shares from an admin account, but since you have admin rights you can just elevate again.

So if all computers share the same admin username/password, of course anybody who knows that information can log in on those computers.

Accessing "network folders" is of course something else. A local admin has only local rights. Unless you have important data stored on workstations or use the same username/password for the domain admin, accessing server data will only work with a valid domain account.

A bad person could use the local admin to install some spyware which waits until a user with valid domain credentials logs in and access server data that way.

I really hope you are just a concerned employee and not the person responsible for the security of the network. ;-)
#4, 05-11-2017 02:38: TechLord (VIP; Location: PlanetTech; Join Date: Mar 2005; Posts: 479)
Nowadays the keyword is exploits, exploits, exploits for any such tasks.

It's considered way too time-consuming to try to actually attempt a login by knowing the actual passwords, especially on networked machines.

That too on WINDOWS networked machines.

So in other words, the short answer to your question is YES, they can basically "logon" to the machines but not necessarily by using the password and other usual logon credentials...
#5, 05-11-2017 03:39: surferxyz (Friend; Location: Planet Earth; Join Date: Jan 2005; Posts: 46)
With the default configuration on Windows it is possible to log in and execute commands as the local administrator user remotely. This can be done in a few ways, and in fact you don't even need the password, only the hash.

There are tools to make it easy to exploit this situation such as:
https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html

This article explains how it is possible to use WMI when you know admin credentials to execute commands and references other techniques:
https://www.trustedsec.com/june-2015/no_psexec_needed/

The techniques listed in that article all provide a way, with a local administrator account, to get code execution on a remote box with the Windows default settings (at least up to Windows 7; I am not completely sure about 8/10).

Last edited by surferxyz; 05-11-2017 at 03:44.
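The remote use of a local account that Cryo, Kerlingen and surferxyz describe shows up in the workstation's own Security log as event 4624 with a network (type 3) or RDP (type 10) logon whose account domain is the computer name rather than the AD domain. The Python below is a detection example added here, not code from the thread or from the tools linked above; the event records, the WS-* hostnames and the 10.0.0.x addresses are constructed, and the account name Adm1n1str4t0r is TmC's own example.

```python
# Added example (not from the thread): flag remote logons that use a LOCAL
# account on a domain-joined workstation, i.e. the COMPUTERNAME\user case
# discussed above. Records mimic Windows Security event 4624 fields; hosts,
# IPs and the account name are constructed assumptions.
from collections import defaultdict

# Logon types that mean the credentials were used from ANOTHER machine.
REMOTE_LOGON_TYPES = {3: "network (SMB/WMI/RPC)", 10: "RemoteInteractive (RDP)"}
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}

# Constructed 4624-style records, one event per line as key=value pairs.
SAMPLE_EVENTS = """\
EventID=4624 Computer=LOCALWIN LogonType=2 TargetDomainName=ACME TargetUserName=Bob IpAddress=-
EventID=4624 Computer=LOCALWIN LogonType=10 TargetDomainName=LOCALWIN TargetUserName=Adm1n1str4t0r IpAddress=10.0.0.55
EventID=4624 Computer=LOCALWIN LogonType=3 TargetDomainName=ACME TargetUserName=Steve IpAddress=10.0.0.12
EventID=4624 Computer=WS-FINANCE LogonType=3 TargetDomainName=WS-FINANCE TargetUserName=Adm1n1str4t0r IpAddress=10.0.0.55
EventID=4624 Computer=WS-HR LogonType=3 TargetDomainName=WS-HR TargetUserName=Adm1n1str4t0r IpAddress=10.0.0.55
EventID=4624 Computer=WS-HR LogonType=3 TargetDomainName=WS-HR TargetUserName=Adm1n1str4t0r IpAddress=127.0.0.1
EventID=4672 Computer=WS-HR TargetDomainName=WS-HR TargetUserName=Adm1n1str4t0r
"""

def parse_event(line):
    """Split 'key=value key=value ...' into a dict; LogonType becomes an int."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["LogonType"] = int(ev.get("LogonType", 0))
    return ev

def is_remote_local_account_logon(ev):
    """True when a local (non-domain) account logged on over the network or RDP."""
    if ev.get("EventID") != "4624" or ev["LogonType"] not in REMOTE_LOGON_TYPES:
        return False
    if ev.get("IpAddress", "-") in LOCAL_SOURCES:
        return False  # same-host activity, not use from another machine
    # Windows logs a local account with the host's own name as its "domain";
    # domain accounts carry the domain name (ACME) instead.
    return ev["TargetDomainName"].upper() == ev["Computer"].upper()

def find_shared_local_admin_use(lines):
    """Map (source_ip, account) -> sorted hosts for accounts seen on more than
    one host: the same local name reaching several workstations from a single
    source is the shared-password situation the thread describes."""
    seen = defaultdict(set)
    for line in lines.splitlines():
        ev = parse_event(line)
        if is_remote_local_account_logon(ev):
            seen[(ev["IpAddress"], ev["TargetUserName"].lower())].add(ev["Computer"])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}
```

On real exports, map the 4624 XML fields to the same keys; a domain computer account (for example WS-HR$) is logged under the domain name, so it does not trigger the local-account check.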
#6, 05-11-2017 13:16: cybercoder (Friend; Join Date: Aug 2005; Posts: 83)
Pass the hash? I thought MS fixed this? Obviously not.. :P