Често Задавани Въпроси

Абонаменти

Warning: gzinflate() [function.gzinflate]: data error in /home/singu/chzv.net/wp-content/plugins/xhanch-my-twitter/inc/common.php on line 187

Warning: gzinflate() [function.gzinflate]: data error in /home/singu/chzv.net/wp-content/plugins/xhanch-my-twitter/inc/common.php on line 187

Последни туитове

RT @dave_rel1k: SET v1.5 interactive shell running on OSX. No sir your machine isn't infected, mac's don't have viruses. http://yfrog.co ... - на 16/06/2011 в 09:17:09
RT @PrivacyCamp: PayPal vulnerability allows access to any account within 30 seconds http://ow.ly/5iZcK - на 16/06/2011 в 09:07:16
Хроника на сагата около Сони - кога и какво е хакнато - http://t.co/sxejfv4 - на 11/06/2011 в 11:56:21
RT @mikkohypponen: Malware gang's $14.8 million bank account frozen: http://bit.ly/jrcTuf from F-Secure Weblog - на 11/06/2011 в 01:54:21
RT @mikkohypponen: Citibank says they too were hacked. They lost card information of one percent of their customers: http://t.co/5sFxWOz ... - на 09/06/2011 в 08:33:22
RT @dave_rel1k: Another Social-Engineer Toolkit (SET) update, added multi-threading to spear phishing mass mails. #sweet - на 09/06/2011 в 07:38:55
RT @taviso: Should you trust a root CA that couldn't keep track of it's own keys? Trick question, you already do. http://i.imgur.com/oTS ... - на 09/06/2011 в 07:37:36
RT @DarkReading: Meeet the 'ad hijacking' attack: http://tinyurl.com/44rfnhk - на 07/06/2011 в 17:39:03
RT @rapid7: New Metasploit modules designed specifically for testing firewalls, IDS, IPS, and DLP solutions - http://r-7.co/jZlksz - на 07/06/2011 в 03:49:34
RT @lennyzeltser: TDL rootkit implements its own file system to store files on the hard drive: http://bit.ly/jNriDd by @ESETLLC - на 07/06/2011 в 03:34:08
RT @dave_rel1k: SET v1.4.1 has been updated in the Back|Track repositories. Lot's of bug fixes and updates around relative paths and fea ... - на 07/06/2011 в 03:32:12
RT @mikkohypponen: Fun trick of the day: Try 'ping 2130706433' from the command line and figure out why it works. - на 23/05/2011 в 23:09:33
RT @dave_rel1k: The Social-Engineer Toolkit (SET) v1.4.1 has been released. Adds statistics for harvester, bug fixes, and more. - на 20/05/2011 в 22:54:02
RT @Reuters: Sony hacked again http://t.co/RI14jsL - на 20/05/2011 в 17:53:37
RT @lordparody: My new security slogan. "Better Safe Than Sony" - на 20/05/2011 в 17:51:57

My Twitter, by Xhanch

Как се превзема Windows домейн

October 20th, 2009 от singu

И то според създателя на видеото – без използване на zero-day или пачнати уязвимости, без социално инженерство и подслушване на пароли.

Видеото е ускорено доста, поне на мен ми се наложи да го спирам на един-два пъти, за да разбера какво става. Ето и текста в началото:

I had to cut this video to a short one, so please use the pause button if something is too quick The mission is to create a new Windows domain administrator – in case we do not have any user in the domain or any local user at the workstation. Prerequisites:

1. Physical access to one of the domain member workstations for ~20 minutes.
2. Every local administrator user on the workstations have the same password. Strong or weak, it does not matter. NO social engineering, NO password stealer, NO password cracker, NO malicious code, NO exploiting zero-day or already patched vulnerabilities.

Tools used for the attack:

1. ophcrack (to get the local admin LM&NTLM hashes)
2. Offline NT Password & Registry Editor, Bootdisk / CD from Petter Nordahl-Hagen (to login as local admin)
3. pass-the-hash toolkit from Hernan Ochoa – Core Security (to authenticate with the hashes, so we do not have to crack them)
4. psexec from Mark Russinovich (to run remote commands)

Demo architecture: We have at least 3 computers: the workstation (WKS) for which we have physical access, the domain controller, and a workstation (ADMIN-WKS) with a logged in domain administrator (DomainAdmin).

Steps:

1. Boot the workstation with ophcrack. Stop the cracking process, and save the hashes. View the hashes, and write the local administrator hashes down with pencil&paper (or copy it on a USB stick, etc.).
2. Boot in with the Offline NT Password & Registry Editor. Reset the local administrator password to blank, and reboot. 3. Login with administrator to the workstation with blank password.
4. Use iam.exe or iam-alt.exe to change the LM&NTLM hashes in the memory.
5. Copy the pass-the-hash toolkit to the admin-wks via an administrator share.
6. Run the whosthere.exe or whosthere-alt.exe to get the DomainAdmin LM&NTLM hashes.
7. Create a local user called DomainAdmin, and login into that profile.
8. Use iam.exe or iam-alt.exe with the DomainAdmin hashes to change the LM & NTLM hashes in the memory.
9. Right now we have the same privileges as the DomainAdmin, so we can create a domain admin for ourself. Or anything else we want in the domain (reset anyone elses password, read someone elses e-mail, etc.).

Known limitations:

1. Some Windows versions / service packs are not compatible with the pass-the-hash toolkit, feel free to modify the source or debug the libraries to get the correct memory addresses.
2. Some AV engines detect pass-the-hash toolkit as malicious code, use AV evasion techniques against them.

What is cool?

1. It does not matter how complex the local admin and domain admin passwords are.
2. It works even if the domain admins are forced to use smart cards for interactive login.
3. We have not used any of the attacks mentioned above, so it works on fully patched networks with security paranoid admins.