Chaining vulnerabilities

First off, a quick warning: this chaining vulnerabilities blog is a little technical. But it needs to be.

Introduction

Chaining vulnerabilities, or vulnerability chaining, is an attack method used by hackers to gain domain admin access to a network without the need for cracking passwords – making an attack swift and difficult to detect.

How are they able to do this?

The scene

The CISO receives the call around 2am, that dreaded call that ransomware has been deployed on the network. Once all of the curse words have been exhausted and the panic starts to settle, the questions start to circle and they all start with the same word: how?

Having been involved in incident response and numerous pentests, and having read up on various threat actor TTPs (Tactics, Techniques, and Procedures), I will share what I’ve experienced and explore the attack chain below.

Often the method for enterprise compromise is standard. The scary part is, it’s also easy.

How do hackers chain vulnerabilities?

There is nothing more frustrating to a penetration tester than going to re-test a client and finding that the list of vulnerabilities and technical misconfigurations is the same as when you first tested.

By chaining vulnerabilities and technical misconfigurations together it is possible for an attacker to gain Domain Admin rights (or even Enterprise Admin rights) in under two hours.

The jewel in the crown for the attacker is that, by doing this, they do not need to crack a single password. Your super complex password that takes 9000 years to crack is not keeping your account safe here.

Therefore, it is not sufficient simply to get an annual penetration test; you must remediate the vulnerabilities and technical misconfigurations discovered in a penetration test to keep your organisation safe.

Nagging aside, let us pull back the curtain on the attack chain and the requirements for it to succeed (in this example anyway).

As with most attacks, our example starts with an attacker sending phishing attempts to staff at the target organisation. The malicious file has been downloaded and executed under a low-privileged user’s account. This gives the attacker a foothold but no credentials or privileged access; all they can do is see the network at this point.

Once they can see the network, the first port of call for the attacker is to check whether Link-Local Multicast Name Resolution (LLMNR) is running and, if it is, the first requirement is met. From here, the attacker wants to find hosts on the network with SMB signing not required. This medium-rated vulnerability (probably listed in this organisation’s last pen test report) is key to this chain and often overlooked. With both requirements met, the attack can start. The idea is simple: local name resolution (LLMNR) is poisoned so that hosts authenticate to the attacker’s machine. Now, instead of capturing hashes for password cracking, an SMB server is running to relay the authentication to all hosts that meet the SMB signing criteria.

This means that the authenticity of the SMB message is not checked, so the authentication can be relayed along with additional commands to execute on the hosts (in a simplified manner). Not every relay is of any value; however, should a highly privileged account’s authentication get relayed, then the go-to command will execute on a host and compromise the SAM file, giving the attacker any cached usernames, RIDs and NT:LM hashes.
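The chain above rests on two preconditions on each host: LLMNR answering on the segment and SMB signing not being required. The following PowerShell is an added example (not code from the original post) that audits both on the local machine, optionally hardens them, and runs a simple poisoning canary: it asks LLMNR to resolve a made-up name that cannot legitimately exist, so any answer means something on the segment is claiming names it does not own. The function names are my own; the registry path is the one written by the "Turn off multicast name resolution" Group Policy setting, and the cmdlets are the stock SmbShare and DnsClient ones (Windows 8.1 / Server 2012 R2 or later assumed).

```powershell
# Added example, not from the original post. Audit, harden and canary-test the
# two preconditions of the relay chain (LLMNR on, SMB signing not required).
# Run in an elevated PowerShell session on a domain-joined host.

# Policy location written by the "Turn off multicast name resolution" GPO setting.
$LlmnrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Test-LlmnrDisabled {
    # LLMNR is on by default; it is only off when policy sets EnableMulticast = 0.
    $value = Get-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.EnableMulticast -eq 0)
}

function Test-SmbSigningRequired {
    # Server side is what a relayed session lands on; client side decides whether
    # this host's own outbound sessions can be relayed elsewhere. Both matter.
    [pscustomobject]@{
        ServerRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
        ClientRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
    }
}

function Get-RelayPreconditionReport {
    $signing = Test-SmbSigningRequired
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        LlmnrDisabled    = Test-LlmnrDisabled
        SmbServerSigning = $signing.ServerRequired
        SmbClientSigning = $signing.ClientRequired
        # A host that does not require server-side signing accepts relayed sessions.
        RelayTarget      = (-not $signing.ServerRequired)
    }
}

function Set-RelayPreconditionsHardened {
    # Local remediation. In a domain, push the same settings via GPO
    # ("Turn off multicast name resolution" and "Microsoft network server:
    # Digitally sign communications (always)") so they cannot drift back.
    if (-not (Test-Path $LlmnrPolicyKey)) { New-Item -Path $LlmnrPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

function Invoke-LlmnrCanary {
    # Resolve a random name over LLMNR only. Nothing should answer; if something
    # does, a responder on this segment is poisoning name resolution.
    param([string]$Name = ('canary-' + [guid]::NewGuid().ToString('N').Substring(0, 12)))
    $answer = Resolve-DnsName -Name $Name -LlmnrOnly -ErrorAction SilentlyContinue
    if ($answer) {
        Write-Warning ("LLMNR answer for bogus name '{0}' from {1}: possible poisoner on this segment" -f `
            $Name, ($answer.IPAddress -join ', '))
        return $true
    }
    return $false
}

# Usage: report first, then decide whether to harden this host.
Get-RelayPreconditionReport | Format-List
if (Invoke-LlmnrCanary) { Write-Warning 'Investigate before doing anything else on this host.' }
# Set-RelayPreconditionsHardened   # uncomment to apply the local fix
```

Run the report across the estate (for example through Invoke-Command) and anything with RelayTarget set to True is exactly the host list the attacker in this story is looking for. Requiring client-side signing can break very old SMB1-only devices, so test that setting on a pilot group first; the server-side setting and the LLMNR policy are safe to roll out broadly.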

How do attackers gain Domain Admin rights?

Although the attacker hasn’t gained Domain Admin rights yet, everything described above has probably taken minutes so far (under an hour anyway). The attacker now has SAM files from multiple hosts printing to their screen, and any usernames with a RID of 1000+ are put to one side: these are domain accounts rather than local ones.

Eventually, usernames with a RID of 1000+ will be printing, as well as usernames containing keywords like ‘admin’. In fact, given enough time, the attacker will soon see the usernames of senior employees they found on LinkedIn.

Example

IT-Manager:1023:aad3b435b51404eeaad3b435b51404ee:e9999e708333ad13agf421b9601d0c3a:::

Something like the above example is instantly of interest to the attacker as it means they do not need to crack this user’s password to authenticate and use the account. With an NT:LM hash the NT part can be used in a method called Pass-the-hash to authenticate, bypassing any need for cracking.
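When the tester hands over a dump in the user:rid:lmhash:nthash::: format shown above, the defender’s job is to decide which credentials to reset first. The PowerShell below is an added example (not code from the original post) that parses such lines and ranks accounts using the same signals the post describes (RID 1000+, ‘admin’-style names), plus two that a reset list should never miss: the well-known hashes of an empty password (a blank-password account) and the same NT hash appearing on several accounts (a shared password, so one relay exposes all of them). The sample dump and its hash values are constructed for this example; the function names are my own.

```powershell
# Added example, not from the original post. Triage a hashdump into a
# password-reset priority list. Sample lines are constructed; hashes are made up.

$EmptyLmHash = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of '' - normal on modern hosts (LM storage off)
$EmptyNtHash = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of '' - the account has a blank password

function ConvertFrom-HashdumpLine {
    param([Parameter(Mandatory)][string]$Line)
    # Trim each field so a stray space (as in 'IT-Manager:1023 :') does not break parsing.
    $f = ($Line -split ':') | ForEach-Object { $_.Trim() }
    if ($f.Count -lt 4 -or $f[1] -notmatch '^\d+$') { return $null }   # skip comments and garbage
    $rid = [int]$f[1]
    [pscustomobject]@{
        User            = $f[0]
        Rid             = $rid
        LmHash          = $f[2].ToLower()
        NtHash          = $f[3].ToLower()
        BuiltIn         = ($rid -lt 1000)                        # 500 Administrator, 501 Guest, 503 DefaultAccount ...
        LooksPrivileged = ($f[0] -match 'admin|svc|sql|backup')  # keyword triage, as the post describes
        BlankPassword   = ($f[3].ToLower() -eq $EmptyNtHash)
        LmHashStored    = ($f[2].ToLower() -ne $EmptyLmHash)     # a real LM hash is a trivially crackable legacy hash
    }
}

function Get-HashdumpTriage {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @($Lines | ForEach-Object { ConvertFrom-HashdumpLine $_ } | Where-Object { $_ })

    # Identical NT hashes on different accounts mean a shared password:
    # treat the whole group as a single credential when planning resets.
    $sharedHashes = @($entries | Group-Object NtHash | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })

    foreach ($e in $entries) {
        $shared  = $e.NtHash -in $sharedHashes
        $reasons = @()
        if ($e.BlankPassword)   { $reasons += 'blank password' }
        if ($shared)            { $reasons += 'password shared with other accounts' }
        if ($e.LooksPrivileged) { $reasons += 'privileged-looking name' }
        if (-not $e.BuiltIn)    { $reasons += 'RID 1000+ (non built-in)' }
        if ($e.LmHashStored)    { $reasons += 'LM hash stored' }

        # 1 = reset today, 4 = reset in the normal cycle.
        $priority = if ($e.BlankPassword -or $shared) { 1 }
                    elseif ($e.LooksPrivileged)       { 2 }
                    elseif (-not $e.BuiltIn)          { 3 }
                    else                              { 4 }

        [pscustomobject]@{
            Priority = $priority
            User     = $e.User
            Rid      = $e.Rid
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Constructed sample dump: Administrator and svc-backup share a password,
# Guest has a blank one, IT-Manager is the kind of RID 1000+ account the post highlights.
$sampleDump = @(
    'Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::',
    'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
    'IT-Manager:1023 :aad3b435b51404eeaad3b435b51404ee:e9999e708333ad13abf421b9601d0c3a:::',
    'svc-backup:1102:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::'
)

Get-HashdumpTriage -Lines $sampleDump | Sort-Object Priority, Rid | Format-Table -AutoSize
```

On the sample input this puts Administrator, Guest and svc-backup at priority 1 and IT-Manager at priority 2. The shared-hash check is the one to pay attention to: a local Administrator hash that is identical on many hosts is what turns one relayed session into every host, which is why LAPS-style unique local admin passwords belong on the remediation list next to SMB signing and LLMNR.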

By using the above credentials against a DC with Domain Admin rights, the attacker now has the keys to the kingdom and can compromise the ntds.dit, create a new admin account for persistence, exfiltrate data and/or deploy ransomware.

Mediums

As explained, the above is a simple attack chain that only requires a few medium-rated vulnerabilities and technical misconfigurations. In short, do not underestimate those medium-rated issues or that legacy protocol still running (for more on LLMNR and Active Directory weaknesses take a look at my blog post). An attacker’s ability to go from unauthenticated to Domain Admin in under 2 hours is a scary situation and shouldn’t be possible, but it regularly is. My advice would be to keep on top of internal network security and remediate the vulnerabilities and technical misconfigurations discovered within your network during penetration tests, to avoid hackers chaining vulnerabilities.

Yes, it’s internal, but when an attacker gets in, don’t make it easy for them.


Written by Gyles Saunders
Gyles is an experienced security professional and pen tester, having worked across multiple areas of the physical security and information security industries. He has a proven track record in the corporate intelligence and cyber security market and is integral to the Red Team’s service delivery at NormCyber. As well as implementing new processes and enhancements to the service itself, he also takes an active interest in onboarding and mentoring new team members.