Again, simple is relative. Also don't mistake your knowledge for that of anyone else. You may know more than others, others may know more than you. Me, I tend to expect others know more than I do, so I err on the side of caution because I know what I know and it sometimes scares me. :o)
 
Hopefully no one here will feel the need to give any more detail, hints, or speculations on methods that can be used to compromise Active Directory. It is not a good open forum discussion item. If someone comes to you and gives you detailed hacking instructions (for free or with a charge), start to wonder what other bad habits they have as well. :)  Just trust that such things are possible, people do do this both for good[1] and bad reasons, you aren't blocking them, so don't be giving out hefty rights on DCs in your forest that you don't trust 100%.
 
  joe
 
p.s. A basic security premise is that you can't prove systems secure, only insecure.
 
 
[1] Consider a company that is insourcing their environment from a vendor who doesn't want to give up the forest... I think someone posted to this very list this year about a vendor who found out that was going to happen and they chopped off access to the forest root from the customer network leaving the customer high and dry. The customer should have had a root DC in their possession before making that announcement.
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, September 15, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx discusses some elevation of privilege attacks.  It also links to another article that is supposed to have more details on SID filtering, which doesn’t seem to exist anymore.  All references I have found point only at NT4 and 2000 as susceptible to this kind of attack, and they have a patch to fix it.  So I guess 2003 is secure at least when it comes to the SIDHistory method.  There must be other ways of doing it, though.  I don’t know that they could possibly be “simple” if MS put out a patch to fix this particular hole way back in 02.  The referenced article (for those who don’t read it) calls for “a binary edit of the data structures that hold the SIDHistory information”.  Not exactly “candy from a baby” level, unless you happen to be a 3rd level black-belt in babies-canditsu.  But I’m sure someone with extreme skills could take on an unpatched 2000 domain without much trouble.  Either way, it looks like SID filtering mitigates most of the risk. 
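SID filtering on trusts drops foreign SIDs from a token at the trust boundary, but it does nothing about sIDHistory values already written onto accounts inside the forest. The audit below is an added example, not code from the list or from Microsoft: it walks account records and flags any sIDHistory entry that either carries a privileged group RID (512, 518, 519 are the fixed RIDs of Domain Admins, Schema Admins and Enterprise Admins) or comes from a domain that is not a sanctioned migration source. The domain SIDs and account records are constructed; in a real audit the records would come from an LDAP query for objects with a non-empty sIDHistory.

```python
"""Audit sIDHistory values on accounts for entries no migration explains.

Added example: the forest domain SIDs, the migration-source SID and the
account records below are all constructed, not taken from the thread.
"""
from dataclasses import dataclass

# Relative IDs of the privileged groups (well-known, fixed RIDs in every AD domain).
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class Finding:
    sam_account_name: str
    sid: str
    reason: str


def split_sid(sid: str) -> tuple:
    """Split 'S-1-5-21-a-b-c-RID' into its domain part and the trailing RID."""
    if not sid.startswith("S-1-5-21-"):
        raise ValueError(f"not a domain account SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit_sid_history(accounts, allowed_source_domains):
    """Return one Finding per sIDHistory entry that should not be there.

    accounts: iterable of (sAMAccountName, list of sIDHistory SID strings)
    allowed_source_domains: set of domain SIDs a migration may legitimately
        carry history from (old NT4/2000 domains that were merged in)
    """
    findings = []
    for name, history in accounts:
        for sid in history:
            domain, rid = split_sid(sid)
            if rid in PRIVILEGED_RIDS:
                # A privileged group SID in history grants that group's access
                # without the account ever appearing as a member of it.
                findings.append(Finding(name, sid, f"carries {PRIVILEGED_RIDS[rid]} SID in sIDHistory"))
            elif domain not in allowed_source_domains:
                findings.append(Finding(name, sid, "history from a domain that is no known migration source"))
    return findings


# Constructed sample data (not real SIDs).
FOREST_ROOT_DOMAIN_SID = "S-1-5-21-4444-5555-6666"
OLD_NT4_DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # the only sanctioned migration source
SAMPLE_ACCOUNTS = [
    ("migrated.user", [f"{OLD_NT4_DOMAIN_SID}-1105"]),   # legitimate migration leftover
    ("svc.backup", [f"{FOREST_ROOT_DOMAIN_SID}-519"]),  # Enterprise Admins SID: red flag
    ("contractor", ["S-1-5-21-7777-8888-9999-1200"]),   # history from an unknown domain
    ("plain.user", []),
]


def run_sample_audit():
    """Run the audit over the constructed records; returns the list of findings."""
    return audit_sid_history(SAMPLE_ACCOUNTS, {OLD_NT4_DOMAIN_SID})


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.sam_account_name}: {f.sid} -> {f.reason}")
```

Once a migration is finished the cleanest state is an empty sIDHistory everywhere, so the second rule is deliberately strict: any history from a domain you did not consciously migrate from is worth a ticket, not just the privileged RIDs.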


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

 

>>>Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

 

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap!

Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

 

>>>I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

 

When you know HOW, it is as easy as taking candy from a baby

 

jorge

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

 

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

 

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above.

 

Make sense?

 

neil

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword?  I'm not sure I clearly understand the question.

FWIW, going from DA to EA is a matter of adding one's id to the EA group.  DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc.
If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer? 

Just for curiosity, what brings up that question?

Al
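Al's point that DA to EA in the root domain is just a group membership change means the thing worth watching is the membership change itself. The detector below is an added example, not code from the list: it reads DC security events in which a member is added to a security-enabled group (4728 global, 4732 domain local, 4756 universal; Enterprise Admins and Schema Admins are universal groups, so they surface as 4756), alerts on the Tier-0 groups, and raises the severity when the acting account is from a different domain than the group. The event lines are constructed in the shape of the Windows Security log field names; a real deployment would feed it from event forwarding or a SIEM.

```python
"""Flag additions to the forest's privileged groups in DC security events.

Added example: the event lines are constructed using the Windows Security
log field names, not real log output from the thread.
"""
import re

# Event IDs a DC logs when a member is added to a security-enabled group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "domain local", 4756: "universal"}

# Groups whose membership should be change-controlled. Enterprise Admins and
# Schema Admins live in the forest root domain and are universal (4756);
# Domain Admins is global (4728); Administrators is domain local (4732).
TIER0_GROUPS = {"Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Turn one key="value" event line into a dict with an integer EventID."""
    ev = dict(FIELD_RE.findall(line))
    ev["EventID"] = int(ev["EventID"])
    return ev


def detect_privileged_group_additions(lines):
    """Return one alert dict per addition to a Tier-0 group.

    An addition performed by a subject from a different domain than the group
    (a child-domain account touching a root-domain group) is marked 'high'.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] not in GROUP_ADD_EVENTS or ev.get("TargetUserName") not in TIER0_GROUPS:
            continue
        cross_domain = ev["SubjectDomainName"].upper() != ev["TargetDomainName"].upper()
        alerts.append({
            "group": ev["TargetUserName"],
            "group_domain": ev["TargetDomainName"],
            "member": ev["MemberName"],
            "actor": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "scope": GROUP_ADD_EVENTS[ev["EventID"]],
            "severity": "high" if cross_domain else "medium",
        })
    return alerts


# Constructed sample events: a logon, a harmless group change, and two Tier-0 changes.
SAMPLE_EVENTS = [
    'EventID="4624" SubjectUserName="jdoe" SubjectDomainName="EMEA" LogonType="3"',
    'EventID="4728" TargetUserName="Sales Staff" TargetDomainName="EMEA" '
    'MemberName="CN=jdoe,OU=Users,DC=emea,DC=corp,DC=example" '
    'SubjectUserName="helpdesk1" SubjectDomainName="EMEA"',
    'EventID="4756" TargetUserName="Enterprise Admins" TargetDomainName="CORP" '
    'MemberName="CN=regional.da,OU=Admins,DC=emea,DC=corp,DC=example" '
    'SubjectUserName="regional.da" SubjectDomainName="EMEA"',
    'EventID="4728" TargetUserName="Domain Admins" TargetDomainName="CORP" '
    'MemberName="CN=svc.deploy,OU=Service,DC=corp,DC=example" '
    'SubjectUserName="rootadmin" SubjectDomainName="CORP"',
]


def run_sample_detection():
    """Run the detector over the constructed events; returns the alert list."""
    return detect_privileged_group_additions(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample_detection():
        print(f'[{a["severity"]}] {a["actor"]} added {a["member"]} to '
              f'{a["group_domain"]}\\{a["group"]} ({a["scope"]} group)')
```

Every alert from this detector should correspond to a change ticket; a root-domain group being modified by a child-domain subject is exactly the trust-boundary crossing this thread is about and deserves a page, not a daily report.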

On 9/14/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'.

I have suggested that whilst it's possible it is not simple at all.

Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [ [EMAIL PROTECTED]]

I can think of the following basic methods:
 - Remove DC disks and edit offline
 - Introduce key logger on admin workstation / DC
 - Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.


This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.