Once you have control of a machine, it’s a good idea to add persistence so you can come back to it later. If you have exploited a vulnerability specific to the machine, security teams could potentially have detected your intrusion and updated the machine. It would be a good idea to secure your access to avoid having to go through everything again!
Create a Privileged Account
A simple and effective technique is to add a new local user to the compromised machine. Once you’ve created this user, you then add them to the administration group. With this method, you can connect to this machine from this account using legitimate tools, like RDP or WinRM.
net user evil p4ssw0rd /add
net localgroup Administrators evil /add
This technique allows you to maintain control of a compromised machine. However, if you’ve compromised the domain, you can go a step further and add a user to a privileged group. You learned about these groups in the domain mapping section of this course. If you recall, we searched for members of the Domain Admins and Enterprise Admins groups. Adding an account to one of these groups will ensure that you maintain your domain privileges.
net user evil p4ssw0rd /add /domain
net group "Domain Admins" evil /add
Adopt Classic Persistence Techniques
There are a few classic persistence techniques that allow you to regain control of a machine without relying on a vulnerability or a compromised account.
You can configure the machine to regularly execute code (e.g., create a local admin account).
Scheduled Tasks
To regularly execute code, you can create a scheduled task.
schtasks /create /tn EvilTask /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'net user evil p4ssw0rd /add; net localgroup Administrators evil /add'" /sc onlogon /ru System
RUN Keys
Another way of regularly executing code is to use certain registry keys to execute a program as soon as a user logs in. These keys are commonly referred to as RUN keys. They can be found in the following registry locations:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
The contents of Run keys will be executed every time a user logs in. By contrast, the contents of RunOnce keys will only be executed once, after which the key’s contents will be automatically deleted.
You can create these keys from the command line using the Windows reg command.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v OpenClassroomsEvil /t REG_SZ /d "C:\Windows\Temp\OC.exe"
Changing Services
Services are another feature you can use for persistence. They are programs that run in the background and can be automatically executed on machine startup. You can then create a service, or even better, change an existing one, so that your malicious code is automatically executed when the machine starts.
sc config AxInstSV binPath= "C:\Windows\Temp\OC.exe" start= auto
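The three autostart locations above (Run/RunOnce keys, scheduled tasks, services) are also where a defender looks first. The following PowerShell audit is an added example, not part of the course: it lists every entry from those locations and flags commands that launch from a temporary directory or run a hidden PowerShell with the execution policy bypassed, as in the schtasks command shown earlier. The paths in $suspiciousPaths and the SYSTEM filter on tasks are assumptions you would tune for your environment.

```powershell
# Added example (not part of the course): audit the autostart locations the
# chapter lists and flag entries resembling the persistence commands above.
# Assumptions: run as an administrator; $suspiciousPaths are directories a
# legitimate autostart should not launch from in this environment.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspiciousPaths = @('\Windows\Temp\', '\AppData\Local\Temp\', '\Users\Public\')

function Test-SuspiciousCommand([string]$Command) {
    foreach ($p in $suspiciousPaths) {
        if ($Command -like "*$p*") { return $true }
    }
    # Hidden, non-interactive PowerShell with the execution policy bypassed,
    # the pattern used in the schtasks example above.
    return [bool]($Command -match 'powershell' -and
                  $Command -match '-(ep|ExecutionPolicy)\s+bypass')
}

function Get-AutostartEntries {
    # 1. Run / RunOnce keys (PS* properties are provider metadata, not values)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    # 2. Enabled scheduled tasks that run as SYSTEM (like /ru System above)
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId -match 'SYSTEM$' }) {
        foreach ($a in $task.Actions) {
            [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
    # 3. Services: binary path and start type, so a changed binPath= stands out
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Source = "Service ($($svc.StartMode))"; Name = $svc.Name; Command = [string]$svc.PathName }
    }
}

Get-AutostartEntries |
    Where-Object { Test-SuspiciousCommand $_.Command } |
    Format-Table -AutoSize -Wrap
```

Compare the full output of Get-AutostartEntries against a known-good baseline of the same machine rather than relying on the heuristics alone; a service whose binPath= was repointed to a legitimate-looking location is only visible as a difference from the baseline.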
Change the Permissions of Sensitive Objects
You may have noticed that managing Windows permissions can quickly become complicated. There are hundreds of objects, thousands of permissions, and only a few people to monitor everything at all times.
Therefore, changing permissions is a relatively inconspicuous persistence technique. With so many permissions and objects, it would be impossible to describe every technique here, but here is one idea to consider.
The Domain Admins group is a privileged group. You’ve already seen that you can add an account to this group for persistence. But what happens if one day this group is cleaned up by the administrators, and they only keep the accounts they recognize?
Well, another option is to edit the list of permissions applied to the group in question. Instead of adding your user to the group, you can instead give your user permission to add any members to the group. This way, you can either add yourself or add another account you own at a later date.
To do this, go to the group’s Security tab and grant Write permission to the user you control.
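Reviewing who holds write rights on a privileged group is the defensive counterpart of the technique just described. The following PowerShell check is an added example, not part of the course: it lists every principal that can change the group’s membership (directly, through write on the member attribute or a generic write, or indirectly, through WriteDacl/WriteOwner) and is not one of the expected administrators. The $expected list and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not part of the course): list principals that can change the
# membership of a privileged group without being one of the expected admins.
# Assumptions: RSAT ActiveDirectory module present; $expected is the set of
# principals allowed to hold write rights on the group in this domain.
Import-Module ActiveDirectory
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of the "member" attribute
$dom = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$dom\Domain Admins", "$dom\Enterprise Admins")

function Get-UnexpectedMemberWriters([string]$DistinguishedName) {
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r  = $ace.ActiveDirectoryRights
        $ar = [System.DirectoryServices.ActiveDirectoryRights]
        # Rights that let the holder add members now (WriteProperty on "member"
        # or on all properties, generic write) or grant themselves that right later.
        $canEditMembers = $r.HasFlag($ar::GenericAll) -or $r.HasFlag($ar::GenericWrite) -or
                          $r.HasFlag($ar::WriteDacl)  -or $r.HasFlag($ar::WriteOwner) -or
                          ($r.HasFlag($ar::WriteProperty) -and
                           ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $memberAttrGuid))
        if ($canEditMembers -and ($expected -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $r
                Inherited = $ace.IsInherited
            }
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
# Review both the group and the AdminSDHolder template: the SDProp process
# periodically copies AdminSDHolder's ACL onto protected groups such as
# Domain Admins, so an unexpected entry on either object matters.
Get-UnexpectedMemberWriters (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
Get-UnexpectedMemberWriters "CN=AdminSDHolder,CN=System,$domainDn"
```

Inherited entries come from the domain head and usually reflect deliberate delegation; an explicit, non-inherited entry on the group for an ordinary user account is the case worth investigating.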
Forge Kerberos Tickets
Finally, there are two persistence techniques that have been mentioned a lot. These are the Silver Ticket and Golden Ticket techniques.
You’re familiar with the Kerberos protocol—or at least the basic principle behind it, right? In this section, you’ve learned about a number of attacks linked to this protocol.
Uh, well to be honest, I understood when I read it, but I don’t remember much.
It’s true, the protocol isn’t that easy to understand. To remind you, it uses tickets (TGTs and service tickets) to authenticate users wanting to access services. These tickets contain all the user’s information. For example, they contain their name, along with the groups they belong to. This is why it’s important that a user cannot change their tickets at random. Otherwise, they could claim to be part of the “Domain Admins” group or to be the “Administrator” account. Tickets are therefore protected. What happens if the passwords that protect these tickets are stolen? That’s what we’re going to find out!
Silver Ticket
The Silver Ticket technique focuses on service tickets. When you log on, you request your first TGT, which acts like your passport. Each time you want to access a service, you submit your TGT to the domain controller, which copies your information into a service ticket. The ticket is protected by the service account password to prevent it from being changed.
However, if you’ve compromised the domain and want to maintain access, you can steal service account passwords, including machine account passwords. You can steal them using secretsdump.py from a domain controller. As you saw at the beginning of the section, this tool carries out a DCSync attack to steal the password hashes of all accounts in the domain. Once these passwords have been stolen, you can then forge service tickets from scratch.
These forged tickets are known as Silver Tickets. In the ticket, you can indicate that you belong to all privileged groups and then protect it with the password of the stolen service account. When you submit these tickets to the services, it’s party time!
You can use ticketer.py from Impacket to create a Silver Ticket, but you’ll also need the domain SID. The tool requires this information in order to forge the ticket. The domain SID can be retrieved with lookupsid.py using valid domain credentials.
$ lookupsid.py medic.ex/pixis:P4ssw0rd@dc01.medic.ex
[...]
[*] Domain SID is: S-1-5-21-3526105896-714836913-1342931244
[...]
$ ticketer.py -nthash <service account hash> -domain-sid S-1-5-21-3526105896-714836913-1342931244 -domain medic.ex -spn CIFS/SRV01.medic.ex administrator
Golden Ticket
Silver Tickets are useful, but it can be tedious to create a ticket for each service. In addition, service account passwords frequently change, which would result in you losing access.
Why not go a step further, and forge a TGT? This is the idea behind the Golden Ticket. Instead of stealing the secrets of service accounts, you can simply steal the ultimate secret: the one that protects the TGT. This secret is the krbtgt account password. This account appears in all Active Directory environments, and its sole purpose is to allow the domain controller to sign and encrypt TGTs with its password. That’s it. Also, its password is not changed automatically. These are the ideal conditions for maintaining access.
I often find that the date of the last password change for the krbtgt account is the date when the company installed Active Directory. This means that if this account has previously been compromised, the Golden Tickets are still valid today.
You can create a Golden Ticket with the same tools you used to create a Silver Ticket. The only difference is that, this time, you have to provide the krbtgt account secret, but you don’t need to provide a service name.
$ lookupsid.py medic.ex/pixis:P4ssw0rd@dc01.medic.ex
[...]
[*] Domain SID is: S-1-5-21-3526105896-714836913-1342931244
[...]
$ ticketer.py -nthash <krbtgt account hash> -domain-sid S-1-5-21-3526105896-714836913-1342931244 -domain medic.ex administrator
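The observation above, that the krbtgt password often still dates from the day Active Directory was installed, is easy to verify. The following PowerShell check is an added example, not part of the course: it compares the krbtgt account’s PasswordLastSet with the domain object’s creation date and reports the key age against a threshold. The RSAT ActiveDirectory module and the 180-day threshold are assumptions.

```powershell
# Added example (not part of the course): report how old the krbtgt key is
# and whether it still dates from the creation of the domain.
# Assumptions: RSAT ActiveDirectory module present; $MaxAgeDays is a chosen
# rotation policy, not a Microsoft default.
Import-Module ActiveDirectory

function Get-KrbtgtKeyAge([int]$MaxAgeDays = 180) {
    # Only the domain's main krbtgt account; RODC-specific krbtgt_* accounts are ignored.
    $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $domain  = Get-ADDomain
    $created = (Get-ADObject -Identity $domain.DistinguishedName -Properties whenCreated).whenCreated
    $age     = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        DomainCreated     = $created
        KrbtgtPasswordSet = $krbtgt.PasswordLastSet
        AgeDays           = [int]$age.TotalDays
        # True when the password was last set within a day of the domain's creation,
        # i.e. it has never been rotated since installation.
        NeverRotated      = ($krbtgt.PasswordLastSet - $created).TotalDays -lt 1
        OverThreshold     = $age.TotalDays -gt $MaxAgeDays
    }
}

Get-KrbtgtKeyAge | Format-List
```

When the key does need rotating, reset the krbtgt password twice, leaving more than the maximum ticket lifetime (10 hours by default) between the two resets, because the KDC still accepts tickets protected with the previous key and a single reset therefore does not invalidate an existing Golden Ticket.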
Before we end this chapter, Lionel would like to tell us about his pentest philosophy:
Let’s Recap!
There are a number of simple persistence techniques for maintaining access, such as adding a user to a privileged group.
Access can also be maintained with automatic code execution through the use of scheduled tasks, services, or registry keys.
Changing object access or editing permissions can lead to more discreet persistence.
Silver and Golden Tickets can be used to access the information system after stealing passwords to domain accounts.
You’ve reached the end of this section! You now have all the tools and knowledge to discover and compromise an Active Directory environment. This knowledge is essential for the next section, where you’ll learn how to protect and monitor your Windows environment.