ORKOS: Preventing the 9 Steps to Domain Collapse
In a large organization, no matter how thorough the network security team, attackers will be able to compromise at least one server or workstation or user account. The greatest weakness of organizational networks remains internal weaknesses that allow an attacker who has compromised a single system or user to expand their reach and take over more systems and accounts, snowballing into complete network compromise.
Most administrators and defenders either are unaware of the depth of the problem, assume they will not be affected, or believe that vulnerability and port scanners will find and fix internal risks. But in a recent post (https://myexploit.wordpress.com/hunt-for-the-domain-admin-da/) Neil Lines explained from an attacker’s perspective, he has been able to quickly obtain complete Domain Admin (DA) rights on over 85% of his tests by following a straightforward 9-step process.
- Collection of standard user domain credentials. (Password hashes)
- Cracking standard user domain credentials. (Password hashes)
- Using standard user domain credentials to identify misconfigured local network services.
- Access to local admin account.
- Enumeration of users with DA rights.
- Access to machines with authenticated DA right users.
- Post exploitation to reveal authenticated users passwords.
- Access to local domain controller (DC) using collected DA account.
- Clone all hashes off the DC.
Notably, as the article states, “Nessus and Nmap are not used at any point. Nothing against any tool but vuln and port scans will not aid you in getting DA for around 99% of the time.” Instead, credentials and documented features are the primary target and tool at every stage.
In our credential assessments, we use the root9B Orkos software as well as evaluating organizational structures and policies and manual scripting or investigation where required.
An Orkos scan will detect weak domain passwords that will be vulnerable to cracking (#2, #9). It will also detect when overly high privileges have been given to standard users on misconfigured systems, granting them access to those machines (#3), Orkos will detect weak local passwords and remote access risks for local accounts, as well as re-used passwords with more privileged accounts (#4). It will enumerate users with DA rights (#5) and will graph privilege escalation paths attackers could use to get them, showing when a less privileged account can remotely log into and control a system that a DA has logged into (#6), or into a system with a service account or local account with a shared password that could be used to log into a system with a DA logged in and so on. It will detect which boxes have DA credentials and other authenticated users’ credentials in memory and on disk of nearly every kind (#7, #8) so they can get access to the domain controller.
Orkos showing paths between systems, accounts, and credentials
The results from the attacker’s perspective match what we find from our assessments; in most organizations, Orkos finds a path to complete network control from 75-99% of systems scanned.
Yet remediation is usually difficult; in most organizations configuration changes across the entire network or password changes for service accounts or privilege re-assignments may not be easy. Not only that, but it is common to have tens of thousands of high risk findings. Orkos provides analytic capabilities to automatically identify the most significant links and nodes to prioritize remediation which helps, but at the end of the day, there’s no doubt some brainpower will be required to strengthen your security policies.
For example, one of the biggest blind spots is in local accounts and service accounts. It is not uncommon to find out that since such accounts are not tied to any specific person in the organization like normal user accounts, they can be forgotten and pose significant risks. Most organizations do not appear to be testing the strength or uniqueness of their passwords (or using technologies like smart cards that eliminate the risk of weak passwords), especially of local accounts.
Another blind spot is in passwords saved in various applications such as browsers or SSH keys; most organizations have no good ways of detecting those and finding the risks they pose.
For more reading, see our other posts on network credential management.
The Orkos analysis engine making recommendations, with simulated changes pending