AD / Windows question

I have a question for pentesters/hackers/etc

If you are sitting on a compromised Windows endpoint waiting for any privileged user to log in, basically sitting around causing minor glitches in the hopes that I.T. logs in to check it out, what would you do with this:

  • User just logged in, they are a local admin. They were made a local admin by a group policy applied to all end-user workstations
    • So you are ready to take over the network, except...
  • The same group policy also gives them "Deny access to this computer from the network" everywhere.
    • So you can't move laterally with just this account, but maybe you're going to harvest their password to at least elevate on other workstations you have a non-elevated foothold on?
  • No password was used; smart card is required for interactive logon.
    • But maybe you can do something with their NTLM secret at least?
  • They are in the "Protected Users" group and cannot authenticate with NTLM.

The best I can think of is you might be able to steal their PIN out of the LSA if Credential Guard is not enabled, and maybe whip up some custom method of proxying the smart card to another host, but that might be tough to implement given that the account's only value is local admin and if you can install a tampered smart card driver on the destination machine, you were already local admin.

Am I missing something? I only ask because many people have said the only fully safe way for a technician to be able to elevate to local admin on an end-user device is by looking up and typing a complex LAPS password, and if that's true, this alternative (a smart card with a dedicated in-person-only admin account) must be broken somehow.

submitted by /u/PowerShellGenius
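One way to check that the control stack the post describes is actually in effect on a given workstation and account, as an added example (not from the original post or its author); it assumes the ActiveDirectory module is installed, the script runs elevated on the workstation, and the account name passed in is the dedicated in-person admin account:

```powershell
# Added example: audit a workstation and an admin account against the controls
# in the post (local admin, deny network logon, smart card required, Protected
# Users, Credential Guard). Assumes ActiveDirectory module + elevated session.
param(
    [Parameter(Mandatory)] [string] $AdminSamAccountName  # assumed: the in-person admin account
)

Import-Module ActiveDirectory
$user = Get-ADUser $AdminSamAccountName -Properties SmartcardLogonRequired, MemberOf
$findings = [ordered]@{}

# 1. Local admin on this box? (direct membership only; nested domain groups are not expanded here)
$localAdmins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings['LocalAdmin'] = @($localAdmins | Where-Object { $_ -like "*\$AdminSamAccountName" }).Count -gt 0

# 2. "Deny access to this computer from the network" = SeDenyNetworkLogonRight in the
#    effective local policy (what the GPO actually delivered), exported via secedit.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$denyLine = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
# The right may be granted to the user directly or to one of their groups, so compare all SIDs.
$groupSids = foreach ($dn in $user.MemberOf) { (Get-ADGroup $dn).SID.Value }
$sids = @($user.SID.Value) + @($groupSids)
$findings['DenyNetworkLogon'] = ($null -ne $denyLine) -and
    (@($sids | Where-Object { $denyLine.Line -match [regex]::Escape($_) }).Count -gt 0)

# 3. Smart card required for interactive logon (SMARTCARD_REQUIRED bit in userAccountControl)
$findings['SmartCardRequired'] = [bool]$user.SmartcardLogonRequired

# 4. Protected Users membership (blocks NTLM and other weak auth for the account)
$findings['ProtectedUser'] = $user.MemberOf -contains (Get-ADGroup 'Protected Users').DistinguishedName

# 5. Credential Guard running? SecurityServicesRunning contains 1 when it is. This is the
#    control that closes the residual "PIN out of LSA" path the post worries about.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$findings['CredentialGuardRunning'] = @($dg.SecurityServicesRunning) -contains 1

[pscustomobject]$findings
```

Any row that comes back False is a gap between the intended design and what the endpoint actually enforces; CredentialGuardRunning is the one to watch, since the other four are what the post already assumes.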

