Backdoor in Active Directory with your own hands
2011, March 16, 11:38
So, we all know about the notorious users with UID = 0 on Unix, of which there can be more than one.

Let's see how the same thing (actually something even scarier) is organized in a Windows infrastructure. Of course, we are not talking about local Windows accounts but about Active Directory, i.e. about the domain administrator. Or, even worse, about the enterprise administrator.

So, truth number one: objects in Active Directory have attributes and access rights.
Truth number two: these attributes can be changed.

It is easy to see that we can create an account with fantastic rights to which nobody has access. Yet it will be able to log in, lock, unlock, and change its own attributes and the attributes of other people.

In the worst case it will be the magic user with SID *-500, which Windows itself can no longer remove. (To do that, rename it and put another user in its place with the name Administrator and full rights.)

Thus we get a formally tidy, white and fluffy little domain, inside which lives a big, fat ... hmm ... I don't even know what. Well, let's call it the northern fur-bearing animal.

Steps to perform:
1) Create an account or rename the administrator. Give it a ... very strange name. For example, ExchangeLegacyReciver. In a normal Exchange there is ExchangeLegacyInterop, so it will be very hard to understand what this is.
2) Give it a matching display name. Something like Exchange Legacy Connection Reciver.
3) Set its password, select "Password never expires", etc.
4) Add it to all the right groups. Realistically, to control the domain it is enough to be a member of Remote Desktop Users (or whatever group is specified in the TCP-RDP properties) and Enterprise Administrators. Less than

Next the magic begins:

1) Log in with this account.
2) Run ads* (if you don't know what stands in place of the star, you don't need it. Those who know and understand what I mean, please don't answer questions from schoolboy hackers about the missing part.)
3) Find yourself in the right OU. First go into the properties and change the owner to some other account with sufficient permissions (so that, if you make a mistake, it can change or remove the object).
4) Clear the inheritance check box, copying the attributes.
And ... well, you've understood. Remove everything unnecessary. Removing SYSTEM from those who have rights leads to a strange situation: the account itself can no longer change its attributes through the snap-in, but it can still be edited through ads*; add full rights on yourself to yourself.
5) Create a new container System under ou=Program Data.
6) Move the object (right click, move) into, for example, Program Data. This is a place nobody ever looks. I.e. your object will exist "somewhere" where it is visible only through ads* or the like. Alternatively, simply move it into the domain root.
7) Check the rights after the move (they love to get re-inherited).
8) Do the same trick with the rights on the container. It prevents outsiders not only from changing or reading the attributes, but from seeing that the object exists at all.

Keep in mind, throughout all this: one mistake and you are no longer the owner, with no way to recover.

Actually, we can say almost anything. You can (after making sure the user name and so on are fine) change the owner to the user himself. Full stop, the chain is closed. After that only restoring from backup remains. The funny thing is that other users with full rights won't even see you in Active Directory. Not even in ads*.

Then it only remains to secure the main thing: group membership (one false move and you're dead, restore from backup).

So:

1) Rename the group (through ads*) into something of your own. For example, Builtin Security Principial.
2) Create an enterprise administrator. Add it to Builtin Security Principial.
3) Move Builtin Security Principial into Program Data\System.
4) Do the same "magic" with its rights.
5) PROFIT???

SEE would be the word. Alas. I could not hide the membership to the end (although you can build a chain ...). However, when you try to remove it from the group members, an error appears: there is no such object on the server.

And:

1) Enterprise and domain admins still have the right to exist. The group is there, its rights are its rights, the domain works as it should (I haven't tested installing Exchange, though).
2) There is an account that you cannot see. At all. Neither from ads* nor from anything else (you can see a strange container, but no more).
3) This account's membership in groups is not noticeable.
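The hidden account, the invisible group membership and the locked-down container described in the two procedures above all leave traces a defender can query. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module and an administrative session on a domain controller, and it generalizes the checks to every object under the domain root rather than only Program Data.

```powershell
# Added defensive check (not from the original post). Assumes the RSAT
# ActiveDirectory module and a session with administrative read rights.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Check 1: privileged groups whose raw 'member' attribute lists a DN that does
# not resolve. A hidden account shows up exactly this way: the DN is stored in
# the group, but reading the object itself is denied, so the lookup fails
# (the "no such object on the server" symptom from the post).
$privGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Remote Desktop Users'
foreach ($g in $privGroups) {
    $group = Get-ADGroup -Identity $g -Properties member -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. Enterprise Admins only exists in the forest root
    foreach ($dn in $group.member) {
        try {
            $null = Get-ADObject -Identity $dn -ErrorAction Stop
        } catch {
            Write-Warning "[$g] member DN does not resolve: $dn"
        }
    }
}

# Check 2: objects whose DACL blocks inheritance or carries explicit Deny entries.
# Accounts protected by AdminSDHolder (adminCount=1) legitimately block inheritance,
# so they are skipped; a container with a protected DACL in an odd place (the
# "strange container" the post mentions) is exactly what this surfaces.
Get-ADObject -Filter * -SearchBase $domainDN -SearchScope Subtree `
    -Properties nTSecurityDescriptor, adminCount |
  ForEach-Object {
    $obj  = $_
    $sd   = $obj.nTSecurityDescriptor
    $deny = @($sd.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    if (($sd.AreAccessRulesProtected -and $obj.adminCount -ne 1) -or $deny.Count -gt 0) {
        [pscustomobject]@{
            DistinguishedName  = $obj.DistinguishedName
            Owner              = $sd.Owner
            InheritanceBlocked = $sd.AreAccessRulesProtected
            DenyACEs           = $deny.Count
        }
    }
  }
```

Check 2 only sees objects the caller is allowed to read, which is why check 1 relies on the group's member attribute instead; several default containers block inheritance by design, so compare the output against a baseline taken from a known-clean domain.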

A further level of stealth: try changing the object type of the group and of the user to something else (such as a computer). Not sure whether this is possible, or whether computers on the network would handle it properly.

P.S. I apologize for writing messily, as I was searching for solutions to problems as I went. Tomorrow, if there is time, I'll bring up a 2008 Dev and check all of it there in full.
Views: 551 | Added by: w1zard | Rating: 0.0/0