
Hidden domain backdoors

Contents: hidden users, hidden programs, sticky keys

Common backdoor methods

Hidden users

net user yincang$ 123456qaq /add
net localgroup administrators yincang$ /add

[screenshots: 20200205185519.png, 20200205185349.png]

Hidden programs

NtGodMode

NtGodMode.exe ("God mode gate"): once it is loaded, anyone can log in to the system with any password, no matter how the administrator changes the password.

https://blog.csdn.net/oceanark/article/details/51902042

https://www.jb51.net/article/14702.htm

https://www.52pojie.cn/forum.php?mod=viewthreadtid=19817page=1

Named pipes

A named pipe is addressed as \Server\PipeName\Path.

IP + port is the usual remote connection method. A named pipe needs no dedicated port of its own: its traffic is mixed in with port 135.

This allows logging in without opening a port.

Sticky keys

Pressing the Shift key five times in a row pops up the Sticky Keys prompt. Replacing the Sticky Keys program with cmd yields a shell.

Hidden backdoors inside the domain

Directory ACL

A deeply hidden backdoor built on the ACL (Access Control List) of an object inside the domain.

In a domain network, the domain group policies and scripts are stored in the SYSVOL directory of the domain controller. All domain users can read it freely, but only a few high-privileged users may modify it. When a domain account logs in, it queries its own domain policy and logon script and executes them (if anything has changed).

To a certain extent, controlling the SYSVOL directory therefore gives a high probability of controlling the domain network.

If login audit software is deployed in the domain, the logins and activity of high-privileged accounts are strictly audited, so using a high-privileged user to control the domain network is not very stealthy.

Generally speaking, domain policy forces periodic password changes for high-privileged users, but this requirement may not apply to low-privileged users. Moreover, many accounts in the domain rarely log in or are rarely used.

If a low-privileged user holds modification permission on the SYSVOL directory, its domain logins will not draw the attention of the audit software, because the account's privileges are not high. Protection and monitoring software has also paid little attention to the ACLs of the directory, so this is a very practical hidden backdoor.

The ordinary user eviluser logs in to the domain client (Windows 7). Connecting to the domain controller with net use, it can browse the directories shared by the server, but has no write permission.

[screenshot: 20200205191517.png]

Write permission (or full control) on the Policies directory is added through the Windows Explorer security dialog and inherited by all subdirectories and files.

[screenshot: 20200205191619.png]

In the Security tab of the Policies directory, eviluser appears as an individually listed permission entry. Normally an ordinary user only has the permissions of the Authenticated Users group.

[screenshot: 20200205191815.png]

After the ACL of the directory on the server is set, the ordinary domain user eviluser writes data into the Policies directory over the original IPC connection, proving write permission on the directory. The policies and scripts inside can now be modified: a hidden backdoor.

[screenshot: 20200205192019.png]

This demonstrates only one specific form of ACL backdoor. There are many objects in the domain and many ACLs that can be manipulated; the target ACL can be chosen flexibly according to need, modified, and used to hide the backdoor.

Of course, for ACL detection Microsoft has also released a dedicated tool, ACL Scanner. If scanning is done periodically, this type of backdoor can still be detected.
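A periodic check of this kind, written here as an added example (it is not the post's own tool and not Microsoft's ACL Scanner): it reads saved `icacls` output for the SYSVOL Policies directory and lists every principal that holds a write-capable ACE but is not on an expected-writer list. The path, the expected-writer set and the sample output are constructed for the post's testlab.com lab domain; the expected-writer set is an assumption, not an official baseline.

```python
"""Flag principals that can write to the SYSVOL Policies directory, from saved
`icacls` output. Added example, not from the original post."""
import re

# Constructed lab path; the expected-writer list is an assumption for this lab.
POLICIES_PATH = r"C:\Windows\SYSVOL\sysvol\testlab.com\Policies"
EXPECTED_WRITERS = {
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER",
    "TESTLAB\\Domain Admins", "TESTLAB\\Enterprise Admins",
    "TESTLAB\\Group Policy Creator Owners",
}

# icacls tokens that grant some form of write, delete or permission change.
WRITE_TOKENS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WEA", "WA",
                "DC", "DE", "WDAC", "WO"}
# icacls inheritance flags (not rights).
INHERIT_TOKENS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(lines, path):
    """Return [(principal, inheritance_flags, rights)] for every ACE printed by icacls.
    The first output line carries the path before the first ACE; later ACEs are indented."""
    aces = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.update(t.strip() for t in group.split(",") if t.strip())
        aces.append((m.group("principal"), tokens & INHERIT_TOKENS, tokens - INHERIT_TOKENS))
    return aces


def can_write(rights):
    """True if the right tokens allow modifying content, permissions or ownership."""
    return bool(rights & WRITE_TOKENS)


def find_unexpected_writers(aces, expected=EXPECTED_WRITERS):
    """Principals with write-capable ACEs (inherit-only ones included, since they
    reach the child GPO folders) that are not on the expected list."""
    return sorted({p for p, _flags, rights in aces if can_write(rights) and p not in expected})


# Constructed icacls output: defaults plus the eviluser entry from the post's demo.
SAMPLE_ICACLS = r"""C:\Windows\SYSVOL\sysvol\testlab.com\Policies NT AUTHORITY\Authenticated Users:(RX)
                                              NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
                                              BUILTIN\Server Operators:(RX)
                                              BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
                                              NT AUTHORITY\SYSTEM:(F)
                                              NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                              BUILTIN\Administrators:(M,WDAC,WO)
                                              BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                              CREATOR OWNER:(OI)(CI)(IO)(F)
                                              TESTLAB\Group Policy Creator Owners:(M)
                                              TESTLAB\eviluser:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    aces = parse_icacls(SAMPLE_ICACLS.splitlines(), POLICIES_PATH)
    for principal in find_unexpected_writers(aces):
        print("unexpected write access on Policies:", principal)
```

Feed it the output of `icacls <path to Policies>` captured on a schedule and alert on any non-empty result; tune EXPECTED_WRITERS to the groups that legitimately edit GPOs in the environment.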

Silver ticket

In Windows, many services run under the host (computer) account: their service account is the local computer account, in the form ComputerName$.

The table below lists common services that run under the host account. Some entries in the right column contain several services; for example, WMI requires HOST and RPCSS, meaning two TGS tickets are needed at the same time to access WMI.

Service name            Services required at the same time
WMI                     HOST, RPCSS
PowerShell Remoting     HOST, HTTP
WinRM                   HOST, HTTP
Scheduled Tasks         HOST
Windows File Share      CIFS
LDAP                    LDAP
Windows Remote Server   RPCSS, LDAP, CIFS

Knowing the password hash of the domain controller's host account, use Mimikatz's silver ticket function to forge a TGS for the HOST service, then run SCHTASKS against the domain controller with domain administrator privileges to remotely create, view, and delete scheduled tasks.

Forging the silver ticket

kerberos::golden /admin:[email protected] /domain:testlab.com /sid:S-1-5-21-2390976136-1701108887-179272945 /target:TESTLABDC02.testlab.com /rc4:36788836f262b9409f102baa22b7a6f3 /service:host /ptt

[screenshot: 20200206110609.png]

Creating a scheduled task

[screenshot: 20200206110832.png]

Backdoor by modifying the host account password policy

Method 1: modify the policy in the host's registry, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters. The value is DisablePasswordChange; setting it to 1 disables changes of the account password;

Method 2: modify the default 30 days in Group Policy, at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age". Setting it to 0 means the password never expires;

[screenshot: 20200206112843.png]

Method 3: Group Policy directly disables host account password changes; the setting exists to support VDI (Virtual Desktop Infrastructure) and similar uses. Its location is "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes".

Method 1 is relatively safe. Because Group Policy keeps snapshots, methods 2 and 3 are riskier.

Backdoor by modifying the host account's delegation settings

In a domain delegation attack, if a host account is configured with constrained delegation, the host account's password hash together with that delegation can be used to obtain domain administrator privileges. The prerequisites are: the host account's password hash and a delegation setting (constrained or unconstrained).

If we hold several stable footholds in the domain and have SYSTEM on the current system, we can obtain the password hash of the current host's account (win7x86cn$ in the demonstration) at any time, which satisfies the first condition;

If the SeEnableDelegationPrivilege right over the win7x86cn$ account is given to the low-privileged domain user who logs in locally (eviluser), the delegation settings of win7x86cn$ can be changed at any time through eviluser, which satisfies the second condition.

Holding GenericAll on the object is not enough to modify its msDS-AllowedToDelegateTo attribute; an attacker can only do so through the SeEnableDelegationPrivilege right.

[screenshot: 20200206140534.png]

By default, SeEnableDelegationPrivilege is granted only on domain controllers, so we need to find which group policy applied to the domain controllers configures the SeEnableDelegationPrivilege user right.

Generally speaking, the default group policy is "Default Domain Controllers Policy".

[screenshot: 20200206140922.png]

The SeEnableDelegationPrivilege right is special: it is set by editing the GPO policy file, located on the domain controller at \SYSVOL\sysvol\testlab.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

[screenshot: 20200206141126.png]

Add eviluser to SeEnableDelegationPrivilege; eviluser can then modify the delegation settings of any user in the domain. The figure below tests modifying the delegation settings of the win7x86cn$ account in a logon session of eviluser.

[screenshot: 20200206141250.png]

I checked the delegation settings of the win7x86cn$ account. The useraccountcontrol marked in red shows that no delegation is set. In the middle, Set-DomainObject is used to set delegation; 16777216 means TRUSTED_TO_AUTH_FOR_DELEGATION is set. The result is then queried with Get-DomainObject: the msds-allowedtodelegateto attribute has changed, and so has useraccountcontrol.

[screenshots: 20200206141704.png, 20200206141751.png, 20200206141818.png, 20200206141841.png]

Security measures against this backdoor

Force a maximum host account password age of 30 days through the domain's Group Policy;

Protect the integrity of the {6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf file, that is, the integrity of the key group policy;

Mark high-privileged users as "account is sensitive and cannot be delegated";

When a host account does need delegation, allow only constrained delegation.

[screenshot: 20200206142027.png]
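The two previous sections both turn on settings that live in a GPO's GptTmpl.inf: the "Domain member:" security options of the password-policy backdoor appear under [Registry Values], and SeEnableDelegationPrivilege appears under [Privilege Rights]. The following is an added example (not the post's code, and not a Microsoft tool) that parses such a template and reports both conditions; it is the kind of integrity check the mitigation list above calls for. The sample template is constructed: the domain SID is the one from the post, but the trailing RID of the extra holder is made up.

```python
"""Audit a Group Policy security template (GptTmpl.inf) for machine-account
password rotation being switched off and for SeEnableDelegationPrivilege being
granted beyond BUILTIN\\Administrators. Added example, not the original post's code."""
import re

# Registry-backed "Domain member:" security options as written under [Registry Values]
# in GptTmpl.inf; the "4," prefix on the value means REG_DWORD.
NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
DISABLE_PW_CHANGE = NETLOGON + r"\DisablePasswordChange"
MAX_PW_AGE = NETLOGON + r"\MaximumPasswordAge"

# S-1-5-32-544 is BUILTIN\Administrators, the default holder of this right
# in the Default Domain Controllers Policy.
DEFAULT_DELEGATION_HOLDERS = {"S-1-5-32-544"}


def parse_gpttmpl(text: str) -> dict:
    """Parse INF-style sections into {section: {key: value}}.
    GptTmpl.inf on disk is UTF-16 LE; decode it before calling this."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return sections


def registry_dword(sections: dict, key: str):
    """Integer value of a REG_DWORD entry under [Registry Values], or None if absent."""
    entry = sections.get("Registry Values", {}).get(key)
    if entry is None:
        return None
    reg_type, _, value = entry.partition(",")
    if reg_type.strip() != "4":
        return None
    return int(value.strip())


def audit_machine_password_policy(sections: dict) -> list:
    """Findings for methods 2 and 3 of the password-policy backdoor."""
    findings = []
    if registry_dword(sections, DISABLE_PW_CHANGE) == 1:
        findings.append("machine account password changes are disabled (DisablePasswordChange=1)")
    age = registry_dword(sections, MAX_PW_AGE)
    if age == 0:
        findings.append("machine account password never expires (MaximumPasswordAge=0)")
    elif age is not None and age > 30:
        findings.append(f"machine account password age {age} days exceeds the 30-day default")
    return findings


def audit_delegation_privilege(sections: dict, allowed=DEFAULT_DELEGATION_HOLDERS) -> list:
    """SIDs holding SeEnableDelegationPrivilege that are not in the expected set."""
    raw = sections.get("Privilege Rights", {}).get("SeEnableDelegationPrivilege", "")
    holders = [h.strip().lstrip("*") for h in raw.split(",") if h.strip()]
    return [sid for sid in holders if sid not in allowed]


# Constructed sample: a tampered Default Domain Controllers Policy template.
# The extra SID uses the post's domain SID with a made-up RID (1105).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DisablePasswordChange=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\MaximumPasswordAge=4,0
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-2390976136-1701108887-179272945-1105
SeMachineAccountPrivilege = *S-1-5-11
"""

if __name__ == "__main__":
    cfg = parse_gpttmpl(SAMPLE_TEMPLATE)
    for finding in audit_machine_password_policy(cfg):
        print("password policy:", finding)
    for sid in audit_delegation_privilege(cfg):
        print("unexpected SeEnableDelegationPrivilege holder:", sid)
```

Run it against the GptTmpl.inf copied from SYSVOL (decoded as UTF-16) on a schedule, and alert on any finding or on any SID outside the expected set; a file hash comparison alone would also catch edits, but parsing tells you which of the two backdoors was planted.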

LAPS

In a domain network the host's local administrator is rarely used, yet it poses a great risk to network security. If an attacker obtains the local administrator's NTLM hash, there is no need to crack it: other hosts in the domain can be attacked through PTH (pass-the-hash). To address this, Microsoft released two patches in 2014, KB2871997 and KB2928120, after which that PTH method fails.

If the local administrator password of a domain host is relatively simple it may be cracked, and the password can still be used for password guessing or dictionary brute force, IPC connections, remote desktop logins, and so on.

In 2015 Microsoft released LAPS (Local Administrator Password Solution) to centrally manage the local administrator passwords of hosts in the domain. Through LAPS-generated policy the local administrator password of each host is forced to be random, preventing attackers from using the local administrator password for lateral movement inside the domain. The solution consists of a client and a server part, installed on the hosts and on the domain controller respectively.

LAPS functions

Collect the local administrator account according to policy (at most one local administrator account is managed) and set a random password that complies with the password policy;

Upload the new password to the domain controller and store it in the attributes of the corresponding host account in the domain;

Update the new expiration date in the host account's attributes;

Check whether the local administrator password has expired; if it has, generate a new random password and update the relevant attributes of the host account in AD.

LAPS provides two management tools: a GUI and the AdmPwd.PS script module. After LAPS is installed, the Set-AdmPwdComputerSelfPermission command of the AdmPwd.PS module must be used to give the hosts in an OU, or the entire domain, permission to set their own attributes.

Each host object can then store its own password and password expiration time.

[screenshot: 20200207110029.png]

On the domain controller, the GUI can directly display the plaintext local administrator password of a specified host.

[screenshot: 20200207110057.png]

LAPS adds two attributes to the host account in the domain: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. The first stores the local administrator password in plaintext and the second stores the password expiration time. Some readers may ask why the password is stored in plaintext rather than in some ciphertext form.

The Find-AdmPwdExtendedRights command of the AdmPwd.PS module can detect which accounts or groups in the domain have permission to read the ms-Mcs-AdmPwd attribute.

When checking AD permissions for a specific domain object, two things must be considered:

1. Which domain principals can grant this AD permission to themselves or to other principals;

2. Which existing ACEs contain this AD permission, and which objects those ACEs apply to.

For the first check, Find-AdmPwdExtendedRights does not examine the security descriptors at all.

For the second check, the interface determines the result from four aspects:

AD object type

ACE access mask

ACE object type

ACE inherited object type

During AD object type detection, Find-AdmPwdExtendedRights only analyses ACEs applied to OUs or computers; all other container objects are ignored. The parameter of Set-AdmPwdComputerSelfPermission is also an OU. An attacker can therefore grant himself permission to read the ms-Mcs-AdmPwd attribute on a non-OU container object.

A container of type msImaging-PSPs is outside the scope of the analysis. Placing computer objects in a container of this type avoids detection.

[screenshot: 20200207110928.png]

If a low-privileged user is given full control of a container of that type, they control the attributes of the computers inside it, including ms-Mcs-AdmPwd.

win7x86user is an ordinary domain user. NotOu is an msImaging-PSPs container holding the machine win7x86cn. On NotOu, win7x86user is granted full control of the container, and the object win7x86cn inside it inherits all of those permissions.

[screenshots: 20200207111333.png, 20200207111440.png]

The tests above show that in a domain with LAPS deployed, LAPS itself can be used as a hidden backdoor: a low-privileged user is given permission to read the plaintext local administrator password at any time, quickly gains control of a high-value host, and can then obtain domain control through hash harvesting and other methods. Of course, the premise of all this is that domain control has already been obtained once.
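To make the four-aspect check concrete, here is an added example (not LAPS or AdmPwd.PS code) that models the access mask, ACE object type and inherited object type checks on a small constructed tree and shows what an OU-only "AD object type" filter misses: the computer win7x86cn parked in the msImaging-PSPs container NotOu is invisible to the OU-only scan, while a scan over every container class reports win7x86user. The computer class GUID and the empty "all objects" GUID are real; the ms-Mcs-AdmPwd schemaIDGUID is forest-specific and is a placeholder; the tree, trustees and the LAPS Readers / Helpdesk groups are constructed. Trustees are reported as they appear in ACEs, with no group-membership expansion.

```python
"""Model of the ACE checks used to find readers of ms-Mcs-AdmPwd, and of the
blind spot created by scanning OUs only. Added example, not LAPS code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access-mask bits (ADS_RIGHTS_ENUM) relevant to reading a confidential attribute.
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100      # "All extended rights"
ADS_RIGHT_GENERIC_ALL = 0x10000000

ALL_OBJECTS = "00000000-0000-0000-0000-000000000000"    # empty GUID: every class/attribute
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class computer
MS_MCS_ADMPWD = "<placeholder-schemaIDGUID-of-ms-Mcs-AdmPwd>"  # forest-specific in reality


@dataclass
class Ace:
    trustee: str
    mask: int
    object_type: str = ALL_OBJECTS            # attribute or right the ACE is scoped to
    inherited_object_type: str = ALL_OBJECTS  # child class the ACE propagates to
    inherit: bool = True                      # CONTAINER_INHERIT flag


@dataclass
class AdObject:
    dn: str
    object_class: str                         # organizationalUnit, msImaging-PSPs, computer, ...
    parent: Optional["AdObject"] = None
    aces: List[Ace] = field(default_factory=list)


def ace_grants_admpwd_read(ace: Ace) -> bool:
    """Access-mask and ACE-object-type checks. ms-Mcs-AdmPwd is confidential, so
    plain ReadProperty is not enough: the ACE must carry CONTROL_ACCESS
    ('All extended rights') or GENERIC_ALL, scoped to every attribute or to this one."""
    if ace.object_type not in (ALL_OBJECTS, MS_MCS_ADMPWD):
        return False
    return bool(ace.mask & (ADS_RIGHT_GENERIC_ALL | ADS_RIGHT_DS_CONTROL_ACCESS))


def ace_reaches_child_computers(ace: Ace) -> bool:
    """Inherited-object-type check for an ACE that sits on a container."""
    return ace.inherit and ace.inherited_object_type in (ALL_OBJECTS, COMPUTER_CLASS)


def admpwd_readers(computer: AdObject, scanned_classes: Optional[Set[str]]) -> Set[str]:
    """Trustees able to read ms-Mcs-AdmPwd on `computer`. ACEs on ancestors count
    only when the ancestor's class is in `scanned_classes` (None = every class);
    {"organizationalUnit"} reproduces an OU-only scan."""
    readers = {a.trustee for a in computer.aces if ace_grants_admpwd_read(a)}
    node = computer.parent
    while node is not None:
        if scanned_classes is None or node.object_class in scanned_classes:
            readers |= {a.trustee for a in node.aces
                        if ace_grants_admpwd_read(a) and ace_reaches_child_computers(a)}
        node = node.parent
    return readers


def scan_all_computers(computers, scanned_classes):
    """Map each computer DN to the sorted trustees who can read its password."""
    return {c.dn: sorted(admpwd_readers(c, scanned_classes)) for c in computers}


OU_ONLY = {"organizationalUnit"}

# Constructed lab tree modelled on the post: one computer in a proper OU, one in
# the msImaging-PSPs container NotOu where win7x86user holds full control.
DOMAIN = AdObject("DC=testlab,DC=com", "domainDNS", aces=[
    Ace("TESTLAB\\Domain Admins", ADS_RIGHT_GENERIC_ALL),
])
WORKSTATIONS_OU = AdObject("OU=Workstations,DC=testlab,DC=com", "organizationalUnit", DOMAIN, aces=[
    # Intended LAPS reader group, scoped to the attribute on child computers.
    Ace("TESTLAB\\LAPS Readers", ADS_RIGHT_DS_CONTROL_ACCESS | ADS_RIGHT_DS_READ_PROP,
        MS_MCS_ADMPWD, COMPUTER_CLASS),
    # ReadProperty alone does not reveal a confidential attribute.
    Ace("TESTLAB\\Helpdesk", ADS_RIGHT_DS_READ_PROP, ALL_OBJECTS, COMPUTER_CLASS),
])
NOT_OU = AdObject("CN=NotOu,DC=testlab,DC=com", "msImaging-PSPs", DOMAIN, aces=[
    Ace("TESTLAB\\win7x86user", ADS_RIGHT_GENERIC_ALL),
])
WS01 = AdObject("CN=WS01,OU=Workstations,DC=testlab,DC=com", "computer", WORKSTATIONS_OU)
WIN7 = AdObject("CN=win7x86cn,CN=NotOu,DC=testlab,DC=com", "computer", NOT_OU)

if __name__ == "__main__":
    for label, classes in (("OU-only scan", OU_ONLY), ("all containers", None)):
        print(label, scan_all_computers([WS01, WIN7], classes))
```

The defensive takeaway is in the `scanned_classes` argument: a reader audit has to walk every ancestor of every computer object regardless of its class, and should also report computer objects that live outside OUs at all, since that placement is itself the evasion described above.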

On the client, LAPS deploys only an AdmPwd.dll file. It responds to the password change policy from the domain controller and then stores the plaintext password in the ms-Mcs-AdmPwd attribute of the corresponding host account on the server, over a Kerberos-encrypted connection.

LAPS originated from a public project. By analysing the public project's source code, the password change process can be simulated manually.

[screenshots: 20200207112300.png, 20200207112404.png]

When the client loads AdmPwd.dll, Windows performs no integrity or signature verification on the file, so a tampered DLL also works normally. If an attacker compiles a DLL with the same functions from the public source code and adds a function that writes the changed plaintext password to a location of their choosing, they can obtain the password at any time and thereby keep full control of the client.

According to the LAPS installation instructions, there are 3 ways to install on the client:

Install LAPS.x64.msi or LAPS.x86.msi on the client;

Register AdmPwd.dll on the client with regsvr32.exe.

If the client is installed in the second way and the directory containing AdmPwd.dll is writable by ordinary users, an ordinary user can directly replace the real DLL with the fake one, obtain the plaintext local administrator password, gain full control of the machine, and thereby escalate privileges.

LAPS is a solution deployed by Microsoft to strengthen local administrator password management and improve network security, but some flaws in it have turned LAPS into a tool for attackers to plant hidden backdoors. Not only LAPS: many other products are the same. As products multiply, security improves, but the attack surface exposed to attackers expands as well. The road to security is long.
