DAs got nothing to do with it. It makes it easier, but this can be done by
someone without any account at all.
--Paul
----- Original Message -----
From: "Bernard, Aric" <[EMAIL PROTECTED]>
To: <[email protected]>; <[email protected]>
Sent: Friday, September 15, 2006 10:33 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA
Kevin,
FWIW - as others are stating, assuming you know what you are doing, it is
*simple* and painless so long assuming that you are a DA of any domain in
the forest and have access to the console of a GC. There are many
exploits strategies in this area and in its most basic form this can be
done with rudimentary knowledge, native tools, and no coding or scripting.
Aric
-----Original Message-----
From: "Kevin Brunson" <[EMAIL PROTECTED]>
To: "[email protected]" <[email protected]>
Sent: 9/15/06 1:35 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA
http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx
discusses some elevation of privilege attacks. It also links to another
article that is supposed to have more details on SID filtering, which
doesn't seem to exist anymore. All references I have found point only
at NT4 and 2000 as susceptible to this kind of attack, and they have a
patch to fix it. So I guess 2003 is secure at least when it comes to
the SIDHistory method. There must be other ways of doing it, though. I
don't know that they could possibly be "simple" if MS put out a patch to
fix this particular hole way back in 02. The referenced article (for
those who don't read it) calls for "a binary edit of the data structures
that hold the SIDHistory information". Not exactly "candy from a baby"
level, unless you happen to be a 3rd level black-belt in
babies-canditsu. But I'm sure someone with extreme skills could take on
an unpatched 2000 domain without much trouble. Either way, it looks
like sidfiltering mitigates most of the risk.
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: [email protected]
Subject: RE: [ActiveDir] Elevating privileges from DA to EA
Al - we are designing a forest with regional domains (don't ask!) and
one region has suggested it needs to split from this forest since
elevating rights in any regional domain from DA to EA (forest wide) is
'simple' [and this would break the admin / support model].
What is being said is very very true. Either you trust ALL Domain Admins
(no matter the domain those are in) or you do not trust ANY! Every
Domain Admin or ANY person with physical access to a DC has the
possibility to turn the complete forest into crap!
Because if that was NOT the case the DOMAIN would be the security
boundary. Unfortunately it is not! The Forest is the security boundary,
whereas EVERY single DC in the forest MUST be protected and EVERY Domain
Admin MUST be trusted!
I am arguing that it is not simple and am looking for methods which
may be used to elevate rights as per the above
When you know HOW, it is as easy as taking candy from a baby
jorge
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: [email protected]
Subject: RE: [ActiveDir] Elevating privileges from DA to EA
Thanks for responses, all.
Al - we are designing a forest with regional domains (don't
ask!) and one region has suggested it needs to split from this forest
since elevating rights in any regional domain from DA to EA (forest
wide) is 'simple' [and this would break the admin / support model].
I am arguing that it is not simple and am looking for methods
which may be used to elevate rights as per the above.
Make sense?
neil
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: [email protected]
Subject: Re: [ActiveDir] Elevating privileges from DA to EA
Can you reword? I'm not sure I clearly understand the question.
FWIW, going from DA to EA is a matter of adding one's id to the
EA group. DA's have that right in the root domain of the forest (DA's
of the root domain have that right). Editing etc. is not necessary. Nor
are key-loggers etc.
If physical access is available, there are plenty of ways to get
the access you require to a domain but I suspect you're asking how can a
DA from a child domain gain EA access; is that the question you're
looking to answer?
Just for curiousity, what brings up that question?
Al
On 9/14/06, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
It has been suggested by certain parties here that elevating
one's rights from AD to EA is 'simple'.
I have suggested that whilst it's possible it is not simple at
all.
Does anyone have any descriptions of methods / backdoors /
workarounds etc that can be used to elevate rights in this way?
Naturally, you may prefer to send this to me offline :) [
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ]
I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass
As you can see, I don't want specific steps to 'hack' the DC,
just basic ideas / methods.
Thanks,
neil
PLEASE READ: The information contained in this email is
confidential and
intended for the named recipient(s) only. If you are not an
intended
recipient of this email please notify the sender immediately and
delete your
copy from your system. You must not copy, distribute or take any
further
action in reliance on it. Email is not a secure method of
communication and
Nomura International plc ('NIplc') will not, to the extent
permitted by law,
accept responsibility or liability for (a) the accuracy or
completeness of,
or (b) the presence of any virus, worm or similar malicious or
disabling
code in, this message or any attachment(s) to it. If
verification of this
email is sought then please request a hard copy. Unless
otherwise stated
this email: (1) is not, and should not be treated or relied upon
as,
investment research; (2) contains views or opinions that are
solely those of
the author and do not necessarily represent those of NIplc; (3)
is intended
for informational purposes only and is not a recommendation,
solicitation or
offer to buy or sell securities or related financial
instruments. NIplc
does not provide investment services to private customers.
Authorised and
regulated by the Financial Services Authority. Registered in
England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
PLEASE READ: The information contained in this email is
confidential and
intended for the named recipient(s) only. If you are not an
intended
recipient of this email please notify the sender immediately and
delete your
copy from your system. You must not copy, distribute or take any
further
action in reliance on it. Email is not a secure method of
communication and
Nomura International plc ('NIplc') will not, to the extent
permitted by law,
accept responsibility or liability for (a) the accuracy or
completeness of,
or (b) the presence of any virus, worm or similar malicious or
disabling
code in, this message or any attachment(s) to it. If
verification of this
email is sought then please request a hard copy. Unless
otherwise stated
this email: (1) is not, and should not be treated or relied upon
as,
investment research; (2) contains views or opinions that are
solely those of
the author and do not necessarily represent those of NIplc; (3)
is intended
for informational purposes only and is not a recommendation,
solicitation or
offer to buy or sell securities or related financial
instruments. NIplc
does not provide investment services to private customers.
Authorised and
regulated by the Financial Services Authority. Registered in
England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
