I think Aric was just specifically bringing it back to the original point of having some domains (say regional domains) with different DA's than others. I can assure you that Aric could hack an AD with the best of them. :o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Sunday, September 17, 2006 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

DAs got nothing to do with it. It makes it easier, but this can be done by someone without any account at all.

--Paul

----- Original Message -----
From: "Bernard, Aric" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>; <ActiveDir@mail.activedir.org>
Sent: Friday, September 15, 2006 10:33 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

> Kevin,
>
> FWIW - as others are stating, assuming you know what you are doing, it is *simple* and painless so long as you are a DA of any domain in the forest and have access to the console of a GC. There are many exploit strategies in this area and in its most basic form this can be done with rudimentary knowledge, native tools, and no coding or scripting.
>
> Aric
>
> -----Original Message-----
> From: "Kevin Brunson" <[EMAIL PROTECTED]>
> To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org>
> Sent: 9/15/06 1:35 PM
> Subject: RE: [ActiveDir] Elevating privileges from DA to EA
>
> > http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx discusses some elevation of privilege attacks. It also links to another article that is supposed to have more details on SID filtering, which doesn't seem to exist anymore. All references I have found point only at NT4 and 2000 as susceptible to this kind of attack, and they have a patch to fix it. So I guess 2003 is secure at least when it comes to the SIDHistory method. There must be other ways of doing it, though. I don't know that they could possibly be "simple" if MS put out a patch to fix this particular hole way back in 02.
> >
> > The referenced article (for those who don't read it) calls for "a binary edit of the data structures that hold the SIDHistory information". Not exactly "candy from a baby" level, unless you happen to be a 3rd level black-belt in babies-canditsu. But I'm sure someone with extreme skills could take on an unpatched 2000 domain without much trouble. Either way, it looks like sidfiltering mitigates most of the risk.
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
> > Sent: Friday, September 15, 2006 2:48 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Elevating privileges from DA to EA
> >
> > > >>>>Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].
> > >
> > > What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap!
> > >
> > > Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!
> > >
> > > >>>>I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above
> > >
> > > When you know HOW, it is as easy as taking candy from a baby
> > >
> > > jorge
> > >
> > > ________________________________
> > >
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > > Sent: Friday, September 15, 2006 09:36
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Elevating privileges from DA to EA
> > >
> > > > Thanks for responses, all.
> > > >
> > > > Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].
> > > >
> > > > I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above.
> > > >
> > > > Make sense?
> > > >
> > > > neil
> > > >
> > > > ________________________________
> > > >
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> > > > Sent: 14 September 2006 20:59
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: Re: [ActiveDir] Elevating privileges from DA to EA
> > > >
> > > > > Can you reword? I'm not sure I clearly understand the question.
> > > > >
> > > > > FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc.
> > > > >
> > > > > If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer?
> > > > >
> > > > > Just for curiosity, what brings up that question?
> > > > >
> > > > > Al
> > > > >
> > > > > On 9/14/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'.
> > > > > >
> > > > > > I have suggested that whilst it's possible it is not simple at all.
> > > > > >
> > > > > > Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [ [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ]
> > > > > >
> > > > > > I can think of the following basic methods:
> > > > > > - Remove DC disks and edit offline
> > > > > > - Introduce key logger on admin workstation / DC
> > > > > > - Inject code into lsass
> > > > > >
> > > > > > As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.
> > > > > >
> > > > > > Thanks,
> > > > > > neil

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx