Saturday, July 9, 2016

RCE by abusing NAC to gain Domain Persistence.

Hi there!
I want to share how to compromise whole enterprise network in less than ONE minute :)

If you'll refer to this article, please leave credit to Alexander Korznikov & Viktor Minin.. thanks.

Let's begin... As security consultants, we often advice to our clients to implement Network Access Control systems to prevent some nasty people to do their nasty things...

This article is not about how to bypass Network Access Control systems, but if you're interested, read this: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Arkin.pdf
In two words, NAT can bypass almost everything and stay undetectable in enterprise network.

So when somebody (huge organisations) implementing NAC in their network environment, they are implementing a huge backdoor -  called NAC.

Let me explain some NAC logic:
1. Check for trusted MAC address.
2. Check installed components/registry keys in workstation via WMI interface.
3. Check another stuff in workstation's NAC agent.

Wait for a second. How NAC will connect to a workstation to check (2) Registry Keys via WMI?
Right. SMB Authentication with highly privileged account, in Domain Admin group.

Let's assume these:
1. We have a list of workstation's IPs gathered in passive reconnaissance (wireshark for example)
2. We know which IP belongs to Domain Contoller.

Is something or someone can prevent me from performing SMB-Relay attack? NO!
On servers this will not work, because of SMB Signing option is required.

We take some workstation IP address, and while NAC is performing it's host validation, we will relay SMB authentication to legitimate workstation.

It is trivial, but as result we are able to:
1. Reuse this authentication token and create a new Domain Admin account.
2. In case if this fails, we can create a local administrator account on ANY workstation.
3. Extract credentials of ALL local users including local admins.
4. Gain full control of the corporate network, including Domain Admin accounts.

All this is done in less than ONE minute, before the port will be closed (by NAC).

This issue was tested on several Network Access Control systems.

Bottom line: Think twice before advice.

Leave credits to:
Alexander Korznikov & Viktor Minin

5 comments:

  1. Nice finding!
    Looks similar to a tick with Kaspersky https://erpscan.com/press-center/blog/smbrelay-bible-4-smbrelay-with-no-action-or-attacking-security-software-kaspersky-avsymantec-dlp-gfi-languard-0-days/

    There is only one thing: you can relay to servers too. SMB singing is not required by default (except DC)


    ReplyDelete
  2. In your article you only talk about very bad NAC implementation. In 2016 when implementing NAC I would demand the use of 802.1X and certificates.

    ReplyDelete
    Replies
    1. Indeed.. But in my humble experience, people in large organizations in Israel are too lazy to implement 802.1x or ipsec. By the way, if you owned a workstation with NAC agent installed (sure, with dot1x), you're still have the ability to perform SMBRelay while NAC will examine your host again. Right?

      Delete
  3. I know you linked to the article about NAC bypass could you make a blogpost with the techniques and steps to pull it off and same for 802.1x?

    ReplyDelete
  4. Not all NAC systems using agents,
    and not all nac systems use only MAC address to authenticate, some of them use 4 more parameters.
    so this article is not that correct,
    think twice before posting.

    Thank you,
    NAC expert.

    ReplyDelete