Article directory
- Introduction to Reset DSRM Password
- Reset DSRM Password Exploitation
- Introduction to AdminSDHolder Abuse
- AdminSDHolder Abuse Exploitation
- Summary
Introduction to resetting DSRM password
Directory Services Restore Mode (DSRM) is a safe-mode boot option for domain controllers in a Windows domain environment. Every domain controller has a local administrator account, and that is the DSRM account. The purpose of DSRM is to let administrators restore, repair or rebuild the Active Directory database when the domain environment fails or crashes, bringing the domain back to normal operation; in other words, the DSRM account is effectively the local administrator of the domain controller. By default the DSRM local administrator account cannot be used to log in to the domain controller over RDP or any other remote connection, which is determined by the DSRM account's logon behavior setting.
Reset DSRM Password Exploitation
Utilization steps:
1. Run the ntdsutil command on the domain controller to change the DSRM password
2. Change the DSRM logon method to allow RDP through the registry

Step 1: run ntdsutil on the domain controller and enter the following commands at the ntdsutil prompt:

    ntdsutil
    set dsrm password
    reset password on server null
    (enter the new DSRM password)
Step 2: after changing the DSRM password, the DSRM logon behavior must be changed before an RDP logon works. DSRM has three logon modes:
0: default value; the DSRM administrator account can be used only when the domain controller is restarted into DSRM mode.
1: the DSRM administrator account can log in to the domain controller only when the local Active Directory Domain Services service is stopped.
2: the DSRM administrator account can log in to the domain controller in any case.

It must be set to mode 2 by modifying the following registry value: DsrmAdminLogonBehavior under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa controls the mode; a value of 2 selects mode 2, and when the value is absent the behavior is mode 0. Modify it with administrator privileges through PowerShell:

    New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
A remote connection is now possible. Note that the machine name must be used as the prefix of the account name. For example, suppose the domain is test: test\administrator is the administrator member of the domain, while WIN-DC\administrator is the local administrator of the domain controller, i.e. the DSRM account.
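As an added defender-side example (not code from the article), the following PowerShell reports the DsrmAdminLogonBehavior value on every domain controller in the domain, so that a change to mode 2 as described above is noticed. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and an account that can read HKLM there.

```powershell
# Added defender-side audit, not code from the article. Assumes the RSAT
# ActiveDirectory module, WinRM access to every domain controller and an
# account that can read HKLM on them.
Import-Module ActiveDirectory

# Meaning of each value, as described in the text above.
$meaning = @{
    0 = 'default: DSRM account usable only after booting into DSRM'
    1 = 'DSRM account usable while the AD DS service is stopped'
    2 = 'DSRM account usable at any time, including remote logon'
}

# Runs on each DC and returns the effective value (an absent value behaves like 0).
$probe = {
    $item = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
                             -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
    if ($null -eq $item) { 0 } else { [int]$item.DsrmAdminLogonBehavior }
}

function Get-DsrmLogonBehaviorReport {
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        $value  = Invoke-Command -ComputerName $dc -ScriptBlock $probe
        $status = if ($value -eq 0) { 'OK' } else { 'FINDING' }
        [pscustomobject]@{
            DomainController = $dc
            Value            = $value
            Meaning          = $meaning[$value]
            Status           = $status
        }
    }
}

Get-DsrmLogonBehaviorReport | Format-Table -AutoSize
```

Any DC reporting a value other than 0 deserves a change-management check; removing the value with Remove-ItemProperty on that DC restores the default logon behavior.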
Introduction to AdminSDHolder Abuse
Active Directory Domain Services uses AdminSDHolder, Protected Groups and the Security Descriptor Propagator to protect privileged users and privileged groups from malicious modification or abuse.

Protected Groups refers to a set of privileged objects in Active Directory. In 2016 these are the following objects:
- Administrator
- Domain Admins
- Enterprise Admins
- Schema Admins
- administrator
- krbtgt
- Read-only Domain Controllers

New in 2019 R2:
- Key Admins
- Enterprise Key Admins

Objects in Protected Groups have their adminCount attribute set to 1, which can be used in an LDAP query to list protected objects. The following queries use Adfind:

    Adfind.exe -f "(&(objectcategory=group)(admincount=1))" -dn
    Adfind.exe -f "(&(objectcategory=user)(admincount=1))" -dn
Each active directory has a container object named AdminSDHolder, the storage path is: CN=AdminSDHolder,CN=System,DC=test,DC=com
The AdminSDHolder object carries a special ACL that controls the permissions on the security principals in Protected Groups, so that these privileged objects cannot be maliciously modified or abused. The ACL of AdminSDHolder can be understood as a security configuration template. By default AdminSDHolder disables inheritance so that it takes no permissions from its parent, and only the Administrators, Domain Admins and Enterprise Admins groups have modify permission on its attributes.

By default, a background process called SDProp (Security Descriptor Propagation) runs on the domain controller every hour. SDProp does not know which objects are in Protected Groups; it only checks whether the adminCount attribute is 1 to decide whether the target object is protected (see the Adfind queries above). It then compares the ACL of each protected object with the ACL of the AdminSDHolder object. If the ACL of the protected object differs from the ACL configured on the AdminSDHolder container, SDProp rewrites the ACL of the protected object so that it is restored to the same configuration as AdminSDHolder.

This is why it can be used for persistence. After an ordinary domain member is given an ACE granting full control over AdminSDHolder, one waits for SDProp to run. SDProp takes the AdminSDHolder ACL as its template and checks the ACL of every protected object; whenever the two ACLs are inconsistent it rewrites the protected object's ACL to match the AdminSDHolder container exactly. As a result, the ordinary domain member under the attacker's control ends up with full control over every protected object.
AdminSDHolder Abuse Exploitation
Utilization steps:
1. Grant the normal domain user WriteDACL permission on the AdminSDHolder object
2. Force the SDProp process to run, or wait for it to run
3. Use the normal domain account that now has WriteDACL permission to escalate privileges

Step 1: PowerView
Download: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

    Import-Module .\PowerView.ps1
    Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=test,DC=com" -PrincipalIdentity hack123 -Rights ALL -Verbose

Note that at this point hack123 does not yet appear on the protected groups, because the SDProp process has not been triggered. [Screenshot: the Domain Admins group is used as the example]

Step 2: modify the registry to force the SDProp process to run. Under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, add or modify the value AdminSDProtectFrequency; its valid range is 60 to 7200, the unit is seconds, and the type is DWORD:

    reg add hklm\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v AdminSDProtectFrequency /t REG_DWORD /d 600

To return to the default of 60 minutes, delete the AdminSDProtectFrequency value from the registry. Once SDProp has run, query the Domain Admins group again and hack123 will have full control over it.
At present, hack123 is only a member of the Domain Users group, and the following commands are used to escalate rights to the administrator group:
net group "Domain Admins" hack123 /add /domain
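As an added defender-side example (not the article's code), the following PowerShell lists every Allow ACE on AdminSDHolder that carries unscoped write-type rights, flags identities outside the default set, and reports whether the AdminSDProtectFrequency value described above has been set. It assumes the RSAT ActiveDirectory module, that it runs on a domain controller (for the registry check), and that $expected matches your default AdminSDHolder ACL; extend that list if write rights have been delegated on purpose.

```powershell
# Added defender-side audit, not code from the article. Assumes the RSAT
# ActiveDirectory module, that the script runs on a domain controller (for the
# registry check), and that $expected reflects the default AdminSDHolder ACL.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Principals that legitimately hold write access on AdminSDHolder by default.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$nb\Domain Admins", "$nb\Enterprise Admins")

function Get-AdminSDHolderWriteAces {
    $acl = Get-Acl -Path "AD:\$holderDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        # WriteProperty scoped to one attribute (non-empty ObjectType) is normal,
        # e.g. for Cert Publishers; unscoped write-type rights rewrite the template
        # and, after SDProp runs, every protected object.
        $broad = ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') -or
                 ($rights -match 'WriteProperty' -and $ace.ObjectType -eq [guid]::Empty)
        if (-not $broad) { continue }
        $who    = $ace.IdentityReference.Value
        $status = if ($expected -contains $who) { 'expected' } else { 'UNEXPECTED' }
        [pscustomobject]@{ Identity = $who; Rights = $rights; Status = $status }
    }
}

function Get-SDPropInterval {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $key -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'AdminSDProtectFrequency absent: default 3600 s in effect' }
    return "AdminSDProtectFrequency = $($item.AdminSDProtectFrequency) s (non-default: find out who set it)"
}

Get-AdminSDHolderWriteAces | Format-Table -AutoSize
Get-SDPropInterval
```

An UNEXPECTED row is the ACE that step 1 above leaves behind; removing it from AdminSDHolder and letting SDProp run again restores the protected objects' ACLs.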
Summary
This article has explained two common methods of maintaining permissions in a domain: resetting the DSRM password and abusing AdminSDHolder. Of course there are many other techniques; only a few tools are covered here. Next I will write about domain persistence through ACL abuse. Related articles are welcome; please follow along.