Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added option to do Session Enumeration as local Admin User #47

Merged
merged 10 commits into from
Oct 30, 2023

Conversation

LuemmelSec
Copy link
Contributor

@LuemmelSec LuemmelSec commented Feb 18, 2023

This is the needed PR to SharpHoundCommon that allows to set an option to do session enumeration with a dedicated local (admin) user.
Credits to @eversinc33 how helped me a lot with this.

The situation with more recent pentests and red-team engagements is most likely that you see higher numbers of Windows Server 2016 + as well as Windows 10 1607 +. So the privileged session enumeration via NetWkstaUserEnum needs to be with a user that has local admin rights. Once gaining a foothold or in an assumed breach scenario we will most likely do not have these rights.
But, and that is very common, we do local priv esc on the client, fetch the local admin's credentials, and it happens to be some lame password that is reused accross a large scope of systems - worst case even servers. Same applies to once we get a server's local admin password, and this one is reused.

SharpHound was not able to do this, because it would run the session checks in the context of the user that runs the collector.
What we did was to add 3 new flags:

-DoLocalAdminSessionEnum
-LocalAdminUsername
-LocalAdminPassword

We added a new library (Impersonate.cs ) that allows us to impersonate another remote local user in the current user's context via the LOGON32_PROVIDER_WINNT50 option from the advapi32.dll.
That allows us to wrap the session enumeration stuff inside an impersonated user's context and overcome the limitations mentioned above.
Credits to @phillipharding for this library.

Everything else is done as the running user, so no impact on the rest of what SharpHound is doing.

I created a POC video demonsrating how it works:
https://www.youtube.com/watch?v=mMpNs3MXISM

BloodHound documentation was extended accordingly as well as the SharpHound project itself. Accordings PRs were opened.

SpecterOps/SharpHound#40
SpecterOps/BloodHound-Legacy#646

@github-actions
Copy link

github-actions bot commented Feb 18, 2023

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

@eversinc33
Copy link
Contributor

I have read the CLA Document and I hereby sign the CLA

@eversinc33
Copy link
Contributor

recheck

@rvazarkar
Copy link
Contributor

This is an awesome PR, I've gotta dig into this a bit

@LuemmelSec
Copy link
Contributor Author

This is an awesome PR, I've gotta dig into this a bit

Thanks Rohan.
There were already people asking if local Admin enum would now also be possible:
https://twitter.com/NotMedic/status/1626968323920482306

This ofcourse could now be wrapped too, as the library is there. Accordingly every function that would need it as well.

@JonasBK JonasBK changed the base branch from main to v3 October 13, 2023 06:00
@JonasBK JonasBK changed the base branch from v3 to main October 13, 2023 06:31
@JonasBK
Copy link
Collaborator

JonasBK commented Oct 13, 2023

Hi @phillipharding,

I noticed you have been given credit for creating the Impersonate.cs file in this PR: https://github.com/BloodHoundAD/SharpHoundCommon/pull/47/files#diff-4121b9ee7af13bcce5901c1278346c5985d7964db39d80f718b0ffb2ff35a81b

Can you confirm that you are ok with your work being used in this project? :)

BR Jonas

@LuemmelSec
Copy link
Contributor Author

Hi @phillipharding,

I noticed you have been given credit for creating the Impersonate.cs file in this PR: https://github.com/BloodHoundAD/SharpHoundCommon/pull/47/files#diff-4121b9ee7af13bcce5901c1278346c5985d7964db39d80f718b0ffb2ff35a81b

Can you confirm that you are ok with your work being used in this project? :)

BR Jonas

To add to this for the sake of completeness it was found here:
https://stackoverflow.com/questions/125341/how-do-you-do-impersonation-in-net

Which linked to here:
https://web.archive.org/web/20150315063000/https://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/

@rvazarkar rvazarkar changed the base branch from main to v3 October 23, 2023 14:24
@rvazarkar rvazarkar changed the base branch from v3 to main October 23, 2023 14:25
@JonasBK JonasBK merged commit 395bffc into SpecterOps:main Oct 30, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Oct 30, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants