DAMP: Persistence Through Host-based Security Descriptor Modification
Category : Blog
This project contains several files that implement host-based security descriptor “backdoors” that facilitate the abuse of various remotely accessible services for arbitrary trustees/security principals.
tl;dr – this grants users/groups (local, domain, or ‘well-known’ like ‘Everyone’) of an attacker’s choosing the ability to perform specific administrative actions on a modified host without needing membership in the local administrators group.
Note: to implement these backdoors, you need the right to change the security descriptor information for the targeted service, which in stock configurations nearly always means membership in the local administrators group.
Remote Hash Extraction On Demand Via Host Security Descriptor Modification
This is the long overdue follow-up to the “An ACE in the Hole: Stealthy Host Persistence via Security Descriptors” presentation (slides and video) that @tifkin_, @enigma0x3, and I gave at DerbyCon last year. This past weekend we gave a talk at @Sp4rkCon titled “The Unintended Risks of Trusting Active Directory” that explored combining our host-based security descriptor research with the work that @_wald0 and I detailed at Black Hat and DEF CON last year on Active Directory security descriptor backdooring. One of the more interesting case studies at both DerbyCon and Sp4rkCon involved a host-based security descriptor modification primitive that allows indefinite remote retrieval of a machine’s account hash. This post will dive deeply into this approach, the newly released weaponized code that implements it, and the extension allowing for the extraction of local account hashes and domain cached credentials.
Security Descriptor Operations
The Windows API provides functions for getting and setting the components of the security descriptor associated with a securable object. Use the GetSecurityInfo and GetNamedSecurityInfo functions to retrieve a pointer to an object’s security descriptor. These functions can also retrieve pointers to the individual components of the security descriptor: DACL, SACL, owner SID, and primary group SID. Use the SetSecurityInfo and SetNamedSecurityInfo functions to set the components of an object’s security descriptor.
The Windows API provides additional functions for manipulating the components of a security descriptor. For information about working with access control lists (DACLs or SACLs), see Getting Information from an ACL and Creating or Modifying an ACL. For information about SIDs, see Security Identifiers (SIDs).
Add-RemoteRegBackdoor implements a new remote registry backdoor that allows for the remote retrieval of a system’s machine and local account hashes, as well as its domain cached credentials.
Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
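As an added defender-side example (not code from DAMP or the original post), the PowerShell function below reads the DACL of the winreg key that gates remote registry access, the same class of securable object whose security descriptor the functions above modify, and reports every Allow ACE granted to a trustee outside a stock baseline. The function name and the expected-trustee list are assumptions; tailor the list to your own build.

```powershell
# Added audit example, not part of DAMP. Reads the security descriptor of the
# remote-registry access key and flags ACEs for trustees outside the expected set.
function Get-WinregDaclAnomaly {
    [CmdletBinding()]
    param(
        # Key whose DACL controls who may open the remote registry (winreg) pipe.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
        # Trustees present on a stock system (assumption; adjust to your baseline).
        [string[]]$ExpectedTrustee = @(
            'BUILTIN\Administrators',
            'BUILTIN\Backup Operators',
            'NT AUTHORITY\LOCAL SERVICE'
        )
    )
    try {
        $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read DACL of ${KeyPath}: $_"
        return
    }
    foreach ($ace in $acl.Access) {
        # Unresolvable trustees (e.g. a deleted account) come back as a raw SID
        # string and are flagged too, since they are never in the baseline.
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $ExpectedTrustee -notcontains $id) {
            [pscustomobject]@{
                Key       = $KeyPath
                Trustee   = $id
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # backdoor ACEs are typically explicit
                Owner     = $acl.Owner         # an unexpected owner is also a finding
            }
        }
    }
}

# Run as an administrator on the host (or through remoting); no output means
# only baseline trustees hold Allow ACEs on the key.
Get-WinregDaclAnomaly | Format-Table -AutoSize
```

The same check applies to the SAM and SECURITY hive keys that hold the hashes and cached credentials the functions above retrieve; pass their paths and their own baseline trustee lists, and note that reading those DACLs may require running as SYSTEM.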