22 Aug Case Study: Low-level credentials can get big gains
Why are the credentials of an intern (or whatever level employee) valuable to the attackers?
NodeZero ran a penetration test using a low-level user’s credentials. Below is an example of a real attack performed by NodeZero.
Attack Path to domain compromise
- In this case, NodeZero started as an authenticated member of the internal network. NodeZero was given the credential for domain user user1.
NodeZero verified the credential for domain user1 in domain1 over SMB.
NodeZero discovered that user1 has local Administrator privileges on a Windows machine, machine1.
Logged in as user1 on machine1, NodeZero dumped credentials from LSASS memory. Raised weaknesses H3-2021-0044.
Among the credentials dumped from LSASS memory on machine1 is the NTLM hash for domain user user2. Using a Pass-The-Hash attack, NodeZero verified the credential for user2 against domain1 over SMB.
NodeZero discovered that user2 has local Administrator privileges on another Windows machine, mahine2. NodeZero raised a new weakness, H3- 2022-0086.
Logged in as user2 on machine2, NodeZero again dumped credentials from LSASS memory. NodeZero raised weakness H3-2021-0044.
Among the credentials dumped from LSASS memory on machine1 is the NTLM hash for domain user admin1. Using the Pass-The-Hash attack, NodeZero verified the credential for admin1 against domain1 over SMB.
NodeZero further identified that domain user admin1 is a domain admin.
A domain user also has local admin rights.
With local admin rights, an attacker can access sensitive processes like LSASS.LSASS stores credentials in memory for users active on the machine.
Once LSASS is dumped, additional credentials can be harvested and used to log into adjacent machines,where LSASS can be dumped again (and again, and again)
Starting with a seemingly minor step like acquiring the credentials of a junior employee can eventually pave the way for attackers to ascend the position of a domain administrator, signifying a complete compromise of the domain.
This attack path is very common in internal pentests and is typical of the methods real-world attackers use once they have breached the perimeter. Not a single CVE was used in this attack, no humans were involved, just NodeZero pivoting credentials and becoming Domain Admin in a little over six hours.