Owning Computers Without Shell Access

http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access

Really cool. You can see how much they pull - SAM/SECURITY hives for example.

 

Wouldn't work on my XP/SP2 as cmd.exe/regedit.exe/vssadmin.exe/ are governed by ProcessGuard I agree though it does seem Very clever & Noiseless too

Some interesting links if you search for NTDS.dit file. You might like to have a look at this one http://www.ntdsxtract.com/downloads/ntdsxtract/ntds_forensics.pdf as it also mentions utilising Volume Shadow Copy Services to help extract NTDS.DIT

Amongst other things in there is this.

 

Is reg.exe? Just curious.

A sandbox would prevent this from working depending on how it's configured. A default Sandboxie wouldn't stop this from what I can tell, but you could easily configure it to do so.

 

Yes

 

Nice, that should stop this attack cold then.

 

Correct me if I'm wrong. Does this attack assume that port 445 is open and accessible?

 

This particular attack does, or it relies uses the SMB protocol, which runs over a few ports including 445. The attack in general shouldn't though, I can't see why it would be specific to that port or even that protocol but I'm not sure.

 

OK. If I'm understanding it correctly, SMB is a lot like NETBIOS and is used for many of the same purposes, primarily on the local network. Like NETBIOS, the simplest way to defend against this attack is closing the port and disabling the service behind it unless you actually use it.

 

Right. But the idea of using windows executables to attack the system should be independent of the initial exploit. I think the psexec.rb may require the port. It is unclear.

 

Using Windows own components maliciously isn't exactly new. I seem to recall something a lot like this that used NETBIOS ports to gain access to a command prompt. There's been attacks similar to this dating back to the 9X days. That said, if an attacker can gain access to a command prompt, it's game over no matter what OS you have.

That's one problem I have with some of the "whitelisting" tools. Executables like cmd.exe, reg.exe, etc might be legitimate system files, but they shouldn't be permitted for anyone but the system administrator. Preventing these and others from running in user mode are some of the first rules I make for SSM.

No matter how much Windows changes, some things never do when you think about it, starting with leaving ports open by default that give an attacker this kind of access.