Added option to do Session Enumeration as local Admin User #40
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
|
recheck |
|
That is very cool and should be merged! Another feature that would be awesome: Check the local groups especially members of "RDP Users" and "Administrators" or the common name in the localized version. Often you find domain groups in those local groups that Sharphound won't see. |
JonasBK
approved these changes
Oct 30, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the needed PR to SharpHound that allows to set an option to do session enumeration with a dedicated local (admin) user.
Credits to @eversinc33 how helped me a lot with this.
The situation with more recent pentests and red-team engagements is most likely that you see higher numbers of Windows Server 2016 + as well as Windows 10 1607 +. So the privileged session enumeration via NetWkstaUserEnum needs to be with a user that has local admin rights. Once gaining a foothold or in an assumed breach scenario we will most likely do not have these rights.
But, and that is very common, we do local priv esc on the client, fetch the local admin's credentials, and it happens to be some lame password that is reused accross a large scope of systems - worst case even servers. Same applies to once we get a server's local admin password, and this one is reused.
SharpHound was not able to do this, because it would run the session checks in the context of the user that runs the collector.
What we did was to add 3 new flags:
-DoLocalAdminSessionEnum
-LocalAdminUsername
-LocalAdminPassword
We added a new library (Impersonate.cs ) that allows us to impersonate another remote local user in the current user's context via the LOGON32_PROVIDER_WINNT50 option from the advapi32.dll.
That allows us to wrap the session enumeration stuff inside an impersonated user's context and overcome the limitations mentioned above.
Credits to @phillipharding for this library.
Everything else is done as the running user, so no impact on the rest of what SharpHound is doing.
I created a POC video demonsrating how it works:
https://www.youtube.com/watch?v=mMpNs3MXISM
BloodHound documentation was extended accordingly as well as the SharpHoundCommon project itself. Accordings PRs were opened.
BloodHoundAD/SharpHoundCommon#47
BloodHoundAD/BloodHound#646