Jump to content
Nytro

Defence - Beating Keyloggers to protect Domain Admin Creds - Windows

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=3]Defence - Beating Keyloggers to protect Domain Admin Creds - Windows[/h]

Hi All,

This post is a little different to what I normally do and I think it is a long time coming in general. Nowadays the bloggers in the IT Security community are all focusing on the hacks, exploits and ways to break in. I thought I would show you a way to improve the overall security of your network. This can be implemented quite easily and is a control mandated in the Internet Security Manual. For anyone not in Australia or not aware of the ISM here is the blurb from ASD.

“The Australian Signals Directorate (ASD) produces the Australian Government Information Security Manual (ISM). The manual is the standard which governs the security of government ICT systems”

Link: http://www.asd.gov.au/publications/Information_Security_Manual_2014_Controls.pdf

I want to state that this is not the only way to design your network and this example is specifically for handling keylogging to protect your domain admin accounts.

From what I am seeing there are two types of networks around these days.

Flat Networks: Hosts, Admin hosts and Servers in same Subnet

1.PNG

Layered networks: Hosts one subnet, admin another subnet and servers in another subnet

2.PNG

In a flat network any normal host / admin host can RDP into any server.

In a layered network normal hosts cannot RDP into the server subnet but admin hosts can.

What does this mean for keyloggers?

Flat Network

In a flat network your domain admins / server admins are able to logon to any server they want with their admin credentials. If this is the same as there workstation credentials, email associated, this is a bad thing in general. For this example we will assume the following:

  • The workstation credentials are different to the admin credentials.
  • The workstation credential will be named BobSmith
  • The admin credentials will be named BobAdmin.

Layered Network

Now expand on this, Bob is in a separate subnet to the rest of the environment and he can RDP to any server he chooses to.

Bob has a keylogger that he doesn’t know about. When bob decides to logon to Server A he uses his BobAdmin account. Here is what it looks like.

Attack #1

Bob logs in to RDP server.

1.png

Meterpreter dumps out the password that is typed and Admin credentials are presented.

2.png

Dammit! Isn’t defense in layers supposed to be better? Well yes.

So you are now asking how do you protect the domain admin credentials? Easy… Setup a management server. Here is a picture of how it works. I dummied up some IP ranges to give you an example.

3.PNG

Management Server:

You can handle this one of two ways.

  • Bob Smith needs a separate account that is allowed to RDP onto the management server but has no admin privileges on the management server. For example an account named bobRDP. bobRDP can only RDP to the management server and nowhere else.
  • Bob Smith uses ‘BobSmith’ to RDP to the server and again has no admin privileges on the management server.

Option 1 allows a little more separation of accounts and adds an administrative burden. Option 2 is a quick fix. It is important that BobSmith is only allowed to logon to the management server and nowhere else.

Essentially the admin subnet is only allowed TCP 3389 / RDP to the management server NOWHERE ELSE! No other ports.

For this example I am using option 2 because I’m lazy and it allows me to bang out this post quickly.

Attack # 2

Permissions on Jump Server for bobsmith

3.png

Pre meterpreter dump on Bobs workstation. Nothing showed.

4.png

Bob RDPs to the management server

Runs mstsc and RDPs to domain controller server.

5.png

Open Command Prompt on Jump Server

6.png

Open Command prompt on Nested RDP - Domain controller

7.png

Dump of meterpreter keylogger after

8.png

As you can see there is no remnants of bobAdmins password or him typing in the management server. Keylogging problem solved!

Now people may look at this post and find so many ways around this design with other attack vectors. But, this post was specifically for one issue and that is to beatMy keyloggers nothing else.

Hopefully this post has been helpful to you.

Posted by Mickey Perre at 20:07

Sursa: Mickeys Security Blogspot: Defence - Beating Keyloggers to protect Domain Admin Creds - Windows

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...