Domain penetration-Analysis of Hook passwordchangenoworkflow

Domain penetration-Analysis of Hook passwordchangenoworkflow

0x00 Preface

In the previous article, we introduced two methods for maintaining domain control permissions-SSP and Skeleton Key. Both methods need to be implemented by Mimikatz, and there are more or less deficiencies, so next we will introduce a more concealed backdoor method without using Mimikatz-Hook passwordchangenoworkflow.

0x01 Introduction

The concept of Hook PasswordChangeNotify was first proposed by clymb3r in September 15, 2013, and the account password modified was intercepted by Hook PasswordChangeNotify.

The following background information is required:

The following synchronization operation is performed when the domain control password is changed:

A. when changing the domain control password, LSA first calls PasswordFileter to determine whether the New Password meets the Password Complexity Requirements. B. If yes, LSA then calls PasswordChangeNotify to synchronously update the password on the system.

The PasswordChangeNotify function exists in rassfm. dll.

Rassfm. dll can be understood as Remote Access Subauthentication dll. It only exists in the Server system and does not exist in xp, win7, win8, etc.

You can use dumpbin to view the rassfm. dll export function to verify conclusion 2:

#!bashdumpbin /exports c:\windows\system32\rassfm.dll

0x02 features

For Security Support providers that have been introduced earlier, the following problems are inevitable during actual use:

After installation, You need to restart the system and place the dll in the System32 folder to modify the registry.

The use of Hook PasswordChangeNotify has the following advantages:

You do not need to restart, you do not need to modify the registry, or even place the dll in the system.

It can be said that in terms of concealment, the use of Hook passwordchangenovel is better than the Security Support Provider

0x03 technical implementation

According to the poc provided by clymb3r, the implementation of Hook passwordchangenoworkflow consists of two parts:

1. Hook dll

Download link:
Https://github.com/clymb3r/Misc-Windows-Hacking
(1)Creates an inline Hook for PasswordChangeNotify and redirects the initial function to PasswordChangeNotifyHook.
(2)In PasswordChangeNotifyHook, the password record operation is implemented, and the control is handed over to PasswordChangeNotify again.

2. dll Injection

You can use the Process Injection in Powershell tricks to inject our own dll into the lsass Process to implement the Hook function.

0x04 actual test

Test environment:

Server 2008 R2 x64Server 2012 R2 x64

Test procedure:

1. Generate Hook dll

Poc:
Https://github.com/clymb3r/Misc-Windows-Hacking

Use the VS2015 development environment, and set the MFC to be used in a static library
Compile the project and generate HookPasswordChange. dll

2. Generate the powershell script for dll Injection

Download the Powershell dll injection script
Https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1

Add the following code at the end of the Code:

Invoke-ReflectivePEInjection-PEPath HookPasswordChange. dll-procname lsass

And name it hookpasswordchangenoworkflow. ps1.

3. Hook passwordchangenoworkflow

Upload hookpasswordchangenoworkflow. ps1 and HookPasswordChange. dll

Administrator permission execution:

#!bashPowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1

4. automatically record new passwords

In Server 2012 R2 x64, after Manually changing the domain control password
Passwords.txt can be found under C: \ Windows \ temp. the new password is recorded.

In Server 2008 R2 x64

0x05 Summary

This article is still a demonstration of conventional functions. You can customize dll code to implement more advanced functions, such as automatic upload of new passwords.

The Code in the following link can be used as a reference to upload the obtained new password to the Http server.

Http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html

Hook passwordchangenovel is used to record the new password. If it is put before, the process injection operation is easy to be detected. However, thanks to the development of the Powershell application, process injection through Powershell can bypass regular interception.

Of course, Hook PasswordChangeNotify is only one of the many Hook methods.

I have Fork the clymb3r code and updated it with the Code required in this article, as follows:

Https://github.com/3gstudent/Hook-PasswordChangeNotify