The attached stream is the result of research I have been working on. It's partly crazy research, I admit, but I'm presently interested in one question: would it be possible to compromise a target without ever using a shell?
This proof of concept uses the PowerShell script PowerView.ps1, created by Will Schroeder, to perform a Kerberoast attack. Before you think "I have seen Kerberoasting before", note that this proof of concept differs from previous demonstrations: it shows that a remote shell is not required to fully compromise a target.
I am a true believer in the idea that built-in functionality is the preferred way to exploit a Windows-based operating system.
Background on the stream.
A standard user on a Windows domain-joined machine opens a Word document and is encouraged to double-click what looks to be an embedded PDF (an OLE object). The OLE object could be replaced with any other delivery method that uses PowerShell to exploit.
In reality the fake PDF is a .bat file. So why a .bat file?
Previous research shows that email gateways rely on signatures, and the likelihood of bypassing them increases when an unusual container is used. (Try another scripting language now.)
The .bat file contains functional commands which, once triggered, result in the domain user's account making a request to the local domain controller for a copy of all local service accounts, accompanied by their corresponding password hashes (Kerberoast).
Service accounts are commonly set to never expire, are allocated weak passwords, and are often members of the Domain Admins (DA) security group.
The request then concludes by sending the collected accounts and password hashes back to the defined remote PC, after which the script cleans up after itself.
This proof of concept shows the collection of a local domain DA account, sent to a defined remote host after a single click by a standard user.
Worryingly, this is just the start, as the request could include anything you wish.
How about a request to send a copy of all local files from the user's PC, or a copy of all available files from the user's assigned share folders, or a full enumeration of domain accounts, concluding, if required, with a remote shell?
I hope this research will help demonstrate the dangers of weak security practices.
To help lower the risk of such dangers, patch Office applications, enforce strong outbound firewall rules, use a security information and event management (SIEM) solution, deploy host-based intrusion prevention systems (HIPS), enable local host firewalls and restrict traffic.
Then educate your teams about the dangers of social engineering attacks.
A single click can do real damage.
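As a detection-side complement to the SIEM recommendation above, here is an added example; it is not part of the original post and is not PowerView code. On the domain controller, Kerberoasting shows up as a burst of Security event 4769 (Kerberos service ticket requests) from a single user account for many distinct service principals, usually with RC4 encryption (TicketEncryptionType 0x17), because RC4-encrypted tickets are what offline cracking targets. The log lines, the flat key=value layout, the account and service names, and the thresholds below are all constructed for this example; real 4769 events are XML, so the parser would be adapted to whatever export format the SIEM ingests.

```python
"""Heuristic Kerberoast detection over Windows Security event 4769 records.

Constructed example: the sample lines, account names, IPs and thresholds are
invented for illustration and are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # TicketEncryptionType value for RC4-HMAC (AES is 0x11 / 0x12)
STATUS_SUCCESS = "0x0"   # KDC returned a ticket; other codes are errors

# Constructed 4769 events, flattened to "timestamp key=value ...".
SAMPLE_4769_EVENTS = [
    # Ordinary user fetching one AES ticket for a file server: benign.
    "2024-03-04T08:59:10Z EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=CIFS-FS01 TicketEncryptionType=0x12 IpAddress=::ffff:10.10.1.20 Status=0x0",
    # One user requesting RC4 tickets for many distinct service accounts within seconds.
    "2024-03-04T09:00:01Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.10.1.44 Status=0x0",
    "2024-03-04T09:00:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.10.1.44 Status=0x0",
    "2024-03-04T09:00:04Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.10.1.44 Status=0x0",
    "2024-03-04T09:00:06Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_report TicketEncryptionType=0x17 IpAddress=::ffff:10.10.1.44 Status=0x0",
    "2024-03-04T09:00:09Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sharepoint TicketEncryptionType=0x17 IpAddress=::ffff:10.10.1.44 Status=0x0",
    # Computer account ticket: machine accounts (trailing $) use random passwords, so ignore.
    "2024-03-04T09:00:10Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS07$ TicketEncryptionType=0x17 IpAddress=::ffff:10.10.1.44 Status=0x0",
    # Single RC4 request to one legacy service: below threshold, not alerted on its own.
    "2024-03-04T09:15:00Z EventID=4769 TargetUserName=bjones@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=::ffff:10.10.2.9 Status=0x0",
    # Failed request (KDC_ERR_CLIENT_REVOKED): no ticket was issued, so ignore.
    "2024-03-04T09:16:00Z EventID=4769 TargetUserName=bjones@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.10.2.9 Status=0x12",
]


def parse_4769(line):
    """Parse one flattened event line into a dict; timestamp becomes a datetime."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_kerberoast(lines, min_distinct_services=4, window=timedelta(minutes=5)):
    """Return one alert per user who obtained RC4 service tickets for at least
    `min_distinct_services` distinct non-computer services inside `window`."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_4769(line)
        if ev.get("EventID") != "4769" or ev.get("Status") != STATUS_SUCCESS:
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        service = ev["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and the TGT service are not roastable targets
        per_user[ev["TargetUserName"]].append((ev["timestamp"], service, ev["IpAddress"]))

    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        best = None  # densest sliding window of distinct services for this user
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc, _ in reqs[start:end + 1]}
            if best is None or len(services) > len(best["services"]):
                best = {
                    "user": user,
                    "source_ip": reqs[end][2],
                    "first_seen": reqs[start][0],
                    "last_seen": reqs[end][0],
                    "services": sorted(services),
                }
        if best and len(best["services"]) >= min_distinct_services:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769_EVENTS):
        print(f"[ALERT] {alert['user']} from {alert['source_ip']} requested RC4 tickets for "
              f"{len(alert['services'])} services between {alert['first_seen']} and "
              f"{alert['last_seen']}: {', '.join(alert['services'])}")
```

The threshold and window are tuning knobs: environments that still run RC4-only services will need a higher threshold or an allow-list of known service principals, while a domain that has moved fully to AES can alert on any RC4 service ticket request from a user account. Either way, the user account and source IP in the alert are the pivot for the incident responder, since the requesting workstation is where the delivery document landed.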
Thanks to the people who inspire me:
@harmj0y: no POC without your script.
@5ub34x Who replies all hours of the day to the most noob PS questions I ask, and he never gets annoyed. Much respect as always dude!
@hagan_23, who replies to questions and then makes me wish I was as smart. ;0)
@benpturner the PS wizard.