Pass-the-Hash Attack Over Named Pipes Against ESET Server Security
Introduction
The pass-the-hash attack is, as is widely known, part of the Lateral Movement phase and can be a crucial technique for compromising a domain environment. Suppose you obtained the NT hash of the built-in local Administrator account and found that this hash authenticates to other servers because the victim reused the same password on several of them. In another scenario, you compromised the NT hash of a user with high privileges in Active Directory. The next step is to gain initial access. This article focuses on using the NT hash to execute commands successfully on a target server that runs ESET Server Security or ESET File Security, even when the packet inspection settings restrict communication with a few services. All scenarios were conducted against Windows Server 2012 R2 running the ESET Server/File Security product. Keep in mind that these techniques generate a lot of event logs.
ESET released a few updates that renamed the product from ESET File Security for Microsoft Windows Server to ESET Server Security for Microsoft Windows Server, starting with version 8.012003.0.
One of the ESET Server Security features is Network Attack Protection, which ESET describes as: “ESET Network Attack Protection improves detection of known vulnerabilities on the network level.” This feature sets the Server Security product apart from traditional antivirus systems. There are a few advanced options to prevent lateral movement via the packet inspection and intrusion detection features, for instance denying communication with the Server service, the Remote Registry service, LSA, etc. However, the packet inspection settings do not handle this issue completely. A few services can still be used for communication without raising an alert or being blocked by intrusion detection:
· a network SMB pipe (listening ports are 139 & 445)
· plain TCP or plain UDP (listening port set at the service creation)
ESET Server Security packet inspection detects plain TCP or plain UDP packets and blocks them according to the packet inspection settings. However, a remote user can still establish a connection to the restricted services through named pipes (\pipe\atsvc and \pipe\svcctl). The advantage of this connection method is that the traffic is encrypted.
Command Execution Through ATSVC
A malicious user who obtains the NT hash of the Administrator user (RID 500) is prevented from remote password and hash extraction, admin share connections and pass-the-hash attacks by the following settings, which block access to the listed services:
For example, the impacket wmiexec python script is blocked with a “connection to other RPC service” event (wmiexec needs DCOM).
The default WMI namespace is root/cimv2, and classic WMI uses DCOM to communicate with devices.
When the wmiexec script makes a DCOM connection request, ESET Server Security detects and blocks the packets (the DCERPC packet is caught).
As another example, pth-winexe fails because it cannot connect to the \svcctl pipe (Named Pipe: \pipe\svcctl, Description: Service control manager and server services, used to remotely start and stop services and execute commands).
However, a remote user can bypass these restrictions and execute commands with SYSTEM privileges on the target server through the Task Scheduler service, using the impacket atexec python script and the NT hash of a user that has local Administrator (RID 500) privileges.
The Microsoft AT-Scheduler Service is described as follows:
“Protocol dependencies; DCE/RPC: This protocol is implemented on top of the DCE/RPC transport. This protocol is often accessed from the \PIPE\atsvc named pipe on IPC$ but can also be reached through a dynamically assigned TCP port. Accessing this service using TCP as transport requires the support of the EPM Endpoint Mapper service.” [5]
The atexec.py script makes its connection through the \pipe\atsvc pipe (RPC over SMB communication).
The screenshot below shows the RPC over SMB communication steps after the python script was executed:
1- Establish a TCP connection on TCP port 445.
2- Negotiate dialect request/response.
3- Session Setup Request/Response to establish the SMB session.
On the targeted server side:
1- The task file is created under Windows\System32\Tasks and the registry key is created.
2- A .tmp file that holds the output of the task is created while the task is running.
3- The task file under the Windows\System32\Tasks directory is then deleted and the registry key is closed.
4- The output file (ADMIN$\Temp\{random_value}.tmp) is printed to the terminal via smbConnection.
5- The output file (the .tmp file) is deleted.
Commands that include space characters can also be run, as the following code block shows:
As shown below, the words typed after the first space are treated as arguments.
Command Execution Through SVCCTL
The impacket smbexec python script executes commands on the target once the binding to the \svcctl named pipe is completed (Named Pipe: \pipe\svcctl, Description: Service control manager and server services, used to remotely start and stop services and execute commands).
We mentioned above that pth-winexe is caught by ESET Server Security while it connects to the \svcctl named pipe. Interestingly, smbexec connects to \svcctl as well, yet it is not caught by the ESET agent. Encrypted SMB traffic between the attacker machine and the server is one of the reasons the communication with the Service Control Manager service goes undetected. Unfortunately for the attacker, this method generates a lot of event logs, which increases detectability.
The script creates the execute.bat file under the C:\Windows\Temp directory and then creates a service whose name is the executed command. The service is started with the hRStartServiceW function of the scmr module. The output of the executed command is echoed to the \\127.0.0.1\C$\_output file.
For example, if we type ipconfig /all as the command:
In this case, contrary to what is claimed, the attacker can reach the Service Control Manager service.
Attack Approaches Against Domain Controller
So far we have discussed ESET Server Security installed on a Windows Server operating system without additional roles. Let’s look closely at what happens when targeting a Domain Controller. The main goal is to execute a command on the Domain Controller without being blocked by ESET Server Security.
Assume that you compromised a client or server joined to Active Directory and dumped the NT hash of a domain admin user from LSASS. In this case, we have a few approaches:
1. Trying to crack the NT hash value (depends on password complexity)
2. Conducting a DCSync attack to get the krbtgt account hash for a Golden Ticket
3. Connecting to Active Directory with the NT user hash using https://github.com/passtheticket/DCDumlupinar
4. Pass-the-Hash attack
5. Overpass-the-Hash attack
We will cover the pass-the-hash and DCSync attack methods in this document.
Conducting DCSync attack to get Krbtgt account hash for Golden Ticket
If we attempt to get the list of domain users and their hashes with the secretsdump [6] script through the MS-DRSR (Directory Replication Service Remote Protocol) DRSGetNCChanges() call, the DCERPC bind request to TCP port 135 (RPC) is caught by packet inspection.
We can evade this by using the -use-vss option, which runs vssadmin to obtain a copy of NTDS.dit. The remote execution step is completed with the smbexec method, which sends encrypted SMB packets.
A Golden Ticket attack can be conducted once the krbtgt account hash is obtained with the techniques above.
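Host-side detection for the artifacts described in the ATSVC, SVCCTL and -use-vss passages above, as an added example that is not part of the original article: it runs simple rules over constructed Windows event records (7045 service installs, 4698 task creations, 4688 process starts). The flattened record layout, the task name and the exact share paths are assumptions built from the page's description.

```python
# Added example, not from the article. Records are constructed, flattened
# to "EventID|Field=Value|..."; field names mirror real 7045/4698/4688 events.
SAMPLE_EVENTS = [
    # smbexec-style service: name is the command, output echoed to C$ share
    "7045|ServiceName=ipconfig /all|ImagePath=%COMSPEC% /Q /c echo ipconfig "
    "/all ^> \\\\127.0.0.1\\C$\\_output 2^>^&1 > C:\\Windows\\Temp\\execute.bat "
    "& %COMSPEC% /Q /c C:\\Windows\\Temp\\execute.bat",
    # atexec-style task: output redirected to a random .tmp under Windows\Temp
    "4698|TaskName=\\AbCdEfGh|Command=cmd.exe"
    "|Arguments=/C whoami > C:\\Windows\\Temp\\AbCdEfGh.tmp 2>&1",
    "7045|ServiceName=Spooler|ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    # shadow copy creation, as triggered by secretsdump -use-vss
    "4688|NewProcessName=C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine=vssadmin create shadow /for=C:",
]

def parse_event(line):
    """Split one flattened record into a dict keyed by field name."""
    event_id, *fields = line.split("|")
    rec = {"EventID": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def classify(rec):
    """Return a finding label for one event, or None if it looks benign."""
    eid = rec["EventID"]
    if eid == "7045":
        path = rec.get("ImagePath", "").lower()
        name = rec.get("ServiceName", "")
        # execute.bat in Windows\Temp or a UNC write back to \\127.0.0.1\C$
        if "execute.bat" in path or "\\\\127.0.0.1\\c$\\" in path:
            return "smbexec-style service install"
        # a service whose name is really a command line (space or switch)
        if " " in name or "/" in name:
            return "service name looks like a command"
    elif eid == "4698":
        args = rec.get("Arguments", "").lower()
        if "\\windows\\temp\\" in args and ".tmp" in args:
            return "atexec-style scheduled task"
    elif eid == "4688":
        cmd = rec.get("CommandLine", "").lower()
        if cmd.startswith("vssadmin") and "create shadow" in cmd:
            return "shadow copy creation (NTDS.dit copy via -use-vss)"
    return None

def scan(lines):
    """Return [(EventID, label), ...] for every record classify() flags."""
    hits = [(r["EventID"], classify(r)) for r in map(parse_event, lines)]
    return [h for h in hits if h[1]]
```

Feed real 7045/4698/4688 events through the same rules once their XML is flattened to these field names; the noisy artifacts the article points out (task files, .tmp output, execute.bat, the C$ write-back) are what make these methods detectable despite the encrypted SMB transport.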
Conducting Pass-the-Hash attack
This section is similar to targeting a Windows Server that runs ESET Server Security. Please note that when targeting a Windows server you must obtain the local Administrator (RID 500) account or a member of the Domain Admins group (or a member of a domain group that has local administrator privilege). If you conduct PtH against a server in a WORKGROUP (not joined to an Active Directory environment), the Administrator user with RID 500 must be compromised, because the LocalAccountTokenFilterPolicy value does not exist, its default is 0, and only the RID 500 “Administrator” account can perform remote administration tasks.
For example, if we try to connect with a member of the local Administrators group that has a RID value other than 500, the “access is denied” error is returned.
Bonus: MS-EFSR abuse (PetitPotam)
If you try to coerce the Windows Server into authenticating to other machines via the MS-EFSRPC EfsRpcOpenFileRaw function without credentials, packet inspection detects the DCERPC packet and blocks the connection.
However, a domain user can still connect to the named pipes because the communication for the binding is encrypted.
The RPC call packets coming from the domain controller to the attacker machine can be captured in the clear (not those from the client to the DC).
ESET Server Security can prevent the theft of the computer account’s NTLMv2 hash if the attacker tries to bind the named pipes without credentials.
Timeline
On 14 June 2021 the issue was reported to the vendor.
On 21 June 2021 our submission was classified as a functional bug and passed to their development team for further review.
On 27 July 2021 the vendor classified it as a won't-fix issue.