Pass-the-Hash Attack Over Named Pipes Against ESET Server Security

Introduction

Pass-the-hash is, as is well known, a lateral movement technique, and it can be crucial for compromising a domain environment. Suppose you obtained the NT hash of the built-in local Administrator account and found that this hash also authenticates to other servers because the victim reused the same password on them. In another scenario, you compromised the NT hash of a user with high privileges in Active Directory. The next step is to get initial access. This article focuses on using the NT hash to execute commands successfully on a target server that runs ESET Server Security or File Security, even when the packet inspection settings restrict communication with a few services. All scenarios target Windows Server 2012 R2 running the ESET Server/File Security product. Keep in mind that these techniques generate a lot of event logs.

ESET released an update that renamed the product from ESET File Security for Microsoft Windows Server to ESET Server Security for Microsoft Windows Server, starting with version 8.012003.0.

One of the ESET Server Security features is Network Attack Protection, which the vendor describes as follows: “ESET Network Attack Protection improves detection of known vulnerabilities on the network level.” This feature distinguishes the Server Security product from traditional antivirus systems. It offers a few advanced options to prevent lateral movement through packet inspection and intrusion detection, for instance denying communication with the Server service, the Remote Registry service, LSA, and so on. However, the packet inspection settings do not handle this properly: a few services can still be reached without triggering an alert or a block from intrusion detection.

MS-RPC (Microsoft Remote Procedure Call) is a protocol that allows a program to request a service from a program on another computer without having to understand the details of that computer's network. An MS-RPC service can be accessed through different transport protocols, among them:

· a network SMB pipe (listening ports are 139 & 445)

· plain TCP or plain UDP (listening port set at the service creation)

· a local SMB pipe

RPC services over an SMB transport, i.e. port 445/TCP, are reachable through "named pipes" (through the IPC$ share).

The ESET Server Security packet inspection detects plain TCP and plain UDP packets and blocks them according to the packet inspection settings. However, a remote user can still establish a connection to the restricted services through named pipes (\pipe\atsvc and \pipe\svcctl). The advantage of this connection method is that the traffic is encrypted.

Command Execution Through ATSVC

A malicious user who obtains the NT hash of the Administrator user (RID 500) is restricted from remote password and hash extraction, admin share connections and pass-the-hash attacks by the following settings, which prevent access to the services.

For example, the impacket wmiexec Python script is blocked with a “connection to other RPC service” event (wmiexec needs DCOM).

The default WMI namespace is root/cimv2, and classic WMI uses DCOM to communicate with devices.

When the wmiexec script makes a DCOM connection request, ESET Server Security detects and blocks the packets (the DCERPC packet is caught).

As another example, pth-winexe fails because it cannot connect to the \svcctl pipe. (Named pipe: \pipe\svcctl; description: Service Control Manager and server services, used to remotely start and stop services and execute commands.)

However, a remote user can bypass these restrictions and execute commands with SYSTEM privileges on the target server through the Task Scheduler service, using the impacket atexec Python script and the NT hash of a user with local Administrator (RID 500) privileges.

The Microsoft AT-Scheduler Service is described as follows:

This is a DCE/RPC based protocol used by CIFS hosts to access/control the AT-Scheduler Service across a network. This dissector is described by an IDL file and is automatically generated by the Pidl compiler.

Protocol dependencies: DCE/RPC. This protocol is implemented on top of the DCE/RPC transport. This protocol is often accessed from the \PIPE\atsvc named pipe on IPC$ but can also be reached through a dynamically assigned TCP port. Accessing this service using TCP as transport requires the support of the EPM Endpoint Mapper service.

The atexec.py script makes its connection through the \pipe\atsvc pipe (RPC over SMB communication).

The screenshot below shows the RPC over SMB communication steps after the Python script is executed:

1- Establish a TCP connection on TCP port 445.

2- Negotiate dialect request/response.

3- Session Setup Request/Response to establish the SMB session.

On the targeted server side:

1- A task file is created under Windows\System32\Tasks and the registry key is created.

2- A .tmp file that holds the output of the task is created while the task runs.

3- Then the task file under the Windows\System32\Tasks directory is deleted and the registry key is closed.

4- The output file (ADMIN$\Temp\{random_value}.tmp) is printed to the terminal via the smbConnection.

5- The output file (the .tmp file) is deleted.

Also, commands that include space characters can be run, as shown in the following code block:

In short, the words typed after the first space are treated as the argument.

Command Execution Through SVCCTL

The impacket smbexec Python script executes commands on the target once the \svcctl named pipe binding is completed. (Named pipe: \pipe\svcctl; description: Service Control Manager and server services, used to remotely start and stop services and execute commands.)

We mentioned above that pth-winexe is caught by ESET Server Security while connecting to the \svcctl named pipe. Interestingly, smbexec connects to \svcctl as well, yet it is not caught by the ESET agent. The encrypted SMB traffic between the attacker machine and the server is one reason the communication with the Service Control Manager service goes undetected. Unfortunately, this method drops a lot of event logs, which increases the detectability of the attack.

The script creates the execute.bat file under the C:\Windows\Temp directory and then creates a service with the same name as the executed command. The service is started with the hRStartServiceW function in the scmr module.

The executed command is echoed to the \\127.0.0.1\C$\_output file.

For example, if we type ipconfig /all as the command:

In this case, contrary to what the settings claim, the Service Control Manager service can be reached by the attacker.
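As an added detection example (not part of the original article and not impacket's code), the following Python script turns the host-side artifacts of both execution paths described above into rules: the atexec flow (task created under System32\Tasks, output in ADMIN$\Temp\{random}.tmp, task deleted right after it runs) and the smbexec flow (execute.bat in C:\Windows\Temp, a service created to run it, output in \\127.0.0.1\C$\_output). It runs over constructed scheduled-task and service-install events; the event field names and the 60-second window are assumptions, while the Windows event IDs are the real ones.

```python
import re

# Host-side indicators of the two execution paths described above (taken from
# the page's description, not from impacket's source): atexec registers a task
# whose output lands in ADMIN$\Temp\{random}.tmp and deletes the task right
# after it runs; smbexec drops C:\Windows\Temp\execute.bat, installs a service
# to run it and uses \\127.0.0.1\C$\_output for the result.
TMP_OUTPUT = re.compile(r"\\windows\\temp\\[^\\\s>]+\.tmp", re.I)
EXECUTE_BAT = re.compile(r"\\windows\\temp\\execute\.bat", re.I)
LOOPBACK_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\c\$\\_+output", re.I)
SHORT_LIVED_SECS = 60  # assumed window: atexec deletes its task within seconds


def find_remote_exec(events):
    """Return (technique, name, reason) alerts for a list of normalised events.

    Assumed (hypothetical) event dict fields: ts (epoch seconds), event_id,
    name (task or service name), command (task action or service ImagePath).
    Event IDs are the real Windows Security/System ones: 4698 scheduled task
    created, 4699 scheduled task deleted, 7045 service installed.
    """
    alerts, created = [], {}  # created: task name -> creation timestamp
    for ev in events:
        eid, name, cmd = ev["event_id"], ev.get("name", ""), ev.get("command", "")
        if eid == 4698:
            created[name] = ev["ts"]
            if TMP_OUTPUT.search(cmd):
                alerts.append(("atexec", name, "task output redirected to Windows\\Temp\\*.tmp"))
        elif eid == 4699 and name in created:
            if ev["ts"] - created.pop(name) <= SHORT_LIVED_SECS:
                alerts.append(("atexec", name, f"task deleted within {SHORT_LIVED_SECS}s of creation"))
        elif eid == 7045 and (EXECUTE_BAT.search(cmd) or LOOPBACK_OUTPUT.search(cmd)):
            alerts.append(("smbexec", name, "service runs Windows\\Temp\\execute.bat or writes \\\\127.0.0.1\\C$\\_output"))
    return alerts


# Constructed sample events (not real logs): one atexec-style task create/delete
# pair, one smbexec-style service install, and two benign events that must not fire.
SAMPLE_EVENTS = [
    {"ts": 100, "event_id": 4698, "name": "ZyXw", "command": r"cmd.exe /C whoami > C:\Windows\Temp\ZyXw.tmp 2>&1"},
    {"ts": 103, "event_id": 4699, "name": "ZyXw"},
    {"ts": 200, "event_id": 7045, "name": "ipconfig /all", "command": r"%COMSPEC% /Q /c C:\Windows\Temp\execute.bat"},
    {"ts": 300, "event_id": 4698, "name": "NightlyBackup", "command": r"C:\Tools\backup.exe /daily"},
    {"ts": 400, "event_id": 7045, "name": "Spooler", "command": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for alert in find_remote_exec(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same rules would be fed from the Security log (4698/4699) and the System log (7045) of the server, and the task/service name in each alert gives the pivot back to the SMB session that created it.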

Attack Approaches Against Domain Controller

So far we have discussed ESET Server Security installed on a Windows Server operating system without additional roles. Let's look closely at what happens when targeting a Domain Controller. The main goal is to execute a command on the Domain Controller without being blocked by ESET Server Security.

Assume you compromised a client or server joined to Active Directory and dumped the NT hash of a domain admin user from LSASS. In this case, we have a few approaches:

1. Trying to crack the NT hash (depends on password complexity)

2. Conducting a DCSync attack to get the krbtgt account hash for a Golden Ticket

3. Connecting to Active Directory with the user's NT hash using https://github.com/passtheticket/DCDumlupinar

4. Pass-the-Hash attack

5. Overpass-the-Hash attack

We will cover the pass-the-hash and DCSync attack methods in this document.

Conducting a DCSync attack to get the krbtgt account hash for a Golden Ticket

If we attempt to get the domain user list and their hashes using the secretsdump script through the MS-DRSR (Directory Replication Service Remote Protocol) DRSGetNCChanges() call, the DCERPC bind request to TCP port 135 (RPC) is caught by packet inspection.

We can evade this using the -use-vss option, which uses vssadmin to get a copy of NTDS.dit. The remote execution step is completed with the smbexec method, which sends encrypted SMB packets.

A Golden Ticket attack can be conducted once the krbtgt user hash is obtained with the techniques above.

Conducting a Pass-the-Hash attack

This section is similar to targeting a Windows Server that runs ESET Server Security. Please note that when targeting a Windows server you must obtain the local Administrator (RID 500) account, a member of the Domain Admins group, or a member of a domain group that has local administrator privileges. If you conduct PtH against a server in a WORKGROUP (not joined to an Active Directory environment), the Administrator account with RID 500 must be compromised, because the LocalAccountTokenFilterPolicy value does not exist (its default is 0) and only the RID 500 “Administrator” account can conduct remote administration tasks.

For example, if we try to connect as a member of the local Administrators group whose RID is not 500, an “access is denied” error is returned.

Bonus: MS-EFSR abuse (PetitPotam)

If you try to coerce the Windows Server into authenticating to other machines via the MS-EFSRPC EfsRpcOpenFileRaw function without credentials, packet inspection detects the DCERPC packet and blocks the connection.

However, a domain user can still connect to the named pipes, because the communication used for the binding is encrypted.

RPC call packets coming from the domain controller to the attacker machine can be captured in the clear (not those from the client to the DC).

ESET Server Security can prevent the theft of the computer account's NTLMv2 hash if the attacker tries to bind to the named pipes without credentials.

Author: Metin Yunus Kandemir

Timeline

  • On 14 June 2021 the issue was reported to the vendor.

  • On 21 June 2021 our submission was classified as a functional bug and passed to their development team for further review.

  • On 27 July 2021 the vendor marked the issue as won't fix.
