Sunday 14 September 2014

Defence - Beating Keyloggers to protect Domain Admin Creds - Windows



Hi All,

This post is a little different to what I normally do and I think it is a long time coming in general.  Nowadays the bloggers in the IT Security community are all focusing on the hacks, exploits and ways to break in.  I thought I would show you a way to improve the overall security of your network.  This can be implemented quite easily and is a control mandated in the Internet Security Manual.  For anyone not in Australia or not aware of the ISM here is the blurb from ASD.

“The Australian Signals Directorate (ASD) produces the Australian Government Information Security Manual (ISM). The manual is the standard which governs the security of government ICT systems”


I want to state that this is not the only way to design your network and this example is specifically for handling keylogging to protect your domain admin accounts.

From what I am seeing there are two types of networks around these days. 

Flat Networks: Hosts, Admin hosts and Servers in same Subnet



Layered networks: Hosts one subnet, admin another subnet and servers in another subnet



In a flat network any normal host / admin host can RDP into any server.
In a layered network normal hosts cannot RDP into the server subnet but admin hosts can.

What does this mean for keyloggers?
Flat Network
In a flat network your domain admins / server admins are able to logon to any server they want with their admin credentials.  If this is the same as there workstation credentials, email associated, this is a bad thing in general.  For this example we will assume the following:

  • The workstation credentials are different to the admin credentials.  
  • The workstation credential will be named BobSmith
  • The admin credentials will be named BobAdmin.
Layered Network
Now expand on this, Bob is in a separate subnet to the rest of the environment and he can RDP to any server he chooses to. 

Bob has a keylogger that he doesn’t know about.  When bob decides to logon to Server A he uses his BobAdmin account.  Here is what it looks like.

Attack #1

Bob logs in to RDP server.



Meterpreter dumps out the password that is typed and Admin credentials are presented.


Dammit! Isn’t defense in layers supposed to be better? Well yes.  

So you are now asking how do you protect the domain admin credentials? Easy… Setup a management server.  Here is a picture of how it works.  I dummied up some IP ranges to give you an example.



Management Server:
You can handle this one of two ways. 
  • Bob Smith needs a separate account that is allowed to RDP onto the management server but has no admin privileges on the management server.  For example an account named bobRDP.  bobRDP can only RDP to the management server and nowhere else. 
  •  Bob Smith uses ‘BobSmith’ to RDP to the server and again has no admin privileges on the management server.

Option 1 allows a little more separation of accounts and adds an administrative burden.  Option 2 is a quick fix.  It is important that BobSmith is only allowed to logon to the management server and nowhere else.  

Essentially the admin subnet is only allowed TCP 3389 / RDP to the management server NOWHERE ELSE! No other ports.

For this example I am using option 2 because I’m lazy and it allows me to bang out this post quickly.

Attack # 2
Permissions on Jump Server for bobsmith


Pre meterpreter dump on Bobs workstation.  Nothing showed.


Bob RDPs to the management server

Runs mstsc and RDPs to domain controller server.



Open Command Prompt on Jump Server




Open Command prompt on Nested RDP - Domain controller



Dump of meterpreter keylogger after



As you can see there is no remnants of bobAdmins password or him typing in the management server.  Keylogging problem solved!

Now people may look at this post and find so many ways around this design with other attack vectors.  But, this post was specifically for one issue and that is to beatMy keyloggers nothing else.

Hopefully this post has been helpful to you.

No comments:

Post a Comment