Attacking Local Account Passwords

Attacking Local Account Passwords

So far in this series, we’ve learned how attackers can target weak domain passwords in Active Directory.  To complete the story, we need to look beyond domain accounts and understand the ways to attack local accounts on Windows servers and desktops.  For this post, we will focus on the most important local account: Administrator.  The Administrator account is built into every Windows operating system and provides full control over the system, including the ability to compromise domain accounts through pass-the-hash and pass-the-ticket attacks.

The Administrator account is vulnerable to password attacks for two reasons:

  • There is no lockout policy for the Administrator account. According to Microsoft this makes the account “a prime target for brute-force, password-guessing attacks.”
  • Administrator accounts often share the same password, so if you can compromise one account you can replay the password across other local accounts within the environment

Let’s walk through a typical attack against the Administrator account using our favorite application CrackMapExec.

Step 1 – Brute Force Attack

Because the Administrator account has no lockout policy at all, it is possible to make unlimited guesses of what the account’s password is.  Using password lists, like the SecList collections, you can craft a custom list of well-known passwords to use to crack the Administrator account.

To create a more targeted account, you can enumerate the password policy on the target systems.  This will tell you what the minimum password length and password complexity settings are, so you can craft your list of only viable passwords.

By issuing this command against a member server or workstation, it will return local policy information.

cme smb [hostname or list] –u [username] –p [password] –pass-pol
Enumerating local password policy options for a target server with CrackMapExec
Enumerating local password policy options for a target server with CrackMapExec

Once you have your password dictionary, the following command will run a brute-force attack against the local Administrator account until it is successfully cracked.

cme smb [hostname or list] –u Administrator –d builtin –p [password list]
Brute force attacking the Administrator account using CrackMapExec
Brute force attacking the Administrator account using CrackMapExec

Here you can see I clearly exceeded the local account lockout policy of 10 bad passwords, but was still able to compromise the password of the account in plain text.

Step 2 – Spread Laterally

The other common exploit of the local Administrator account is to replay the password against other systems in the environment.  This is typically successful because it can be difficult to set and manage different passwords for the Administrator account across each endpoint.  Therefore attackers can use lateral movement attacks to go from compromising a single machine to a large number of machines very easily.

Protecting Yourself

Fortunately there are several effective ways to protect yourself from password attacks against local Administrator accounts.  One effective way is to disable the account entirely, and create a new administrative account in its place.  Alternatively, Microsoft provides a useful tool called the Local Administrator Password Solution (LAPS).  LAPS will automatically randomize the Administrator passwords across domain-joined computers and store the secrets centrally within Active Directory.  This can guarantee passwords are long and complex, and not reused across multiple computers.  This alone will prevent these types of attacks from happening.

Another useful protection is to leverage the Local account and member of Administrators group security principal to deny network logon rights.  By leveraging this security principal (available in 2008 R2 or later) will prevent the password replay attack against local accounts.

Previous blog posts in the series:

Sign up for the full blog series to be notified when each new installment posts, here

Register for the 4 AD Password Attacks webinar, here

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.

With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.

Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.

Leave a Reply

Your email address will not be published. Required fields are marked *

*