So far in this series, we’ve learned how attackers can target weak domain passwords in Active Directory. To complete the story, we need to look beyond domain accounts and understand the ways to attack local accounts on Windows servers and desktops. For this post, we will focus on the most important local account: Administrator. The Administrator account is built into every Windows operating system and provides full control over the system, including the ability to dump cached credentials from memory and reuse them against domain accounts through pass-the-hash and pass-the-ticket attacks.
The Administrator account is vulnerable to password attacks for two reasons:
- There is no lockout policy for the built-in Administrator account. According to Microsoft this makes the account “a prime target for brute-force, password-guessing attacks.” (Newer builds, Windows 11 22H2 and Windows Server 2022 with the October 2022 updates onward, add an “Allow Administrator account lockout” policy; where that is enabled, this reason no longer holds.)
- The local Administrator account often has the same password on many machines, so once you compromise it on one host you can replay that password against the other local Administrator accounts in the environment.
Let’s walk through a typical attack against the Administrator account using our favorite application CrackMapExec.
Step 1 – Brute Force Attack
Because the built-in Administrator account has no lockout policy, you can make unlimited online guesses at its password. Using password lists, like the SecLists collections, you can craft a custom list of well-known passwords to guess against the Administrator account.
To create a more targeted list, enumerate the password policy on the target systems. This tells you the minimum password length and whether password complexity is enforced, so you can keep only the candidates that could actually be valid.
Issuing the policy-enumeration command against a member server or workstation returns the local policy information.
Once you have your password dictionary, the following command runs a brute-force attack against the local Administrator account until one of the guesses succeeds.
Here you can see I clearly exceeded the local account lockout threshold of 10 bad attempts, but was still able to recover the account’s password in plain text.
Step 2 – Spread Laterally
The other common abuse of the local Administrator account is to replay the recovered password against other systems in the environment. This typically succeeds because setting and managing a different Administrator password on every endpoint is hard without tooling, so the same password ends up baked into an image or rolled out across the estate. Attackers can therefore use lateral movement to go from compromising a single machine to a large number of machines very easily.
Fortunately there are several effective ways to protect yourself from password attacks against local Administrator accounts. One is to disable the built-in account entirely and create a new administrative account in its place; unlike the built-in Administrator, a newly created local account is subject to the account lockout policy. Alternatively, Microsoft provides a useful tool called the Local Administrator Password Solution (LAPS). LAPS automatically randomizes the Administrator password on each domain-joined computer and stores the secrets centrally within Active Directory. Because each password is long, random and unique to its host, guessing becomes infeasible and a password recovered from one machine is useless on the next. Take care with the ACL on the password attribute, though: anyone who can read it has the Administrator password for that host.
Another useful protection is the “Local account and member of Administrators group” security principal (S-1-5-114). Adding it to the “Deny access to this computer from the network” user right (and, to be thorough, “Deny log on through Remote Desktop Services”) blocks the password replay attack against local administrative accounts while still allowing the account to be used interactively. The principal is built into Windows 8.1 and Server 2012 R2 and was backported to Windows 7, Server 2008 R2, Windows 8 and Server 2012 by KB2871997.
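A check to go with the LAPS recommendation above, as an added example that is not part of the original post or of LAPS: an auditor (or an attacker sizing up the estate) can read the LAPS expiration attribute for every computer object, because `ms-Mcs-AdmPwdExpirationTime`, unlike the password attribute `ms-Mcs-AdmPwd`, is readable by authenticated users by default. Computers with no expiration set never had LAPS apply; computers whose expiration is in the past are no longer being rotated. The LDIF below is a constructed stand-in for `ldapsearch` output against an assumed `corp.local` domain (host names, the `CORP\audit` account and the reference time are placeholders), and it assumes lines short enough that `ldapsearch` did not fold them.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumed: legacy Microsoft LAPS
# attribute names; the LDIF is a constructed stand-in for the output of
#   ldapsearch -x -H ldap://dc01.corp.local -D 'CORP\audit' -w '...' \
#       -b 'DC=corp,DC=local' '(objectClass=computer)' ms-Mcs-AdmPwdExpirationTime
# (domain, hosts and credentials are placeholders; no line folding assumed).
LDIF='dn: CN=WS01,OU=Workstations,DC=corp,DC=local
ms-Mcs-AdmPwdExpirationTime: 133500000000000000

dn: CN=WS02,OU=Workstations,DC=corp,DC=local
ms-Mcs-AdmPwdExpirationTime: 132000000000000000

dn: CN=SRV01,OU=Servers,DC=corp,DC=local
'

# filetime_to_epoch FILETIME
# LAPS stores the expiry as a Windows FILETIME: 100 ns ticks since 1601-01-01.
# 11644473600 is the number of seconds between 1601-01-01 and 1970-01-01.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# laps_report NOW_EPOCH < LDIF
# Prints "<computer> ok|expired|missing", one line per computer object.
laps_report() {
    local now="$1"
    awk -v now="$now" '
        function emit() {
            if (cn == "") return
            if (expiry == "") status = "missing"
            else if (expiry / 10000000 - 11644473600 < now) status = "expired"
            else status = "ok"
            print cn, status
            cn = ""; expiry = ""
        }
        /^dn: / { emit(); cn = $2; sub(/^CN=/, "", cn); sub(/,.*/, "", cn) }
        /^ms-Mcs-AdmPwdExpirationTime: / { expiry = $2 }
        END { emit() }
    '
}

# Reference time 1600000000 (September 2020) is constructed for the example;
# in practice use "$(date +%s)".
printf '%s\n' "$LDIF" | laps_report 1600000000
```

With the constructed data this reports `WS01 ok`, `WS02 expired` and `SRV01 missing`; the last two are the hosts where a shared or stale Administrator password may still be in place. Once the S-1-5-114 deny rule is also in force, re-running the Step 2 spray against a host with a correct password returns STATUS_LOGON_TYPE_NOT_GRANTED instead of `(Pwn3d!)`, which is the quickest way to confirm the user-right assignment actually landed.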
Previous blog posts in the series:
- Post #1 – Compromising Plain Text Passwords
- Post #2 – Finding Weak Passwords
- Post #3 – Attacking Weak Passwords
- Post #4 – Attacking Local Account Passwords