Skip to Main Content
May 14, 2014

Microsoft to fix two major attack methods for hackers

Written by David Kennedy
Penetration Testing Security Testing & Analysis
For years hackers and penetration testers alike have enjoyed two massive attack vectors from a post exploitation standpoint. The first was the ability to gain access to the SYSVOL share if a regular user account was obtained and successfully decrypt the cpassword variable contained in a subfolder under the SYSVOL share. The way the attack works is by first obtaining access to a limited domain user account. The attacker uses the account to connect to the SYSVOL share of a domain controller. By default, when a user logs into the computer, the machine reaches out to a domain controllers SYSVOL share to populate group policy and machine settings. If the administrators of the organization set passwords through group policy, it is possible to extract an XML file (there are several, most notable is Groups.xml). Inside the XML file contains a cpassword variable which contains the AES encrypted string of the password. Microsoft accidentally posted the decryption keys on technet which works universally for all versions of Windows. The keys were removed from the site but attackers have been using this method for successful administrative privilege escalation for years. TrustedSec's CEO did a presentation on this at BSIDES Las Vegas in 2012 documenting the process: BSIDES LV 2012. The initial disclosure and discovery came from Sogeti ESEC. Microsoft is apparently fixing this issue with the recently released update: Microsoft Bulletin. A Metasploit module was released after this attack method was publicly disclosed and makes the process extremely simple: GPP Metasploit Module The second fix is apparently around Pass the Hash which has been a method that has been used for over a decade for post exploitation. An attacker will traditionally compromise a server or workstation and extract the LM/NTLM/NTLMv2 credentials from the system utilizing multiple methods (LSASS injection, registry hive, etc) and use the hashes (if LM/NTLM) in order to impersonate an authenticating server and not need to crack the actual hash values. This makes post exploitation significantly easier for the attacker. TrustedSec has not validated the patch yet however there have been claims made in the past for completely fixing pass the hash which has fell short. Microsoft has released the security advisory here: Microsoft Advisory. Time will tell if the mitigation patches effectively stop these attacks and TrustedSec however this is a great step from a defense perspective as these are two common techniques used by attackers to further compromise an environment.