Hacks Weekly #2: Microsoft Local Admin Password Solution (LAPS) – Deployment Steps

Captions
This is Paula from CQURE Academy and this is our second episode of CQURE Hacks Weekly. Today I'm going to talk about local admin password management, a very nice solution by Microsoft that will allow you to manage local Administrator accounts in order to prevent a couple of things, for example pass-the-hash attacks. Today I will demonstrate how to implement the Local Admin Password Solution, or local admin password management in general; we call it LAPS. What we are going to do: first of all we're going to install it on the domain controller and on the endpoints, and I will show you how to configure it with PowerShell, how to configure the Group Policy, and effectively how it works, including grabbing the hashes. Anyway, if you want to see the full episode, go to the CQURE Academy blog; you're going to find the link in the description. Let's start.

OK guys, so you should see my screen right now. Let's learn how to implement LAPS, but before we do it I would like to show you where the problem is by performing the pass-the-hash attack with our customized tool, which is the customized mimikatz. Well, it will be important to understand the problem first so that we get the solution later. OK, we are ready to go. First thing we will do: I will elevate using the PsExec tool, using -s to run as Local System, -i to make it interactive, -d to run cmd.exe in a separate window. The link to PsExec you're going to find in the blog below. So let's do it. We've got the console running as Local System, very good. I need that in order to get the hashes from the local SAM database. By the way, this represents the situation where someone could be, for example, a domain user and at the same time a member of the local Administrators; in order to perform the pass-the-hash you need to be somehow a local administrator. OK, so we've got CQHashDumpv2. This is our tool that we wrote; you can find the link as well in the blog post below so that you can download it, so make sure that you will have it. So we've got CQHashDumpv2 and then samdump in order to get the list of the hashes. Very good.

So what we see over here, especially this value, this value here, is something that we call the NT hash. I'm not going right now into much detail here, because we're going to have a separate video that is devoted directly to pass-the-hash and we're going to cover it in much, much more detail, so let's just focus on the problem here and then on the solution. So we've got this NT hash. I will copy it like this, so it will be comfortable, and we're going to use this to perform the pass-the-hash. So if you check out who we are over here, we are Freddy Krueger, and this is, as I already mentioned, the local administrator being a domain user as well at the same time. And we will verify if on some other machines the local Administrator password, which I don't know (I only see the NT hash), is the same, and if it's the same then I should of course be able to authenticate. Yes, so this is the single sign-on that we are leveraging over here. Very good.

So let's dig into our custom version of mimikatz. It looks like this. Thanks to Benjamin Delpy, who wrote an amazing tool, and thanks to our cooperation with Benjamin we have our own personal Team Edition with a couple of options here. One of the things that you can do, but you can also do it in the public version, is to perform the pass-the-hash. So let's do it: privilege::debug, to be able to interact with, for example, the Local Security Authority Subsystem, so the lsass.exe process, and sekurlsa::pth for pass-the-hash, user Administrator, and then domain: I am in the domain, but this is a local user, so localhost, so we're going to pass the hash locally, and then ntlm, and then we specify the hash that we know. Enter. So this is kind of funny, because if we do whoami in this new console that we have just opened (let me move the console so that you can see the whole attack in the background here), we can see that we are Freddy Krueger. Well, for real we are actually the local Administrator; we've got a token of the local Administrator, but a command prompt will not show us this this way. So we should be ready to go, and in order to jump further and also do the hop, hop, hop between workstations and servers, I will use PsExec. By the way, remember that within the PsExec license it's mentioned that this is not a hacking tool, yes, so as long as we play in order to understand, that's good, but just to make this one little note here. So we've got psexec at 10.10.2.201, or 202, 202 will be better, so we are getting access to this 202 server and we're going to have the remote command prompt open. Let's try to do it. Very good. hostname: as you see, we are on the other server, and now this is the best: whoami, we are here an Administrator. So that proves the point that we were previously an administrator and we performed the pass-the-hash thanks to the single sign-on possibility in Windows. OK, very good.

So how to mitigate that? Well, in order to mitigate this we need to install LAPS. We install it on the managed machines and also on the domain controller. Let me do it from the managed machines first. So we've got our LAPS downloaded from the Microsoft website. LAPS is free, by the way, so you can definitely freely implement it, and it's very easy to implement. Let's perform the installation: Next, we accept the license, we only install here the Group Policy extension since it's a managed box, and when we are installing of course I need to say what kind of requirements we've got for LAPS. Well, first of all Active Directory needs to be Windows Server 2003 SP1 or anything higher, and from the managed endpoints' perspective Windows Vista with the current service pack or even Windows Server 2003 with the current service pack, so it's not that bad. OK, so we are all set. Now it's time to switch to the domain controller and configure everything from there.

OK, so we are right now on a domain controller, and what I need to do is to first install LAPS on the domain controller here, and I will install it with more components, because I will also install the PowerShell module that we're going to use for implementation and management, and I will also use, so let me accept the agreement, the fat client and the Group Policy editor templates. The reason why is because of course I have to manage it somehow on the endpoints. So let's do it, and we install of course all of the features. So this is all good: Next, Install, and we are ready. In the meantime, because this is actually quite quick, so we don't need to wait for too long, let me show you over here: we've got the PWD Clients OU that I've created before, and we've got as well here a Windows 8.1 client computer, a computer account created, and there's also (it doesn't have to be there, I just put it over here so that it's convenient for you to see) the HelpDesk group; those are the guys that will be managing the passwords of the local administrators within this OU. OK, let's see what's the status. OK, this is all good, installed, so we can perform the implementation. Good.

So I have started PowerShell over here, and the first thing we need to do is Import-Module AdmPwd.PS. Yes, so this is the one. Well, you don't even have to do that, but I want to show you everything step by step so that it's all nice and clear. If we do Get-Command AdmPwd, let's do it maybe this way, this is the whole set of commands that you've got for LAPS. That's not much, as you see, so that's not too bad; implementation is also very simple. The first thing we need to do is to create two new attributes, which is this one, ms-Mcs-AdmPwdExpirationTime, which sets up an expiration time for the password, and also the password itself. Now, the next step, we need to specify the computer rights and also the user rights, so we need to specify which computers will be managed, and for that we use this particular cmdlet. So let's do it, and then we specify OrgUnit PWD Clients, and here we make sure that all the computers within this OU have self permission to update their own attributes, yes, so we are talking for example here about the password. The next two operations that we will do is to specify who will be able to manage, at that level, particularly the passwords of these computers. So we specify Set-AdmPwdReadPasswordPermission, OrgUnit PWD Clients, and who is allowed to do this; let's make it nicely secured: the HelpDesk group. Lovely. And the same operation, so arrow up, but not Read but Reset. Perfect. So this is the implementation.

In the meantime, we need to make sure that none of the additional people that we've got in the production environment are allowed to reach that password, so we don't want any unauthorized operations over here. And in order to do that, within ADSI Edit, within the Default naming context, you go to the properties of the OU that you want to manage, and then you go to Security, and then Advanced, and then you find on this list people that you don't want to see their local administrators' passwords. So you can choose, for example, let's say Account Operators, yes, hypothetically. We go to Edit, and this group that we have over here has to have it unselected, so you have to clear it: All extended rights, yes. So basically this is in order to make sure that the particular group that you choose is not able to read the values of the attribute, the one that we had, which was ms-Mcs-AdmPwd. So this is clear, which is OK. But for example, if I go back over here, if we do this for, let's say, our HelpDesk that we had, so we've got HelpDesk, we can verify of course what the HelpDesk can do, and in this case, well, this is all clear, but we can verify of course what HelpDesk can read, and we can verify one by one what kind of options of course all these accounts have. OK, so this is good, and step by step we are able to verify who has access to certain attributes. OK, so we can give or remove access, depending on the situation, but for sure what we can do, we can verify by using Find-AdmPwdExtendedRights, yes, who has extended rights on the particular OU, which is PWD Clients, and as you see over here one of the groups is HelpDesk, so this is all good, and we are able to spot who is able to read that particular attribute. OK, we are all good.

Now when we have implemented this, the last step is to implement the Group Policy. So we've got our PWD Clients, Create a GPO in this domain and link it here, let's name it LAPS, we got it, Edit, and let's jump immediately to the setting, which is Computer Configuration, Policies, Administrative Templates, and then we've got our LAPS, and Password Settings allows us to configure that we should have the password, for example, with a certain length, let's say 20, changed every 30 days, why not, and over here we specify Enable local admin password management: Enabled, Apply. Very good. So we've got these two policies configured, then we are ready to update the policy on the client level. So let's switch to the client, and now when we are on the client we can do gpupdate /force, and the policy is getting updated, and in the meantime we can check if the password for the local Administrator was generated. So let's see. So right now we are on the domain controller and we can go to Active Directory Users and Computers, to the properties of the Windows 8.1 client, we go to Attribute Editor, I have filtered all the attributes that have values, and here we can see that the password has been generated for that Administrator, so that's the one that right now we'll be using, of course.

And there is also this client that I was mentioning briefly: so this is the LAPS UI, where we are able to see what the password is and what time the password expires; we're able to set a certain expiration time, we can set it to, let's say, something in the past, it could be this, so the password reset was successful, and effectively we are able to control the password this way, yes. And when we are ready, on the Windows 8 client we are able to check if the password was reset. Now we are back on the client, we can do one more time gpupdate /force, and let's verify how it works from the hash perspective: is it changed? Yes, so it means of course, it proves the point that the password is changed. Let me remind you which hash we used for the pass-the-hash attack; it's for the local Administrator, it started with 19. So right now we can check with CQHashDumpv2 samdump, yes, and we've got 9C553C and so on; that proves the point that the password was actually changed. OK, so you have learned right now how to implement LAPS. We didn't talk about auditing, which is a subject for the next video, maybe, but this shows you the technical steps how we are able to make sure that LAPS will be working, and the rest of the things are little but very important details that you are able also to set up after the implementation. OK, so that's about it. If you liked the episode, don't forget to follow us on social media, sign up for the newsletter, because very soon we're going to share with you another interesting episode. Thank you and see you.
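The deployment walked through in the captions (schema update, SELF permission, helpdesk delegation, the extended-rights check, the GPO and the final password check), collected into one PowerShell script as an added example. This is not code from the video or from CQURE; it uses the LAPS `AdmPwd.PS` cmdlets and the RSAT `GroupPolicy` module as Microsoft documents them. The OU name "PWD Clients", the group "HelpDesk" and the 20-character / 30-day settings come from the video; the domain `cqure.lab`, the computer name `WIN81-CLIENT` and the `Test-AdmPwdDelegation` function are assumptions introduced here. Steps 1 to 4 run on the domain controller with Schema Admins (step 1) and rights on the OU; step 6 only makes sense after the client has run `gpupdate /force`.

```powershell
# Added example, not from the video. Requires the LAPS PowerShell module (AdmPwd.PS)
# and the RSAT GroupPolicy module on the machine where it runs (a DC in the video).
# Assumptions: OU "PWD Clients" and group "HelpDesk" are from the video; the domain
# cqure.lab, the computer WIN81-CLIENT and the function below are placeholders.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

$ouDN     = "OU=PWD Clients,DC=cqure,DC=lab"   # placeholder domain
$helpdesk = "HelpDesk"

# 1. Schema: adds ms-Mcs-AdmPwd (the clear-text password) and
#    ms-Mcs-AdmPwdExpirationTime. Run once per forest as a Schema Admin.
Update-AdmPwdADSchema

# 2. Let every computer in the OU write its own two attributes (SELF permission).
Set-AdmPwdComputerSelfPermission -OrgUnit $ouDN

# 3. Delegate read and reset of the password to the helpdesk only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ouDN -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ouDN -AllowedPrincipals $helpdesk

# 4. The GPO from the video, created with cmdlets instead of the editor:
#    management enabled, 20-character password, rotated every 30 days.
#    The registry key is the one the LAPS ADMX template writes.
$gpo = New-GPO -Name "LAPS"
$gpo | New-GPLink -Target $ouDN | Out-Null
$key = "HKLM\Software\Policies\Microsoft Services\AdmPwd"
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName "AdmPwdEnabled"   -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName "PasswordLength"  -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName "PasswordAgeDays" -Type DWord -Value 30 | Out-Null

# 5. The check the video does by hand in ADSI Edit: ms-Mcs-AdmPwd is a confidential
#    attribute, so anyone holding "All extended rights" on the OU can read it.
#    Every holder not in $Allowed (e.g. Account Operators) is a finding to remove.
function Test-AdmPwdDelegation {
    param([string]$OrgUnit, [string[]]$Allowed)
    $findings = @()
    Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            $name = ($holder -split '\\')[-1]          # strip the DOMAIN\ prefix
            if ($Allowed -notcontains $name) {
                $findings += [pscustomobject]@{ Object = $_.ObjectDN; Holder = $holder }
            }
        }
    }
    return $findings
}
# SYSTEM and the admin groups hold rights on the OU by default; only HelpDesk was delegated.
Test-AdmPwdDelegation -OrgUnit $ouDN -Allowed @($helpdesk, "SYSTEM", "Domain Admins", "Enterprise Admins") |
    Format-Table -AutoSize

# 6. After the client has run "gpupdate /force": read the generated password and its
#    expiry, then expire it now so the next Group Policy refresh rotates it (the video
#    does the same by setting the expiration time in the past in the LAPS UI).
Get-AdmPwdPassword -ComputerName "WIN81-CLIENT" | Format-List ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName "WIN81-CLIENT" -WhenEffective (Get-Date)
```

Step 5 is the part worth keeping after the rollout: the two `Set-AdmPwd*PasswordPermission` calls only add rights, they never take any away, so an existing "All extended rights" grant on the OU (Account Operators in the video's example) silently keeps read access to the clear-text password until you remove it. Re-running the function after each delegation change, and comparing the NT hash before and after step 6 as the video does with CQHashDumpv2, confirms that the rotation actually happened on the endpoint.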
Info
Channel: CQURE Academy
Views: 44,858
Keywords: hacking tutorials, hardening, securing windows, hacking windows, security testing, pentesting, network security toolkit, network security tutorial, local admin password, LAPS, pass the hash, psexec, sysinternals
Id: WD2cBKRvERc
Length: 17min 47sec (1067 seconds)
Published: Thu Sep 01 2016