3gstudent · 2016/03/21 10:30

0x00 Preface

In the previous article I introduced two ways to maintain domain controller access: SSP and Skeleton Key. Both require Mimikatz, and each has its shortcomings. This article covers a subtler backdoor that does not need Mimikatz: hooking PasswordChangeNotify.

0x01 Overview

The idea of hooking PasswordChangeNotify was first proposed by Clymb3r on September 15, 2013. By placing a hook on PasswordChangeNotify, the new password of an account can be intercepted whenever it is changed.

The relevant background knowledge is as follows:

  1. When the domain controller's password is changed, the following operations are performed in sequence:

    a. The LSA calls PasswordFilter to check whether the new password meets the password complexity requirements.
    b. If it does, the LSA then calls PasswordChangeNotify to synchronize the new password in the system.

  2. The PasswordChangeNotify function is exported by rassfm.dll.

  3. rassfm.dll can be understood as the Remote Access Subauthentication DLL. It exists only on Server editions and is absent on client systems such as Windows XP, Windows 7 and Windows 8.

  4. You can verify point 2 by listing the export functions of rassfm.dll with Dumpbin:

    dumpbin /exports c:\windows\system32\rassfm.dll

As shown in the figure.

0x02 Characteristics

The Security Support Provider method introduced earlier has the following shortcomings in actual use:

  1. The system must be restarted after installation
  2. The DLL must be placed in the System32 folder
  3. The registry must be modified

Hooking PasswordChangeNotify has the following advantages:

  1. No reboot is needed
  2. No registry changes are required
  3. The DLL does not even need to be written to disk on the system

It can be said that hooking PasswordChangeNotify is stealthier than the Security Support Provider approach.

0x03 Technical implementation

According to the POC provided by Clymb3r, implementing the PasswordChangeNotify hook consists of two parts:

1. The Hook DLL

Download link: github.com/clymb3r/Mis… The DLL places an inline hook on PasswordChangeNotify, records the new password, and then hands control back to the original PasswordChangeNotify.

2. DLL injection

We can use the Process Injection technique from the earlier Powershell Tricks article to inject our own DLL into the lsass process, which installs the hook.
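From the defender's side, the injection step leaves a trace that the hook itself does not: a handle to lsass.exe opened with the rights a loader needs to write memory and start a thread. The following Python is an added example, not part of the original post or Clymb3r's code; it assumes Sysmon Event ID 10 (ProcessAccess) records flattened to one key=value line per event, using constructed sample events embedded inline.

```python
import re

# Windows process access rights (winnt.h values) that, together, allow writing a PE
# image into another process and starting a thread in it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events: Sysmon Event ID 10 (ProcessAccess) fields flattened
# to one key=value line per event. These are made up for the example, not real logs.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_lsass_injection_candidate(event):
    """True if a ProcessAccess event shows a handle to lsass.exe with injection rights."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # Query-only masks such as 0x1000 or 0x1410 are routine (task managers, AV);
    # the write + create-thread combination is what a reflective loader needs.
    return (granted & INJECTION_RIGHTS) == INJECTION_RIGHTS


def find_suspicious(lines):
    """Return the SourceImage of every event that looks like injection into lsass."""
    return [ev["SourceImage"] for ev in map(parse_event, lines)
            if is_lsass_injection_candidate(ev)]


if __name__ == "__main__":
    for src in find_suspicious(SAMPLE_EVENTS):
        print("possible lsass injection from", src)
```

Only the PowerShell event targeting lsass.exe with a full-access mask is flagged; the same mask against notepad.exe and the read-only handles to lsass.exe are ignored.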

0x04 Actual Test

Test environment:

  Server 2008 R2 x64
  Server 2012 R2 x64

Test steps:

1. Generate the Hook DLL

POC download address: github.com/clymb3r/Mis…

In the VS2015 development environment, set the project's MFC option to "Use MFC in a Static Library" and compile the project to produce hookPasswordChange.dll.

2. Generate the PowerShell script for DLL injection

Download the PowerShell DLL injection script: github.com/clymb3r/Pow…

Append the following line to the end of the script:

    Invoke-ReflectivePEInjection -PEPath hookPasswordChange.dll -ProcName lsass

and save it as HookPasswordChangeNotify.ps1.

3. Hook PasswordChangeNotify

Upload HookPasswordChangeNotify.ps1 and hookPasswordChange.dll.

Execute with administrator privileges:

    PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1

As shown in the figure.

4. The new password is recorded automatically

On Server 2012 R2 x64, after the domain controller's password is changed manually, passwords.txt appears in C:\Windows\Temp and contains the new password.

As shown in the figure.

The same holds for Server 2008 R2 x64.

As shown in the figure.

0x05 Summary

This article only demonstrates the basic function; the DLL code can be customized to implement more advanced functions, such as automatically uploading the new password.

For reference, the code at the following link implements uploading the captured new password to an HTTP server:

carnal0wnage.attackresearch.com/2013/09/ste…

Hooking PasswordChangeNotify makes it possible to record new passwords. Process injection used to be easy to detect, but with the growth of PowerShell tooling, process injection through PowerShell can bypass routine interception.

Of course, hooking PasswordChangeNotify is just one of many possible hooks.

I have forked Clymb3r's code and updated it with the code required for this article. The download address is as follows:

github.com/3gstudent/H…

0x06 References

  • clymb3r.wordpress.com/2013/09/15/…
  • carnal0wnage.attackresearch.com/2013/09/ste…
  • www.processlibrary.com/en/director…
  • github.com/clymb3r/Mis…
  • www.slideshare.net/nFrontSecur…

This article was originally written by 3gstudent and first published on Cloud Drops.