TrustedSec - Check Yo Privilege

Many of our customers follow the best practice of creating separate accounts for day-to-day tasks and administrative ones. In the event of an attack, using separate accounts is often a great way to slow things down and give security teams a little extra time for discovery and identification of an attack. Because many attacks happen in the user context, this creates an extra step for an attacker, who must escalate the privileges to administrative permissions.

Unfortunately, something I have discovered on a number of engagements is that users don’t like to remember multiple passwords. Many users just set the same password for both accounts. This practice circumvents the whole purpose of having separate accounts.

Many organizations even make it easy for an attacker to identify these accounts by using “tags” in the naming convention to designate if the user is administrative or not. For example, the user John Smith’s regular account may be jsmith, while the administrative account assigned to John may be jsmith-adm. When escalating privileges during a penetration test, I often have success by simply trying the known password against the “paired” administrative account.

One additional step that I’ll take during a penetration test is after compromising an Active Directory domain, I’ll take the extracted hashes and run them against a script to identify accounts that share the same password. Including this information in a report can give valuable insight to organizations, which often leads to updating end-user training.

https://gist.github.com/bandrel/3dd47c93cd430606865ec84d281913dc

To use the script, just add the file to be checked as an argument. The script will output groups of users that share the same password.

C’mon Dave, you know better than that. Guess we’re going to have to send you back to training!

The post Check Yo Privilege appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/2018/06/check-yo-privilege/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more