Listen up, folks. I am about to share with you a practical way to own just about any corporate Windows network. Before you bitch, let me say up front that I won't tell you anything you don't already know, or anything that isn't obvious. That said, this approach works 85-90% of the time. It is time tested. It works. I've done it many times. And if you try this outside of legitimate, authorized network vulnerability testing, I hope you go to prison for a long time. That said, on with the show...
First, the bigger the Windows network, the higher likelihood of success. You'll understand why in a moment.
Just about any company with more than 100 workstations deploys new machines from a standard image. It's a fact of life. The trouble is, the machines come out a bit too similar. Nobody thinks about the local Administrator account, so it has the same password on every machine built from that image. This is the key. Sure, the local admin password may change when they rebuild the image. But more often than not, many, most or all of the local admin passwords will be the same.
Get access to a workstation. If you're a consultant, tell them you need one before you show up. That way, a nice fresh workstation will be waiting for you when you get there. If not, wait until everyone goes home and help yourself to one (or more). No matter. Get your hands on at least one.
Did you guess step two? Dump the hashes and crack them. If you're lucky, you'll have LANMAN hashes. If not, you'll have NT hashes. LM hashes fall faster than SCO's stock price: the password is upper-cased and split into two 7-character halves, each hashed on its own, so you never crack more than 7 characters at a time. You'll only get an LM hash if the password is 14 characters or shorter and nobody has turned off LM hash storage; otherwise the LM field holds the hash of an empty string (aad3b435b51404eeaad3b435b51404ee). NT hashes can be cracked, but you'd better be prepared. They are unsalted, so rainbow tables work for NT hashes too, and the same password gives the same hash on every machine: crack it once and you've cracked the whole image. Maybe you'll get lucky. Maybe you'll have a few hundred gigs of NT hash rainbow tables. Whatever. Chances are good you'll have LANMAN hashes. (For you auditors out there, that's finding number two. Number one was common passwords for local Admin accounts.)
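Here is what that audit looks like in code. This is an added example, not part of the original post: a pure-Python MD4 (so it runs without depending on hashlib having md4), an NT hash routine over the UTF-16LE password, and a pass over a constructed pwdump-style listing (hypothetical hosts WS-0101 through WS-0105, one line per local Administrator account) that flags the same NT hash showing up on several hosts (finding one), flags hosts still storing a real LM hash (finding two), and runs a small constructed wordlist against the shared hash. The hash pair on the first lines is the well-known LM/NT pair for the word "password"; the odd host's hash is generated from a made-up password at load time.

```python
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often missing under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, message words in order
            a = _rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, column order, constant sqrt(2)
            a = _rotl((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, bit-reversed order, constant sqrt(3)
            a = _rotl((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16le")).hex()


# LM hash of the empty string: what the LM field holds when LM storage is off
# or the password is longer than 14 characters.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def parse_dump(text: str):
    """Parse constructed 'host:user:rid:lmhash:nthash:::' lines (pwdump format plus a host prefix)."""
    recs = []
    for line in text.strip().splitlines():
        host, user, rid, lm, nt = line.split(":")[:5]
        recs.append({"host": host, "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return recs


def shared_admin_hashes(recs):
    """Finding 1: the same RID-500 NT hash on more than one host proves a shared password, no cracking needed."""
    by_hash = defaultdict(list)
    for r in recs:
        if r["rid"] == 500:
            by_hash[r["nt"]].append(r["host"])
    return {h: hosts for h, hosts in by_hash.items() if len(hosts) > 1}


def hosts_with_lm(recs):
    """Finding 2: hosts still storing a real LM hash (anything other than the empty-string LM)."""
    return [r["host"] for r in recs if r["lm"] != EMPTY_LM]


def crack_nt(targets, wordlist):
    """Dictionary attack on unsalted NT hashes: one MD4 per candidate is checked against every target."""
    want = {t.lower() for t in targets}
    return {nt_hash(w): w for w in wordlist if nt_hash(w) in want}


def audit(dump_text, wordlist):
    recs = parse_dump(dump_text)
    shared = shared_admin_hashes(recs)
    return {"shared": shared, "lm_hosts": hosts_with_lm(recs), "cracked": crack_nt(shared, wordlist)}


# Constructed sample dump: hypothetical hosts, four built from the same image, one changed by hand.
SAMPLE_DUMP = "\n".join([
    "WS-0101:Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "WS-0102:Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "WS-0103:Administrator:500:" + EMPTY_LM + ":8846f7eaee8fb117ad06bdd830b7586c:::",
    "WS-0104:Administrator:500:" + EMPTY_LM + ":8846f7eaee8fb117ad06bdd830b7586c:::",
    "WS-0105:Administrator:500:" + EMPTY_LM + ":" + nt_hash("Changed-after-imaging-2006") + ":::",
])
WORDLIST = ["letmein", "Password1", "admin", "password", "Summer2006"]  # constructed

if __name__ == "__main__":
    result = audit(SAMPLE_DUMP, WORDLIST)
    for h, hosts in result["shared"].items():
        print(f"shared local admin hash {h} on {len(hosts)} hosts ({', '.join(hosts)}): "
              f"password {result['cracked'].get(h, '(not in wordlist)')!r}")
    print("hosts still storing LM hashes:", result["lm_hosts"])
```

The point of `shared_admin_hashes` is that the auditor's finding number one needs no cracking at all: because the NT hash is unsalted, identical hashes on different hosts are identical passwords, and one successful crack (or one rainbow-table lookup) covers every host in the group.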
Step three is to see how many machines you can access with your new local admin password. Look up how to attach to other machines from the command line (net use against the C$ admin share is the classic way). Write a few batch files. You can test your newly stolen credentials against a couple of hundred machines in a few hours.
Find your Windows admin users. They may be smart enough to change the local admin passwords on their own boxes. In a big enough company, they won't all be smart enough. Keep plugging and keep good notes.
Review the file systems of the machines you can access. There may be some good nuggets inside. Maybe you'll find router passwords, maybe you'll find love letters to the admin's mistress. It's all valuable. (Keep good notes.)
When you find a Windows admin's workstation, bug it. You want to record all authentication sessions. There are many good keystroke loggers out there. If you're paranoid, don't use them; write your own.
Retrieve your Domain Admin creds and have fun. Make a new domain admin account. Call it something that fits in with the present members of the domain admin group. If the group is large (finding number four for you auditors), just make an account that looks natural. If not, make one that mimics another legit account. Many admins have extra accounts for whatever reason. If you see an account "bwilson", try "bwilson2". The admins will naturally think it belongs to Bill. Why did Bill make another account? Believe me, no one will ask him.
Obfuscation:
Change your MAC address for each session. Better yet, change your network port.
Use another workstation you already own. Keep your activities on an encrypted volume, and have the volume dismount after ten minutes of inactivity.
Steal the MAC address of a lonely network printer. Use the printer's network jack too. Printers don't do 802.1X, so their ports are the ones least likely to be locked down.
Use a wireless bridge. If they can't find you connected to a port, they can't find you.
Variations on a theme:
Tell the admin about the common local admin passwords. Chances are, he will set up a job to run once a month that changes all the local admin passwords to a new value. If the local admin passwords weren't all the same before, they are now. Be sure to thank him for making the vulnerability even bigger than it was before. The only real fix is a different password on every machine; a synchronized rotation just moves the same problem onto a new password. (Hey Rob-The-Windows-Security-Guru: That one's for you, dumbass!)
Get stuck on a NetWare network? Consider yourself lucky. NetWare caches NDS credentials down to the local machine as a local user by default. Crack the local account and you have NDS creds. Even if the NDS account is deleted, the local account stays, and may get you access to any machine the NDS user accessed while the account was active. I've accessed local workstations with two-year-old expired NDS accounts. Thanks Novell! (See what happens when you put interoperability with Microsoft ahead of security? With moves like that, you deserve to have Bill Gates eat your lunch.)
I will update this post whenever I feel like it, which may be never. If you have something to say about it, feel free.
-pegr