Hi All,
This post is a little different to what I normally do and I
think it is a long time coming in general.
Nowadays the bloggers in the IT Security community are all focusing on the hacks, exploits and ways to break in. I
thought I would show you a way to improve the overall security of your
network. This can be implemented quite
easily and is a control mandated in the Internet Security Manual. For anyone not in Australia or not aware of
the ISM here is the blurb from ASD.
“The Australian
Signals Directorate (ASD) produces the Australian Government Information
Security Manual (ISM). The manual is the standard which governs the security of
government ICT systems”
I want to state that this is not the only way to design your
network and this example is specifically for handling keylogging to protect
your domain admin accounts.
From what I am seeing there are two types of networks around
these days.
Flat Networks: Hosts, Admin hosts and Servers in same Subnet
Layered networks: Hosts one subnet, admin another subnet and
servers in another subnet
In a flat network any normal host / admin host can RDP into
any server.
In a layered network normal hosts cannot RDP into the server
subnet but admin hosts can.
What does this mean
for keyloggers?
Flat Network
In a flat network your domain admins / server admins are
able to logon to any server they want with their admin credentials. If this is the same as there workstation
credentials, email associated, this is a bad thing in general. For this example we will assume the following:
- The workstation credentials are different to the admin credentials.
- The workstation credential will be named BobSmith
- The admin credentials will be named BobAdmin.
Layered Network
Now expand on this, Bob is in a separate subnet to the rest
of the environment and he can RDP to any server he chooses to.
Bob has a keylogger that he doesn’t know about. When bob decides to logon to Server A he uses
his BobAdmin account. Here is what it
looks like.
Attack #1
Bob logs in to RDP server.
Meterpreter dumps out the password that is typed and Admin
credentials are presented.
Dammit! Isn’t defense in layers supposed to be better? Well yes.
So
you are now asking how do you protect the domain admin credentials? Easy… Setup
a management server. Here is a picture
of how it works. I dummied up some IP
ranges to give you an example.
Management Server:
You can handle this one of two ways.
- Bob Smith needs a separate account that is allowed to RDP onto the management server but has no admin privileges on the management server. For example an account named bobRDP. bobRDP can only RDP to the management server and nowhere else.
- Bob Smith uses ‘BobSmith’ to RDP to the server and again has no admin privileges on the management server.
Option 1 allows a little more separation of accounts and adds an administrative burden. Option 2 is a quick fix. It is important that BobSmith is only allowed
to logon to the management server and nowhere else.
Essentially the admin subnet is only allowed
TCP 3389 / RDP to the management server NOWHERE ELSE! No other ports.
For this example I am using option 2 because I’m lazy and it
allows me to bang out this post quickly.
Attack # 2
Permissions on Jump Server for bobsmith
Pre meterpreter dump on Bobs workstation. Nothing showed.
Bob RDPs to the management server
Runs mstsc and RDPs to domain controller server.
Open Command Prompt on Jump Server
Open Command prompt on Nested RDP - Domain controller
Dump of meterpreter keylogger after
As you can see there is no remnants of bobAdmins
password or him typing in the management server. Keylogging problem solved!
Now people may look at this post and find so many ways
around this design with other attack vectors. But, this post was
specifically for one issue and that is to beatMy keyloggers nothing else.
Hopefully this post has been helpful to you.
No comments:
Post a Comment