During Penetration Tests I often gain access to a selection of domain user accounts on my path to compromising a domain admin account. This is often a requirement these days for enumerating domain policy and also it’s quite common to find standard user accounts that have access to interesting information, such as HR or Finance accounts with access to staff and payroll information or a user with VPN access. During the post-engagement meeting with clients they’re often shocked at how I could launch online brute-force attacks against accounts without locking them out.
Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials). GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSLVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.
This essentially means that a share exists on the domain controller which any domain user can access which contains other user account credentials, possible including a local administrator password which is reused across the network. This can mean that privilege escalation from a domain user to domain administrator becomes incredibly easy, as I’ve described before.
Portmapper is a registry of Remote Procedure Call services including RPC Services number, version number, TCP/UDP port and protocol. It generally runs on port 111 TCP/UDP.
When a client wishes to connect to a service they first connect to the Portmapper, an administrator may filter this port beliving that it will prevent an attacker connecting to services offered, however this is not the case as an attacker may replicate the portmapper locally and proxy requests to the target machine.
If an attacker is able to get SYSTEM level access to a workstation, for example by compromising a local administrator account, and a Domain Administrator account is logged in to that machine then it may be possible for the attacker to simply read the administrator’s access token in memory and steal it to allow them to impersonate that account. There’s a tool available to do this, it’s called Incognito.