New smb module : restricted admin
Description
Hello, I am proposing a small module for SMB. This module is designed to perform three main actions on a registry key: "DisableRestrictedAdmin".
This key manages Windows "Restricted Admin" protection. If this protection is enabled, it is possible to perform Pass-The-Hash (PTH) on the RDP protocol, particularly with xfreerdp, as Windows uses the NTLM hash for authentication.
This idea comes from my tool pyRestrictedAdmin.
Modes:
- [x] read : See the value of the registry key and deduce if PTH is possible or not
- [x] disable : Set value to 1, PTH will no longer be possible
- [x] enable : Set value to 0, that will enable the security option "RestrictedAdmin" and allow PTH on RDP
How Has This Been Tested?
I tested this module in an Active Directory lab environment, specifically on Windows Server 2022 machines:
OS Name: Microsoft Windows Server 2022 Standard Evaluation
OS Version: 10.0.20348 N/A Build 20348
To test, if you are using Poetry, you can proceed as follows:
- Read mode (default):
poetry run nxc smb IP -u USER -p '<PASS>' -M restrictedadmin
- Disable mode:
poetry run nxc smb IP -u USER -p '<PASS>' -M restrictedadmin -o ACTION=disable
- Enable mode:
poetry run nxc smb IP -u USER -p 'PASS' -M restrictedadmin -o ACTION=enable
Screenshots (if appropriate):
- Read mode (default):
- Enable mode :
- Disable mode :
Checklist:
- [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
- [x] I have added or updated the tests/e2e_commands.txt file if necessary
- [x] New and existing e2e tests pass locally with my changes
- [x] My code follows the style guidelines of this project (should be covered by Ruff above)
- [x] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
Thanks for the PR, looks really cool! Gonna take a look at it as soon as I got some time to work on all the PRs :)
Hi, just took a quick look at the modules and it seems that there already is the rdp module that enables/disables the RestrictedAdminAccess. Could you check if it covers the same functionality or if rather that module should be extended if you have added new functionality?
Thank you for your responses. I believe my module doesn't bring anything more compared to the existing one. However, I find that the rdp module is not very explicit regarding actions on the DisableRestrictedAdmin key. That's why I liked this module: it's more explicit and therefore easier to use. To let users know that this is possible with the RDP module, could we add a short note or example to the nxc documentation?
Absolutely! Feel free to PR a change to the module and/or notes to the wiki, whatever you have in mind.
Ok, I will take the time to add this to the documentation. I think we can close the PR. Thank you for your time and work on the tool.
Great!