Windows Service Accounts have been one of those enterprise necessary evils - things that you have to have, but nobody ever talks about or considers to be a problem. All too often, these service accounts are in the Domain Admins group, with passwords like Service123, S3rvic3 or something equally lame. And all too often, application vendors that use these services insist on just such a configuration.
Why is using actual service accounts a bad thing? Aside from the fact that the passwords are generally set to never change, the passwords are stored in the registry in a format that is easily captured and recovered to the actual password. Needless to say, this generally allows an attacker to fly under the radar and move laterally to other hosts - pillaging your AD Domain at will.
Enumeration:
So, how do we find these service accounts? It's the same method, whether you are doing this to protect your assets, or if you are in a Penetration Test or Security Assessment. List all the services for all stations in the domain, and winnow out the ones that have service accounts (either local or domain) attached to them.
In days gone by, I would have used WMIC. First, look at getservices.cmd:

REM one or both of the next two lines - build the list of hosts to query
netdom query server | find /v "List" > targetlist.out
netdom query workstation | find /v "List" >> targetlist.out
REM query each host in turn; servicelist.cmd appends to services.out
for /F "tokens=1" %%S in (targetlist.out) DO call servicelist.cmd %%S
REM drop the services that run as the built-in (passwordless) identities
type services.out | find /v /i "LocalSystem" | find /v /i "LocalService" | find /v /i "NetworkService"

And servicelist.cmd, which is called once per host:

REM %1 is the host name passed in from getservices.cmd
wmic /node:%1 service get systemname,displayname,started,startmode,Startname >> services.out
This will give you a list of all services that use local or domain accounts, what machines they are installed on, if they are running and if they are enabled, disabled or set for manual control. However, this takes **forever**, especially the netdom command! How can we do this in PowerShell?
Enumeration Again - with PowerShell:
So, if you've used the WMIC approach to recover Windows Service account information in a reasonably sized AD Domain, you've likely found it to be a very sl-o-o-o-w process - we'll see that it runs much faster using PowerShell.
First, let's try the Get-Service cmdlet:

Get-Service -ComputerName $TARGET | Format-List
....
Name : WwanSvc
DisplayName : WWAN AutoConfig
Status : Stopped
DependentServices : {}
ServicesDependedOn : {PlugPlay, NdisUio, RpcSs, NlaSvc}
CanPauseAndContinue : False
CanShutdown : False
CanStop : False
ServiceType : Win32ShareProcess
....
We see here that Get-Service doesn't give us service account login information - in fact it doesn't give us a lot of things about the services that you'd expect to see. What to do? The Win32_Service WMI class does expose the logon account, in its StartName property:

Get-WmiObject Win32_Service -ComputerName $TARGET | Format-Table SystemName, DisplayName, StartName, State

How do we then link this up to a list of computers in the domain? Use the Get-ADComputer cmdlet, of course! (You might need to run Import-Module ActiveDirectory first.)

Get-ADComputer -Filter * | ForEach-Object { Get-WmiObject Win32_Service -ComputerName $_.Name } | Select-Object SystemName, DisplayName, StartName, State | Export-Csv services.csv -NoTypeInformation

Will get you the list of all services on all hosts in the domain. I normally grab the entire list, then filter it, just as in the WMIC example, to find our problem services and the hosts they run on:

type services.csv | find /v /i "LocalSystem" | find /v /i "LocalService" | find /v /i "NetworkService"
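A fuller version of the same enumeration, added here as an example and not the diary's own code: it skips unreachable hosts, drops the three built-in identities (and NT SERVICE virtual accounts, which are likewise passwordless), and flags service accounts that are members of Domain Admins. The ActiveDirectory module, the services.csv path and WMI access to every host are assumptions of the example.

```powershell
# Added example, not from the original diary: enumerate the services on every
# computer in the domain, keep only those that run under a real local or domain
# account, flag accounts that are (nested) Domain Admins, and export to CSV.
# Assumes the ActiveDirectory (RSAT) module and WMI/DCOM access to each host.
Import-Module ActiveDirectory

$OutFile = 'services.csv'   # assumed output path

# Built-in service identities that have no crackable password.
$BuiltIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

# Members of Domain Admins, including nested group members, by SamAccountName.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

function Get-SamFromStartName ([string]$StartName) {
    # 'DOMAIN\user' -> 'user'; 'user@domain' -> 'user'; anything else unchanged.
    # Note: a local '.\user' also reduces to 'user', so the match is by name only.
    if ($StartName -match '\\') { return ($StartName -split '\\')[-1] }
    if ($StartName -match '@')  { return ($StartName -split '@')[0] }
    return $StartName
}

$Results = foreach ($Computer in (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name)) {
    # Skip hosts that are off or unreachable so one dead box does not stall the run.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        Write-Warning "$Computer unreachable, skipping"
        continue
    }
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $Computer -ErrorAction Stop |
            Where-Object {
                $_.StartName -and                          # some services report no account
                ($BuiltIn -notcontains $_.StartName) -and  # drop the passwordless built-ins
                ($_.StartName -notlike 'NT SERVICE\*')     # virtual accounts, also passwordless
            } |
            Select-Object SystemName, DisplayName, Name, StartName, State, StartMode,
                @{ Name = 'IsDomainAdmin'
                   Expression = { $DomainAdmins -contains (Get-SamFromStartName $_.StartName) } }
    }
    catch {
        Write-Warning "WMI query failed on ${Computer}: $($_.Exception.Message)"
    }
}

$Results | Export-Csv -Path $OutFile -NoTypeInformation
$Results | Where-Object IsDomainAdmin | Format-Table SystemName, DisplayName, StartName -AutoSize
```

The CSV holds every service on a real account; the table printed at the end is the short list that deserves immediate attention.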
Fixing the Problem
Microsoft has come up with a decent way to mitigate this issue. Where possible, have your services run as LocalSystem, NT AUTHORITY\LocalService or NT AUTHORITY\NetworkService.
These settings are run levels for services only (they can't be used for interactive login), with differing security permissions, but NO PASSWORD. What this means is that the service has the authority that it needs, but there isn't a password to crack, and the account can't be used for a normal interactive login session.
Tools like Metasploit can of course be used to run processes on a target (compromised) host with these privilege levels, but this service account approach is still way better than using actual accounts with real passwords.
If you've got a neater way of enumerating service accounts, especially in PowerShell, please use our comment section - we'd love to hear from you!
===============
Rob VandenBrink
Metafore