Just-In-Time (JIT) Access
Users are granted privileges for a limited amount of time to perform a specific task, and once the time is up, the privileges are revoked automatically.
When a JIT solution relies on Active Directory's native time-bound (expiring) group membership, the optional Privileged Access Management Feature (PAM) must be enabled at the forest level (it requires the Windows Server 2016 forest functional level). Enabling the feature writes attributes to the directory that any authenticated domain user can read, so its presence can be enumerated as a standard user. Note that once PAM is enabled in AD, it cannot be disabled again.
Even though JIT requires that Privileged Access Management is enabled in the domain, having it enabled is not a reliable indicator that JIT is in use, since PAM also underpins other functionality.
Exploitation of JIT solutions usually happens in the later stages of an assessment, once some foothold and domain context already exist.
A compromised JIT solution becomes a weak link when multiple accounts with the power to request and approve access fall into the wrong hands.
Most JIT solutions require that someone other than the requester approves a request unless it is auto-granted to a user who has already been given a higher level of trust. We may therefore have to compromise several accounts (a requester and one or more approvers) to take advantage of the solution, unless the solution itself has a vulnerability that can be exploited directly.
The AD PowerShell Module is often used by system administrators to manage AD via PowerShell and is part of the Remote Server Administration Tools (RSAT). Installing RSAT generally requires administrative privileges, but simply loading the DLL that implements the module, Microsoft.ActiveDirectory.Management.dll, does not.
For further enumeration, we can examine the infrastructure itself for traces of JIT: users, groups (including temporary memberships), GPOs, description fields, and so on. Information about a JIT solution may also come from an assumed-breach penetration test or from websites visited on compromised clients.
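The enumeration described above, as an added example that is not part of the original page. It loads the AD module straight from the DLL (no RSAT install), checks whether the PAM optional feature is enabled, lists time-bound members of a group, and searches description and display-name fields for JIT-related keywords. The DLL path, the keyword list and the choice of sql_admins as the group to inspect are assumptions; the hostnames and group name come from the walkthrough.

```powershell
# Added example, not code from the original page.
# Run as a standard domain user; nothing here needs admin rights.
param(
    [string]$DllPath = 'C:\Tools\Microsoft.ActiveDirectory.Management.dll',  # assumed location of the DLL
    [string]$Group   = 'sql_admins'                                           # group named in the walkthrough
)

# 1. Load the AD module directly from its DLL (works without installing RSAT).
if (-not (Get-Module -Name Microsoft.ActiveDirectory.Management)) {
    Import-Module $DllPath -ErrorAction Stop
}

# 2. Is the PAM optional feature enabled? EnabledScopes is empty when it is not.
$pam = Get-ADOptionalFeature -Filter { Name -like 'Privileged Access Management*' }
$pamEnabled = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)
"[*] PAM optional feature enabled: $pamEnabled"
if ($pamEnabled) { "    Enabled scope(s): $($pam.EnabledScopes -join ', ')" }

# 3. Expiring (time-bound) memberships only exist when PAM is in use.
#    -ShowMemberTimeToLive renders them as <TTL=<seconds>,<member DN>>.
$grp = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
foreach ($m in $grp.member) {
    if ($m -match '^<TTL=(\d+),(.+)>$') {
        "[!] $Group temporary member: $($Matches[2]) (expires in $($Matches[1]) s)"
    } else {
        "[ ] $Group permanent member: $m"
    }
}

# 4. Look for JIT traces in description / displayName / name of any object
#    (users, groups, OUs, GPOs live in the domain NC, so one query covers them).
$keywords = 'JIT', 'PAM', 'Just-In-Time', 'privileged access', 'expiring'   # assumed keyword list
$clauses  = foreach ($k in $keywords) { "(description=*$k*)(displayName=*$k*)(name=*$k*)" }
$ldap     = "(|$($clauses -join ''))"
Get-ADObject -LDAPFilter $ldap -Properties description, displayName |
    Select-Object objectClass, Name, DistinguishedName, description |
    Format-Table -AutoSize
```

A group showing no TTL entries does not prove JIT is absent: a solution that adds and removes members with a scheduled job leaves no expiring link, only the PAM feature state and whatever the approval application itself reveals.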
In the example environment, a JIT manager application was found on MGMT01 based on mary's browser history. Visiting http://mgmt01 reveals the web application.
According to the website, mary has previously requested access to the sql_admins group, and the status shows it was approved by someone. The RequestedTimespan field indicates that the access lasted one hour.
Requests may also be configured to be auto-approved, which places more trust in the account that logs in. We could try requesting another group, but even if the request is granted, the account must obtain a new TGT (typically by logging off and on again) before the new group appears in its PAC. That is hard to do if we do not know the account's password.
In this case, sql_admins grants access to the MSSQL instance on SQL01 through a Windows-group login. If our user is added to the sql_admins group in Active Directory, we can simply purge the existing Kerberos tickets with klist purge, initiate a new logon to the service, and receive a fresh TGT whose PAC includes the new group. The same applies to WEB01, which has WinRM enabled and supports Kerberos authentication.
Refreshing TGTs is not always simple: it requires either the account's cleartext password (or a logon session that still holds it) or the ability to fall back to NTLM with pass-the-hash, which does not depend on a cached ticket and therefore reflects the new group membership on the next authentication.
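The ticket refresh and verification described above, as an added example that is not part of the original page. It purges the cached tickets, forces a fresh Kerberos logon to WinRM on WEB01, checks whether the remote token now carries sql_admins, and repeats the check against MSSQL on SQL01 with integrated authentication. Hostnames and the group name come from the walkthrough; the use of Windows PowerShell 5.1 with System.Data.SqlClient, the unencrypted SQL connection, and the assumption that the script runs in a logon session for the granted account (interactive, or runas /netonly with a known password, so LSA can request the new TGT) are mine.

```powershell
# Added example, not code from the original page.
# Must run in the logon session of the account that was granted access;
# after klist purge, LSA uses that session's cached credentials for the new AS-REQ.
param(
    [string]$Group     = 'sql_admins',   # group from the walkthrough
    [string]$WinRmHost = 'WEB01',        # WinRM host from the walkthrough
    [string]$SqlHost   = 'SQL01'         # MSSQL host from the walkthrough
)

# 1. Drop every cached ticket (TGT and service tickets) for this logon session.
klist purge | Out-Null

# 2. Authenticate to WinRM with Kerberos; this triggers a fresh TGT request.
#    The group list the remote side sees is exactly what the new PAC contains.
$remoteGroups = Invoke-Command -ComputerName $WinRmHost -Authentication Kerberos -ScriptBlock {
    (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
}
$inToken = [bool]($remoteGroups -match "\\$Group$")
"[*] $WinRmHost sees $Group in the token: $inToken"

# 3. Confirm the TGT was re-issued after the purge by showing its timestamps.
klist tgt | Select-String 'Start Time|End Time|Renew Time'

# 4. Same check against MSSQL: the Windows-group login on SQL01 only works if
#    the group is in the session token presented during Kerberos authentication.
Add-Type -AssemblyName System.Data
$cs   = "Server=$SqlHost;Integrated Security=SSPI;Encrypt=False"   # assumed: no TLS on the lab instance
$conn = New-Object System.Data.SqlClient.SqlConnection($cs)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # IS_MEMBER() reports whether the Windows group is in the caller's token.
    $cmd.CommandText = "SELECT SYSTEM_USER AS login_name, IS_MEMBER('$env:USERDOMAIN\$Group') AS in_group"
    $rdr = $cmd.ExecuteReader()
    if ($rdr.Read()) {
        "[*] $SqlHost login=$($rdr['login_name']) in_group=$($rdr['in_group'])"
    }
    $rdr.Close()
}
finally {
    $conn.Close()
}
```

If step 2 still reports the group as missing, the membership has not propagated to the DC that issued the ticket, or the script is not running in a session that holds the account's credentials; in the latter case klist purge only removes tickets and nothing can request a new one.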