Downloaded 418 times
![Passwords in files/registry
[unencrypted (like for real!)]](https://image.slidesharecdn.com/windowsprivesctalk-151021184037-lva1-app6892/75/Windows-Privilege-Escalation-12-2048.jpg)
![*vnc
• RealVNC [HKEY_LOCAL_MACHINESOFTWARERealVNCvncserver]
• TightVNC [HKEY_CURRENT_USERSoftwareTightVNCServer]
• TigerVNC [HKEY_LOCAL_USERSoftwareTigerVNCWinVNC4]
• UltraVNC [C:Program FilesUltraVNCultravnc.ini]](https://image.slidesharecdn.com/windowsprivesctalk-151021184037-lva1-app6892/75/Windows-Privilege-Escalation-19-2048.jpg)
![Other places / software
• Autologon [HKLMSoftwareMicrosoftWindows
NTCurrentVersionWinlogon]
• HKEY_CURRENT_USERSoftwareSimonTathamPuTTYSessions
• Search the OS using dir /s and findstr /S /I (.xlsx, .docx, .pdf etc.)
• Search the Windows registry using reg query](https://image.slidesharecdn.com/windowsprivesctalk-151021184037-lva1-app6892/75/Windows-Privilege-Escalation-20-2048.jpg)
Uploaded byRiyaz Walikar
Windows Privilege Escalation
The document outlines a pentester's methodology for Windows privilege escalation, emphasizing techniques for exploiting network flaws and misconfigurations. It discusses various methods such as token impersonation, scheduled task abuse, and window messaging attacks, with real-world examples and demonstrations. Additionally, it provides resources and tools for further exploration of Windows security vulnerabilities.
More Related Content
![Carlos García - Pentesting Active Directory [rooted2018]](https://cdn.slidesharecdn.com/ss_thumbnails/carlosgarcia-slides-180312234839-thumbnail.jpg?width=640&height=640&fit=bounds)
![Carlos García - Pentesting Active Directory Forests [rooted2019]](https://cdn.slidesharecdn.com/ss_thumbnails/carlosgarcia-rooted2019-pentestingactivedirectoryforests-public-190403185357-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Windows Privilege Escalation
Windows Privilege Escalation
- 1. Windows Privilege Escalation APentester's Methodology to Discover and Exploit flaws on the network
- 2. • Riyaz Walikar •@riyazwalikar • @wincmdfu • http://ibreak.software • OWASP Bangalore chapter leader, null Bangalore contributor • Trainer/Speaker: BlackHat Asia, BlackHat USA, nullcon Goa, nullcon Delhi, c0c0n, OWASP AppSec USA
- 3. • This talkis not about • Kernel level exploits • Race conditions • Heap/stack any form of overflows • A pentester’s approach on a network • jibber jabber from experience • Real world examples • Design issues, misconfigurations, binary planting, permission issues, forensics, hash passing/spraying etc.
- 4. Limited privileges alreadyobtained on the machine/network via pentest, valid auth, unicorns.
- 5. Administrator to Systemis trivial • psexec -s -i -d cmd.exe • Token impersonation/stealing • C:> at /interactive 14:50 cmd.exe (schtasks in Win 7 and higher)
- 6.
- 7. Limited user to Administrator/SYSTEM LocalAdmin to Domain Admin
- 8.
- 9. C:> schtasks /query/fo LIST /v
- 10. C:> schtasks /query/fo LIST /v
- 11.
- 12. Passwords in files/registry [unencrypted(like for real!)]
- 14.
- 15.
- 16.
- 17.
- 18.
- 19. *vnc • RealVNC [HKEY_LOCAL_MACHINESOFTWARERealVNCvncserver] •TightVNC [HKEY_CURRENT_USERSoftwareTightVNCServer] • TigerVNC [HKEY_LOCAL_USERSoftwareTigerVNCWinVNC4] • UltraVNC [C:Program FilesUltraVNCultravnc.ini]
- 20. Other places /software • Autologon [HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon] • HKEY_CURRENT_USERSoftwareSimonTathamPuTTYSessions • Search the OS using dir /s and findstr /S /I (.xlsx, .docx, .pdf etc.) • Search the Windows registry using reg query
- 21.
- 22. Disk Image data •Search for *.vmdk, *.vdi, *.vhd, *.qed • Vmware, Virtual and Virtual PC disk images • ISO files, Ghost images, Daemon tool images etc. • Memory snapshopts (*.vmem files for example) • Volatility FTW!
- 23.
- 26. I came, Isaw, I passed the hash • use exploit/windows/smb/psexec • Windows Credential Editor + net use + sysinternals psexec • Windows Credential Editor + net use + wmiexec.py (Impacket) • Good way to identify if the user is local admin on any other machine
- 27.
- 28. Service permission issues •C:> sc qc <servicename>
- 29. Service permission issues •C:accesschk -cqwvu <servicename> | *
- 30.
- 31. Message Passing • Passinga message via SendMessage to the message loop of the main thread of the program • Shatter attack allowed cross process message passing between unprivileged process and a privileged thread. • Can be used to pass a message to a windowed system object running on a thread as NT AuthoritySYSTEM • CB_DIR, LB_DIR etc.
- 32.
- 33.
- 34. utilman.exe running withprivileges
- 35.
- 36.
- 37.
- 38. Abusing load paths •A binary can call code from external link libraries (DLLs) • Static Runtime loading • Dynamic loading using kernel32.LoadLibrary() • Both can be abused because the path is (most likely) user controlled
- 40.
- 41.
- 42.
- 43.
- 44.
- 45. Several exploits available •wmic qfe get hotfixid, description, Installedon | findstr “Security”
- 46. Resources • http://pentestmonkey.net/tools/windows-privesc-check • http://www.fuzzysecurity.com/tutorials/16.html •https://msdn.microsoft.com/en-us/library/cc422924.aspx • https://ibreak.software • Sysinternals FTW
- 47.
Editor's Notes
- #6 Psexec –s –I –d cmd.exe from a UAC free console
- #34 Check using PokeWindows
- #35 Check using PokeWindows
- #36 Check using PokeWindows
- #37 Check using PokeWindows
- #42 Not exhaustive. Will not know entire list till program is decompiled and all LoadLibraryA() calls are traced. Loadlibrary may exist in uncalled functions.
- #43 Not exhaustive. Will not know entire list till program is decompiled and all LoadLibraryA() calls are traced. Loadlibrary may exist in uncalled functions.