SlideShare a Scribd company logo

Well, that escalated quickly! - a penetration tester's approach to privilege escalation

DefCamp
DefCamp

Khalil Bijjou in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive

1 of 36
Download to read offline
© 2017 SEC Consult | All rights reserved
© 2018 SEC Consult | All rights reserved
© fotolia 62904980
Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou | Confidentiality Class: Public
Well, that escalated quickly! -
A penetration tester's approach to privilege
escalation
© 2018 SEC Consult | All rights reserved
• Usually, attackers gain low privileged access to a system
• High privileges are required to be fully operative
• Escalating privileges is an important and complex aspect of a penetration
test
• Little literature that profoundly deals with privilege escalation has been
identified
Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
2
Escalating Privileges – Why?
© 2018 SEC Consult | All rights reserved
Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
3
Main Goals
• Impart in-depth knowledge of the theory and practice of different privilege
escalation attacks and concepts
• Provide penetration testers with a practical and systematic privilege
escalation approach
© 2018 SEC Consult | All rights reserved
Windows Basics
4Title: SEC Consult // who we are. | Responsible: U. Fleck | Version / Date: V1.0/2018-04 | Confidentiality Class: public
© 2018 SEC Consult | All rights reserved
Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
5
Overview
• Windows is the de-facto standard operating system for company desktops
and holds a total desktop market share of over 80%
• Windows Server is often used in company networks
• Contains a number of different components and (security) mechanisms
• On a local Windows system, Administrator and SYSTEM are the highest
privileges
© 2018 SEC Consult | All rights reserved
Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
6
Registry
• Composed of keys and values
• Keys included in other keys are called sub-keys
• Highest level keys are called root keys
• Stores
• boot and system information
• systemwide software settings
• the security database and
• per-user configuration settings
• Protected by an ACL

Recommended

7. Security Operations
7. Security Operations7. Security Operations
7. Security OperationsSam Bowne
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementSam Bowne
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)Sam Bowne
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
 
CNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and TestingCNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and TestingSam Bowne
 
CNIT 125 Ch 4. Security Engineering (Part 1)
CNIT 125 Ch 4. Security Engineering (Part 1)CNIT 125 Ch 4. Security Engineering (Part 1)
CNIT 125 Ch 4. Security Engineering (Part 1)Sam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)Sam Bowne
 

More Related Content

What's hot

CNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset SecurityCNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset SecuritySam Bowne
 
Compliance technical controls and you rva sec 2019
Compliance technical controls and you   rva sec 2019Compliance technical controls and you   rva sec 2019
Compliance technical controls and you rva sec 2019Derek Banks
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access ManagementSam Bowne
 
5 infrastructure security
5 infrastructure security5 infrastructure security
5 infrastructure securityLen Bass
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session ManagementSam Bowne
 
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...Black Duck by Synopsys
 
CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecuritySam Bowne
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and TestingSam Bowne
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationSam Bowne
 

What's hot (20)

CNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset SecurityCNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset Security
 
Compliance technical controls and you rva sec 2019
Compliance technical controls and you   rva sec 2019Compliance technical controls and you   rva sec 2019
Compliance technical controls and you rva sec 2019
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
5 infrastructure security
5 infrastructure security5 infrastructure security
5 infrastructure security
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session Management
 
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
 
CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development Security
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden Threat
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data Collection
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
 

Similar to Well, that escalated quickly! - a penetration tester's approach to privilege escalation

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Kill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin RightsKill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin RightsScriptLogic
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Practical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPractical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPRISMA CSI
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksSecurity Bootcamp
 
Centrify Customer Success Webinar - Expert Hour for Privilege Management
Centrify Customer Success Webinar - Expert Hour for Privilege ManagementCentrify Customer Success Webinar - Expert Hour for Privilege Management
Centrify Customer Success Webinar - Expert Hour for Privilege ManagementCentrify Support
 
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...CloudIDSummit
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12Lior Rotkovitch
 
Shrinking the container_zurich_july_2018
Shrinking the container_zurich_july_2018Shrinking the container_zurich_july_2018
Shrinking the container_zurich_july_2018Ewan Slater
 
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)Cloudera, Inc.
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?Precisely
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerTom Keetch
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Jayesh Naik
 
Application hardening
Application hardeningApplication hardening
Application hardeningJayesh Naik
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsSBWebinars
 
Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast Compuware
 
Lecture 11 managing the network
Lecture 11   managing the networkLecture 11   managing the network
Lecture 11 managing the networkWiliam Ferraciolli
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
 

Similar to Well, that escalated quickly! - a penetration tester's approach to privilege escalation (20)

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Kill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin RightsKill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin Rights
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Practical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability DetectionPractical White Hat Hacker Training - Vulnerability Detection
Practical White Hat Hacker Training - Vulnerability Detection
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
Centrify Customer Success Webinar - Expert Hour for Privilege Management
Centrify Customer Success Webinar - Expert Hour for Privilege ManagementCentrify Customer Success Webinar - Expert Hour for Privilege Management
Centrify Customer Success Webinar - Expert Hour for Privilege Management
 
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
 
Shrinking the container_zurich_july_2018
Shrinking the container_zurich_july_2018Shrinking the container_zurich_july_2018
Shrinking the container_zurich_july_2018
 
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using Java
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
 
Application hardening
Application hardeningApplication hardening
Application hardening
 
Cache Security- The Basics
Cache Security- The BasicsCache Security- The Basics
Cache Security- The Basics
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast Detecting Insider Threats with Multi-layered Security Webcast
Detecting Insider Threats with Multi-layered Security Webcast
 
Lecture 11 managing the network
Lecture 11   managing the networkLecture 11   managing the network
Lecture 11 managing the network
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Recently uploaded

GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...James Anderson
 
Python For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emPython For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emNho Vĩnh
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...SearchNorwich
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewAshraf Fouad
 
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfQ4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfTejal81
 
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGRick Ossendrijver
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...ShapeBlue
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyMustafa Kuğu
 
AI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the ClassroomsAI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the ClassroomsPremsankar Chakkingal
 
KUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ionKUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ionNeo4j
 
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...BookNet Canada
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareAsma Ben Abacha
 
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31shyamraj55
 
software-quality-assurance question paper 2023
software-quality-assurance question paper 2023software-quality-assurance question paper 2023
software-quality-assurance question paper 2023RohanMistry15
 
Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfMostafa Higazy
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Jay Zhao
 
Pragmatic UI testing with Compose Semantics.pdf
Pragmatic UI testing with Compose Semantics.pdfPragmatic UI testing with Compose Semantics.pdf
Pragmatic UI testing with Compose Semantics.pdfinfogdgmi
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIVijayananda Mohire
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerSaiLinnThu2
 

Recently uploaded (20)

GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
 
Python For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emPython For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ em
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book Review
 
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfQ4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
 
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5Company
 
AI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the ClassroomsAI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the Classrooms
 
KUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ionKUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ion
 
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in Healthcare
 
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
 
software-quality-assurance question paper 2023
software-quality-assurance question paper 2023software-quality-assurance question paper 2023
software-quality-assurance question paper 2023
 
Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdf
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
 
Pragmatic UI testing with Compose Semantics.pdf
Pragmatic UI testing with Compose Semantics.pdfPragmatic UI testing with Compose Semantics.pdf
Pragmatic UI testing with Compose Semantics.pdf
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AI
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
 

Well, that escalated quickly! - a penetration tester's approach to privilege escalation

  • 1. © 2017 SEC Consult | All rights reserved © 2018 SEC Consult | All rights reserved © fotolia 62904980 Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou | Confidentiality Class: Public Well, that escalated quickly! - A penetration tester's approach to privilege escalation
  • 2. © 2018 SEC Consult | All rights reserved • Usually, attackers gain low privileged access to a system • High privileges are required to be fully operative • Escalating privileges is an important and complex aspect of a penetration test • Little literature that profoundly deals with privilege escalation has been identified Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 2 Escalating Privileges – Why?
  • 3. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 3 Main Goals • Impart in-depth knowledge of the theory and practice of different privilege escalation attacks and concepts • Provide penetration testers with a practical and systematic privilege escalation approach
  • 4. © 2018 SEC Consult | All rights reserved Windows Basics 4Title: SEC Consult // who we are. | Responsible: U. Fleck | Version / Date: V1.0/2018-04 | Confidentiality Class: public
  • 5. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 5 Overview • Windows is the de-facto standard operating system for company desktops and holds a total desktop market share of over 80% • Windows Server is often used in company networks • Contains a number of different components and (security) mechanisms • On a local Windows system, Administrator and SYSTEM are the highest privileges
  • 6. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 6 Registry • Composed of keys and values • Keys included in other keys are called sub-keys • Highest level keys are called root keys • Stores • boot and system information • systemwide software settings • the security database and • per-user configuration settings • Protected by an ACL
  • 7. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 7 Processes • A process contains a set of resources used when executing the instance of the program: • an executable program mapped into the process’ private virtual address space • a security context (called access token) which includes identification of the user, security groups, privileges, etc. • a process ID • one or more threads of execution
  • 8. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 8 Jobs & Threads • Jobs are groups of processes • Threads are entities within a process
  • 9. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 9 Services • Used to start processes at system startup • Run in the context of a user • Mostly non-interactive users • Usually in context of SYSTEM user • Consist of at least one executable file
  • 10. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 10 Service Accounts Name Privileges Attributes Local System Account Can enable all privileges -> Highest privileges possible • Also referred to as SYSTEM account. • Core Windows components run under the Local System Account. Network Service Account High privileges Is used by services that authenticate themselves to network services. Local Service Account Same as Network Service Account -> but can not be used for authenticating to network services
  • 11. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 11 Startup Programs & Scheduled Tasks • Similar to services • Loading of an executable file at startup that runs under a certain user
  • 12. © 2018 SEC Consult | All rights reserved Privilege Escalation - Methods and Techniques 12Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
  • 13. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 13 Overview • Some techniques may be applicable to several Windows components due to their similar design • Attack trees will give an overview of different techniques for exploiting a certain component or mechanism
  • 14. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 14 Insecure Services
  • 15. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 15 Insecure Services - Weak Executable File Permissions • Service’s executable or configuration file with weak permissions • Can be modified by a low privileged user → Exploit: Replace or modify file and trigger a restart of the service
  • 16. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 16 Insecure Services – Unquoted Service Paths • File paths that are not embedded within double quotes and contain white spaces are possibly vulnerable • Windows tries to execute a file where the first white space is located → Exploit: If write permissions to C: are given, a malicious Program.exe can be created and will be executed upon restart of the service C:Program.exe C:Program FilesWavesMaxxAudioWavesSysSvc64.exe
  • 17. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 17 Insecure Services – DLL Hijacking • Applications that try to load a missing DLL file and use relative file paths may be prone to DLL Hijacking • Windows tries to find the missing DLL file in the following directories: → Exploit: if write permissions to one of the above folders is granted, a malicious DLL file can be placed • The directory from which the application is loaded • C:WindowsSystem32 • C:WindowsSystem • C:Windows • The current working directory • Directories in the system PATH environment variable • Directories in the user PATH environment variable
  • 18. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 18 Insecure Startup Programs
  • 19. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 19 Insecure Scheduled Tasks
  • 20. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 20 Outdated Software • Companies can not always deploy patches in a timely manner • Successful kernel exploits result in SYSTEM privileges → Exploit: applications that run as high privileged processes result in privilege escalation
  • 21. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 21 Weak Passwords • Users may use weak passwords: • Wordlist • Brute force attacks • Plaintext passwords in files: ▪ C:unattend.xml ▪ C:WindowsPantherUnattend.xml ▪ C:WindowsPantherUnattendUnattend.xml ▪ C:Windowssystem32sysprep* ▪ … • Plaintext passwords in registry: ▪ HKLMSoftwareMicrosoftWindows NTWinLogon ▪ …
  • 22. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 22 Insufficient Physical Access Protection • An attacker with physical access to a system has more attack vectors: • Unencrypted disks can be attacked by replacing manipulating Windows startup functions • The same attack can be applied to encrypted disks that do not require a token for decryption after successfully extracting the decryption key from memory • Attacks against CPU micro controller are possible
  • 23. © 2018 SEC Consult | All rights reserved Privilege Escalation Approach 23Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
  • 24. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 24 Overview
  • 25. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 25 Phase 1: General Information Gathering • Systems have different Windows versions, service packs, CPU architectures, purposes, network configurations, etc. • Goal is to have a good overview of the system
  • 26. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 26 Phase 2: Method and Technique Iteration • Privilege escalation methods and techniques are iterated through in this phase • These can be ordered accordingly to the penetration test’s objective • Every iteration consists of four steps
  • 27. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 27 Steps of Phase 2 • [Step 1] Information Gathering: ▪ Check whether system is vulnerable to the method • [Step 2] Research and Development: ▪ Gather information about available exploits and customize to target system ▪ A test environment can be set-up ▪ Possible security mechanisms have to be considered ▪ Very important as possibly only one attempt is given
  • 28. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 28 Steps of Phase 2 • [Step 3] Exploitation: ▪ Test the exploit developed in step 2. ▪ Sometimes the previous steps have to be repeated • [Step 4] Post-Exploitation ▪ Document the previous steps ▪ In case monitoring systems are in place, identify whether the attack has been detected
  • 29. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 29 Phase 3: Reporting • Any vulnerability should be reported, independent of whether it was exploitable or not • Passwords and sensitive data should be censored • If evidence of a previous compromise has been found, the customer should be informed right away • Exploits, added users and other modifications should be documented
  • 30. © 2018 SEC Consult | All rights reserved Tools 30Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
  • 31. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 31 Tools Name Link Metasploit https://github.com/rapid7/metasploit-framework PowerSploit https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc BeRoot https://github.com/AlessandroZ/BeRoot Windows-Exploit-Suggester https://github.com/GDSSecurity/Windows-Exploit-Suggester
  • 32. © 2018 SEC Consult | All rights reserved Conclusion 32Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou
  • 33. © 2018 SEC Consult | All rights reserved Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou 33 Conclusion • Learnt things about • Windows • Privilege escalation concepts • An approach for penetration testers • Tools that can be used • The content can be used by system administrators and architects to improve their systems’ security • Windows systems: • offer a great number of security mechanisms • allow a granular configuration of privileges and access rights • are patched typically fast
  • 34. © 2018 SEC Consult | All rights reserved Q&A Session 34Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou P.S.: We are in need of curious and smart people! --> (k.bijjou@sec-consult.com)
  • 35. © 2018 SEC Consult | All rights reserved 35Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou Khalil Bijjou k.bijjou@sec-consult.com +41 79 896 73 08 SEC Consult (Schweiz) AG Turbinenstrasse 28 8005 Zürich, Schweiz www.sec-consult.com Any further questions? Don‘t hesitate to contact me.
  • 36. © 2018 SEC Consult | All rights reserved 36Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou Portfolio • Vulnerability Lab • Security Consulting • ISMS Consulting • Trainings • … Career • Curiosity and enthusiasm for security • Participate in bleeding edge technology projects • Permanent Learning https://www.sec-consult.com • Security Consulting since 02’ • Advisories: severe vulnerabilities in popular products found • International Team • Different Locations