
Well, that escalated quickly! - a penetration tester's approach to privilege escalation

Presented by Khalil Bijjou in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive


  1. © 2018 SEC Consult | All rights reserved | © fotolia 62904980 | Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou | Confidentiality Class: Public
     Well, that escalated quickly! - A penetration tester's approach to privilege escalation
  2. Escalating Privileges – Why?
     • Usually, attackers gain low privileged access to a system
     • High privileges are required to be fully operative
     • Escalating privileges is an important and complex aspect of a penetration test
     • Little literature that deals with privilege escalation in depth has been identified
  3. Main Goals
     • Impart in-depth knowledge of the theory and practice of different privilege escalation attacks and concepts
     • Provide penetration testers with a practical and systematic privilege escalation approach
  4. Windows Basics
  5. Overview
     • Windows is the de-facto standard operating system for company desktops and holds a total desktop market share of over 80%
     • Windows Server is often used in company networks
     • Contains a number of different components and (security) mechanisms
     • On a local Windows system, Administrator and SYSTEM are the highest privilege levels; a member of the local Administrators group can obtain SYSTEM (for example by installing a service), so the two are equivalent for the purposes of this talk
  6. Registry
     • Composed of keys and values
     • Keys included in other keys are called sub-keys
     • Highest level keys are called root keys
     • Stores:
       • boot and system information
       • system-wide software settings
       • the security database and
       • per-user configuration settings
     • Each key is protected by an ACL
  7. Processes
     • A process contains a set of resources used when executing the instance of the program:
       • an executable program mapped into the process' private virtual address space
       • a security context (called access token) which includes identification of the user, security groups, privileges, etc.
       • a process ID
       • one or more threads of execution
  8. Jobs & Threads
     • Jobs are groups of processes
     • Threads are the entities within a process that execute code
  9. Services
     • Used to start processes at system startup
     • Run in the context of a user account:
       • mostly non-interactive accounts
       • usually the SYSTEM account
     • Consist of at least one executable file
  10. Service Accounts
      Name                    | Privileges                                                                          | Attributes
      Local System Account    | Can enable all privileges -> highest privileges possible                            | Also referred to as SYSTEM account. Core Windows components run under the Local System Account.
      Network Service Account | High privileges (fewer than Local System, but including e.g. SeImpersonatePrivilege) | Used by services that authenticate themselves to network services (they present the computer account).
      Local Service Account   | Same as Network Service Account                                                     | Cannot be used for authenticating to network services.
  11. Startup Programs & Scheduled Tasks
      • Similar to services
      • Loading of an executable file at startup (or at a scheduled time) that runs under a certain user
  12. Privilege Escalation - Methods and Techniques
  13. Overview
      • Some techniques may be applicable to several Windows components due to their similar design
      • Attack trees give an overview of the different techniques for exploiting a certain component or mechanism
  14. Insecure Services
  15. Insecure Services - Weak Executable File Permissions
      • Service's executable or configuration file with weak permissions
      • Can be modified by a low privileged user
      → Exploit: Replace or modify the file and trigger a restart of the service (if the low privileged user may not stop and start the service, wait for or force a reboot)
  16. Insecure Services – Unquoted Service Paths
      • File paths that are not enclosed in double quotes and contain white space are possibly vulnerable
      • Before trying the full path, Windows tries every prefix that ends at a white space with ".exe" appended, in order
      → Exploit: If write permissions to C:\ are given, a malicious Program.exe can be created and will be executed upon restart of the service
      Example: for the service path C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe, Windows first tries C:\Program.exe, then C:\Program Files\Waves.exe, then C:\Program Files\Waves\MaxxAudio.exe
  17. Insecure Services – DLL Hijacking
      • Applications that load a DLL by name only (no absolute path) and whose DLL is missing from the system may be prone to DLL hijacking
      • Windows searches for the DLL in the following directories, in this order (with SafeDllSearchMode enabled, the default):
        • The directory from which the application is loaded
        • C:\Windows\System32
        • C:\Windows\System
        • C:\Windows
        • The current working directory
        • Directories in the system PATH environment variable
        • Directories in the user PATH environment variable
      → Exploit: if write permissions to one of the above folders are granted, a malicious DLL file with the missing DLL's name can be placed there
  18. Insecure Startup Programs
  19. Insecure Scheduled Tasks
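The checks behind the service slides (weak executable permissions, unquoted service paths, writable directories in the DLL search order) and the startup-program and scheduled-task slides can be run from a single low-privileged PowerShell session. The following script is an added example and is not part of the original presentation or of any of the tools listed later. It assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or newer (for Get-CimInstance and Get-ScheduledTask), that it runs as the low-privileged user whose rights are being tested, and that an Allow ACE for Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE or one of the current user's own groups counts as "writable by a low-privileged user" (Deny ACEs are ignored, a simplification). The helper names Test-Writable, Get-ExePath and Add-Finding are my own.

```powershell
# Added example (not from the original slides): find services, Run-key entries and scheduled
# tasks whose binaries, path prefixes or search-order directories a low-privileged user can write.

# Principals treated as reachable by a low-privileged user, plus the current user and its groups.
$weakIds = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myIds = @($id.Name) + @($id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null } })
# A file is "writable" if it can be overwritten or replaced; a directory if files can be created in it.
$fileMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, FullControl'
$dirMask  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, ChangePermissions, TakeOwnership, FullControl'

function Test-Writable([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $mask = if (Test-Path -LiteralPath $Path -PathType Container) { $dirMask } else { $fileMask }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $who = $ace.IdentityReference.Value
        if (($weakIds -contains $who -or $myIds -contains $who) -and
            (([int]$ace.FileSystemRights -band [int]$mask) -ne 0)) { return $true }
    }
    return $false
}

function Get-ExePath([string]$Command) {
    # Executable part of a service/task/Run-key command line, quoted or not, env vars expanded.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $matches[1] }
    if ($c -match '^(.+?\.exe)(\s|$)') { return $matches[1] }
    return ($c -split '\s+')[0]
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Name, [string]$Account, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Account = $Account; Detail = $Detail })
}

# --- Services: writable binary, unquoted path with spaces, writable application directory ---
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object PathName)) {
    $exe = Get-ExePath $svc.PathName
    if (Test-Writable $exe) { Add-Finding 'Service/WritableBinary' $svc.Name $svc.StartName $exe }
    if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
        # CreateProcess tries C:\Program.exe, C:\Program Files\X.exe, ... before the full path.
        $parts = $exe -split ' '
        for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            $candidate = ($parts[0..$i] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if ($dir -and (Test-Writable $dir)) {
                Add-Finding 'Service/UnquotedPath' $svc.Name $svc.StartName "can plant $candidate"
            }
        }
    }
    $appDir = Split-Path -Path $exe -Parent
    if ($appDir -and (Test-Writable $appDir)) {
        Add-Finding 'Service/WritableAppDir(DLL)' $svc.Name $svc.StartName $appDir
    }
}

# --- DLL search order shared by every process: system directories and PATH entries ---
$searchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot) +
              @($env:Path -split ';' | Where-Object { $_ })
foreach ($d in ($searchDirs | Select-Object -Unique)) {
    if (Test-Writable $d) { Add-Finding 'DLLSearchOrder/WritableDir' $d '-' 'find a DLL that is loaded by name but missing (e.g. with Process Monitor)' }
}

# --- Startup programs: machine-wide Run/RunOnce keys run for every user who logs on ---
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
    $props = Get-ItemProperty -Path $k
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $exe = Get-ExePath ([string]$p.Value)
        if (Test-Writable $exe) { Add-Finding 'Startup/WritableBinary' $p.Name $k $exe }
    }
}

# --- Scheduled tasks that run as SYSTEM or with highest privileges ---
foreach ($t in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
    $pr = $t.Principal
    if ($pr.UserId -notmatch 'SYSTEM|S-1-5-18' -and $pr.RunLevel -ne 'Highest') { continue }
    foreach ($a in ($t.Actions | Where-Object { $_.Execute })) {
        $exe = Get-ExePath $a.Execute
        if (Test-Writable $exe) { Add-Finding 'Task/WritableBinary' $t.TaskName $pr.UserId $exe }
    }
}

if ($findings.Count -eq 0) { 'No writable targets found for this user.' }
else { $findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap }
```

A hit in the output is a candidate, not yet an escalation: the Account column tells you which context a planted binary would run in, and for a service finding you still need a way to restart it (a stop/start right on the service, or a reboot). The DLL search-order findings only list writable directories; which DLL name to plant there has to come from observing the failed loads of a high-privileged process, which this script does not do.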
  20. Outdated Software
      • Companies cannot always deploy patches in a timely manner
      • Successful kernel exploits result in SYSTEM privileges
      → Exploit: a vulnerability in an application that runs as a high privileged process yields the privileges of that process
  21. Weak Passwords
      • Users may use weak passwords, which can be recovered with:
        • Wordlist attacks
        • Brute force attacks
      • Plaintext (or merely base64-encoded) passwords in files:
        ▪ C:\unattend.xml
        ▪ C:\Windows\Panther\Unattend.xml
        ▪ C:\Windows\Panther\Unattend\Unattend.xml
        ▪ C:\Windows\system32\sysprep\*
        ▪ …
      • Plaintext passwords in the registry:
        ▪ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName / DefaultPassword of an automatic logon)
        ▪ …
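The file and registry locations on the slide can be harvested with the script below. It is an added example, not part of the original presentation, and it encodes one assumption about the file format: when Windows System Image Manager hides a `<Password>` value in unattend.xml (`<PlainText>false</PlainText>`), the value is the base64 encoding of the UTF-16LE password with the element name ("Password" or "AdministratorPassword") appended, so that suffix is stripped after decoding; anything that does not decode is shown raw. The slide's `C:\Windows\system32\sysprep\*` is taken literally as every XML file below that directory. The function names ConvertFrom-UnattendPassword, Get-UnattendCredentials and Get-WinlogonAutoLogon are my own.

```powershell
# Added example (not from the original slides): collect stored credentials from the
# unattend/sysprep files and the Winlogon auto-logon values listed on the slide.

$unattendFiles = @(
    "$env:SystemDrive\unattend.xml",
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml"
)
# The slide lists C:\Windows\system32\sysprep\* : take every XML file below that directory.
$sysprepXml = Get-ChildItem -Path "$env:SystemRoot\System32\sysprep" -Filter *.xml -Recurse -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName

function ConvertFrom-UnattendPassword([string]$Value, [bool]$IsPlainText, [string]$ElementName) {
    if ($IsPlainText -or -not $Value) { return $Value }
    try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value)) }
    catch { return "(not base64) $Value" }
    # Assumption: WSIM appends the element name before encoding; strip it (fall back to "Password").
    foreach ($suffix in @($ElementName, 'Password')) {
        if ($decoded.EndsWith($suffix)) { return $decoded.Substring(0, $decoded.Length - $suffix.Length) }
    }
    return $decoded
}

function Get-UnattendCredentials([string]$Path) {
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # local-name() keeps the XPath independent of the urn:schemas-microsoft-com:unattend namespace.
    $nodes = $doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')
    foreach ($pw in $nodes) {
        $value = $pw.SelectSingleNode('*[local-name()="Value"]')
        if (-not $value) { continue }
        $plain = $pw.SelectSingleNode('*[local-name()="PlainText"]')
        $isPlain = ($plain -ne $null) -and ($plain.InnerText.Trim() -eq 'true')
        # AutoLogon uses <Username>, LocalAccount uses <Name>; AdministratorPassword has neither.
        $user = $pw.ParentNode.SelectSingleNode('*[local-name()="Username" or local-name()="Name"]')
        [pscustomobject]@{
            Source   = $Path
            Section  = $pw.ParentNode.LocalName
            Username = $(if ($user) { $user.InnerText } else { 'Administrator' })
            Password = ConvertFrom-UnattendPassword $value.InnerText $isPlain $pw.LocalName
        }
    }
}

function Get-WinlogonAutoLogon {
    # Readable by any local user when DefaultPassword is a registry value. Sysinternals Autologon
    # stores the password as an LSA secret instead, which requires SYSTEM to read.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($w -and $w.DefaultPassword) {
        [pscustomobject]@{
            Source   = $key
            Section  = "AutoAdminLogon=$($w.AutoAdminLogon)"
            Username = "$($w.DefaultDomainName)\$($w.DefaultUserName)"
            Password = $w.DefaultPassword
        }
    }
}

$files = @($unattendFiles | Where-Object { Test-Path -LiteralPath $_ }) + @($sysprepXml | Where-Object { $_ })
$results = @(
    foreach ($f in $files) {
        try { Get-UnattendCredentials $f } catch { Write-Warning "Cannot parse ${f}: $_" }
    }
) + @(Get-WinlogonAutoLogon)

if ($results.Count) { $results | Format-Table -AutoSize -Wrap } else { 'No stored credentials found.' }
```

Anything this prints belongs in the report only in censored form (see the reporting slide); the value of the find is usually that the same local Administrator password was rolled out to every machine built from the same image.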
  22. Insufficient Physical Access Protection
      • An attacker with physical access to a system has more attack vectors:
        • Unencrypted disks can be attacked by replacing or manipulating Windows startup files from another operating system
        • The same attack can be applied to encrypted disks that do not require a token (e.g. a PIN or key in addition to the TPM) for decryption, after successfully extracting the decryption key from memory
        • Attacks against the CPU and microcontroller (hardware) level are possible
  23. Privilege Escalation Approach
  24. Overview
  25. Phase 1: General Information Gathering
      • Systems have different Windows versions, service packs, CPU architectures, purposes, network configurations, etc.
      • Goal is to have a good overview of the system
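What Phase 1 collects in practice, and how it feeds the outdated-software check from slide 20, is shown by the script below. It is an added example and not part of the original presentation. It assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or newer (Get-CimInstance, Get-NetIPAddress), that the tool Windows-Exploit-Suggester from the tools slide is used on the tester's own machine afterwards, and the function name Get-PrivescBaseline is my own.

```powershell
# Added example (not from the original slides): gather the Phase 1 facts into one object and
# produce the systeminfo.txt that Windows-Exploit-Suggester matches against its patch database.
function Get-PrivescBaseline {
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $hotfixes = @(Get-HotFix | Sort-Object InstalledOn -Descending)
    # Token privileges decide which later methods apply (e.g. SeImpersonate, SeBackup, SeDebug).
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    # Security Center is only populated on client editions; servers simply yield nothing here.
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host         = $cs.Name
        Domain       = $(if ($cs.PartOfDomain) { $cs.Domain } else { '(workgroup)' })
        OS           = "$($os.Caption) $($os.Version) $($os.OSArchitecture)"
        ServicePack  = $os.ServicePackMajorVersion
        LastBoot     = $os.LastBootUpTime
        User         = $id.Name
        IsLocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Groups       = ($id.Groups | ForEach-Object {
                           try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value } }) -join ', '
        EnabledPrivs = ($privs | Where-Object State -eq 'Enabled').'Privilege Name' -join ', '
        AllPrivs     = $privs.'Privilege Name' -join ', '
        HotfixCount  = $hotfixes.Count
        LatestHotfix = $(if ($hotfixes.Count) { "$($hotfixes[0].HotFixID) $($hotfixes[0].InstalledOn)" } else { 'none' })
        IPv4         = (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                        Where-Object IPAddress -ne '127.0.0.1').IPAddress -join ', '
        AntiVirus    = ($av | ForEach-Object displayName) -join ', '
    }
}

# Summary to screen, plus the raw systeminfo output written the way the tool's README expects
# (from cmd, so the file uses the console code page). On the tester's machine:
#   python windows-exploit-suggester.py --update
#   python windows-exploit-suggester.py --database <downloaded .xls> --systeminfo systeminfo.txt
Get-PrivescBaseline | Format-List
cmd.exe /c 'systeminfo > systeminfo.txt'
```

The hotfix list and the build number are what the exploit suggester needs; the privilege and group lines decide which of the later slides are even worth iterating (a token with SeImpersonatePrivilege, for example, calls for a different first move than a plain domain user without it).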
  26. Phase 2: Method and Technique Iteration
      • Privilege escalation methods and techniques are iterated through in this phase
      • These can be ordered according to the penetration test's objective
      • Every iteration consists of four steps
  27. Steps of Phase 2
      • [Step 1] Information Gathering:
        ▪ Check whether the system is vulnerable to the method
      • [Step 2] Research and Development:
        ▪ Gather information about available exploits and customize them to the target system
        ▪ A test environment can be set up
        ▪ Possible security mechanisms have to be considered
        ▪ Very important, as there may be only one attempt (a failed kernel exploit typically crashes the system)
  28. Steps of Phase 2
      • [Step 3] Exploitation:
        ▪ Test the exploit developed in step 2
        ▪ Sometimes the previous steps have to be repeated
      • [Step 4] Post-Exploitation:
        ▪ Document the previous steps
        ▪ In case monitoring systems are in place, identify whether the attack has been detected
  29. Phase 3: Reporting
      • Any vulnerability should be reported, independent of whether it was exploitable or not
      • Passwords and sensitive data should be censored
      • If evidence of a previous compromise has been found, the customer should be informed right away
      • Exploits, added users and other modifications should be documented
  30. Tools
  31. Tools
      • Metasploit: https://github.com/rapid7/metasploit-framework
      • PowerSploit (Privesc module, PowerUp): https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
      • BeRoot: https://github.com/AlessandroZ/BeRoot
      • Windows-Exploit-Suggester: https://github.com/GDSSecurity/Windows-Exploit-Suggester
  32. Conclusion
  33. Conclusion
      • What was covered:
        • Windows basics
        • Privilege escalation concepts
        • An approach for penetration testers
        • Tools that can be used
      • The content can be used by system administrators and architects to improve their systems' security
      • Windows systems:
        • offer a great number of security mechanisms
        • allow a granular configuration of privileges and access rights
        • are typically patched quickly
  34. Q&A Session
      P.S.: We are in need of curious and smart people! --> (k.bijjou@sec-consult.com)
  35. Khalil Bijjou | k.bijjou@sec-consult.com | +41 79 896 73 08
      SEC Consult (Schweiz) AG, Turbinenstrasse 28, 8005 Zürich, Schweiz | www.sec-consult.com
      Any further questions? Don't hesitate to contact me.
  36. SEC Consult (https://www.sec-consult.com)
      Portfolio:
      • Vulnerability Lab
      • Security Consulting
      • ISMS Consulting
      • Trainings
      • …
      Company:
      • Security Consulting since 2002
      • Advisories: severe vulnerabilities in popular products found
      • International team, different locations
      Career:
      • Curiosity and enthusiasm for security
      • Participate in bleeding edge technology projects
      • Permanent learning
