Windows Privilege Escalation

A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a Windows domain, the same techniques can be used to escalate to domain administrator.

1. Windows Privilege Escalation: A Pentester's Methodology to Discover and Exploit Flaws on the Network
2. • Riyaz Walikar
   • @riyazwalikar
   • @wincmdfu
   • http://ibreak.software
   • OWASP Bangalore chapter leader, null Bangalore contributor
   • Trainer/Speaker: BlackHat Asia, BlackHat USA, nullcon Goa, nullcon Delhi, c0c0n, OWASP AppSec USA
3. • This talk is not about
     • Kernel level exploits
     • Race conditions
     • Heap/stack or any other form of overflows
   • This talk is about
     • A pentester's approach on a network
     • Jibber jabber from experience
     • Real world examples
     • Design issues, misconfigurations, binary planting, permission issues, forensics, hash passing/spraying etc.
4. Limited privileges already obtained on the machine/network via pentest, valid auth, unicorns.
5. Administrator to SYSTEM is trivial
   • psexec -s -i -d cmd.exe
   • Token impersonation/stealing
   • C:\> at /interactive 14:50 cmd.exe (schtasks in Win 7 and higher)
6. Demo
7. Limited user to Administrator/SYSTEM; Local Admin to Domain Admin
8. Abusing Scheduled Tasks
9. C:\> schtasks /query /fo LIST /v
10. C:\> schtasks /query /fo LIST /v
11. C:\> icacls C:\AdminTasks
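An added example (not from the talk) that automates the check behind slides 9 to 11: it parses `schtasks /query /fo LIST /v` output and the `icacls` output for each task binary, and reports tasks that run as SYSTEM whose binary a low-privileged principal can overwrite. The task list and ACL text below are constructed samples; on a real host they come from running the two commands.

```python
import re
# Constructed sample of `schtasks /query /fo LIST /v` output, trimmed to the fields used here.
SCHTASKS_OUT = """TaskName:      \\AdminBackup
Task To Run:   C:\\AdminTasks\\backup.bat
Run As User:   SYSTEM

TaskName:      \\UserCleanup
Task To Run:   C:\\Windows\\System32\\cleanmgr.exe /autoclean
Run As User:   WORKSTATION\\bob
"""
# Constructed sample of `icacls C:\AdminTasks\backup.bat` output (the check slide 11 performs), keyed by path.
ICACLS_OUT = {"C:\\AdminTasks\\backup.bat": """C:\\AdminTasks\\backup.bat BUILTIN\\Users:(F)
                          NT AUTHORITY\\SYSTEM:(I)(F)
                          BUILTIN\\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""}
LOW_PRIV = {"EVERYONE", "BUILTIN\\USERS", "NT AUTHORITY\\AUTHENTICATED USERS", "NT AUTHORITY\\INTERACTIVE"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}  # icacls rights that let the file be replaced
def parse_schtasks(text):
    """One {field: value} dict per task; LIST /v separates tasks with a blank line."""
    tasks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, _, v in (line.partition(":") for line in block.splitlines())}
        if "TaskName" in fields:
            tasks.append(fields)
    return tasks

def exe_path(command):
    """Executable from 'Task To Run': the quoted path if quoted, else the first token."""
    command = command.strip()
    return command[1:command.index('"', 1)] if command.startswith('"') else command.split()[0]

def weak_aces(path, icacls_text):
    """(principal, rights) pairs where a low-privileged principal holds a write-capable right."""
    hits = []
    for line in icacls_text.replace(path, "", 1).splitlines():
        who, sep, rights = line.strip().rpartition(":")
        granted = set(re.findall(r"\(([^)]*)\)", rights)) if sep else set()
        if who.upper() in LOW_PRIV and granted & WRITE_RIGHTS:
            hits.append((who, sorted(granted)))
    return hits

def audit(schtasks_text, icacls_by_path):
    """(task, binary, weak ACEs) for tasks running as SYSTEM whose binary a low-privileged user can overwrite."""
    findings = []
    for t in parse_schtasks(schtasks_text):
        if t.get("Run As User", "").upper() not in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
            continue
        binary = exe_path(t["Task To Run"])
        # On a live host: subprocess.run(["icacls", binary], capture_output=True, text=True).stdout
        weak = weak_aces(binary, icacls_by_path.get(binary, ""))
        if weak:
            findings.append((t["TaskName"], binary, weak))
    return findings
```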
12. Passwords in files/registry [unencrypted (like for real!)]
13. c:\sysprep.inf
14. c:\sysprep\sysprep.xml
15. unattended.xml
16. wdscapture.inf
17. Groups.xml in SYSVOL
18. *vnc
    • RealVNC [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver]
    • TightVNC [HKEY_CURRENT_USER\Software\TightVNC\Server]
    • TigerVNC [HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4]
    • UltraVNC [C:\Program Files\UltraVNC\ultravnc.ini]
19. Other places / software
    • Autologon [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
    • Search the OS using dir /s and findstr /S /I (.xlsx, .docx, .pdf etc.)
    • Search the Windows registry using reg query
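Added example (not part of the talk): an offline scanner for the leftover-credential files slides 12 to 19 list, covering unattend/sysprep XML, sysprep.inf-style INI files and Group Policy Preferences Groups.xml. It only reports where a password is still stored and whether it is cleartext; the file contents, paths and GPO GUID below are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples of the leftover-credential carriers named on the slides; every secret is a placeholder.
SAMPLES = {
    "C:\\Windows\\Panther\\unattend.xml": """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <UserAccounts><AdministratorPassword>
   <Value>Q09OU1RSVUNURURfQkFTRTY0</Value><PlainText>false</PlainText>
  </AdministratorPassword></UserAccounts>
  <AutoLogon><Password><Value>ConstructedPass1</Value><PlainText>true</PlainText></Password></AutoLogon>
 </component></settings></unattend>""",
    "C:\\sysprep.inf": '[GuiUnattended]\nAdminPassword="ConstructedPass1"\nOEMSkipRegional=1\n',
    "\\\\corp.local\\SYSVOL\\corp.local\\Policies\\{GPO-GUID}\\Machine\\Preferences\\Groups\\Groups.xml":
        '<Groups><User name="localadmin"><Properties action="U" userName="localadmin" '
        'cpassword="CONSTRUCTED_CPASSWORD_BLOB"/></User></Groups>',
}
INI_KEYS = re.compile(r'^\s*(AdminPassword|DefaultPassword|Password)\s*=\s*"?([^"\r\n]+)', re.I | re.M)
def local(tag):
    """Strip the namespace prefix that unattend.xml puts on every element."""
    return tag.split("}")[-1]

def scan_unattend(xml_text):
    """(element, cleartext) for each *Password element still holding a <Value>; PlainText=false is only base64."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        kids = {local(c.tag): (c.text or "").strip() for c in el}
        if local(el.tag).endswith("Password") and kids.get("Value"):
            hits.append((local(el.tag), kids.get("PlainText", "false").lower() == "true"))
    return hits

def scan_groups_xml(xml_text):
    """Accounts whose Group Policy Preference entry still carries a cpassword attribute."""
    return [el.get("userName") or el.get("newName") or "?"
            for el in ET.fromstring(xml_text).iter() if el.get("cpassword")]

def scan_ini(text):
    """sysprep.inf / wdscapture.inf keys that still hold a password (a bare * means 'prompt', not a secret)."""
    return [m.group(1) for m in INI_KEYS.finditer(text) if m.group(2).strip() != "*"]

def scan(files):
    """{path: [(where, cleartext)]} over an in-memory {path: content} map (read the files on a real host)."""
    report = {}
    for path, content in files.items():
        name = path.rsplit("\\", 1)[-1].lower()
        if name == "groups.xml":  # cpassword is reversible with a published key, so treat it as cleartext
            found = [("cpassword for " + user, True) for user in scan_groups_xml(content)]
        elif name.endswith(".xml"):
            found = scan_unattend(content)
        else:
            found = [(key, True) for key in scan_ini(content)]
        if found:
            report[path] = found
    return report
```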
20. Forensics and Data carving
21. Disk Image data
    • Search for *.vmdk, *.vdi, *.vhd, *.qed
    • VMware, VirtualBox and Virtual PC disk images
    • ISO files, Ghost images, Daemon Tools images etc.
    • Memory snapshots (*.vmem files for example)
    • Volatility FTW!
22. Demo
23. I came, I saw, I passed the hash
    • use exploit/windows/smb/psexec
    • Windows Credential Editor + net use + Sysinternals psexec
    • Windows Credential Editor + net use + wmiexec.py (Impacket)
    • Good way to identify if the user is local admin on any other machine
24. Abusing Service (mis)configurations
25. Service permission issues
    • C:\> sc qc <servicename>
26. Service permission issues
    • C:\> accesschk -cqwvu <servicename> (or * for all services)
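Added example (not from the talk) that combines the two commands on slides 25 and 26: it parses `sc qc` and verbose `accesschk -cqwvu` output and flags services that run as LocalSystem while a low-privileged principal holds a right that lets it change the service configuration. Both outputs below are constructed samples.

```python
import re
# Constructed sample of `sc qc vulnsvc` output (slide 25), trimmed to the fields used here.
SC_QC_OUT = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vulnsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\\VulnApp\\service.exe
        SERVICE_START_NAME : LocalSystem
"""
# Constructed sample of `accesschk -cqwvu vulnsvc` output (slide 26): access summary and principal, then each right.
ACCESSCHK_OUT = """vulnsvc
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\Authenticated Users
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
"""
LOW_PRIV = {"EVERYONE", "BUILTIN\\USERS", "NT AUTHORITY\\AUTHENTICATED USERS", "NT AUTHORITY\\INTERACTIVE"}
# Rights that let the holder change what the service executes, or who is allowed to change it.
DANGEROUS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL"}

def parse_sc_qc(text):
    """{KEY: value} from `sc qc`; keys are upper-case and the value follows the first colon."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().isupper():
            cfg[key.strip()] = val.strip()
    return cfg

def parse_accesschk(text):
    """{principal: set(rights)} from verbose accesschk output (-v lists each right under its principal)."""
    acl, who = {}, None
    for line in text.splitlines():
        m = re.match(r"^ {2}(RW|R|W)\s+(.+)$", line)
        if m:
            who = m.group(2).strip()
            acl[who] = set()
        elif who and line.startswith("        "):
            acl[who].add(line.strip())
    return acl

def audit(sc_text, accesschk_text):
    """(service, principal, rights, binary) where a low-privileged principal can reconfigure a LocalSystem service."""
    cfg, acl = parse_sc_qc(sc_text), parse_accesschk(accesschk_text)
    if cfg.get("SERVICE_START_NAME", "").lower() not in {"localsystem", "nt authority\\system"}:
        return []  # a service running as a less privileged account is not a path to SYSTEM
    return [(cfg["SERVICE_NAME"], who, sorted(rights & DANGEROUS), cfg["BINARY_PATH_NAME"])
            for who, rights in acl.items() if who.upper() in LOW_PRIV and rights & DANGEROUS]
```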
27. Windows window messaging
28. Message passing
    • Passing a message via SendMessage to the message loop of the main thread of the program
    • The Shatter attack allowed cross-process message passing between an unprivileged process and a privileged thread.
    • Can be used to pass a message to a windowed system object running on a thread as NT Authority\SYSTEM
    • CB_DIR, LB_DIR etc.
29. Demo
30. Limited user access
31. utilman.exe running with privileges
32. SendMessage & LB_DIR
33. Session separation!
34. Binary Planting
35. Abusing load paths
    • A binary can call code from external link libraries (DLLs)
    • Static runtime loading
    • Dynamic loading using kernel32.LoadLibrary()
    • Both can be abused because the path is (most likely) user controlled
36. Static Linking (bginfo.exe)
37. Dynamic Linking (bginfo.exe)
38. Weak directory permissions
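Added example (not from the talk) that models the load-path point of slides 35 to 38: for each DLL an executable imports, whether statically or by name through LoadLibrary, it walks the default Windows DLL search order and reports which directories the loader probes that low-privileged users can write to, which is exactly the set of directory ACLs to tighten. The file layout, PATH and writable-directory set are constructed; on a real host the writable set comes from icacls, and the KnownDLLs list here is only a subset.

```python
import ntpath
# Constructed view of one host: which files exist in which directory (a real audit lists the directories).
PRESENT = {
    "C:\\Tools\\BGInfo": {"bginfo.exe"},
    "C:\\Windows\\System32": {"kernel32.dll", "user32.dll", "version.dll", "netapi32.dll"},
    "C:\\Python27": {"python27.dll"},
}
# Constructed: directories where a low-privileged user holds write access (icacls gives this on a real host).
USER_WRITABLE = {"C:\\Tools\\BGInfo", "C:\\Users\\bob\\Desktop"}
PATH = ["C:\\Windows\\System32", "C:\\Windows", "C:\\Python27", "C:\\Users\\bob\\Desktop"]
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}  # subset; never searched on disk

def search_order(exe_path, cwd, path_dirs, safe_search=True):
    """Default DLL search order; SafeDllSearchMode (the default) moves the CWD behind the system directories."""
    app_dir = ntpath.dirname(exe_path)
    system = ["C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows"]
    order = [app_dir] + system + [cwd] if safe_search else [app_dir, cwd] + system
    return order + [d for d in path_dirs if d not in order]

def resolve(dll, order, present, writable):
    """(directory the loader takes the DLL from, or None; writable directories probed before reaching it)."""
    probed = []
    for d in order:
        if dll.lower() in {f.lower() for f in present.get(d, ())}:
            return d, probed
        if d in writable:
            probed.append(d)
    return None, probed

def audit(exe_path, imports, cwd, path_dirs, present, writable, known=KNOWN_DLLS):
    """Imports (static or LoadLibrary-by-name) whose resolution passes through, or ends in, a writable directory."""
    order = search_order(exe_path, cwd, path_dirs)
    findings = []
    for dll in imports:
        if dll.lower() in known:
            continue
        found_in, exposed = resolve(dll, order, present, writable)
        if exposed or found_in in writable:
            findings.append((dll, found_in, exposed))  # remediation: tighten the ACL on each exposed directory
    return findings
```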
39. Demo
40. Delayed/Selective Patching
41. Several exploits available
    • wmic qfe get hotfixid, description, installedon | findstr "Security"
42. Resources
    • http://pentestmonkey.net/tools/windows-privesc-check
    • http://www.fuzzysecurity.com/tutorials/16.html
    • https://msdn.microsoft.com/en-us/library/cc422924.aspx
    • https://ibreak.software
    • Sysinternals FTW
43. Q&A
    Riyaz Walikar, @riyazwalikar, @wincmdfu, http://ibreak.software