Windows Privilege Escalation
A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a windows domain readers can use the described techniques to escalate to domain administrators.

  1. Windows Privilege Escalation: A Pentester's Methodology to Discover and Exploit Flaws on the Network
  2. Riyaz Walikar • @riyazwalikar • @wincmdfu • http://ibreak.software • OWASP Bangalore chapter leader, null Bangalore contributor • Trainer/Speaker: BlackHat Asia, BlackHat USA, nullcon Goa, nullcon Delhi, c0c0n, OWASP AppSec USA
  3. This talk is not about • Kernel-level exploits • Race conditions • Heap/stack or any other form of overflows • A pentester's approach on a network • Jibber jabber from experience • Real-world examples • Design issues, misconfigurations, binary planting, permission issues, forensics, hash passing/spraying etc.
  4. Limited privileges already obtained on the machine/network via pentest, valid auth, unicorns.
  5. Administrator to SYSTEM is trivial • psexec -s -i -d cmd.exe • Token impersonation/stealing • C:\> at 14:50 /interactive cmd.exe (schtasks in Windows 7 and higher)
  6. Demo
  7. Limited user to Administrator/SYSTEM; Local Admin to Domain Admin
  8. Abusing Scheduled Tasks
  9. C:\> schtasks /query /fo LIST /v
  10. C:\> schtasks /query /fo LIST /v
  11. C:\> icacls C:\AdminTasks
  12. Passwords in files/registry [unencrypted (like, for real!)]
  13. C:\sysprep.inf
  14. C:\sysprep\sysprep.xml
  15. unattended.xml
  16. wdscapture.inf
  17. Groups.xml in SYSVOL
  18. *VNC • RealVNC [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver] • TightVNC [HKEY_CURRENT_USER\Software\TightVNC\Server] • TigerVNC [HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4] • UltraVNC [C:\Program Files\UltraVNC\ultravnc.ini]
  19. Other places / software • Autologon [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions • Search the OS using dir /s and findstr /S /I (.xlsx, .docx, .pdf etc.) • Search the Windows registry using reg query
  20. Forensics and Data Carving
  21. Disk image data • Search for *.vmdk, *.vdi, *.vhd, *.qed • VMware, VirtualBox and Virtual PC disk images • ISO files, Ghost images, Daemon Tools images etc. • Memory snapshots (*.vmem files, for example) • Volatility FTW!
  22. Demo
  23. I came, I saw, I passed the hash • use exploit/windows/smb/psexec • Windows Credential Editor + net use + Sysinternals psexec • Windows Credential Editor + net use + wmiexec.py (Impacket) • Good way to identify whether the user is local admin on any other machine
  24. Abusing Service (Mis)configurations
  25. Service permission issues • C:\> sc qc <servicename>
  26. Service permission issues • C:\> accesschk -cqwvu <servicename> | *
  27. Windows Window Messaging
  28. Message passing • Passing a message via SendMessage to the message loop of the main thread of the program • The Shatter attack allowed cross-process message passing between an unprivileged process and a privileged thread • Can be used to pass a message to a windowed system object running on a thread as NT Authority\SYSTEM • CB_DIR, LB_DIR etc.
  29. Demo
  30. Limited user access
  31. utilman.exe running with privileges
  32. SendMessage & LB_DIR
  33. Session separation!
  34. Binary Planting
  35. Abusing load paths • A binary can call code from external dynamic-link libraries (DLLs) • Static (load-time) linking • Dynamic loading using kernel32.LoadLibrary() • Both can be abused because the search path is (most likely) user controlled
  36. Static linking (bginfo.exe)
  37. Dynamic linking (bginfo.exe)
  38. Weak directory permissions
  39. Demo
  40. Delayed/Selective Patching
  41. Several exploits available • wmic qfe get hotfixid, description, installedon | findstr "Security"
  42. Resources • http://pentestmonkey.net/tools/windows-privesc-check • http://www.fuzzysecurity.com/tutorials/16.html • https://msdn.microsoft.com/en-us/library/cc422924.aspx • https://ibreak.software • Sysinternals FTW
  43. Q&A Riyaz Walikar @riyazwalikar @wincmdfu http://ibreak.software
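Slides 8 to 11 (and slide 38 on weak directory permissions) describe the same audit a defender runs: list tasks with `schtasks /query /fo LIST /v`, then check with `icacls` whether the directory a SYSTEM task runs from is writable by ordinary users. The following script is an added example, not part of the talk; it parses captured output of both commands offline and flags tasks where a privileged account executes a program out of a directory that low-privileged principals can modify. The field layout of both outputs and all paths, task names and principals are constructed assumptions.

```python
import re

LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users"}  # lower-cased
PRIVILEGED_RUNAS = {"system", "nt authority\\system", "localsystem", "administrator"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}  # icacls rights that allow planting files
# Constructed sample of `schtasks /query /fo LIST /v` output (not taken from the talk)
SCHTASKS = r"""
TaskName:      \AdminBackup
Task To Run:   C:\AdminTasks\backup.bat --full
Run As User:   SYSTEM

TaskName:      \Cleanup
Task To Run:   C:\Windows\System32\cleanmgr.exe /sagerun:1
Run As User:   SYSTEM
"""
ICACLS = {  # constructed sample of `icacls <dir>` output, keyed by the directory that was queried
    r"C:\AdminTasks": r"""C:\AdminTasks BUILTIN\Users:(OI)(CI)(M)
              BUILTIN\Administrators:(OI)(CI)(F)""",
    r"C:\Windows\System32": r"""C:\Windows\System32 BUILTIN\Users:(OI)(CI)(RX)
                    BUILTIN\Administrators:(OI)(CI)(F)""",
}

def parse_schtasks(text):
    """One dict of fields per blank-line-separated task record."""
    return [dict(re.findall(r"^([^:\n]+):\s*(.*)$", blk, re.M))
            for blk in text.strip().split("\n\n")]

def low_priv_writers(path, text):
    """Principals in LOW_PRIV that the `icacls <path>` output grants a write right."""
    who = []
    for line in text.splitlines():
        head, sep, tail = line.rpartition(":(")     # head = [path] principal, tail = ACE flags
        if sep and not line.startswith(" "):         # first line begins with the path itself
            head = head[len(path):]
        rights = {r for g in re.findall(r"\(([^)]*)\)", "(" + tail) for r in g.split(",")}
        if sep and head.strip().lower() in LOW_PRIV and rights & WRITE_RIGHTS:
            who.append(head.strip())
    return who

def audit_tasks(schtasks_text, icacls_by_dir):
    """Tasks a privileged account runs from a directory that low-privileged users can modify."""
    findings = []
    for t in parse_schtasks(schtasks_text):
        if t.get("Run As User", "").lower() not in PRIVILEGED_RUNAS:
            continue
        cmd = t["Task To Run"]                       # drop the arguments to get the program path
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        who = low_priv_writers(exe.rsplit("\\", 1)[0], icacls_by_dir.get(exe.rsplit("\\", 1)[0], ""))
        if who:
            findings.append((t["TaskName"], exe.rsplit("\\", 1)[0], who))
    return findings
```

Only the task in `C:\AdminTasks` is reported: `BUILTIN\Users` holds Modify (M) there, while `RX` on `C:\Windows\System32` is not a write right.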

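Slides 24 to 26 pair `sc qc` with `accesschk -cqwvu` to spot services whose configuration an ordinary user may change. The script below is an added example, not the talk's material: it parses captured output of both tools and reports each service where a low-privileged principal holds a right that can repoint or re-ACL the service, together with the account the service runs as. The verbose accesschk layout, the service names and the paths are constructed assumptions.

```python
import re

LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users"}  # lower-cased
CONFIG_RIGHTS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Constructed sample of `accesschk -cqwvu *` output; the verbose layout is assumed, not from the talk
ACCESSCHK = """\
vulnsvc
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Users
        SERVICE_CHANGE_CONFIG
oksvc
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  R  BUILTIN\\Users
        SERVICE_QUERY_STATUS
"""
SC_QC = {"vulnsvc": """\
SERVICE_NAME: vulnsvc
        BINARY_PATH_NAME   : C:\\Program Files\\Vuln\\vulnsvc.exe
        SERVICE_START_NAME : LocalSystem
"""}  # constructed sample of `sc qc vulnsvc` output, keyed by service name

def parse_accesschk(text):
    """{service: {principal: {rights}}} from accesschk's verbose service listing."""
    services, svc, who = {}, None, None
    for line in text.splitlines():
        if not line.startswith(" "):                            # unindented line names a service
            svc, who = line.strip(), None
            services[svc] = {}
        elif m := re.match(r"\s{2}(?:RW|R|W)\s+(.+)$", line):   # "  RW principal" line
            who = m.group(1).strip()
            services[svc][who] = set()
        elif who is not None:                                   # deeper indent lists one right
            services[svc][who].add(line.strip())
    return services

def parse_sc_qc(text):
    """Field dict (BINARY_PATH_NAME, SERVICE_START_NAME, ...) from `sc qc` output."""
    return dict(re.findall(r"^\s*(\w+)\s*:\s*(.*)$", text, re.M))

def audit_services(accesschk_text, sc_qc_by_name):
    """Services whose configuration a low-privileged principal may change, with the run-as account."""
    findings = []
    for svc, aces in parse_accesschk(accesschk_text).items():
        for who, rights in aces.items():
            if who.lower() in LOW_PRIV and rights & CONFIG_RIGHTS:
                cfg = parse_sc_qc(sc_qc_by_name.get(svc, ""))
                findings.append((svc, who, sorted(rights & CONFIG_RIGHTS),
                                 cfg.get("SERVICE_START_NAME", "?")))
    return findings
```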
Editor's Notes

  • psexec -s -i -d cmd.exe from a UAC-free console
  • Check using PokeWindows
  • Not exhaustive. The entire list will not be known until the program is decompiled and all LoadLibraryA() calls are traced; LoadLibrary calls may exist in functions that are never called.
