
Windows Privilege Escalation


A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a Windows domain, readers can use the described techniques to escalate to domain administrators.

Published in: Software

Windows Privilege Escalation

  1. Windows Privilege Escalation: A Pentester's Methodology to Discover and Exploit Flaws on the Network
  2. Riyaz Walikar
     • @riyazwalikar
     • @wincmdfu
     • http://ibreak.software
     • OWASP Bangalore chapter leader, null Bangalore contributor
     • Trainer/Speaker: BlackHat Asia, BlackHat USA, nullcon Goa, nullcon Delhi, c0c0n, OWASP AppSec USA
  3. This talk is not about
     • Kernel level exploits
     • Race conditions
     • Heap/stack or any other form of overflow
     This talk is about
     • A pentester's approach on a network
     • Jibber jabber from experience
     • Real world examples
     • Design issues, misconfigurations, binary planting, permission issues, forensics, hash passing/spraying etc.
  4. Limited privileges already obtained on the machine/network via pentest, valid auth, unicorns.
  5. Administrator to SYSTEM is trivial
     • psexec -s -i -d cmd.exe
     • Token impersonation/stealing
     • C:\> at /interactive 14:50 cmd.exe (schtasks in Win 7 and higher)
  6. Demo
  7. Limited user to Administrator/SYSTEM; Local Admin to Domain Admin
  8. Abusing Scheduled Tasks
  9. C:\> schtasks /query /fo LIST /v
  10. C:\> schtasks /query /fo LIST /v
  11. C:\> icacls C:\AdminTasks
  12. Passwords in files/registry [unencrypted (like, for real!)]
  13. c:\sysprep.inf
  14. c:\sysprep\sysprep.xml
  15. unattended.xml
  16. wdscapture.inf
  17. Groups.xml in SYSVOL
  18. *vnc
     • RealVNC [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver]
     • TightVNC [HKEY_CURRENT_USER\Software\TightVNC\Server]
     • TigerVNC [HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4]
     • UltraVNC [C:\Program Files\UltraVNC\ultravnc.ini]
  19. Other places / software
     • Autologon [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
     • Search the OS using dir /s and findstr /S /I (.xlsx, .docx, .pdf etc.)
     • Search the Windows registry using reg query
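The answer files and policy files listed on slides 13 to 17 are worth sweeping on a schedule, because a deployment that finished months ago can still leave its credentials behind. The Python scanner below is an added example, not code from the talk: it recognises the three file shapes (sysprep.inf style INI, unattend.xml / sysprep.xml, and Groups.xml from SYSVOL) and reports where a credential field sits so the file can be deleted or scrubbed. The three sample files, the helpdesk account name and every value in them are constructed placeholders, and the script never decodes or prints a value.

```python
"""Find leftover deployment files that still carry credentials.

Added example, not code from the talk. Reports where a credential field sits
in sysprep.inf / unattend.xml / Groups.xml so the file can be removed;
values are never decoded or printed.
"""
import xml.etree.ElementTree as ET

# Constructed samples: not real deployment files; every value is a placeholder.
SAMPLE_SYSPREP_INF = """[Unattended]
OemSkipEula=Yes
[GuiUnattended]
AdminPassword="placeholder-secret"
AutoLogon=Yes
"""

SAMPLE_UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>cGxhY2Vob2xkZXI=</Value><PlainText>false</PlainText></Password>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>placeholder-secret</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

SAMPLE_GROUPS_XML = """<Groups>
  <User name="helpdesk">
    <Properties action="U" userName="helpdesk" cpassword="cGxhY2Vob2xkZXI="/>
  </User>
</Groups>
"""


def _local(tag):
    """Strip the XML namespace: '{urn:...}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def _parents(root):
    """ElementTree has no parent links; build a child -> parent map once."""
    return {child: parent for parent in root.iter() for child in parent}


def find_ini_credentials(text):
    """(section, key) for every password-like key that holds a real value."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        # '*' in sysprep.inf means "prompt during setup", so it is not a stored secret.
        if sep and "password" in key.lower() and value.strip().strip('"') not in ("", "*"):
            hits.append((section, key.strip()))
    return hits


def find_unattend_credentials(xml_text):
    """(Parent/Element, encoding) for every *Password element that carries a Value."""
    root = ET.fromstring(xml_text)
    parents, hits = _parents(root), []
    for elem in root.iter():
        if not _local(elem.tag).endswith("Password"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if not fields.get("Value"):
            continue
        # base64 is an encoding, not encryption, so both forms are reportable.
        kind = {"true": "plaintext", "false": "base64-obfuscated"}.get(
            fields.get("PlainText", "").lower(), "unspecified")
        parent = parents.get(elem)
        where = _local(elem.tag) if parent is None else f"{_local(parent.tag)}/{_local(elem.tag)}"
        hits.append((where, kind))
    return hits


def find_gpp_cpasswords(xml_text):
    """Account names whose Group Policy Preferences entry carries a cpassword attribute."""
    root = ET.fromstring(xml_text)
    parents, hits = _parents(root), []
    for props in root.iter():
        if _local(props.tag) == "Properties" and props.get("cpassword"):
            owner = parents.get(props)
            hits.append(props.get("userName") if owner is None else owner.get("name") or _local(owner.tag))
    return hits


def scan(filename, text):
    """Dispatch on file name; one report line per finding."""
    lower = filename.lower()
    if lower.endswith((".inf", ".ini")):
        return [f"{filename}: [{sec}] {key}" for sec, key in find_ini_credentials(text)]
    if lower == "groups.xml":
        return [f"{filename}: cpassword for account {who}" for who in find_gpp_cpasswords(text)]
    return [f"{filename}: {where} ({kind})" for where, kind in find_unattend_credentials(text)]


if __name__ == "__main__":
    for name, body in (("sysprep.inf", SAMPLE_SYSPREP_INF), ("unattend.xml", SAMPLE_UNATTEND_XML),
                       ("Groups.xml", SAMPLE_GROUPS_XML)):
        for finding in scan(name, body):
            print("REMOVE OR SCRUB:", finding)
```

The scanner treats a base64 `Value` with `PlainText` set to `false` as just as reportable as a plaintext one, which matches the slide's point that these files are unencrypted: base64 is an encoding, not a secret. Point `scan()` at files gathered from `dir /s` on the locations slides 13 to 17 name and remove whatever it flags once deployment has finished.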
  20. Forensics and Data Carving
  21. Disk image data
     • Search for *.vmdk, *.vdi, *.vhd, *.qed
     • VMware, Virtual and Virtual PC disk images
     • ISO files, Ghost images, Daemon Tools images etc.
     • Memory snapshots (*.vmem files for example)
     • Volatility FTW!
  22. Demo
  23. I came, I saw, I passed the hash
     • use exploit/windows/smb/psexec
     • Windows Credential Editor + net use + Sysinternals psexec
     • Windows Credential Editor + net use + wmiexec.py (Impacket)
     • Good way to identify if the user is local admin on any other machine
  24. Abusing Service (mis)configurations
  25. Service permission issues: C:\> sc qc <servicename>
  26. Service permission issues: C:\> accesschk -cqwvu <servicename> | *
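Slides 9 to 11 and slides 25 to 26 look at the same question from two sides: who can modify what a SYSTEM-context scheduled task or service actually executes. The Python script below is an added example, not code from the talk; it cross-references text already collected with the commands the slides show (sc qc, schtasks /query /fo LIST /v, icacls) and lists the ACEs a hardening pass should remove, namely write-class rights held by Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE on the executable or its directory. The VendorAgent service, the \AdminTasks\Cleanup task, the paths and all of the command output are constructed samples.

```python
"""Audit SYSTEM-context service binaries and scheduled-task targets for write
access by low-privileged principals.

Added example, not code from the talk. Input is text already collected with
sc qc, schtasks /query /fo LIST /v and icacls; every sample is constructed.
"""
import ntpath
import re

SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VendorAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\agent.exe" -service
        DISPLAY_NAME       : Vendor Agent
        SERVICE_START_NAME : LocalSystem
"""

SAMPLE_SCHTASKS = r"""Folder: \AdminTasks
HostName:                             WS01
TaskName:                             \AdminTasks\Cleanup
Task To Run:                          C:\AdminTasks\cleanup.bat
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
"""

SAMPLE_ICACLS_EXE = r"""C:\Program Files\Vendor\agent.exe BUILTIN\Users:(I)(M)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

SAMPLE_ICACLS_DIR = r"""C:\AdminTasks NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
              BUILTIN\Users:(OI)(CI)(RX)
              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)
"""

# One icacls ACE: optional upper-case domain (may contain spaces), account name,
# then one or more "(...)" groups. Requiring an upper-case domain keeps a path
# such as "C:\Program Files\x.exe" from being swallowed into the principal.
ACE_RE = re.compile(r"(?P<who>(?:[A-Z0-9 _-]+\\)?[^\\:]+):(?P<flags>(?:\([^)]*\))+)$")
INHERIT = {"OI", "CI", "IO", "NP", "I"}
# Rights that let the holder replace or alter the object, or create/delete inside a directory.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users", r"nt authority\interactive"}


def parse_records(text):
    """Parse 'Key : value' blocks (sc qc or schtasks LIST output) into one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")      # first colon only: "C:\..." stays intact
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return [r for r in records if "SERVICE_NAME" in r or "TaskName" in r]


def exe_from_command(cmd):
    """Executable path from a command line: quoted path wins, else cut at the first exe/script extension."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|bat|cmd|ps1|vbs))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def parse_icacls(text):
    """(path, [(principal, rights_set), ...]) from the output of one icacls call."""
    path, aces = None, []
    for line in text.splitlines():
        stripped = line.rstrip()
        m = ACE_RE.search(stripped)
        if not m:
            continue
        if path is None:                              # first line carries the object path
            path = stripped[:m.start()].strip()
        rights = set()
        for group in m.group("flags")[1:-1].split(")("):
            rights.update(t.strip() for t in group.split(","))
        aces.append((m.group("who").strip(), rights - INHERIT))
    return path, aces


def weak_aces(aces):
    """ACEs that give a low-privileged principal write-class rights."""
    return [(who, sorted(r & WRITE_RIGHTS)) for who, r in aces
            if who.lower() in LOW_PRIV and r & WRITE_RIGHTS]


def audit(records, acls):
    """Check each service/task executable and its directory against the collected ACLs."""
    findings = []
    for rec in records:
        name = rec.get("SERVICE_NAME") or rec.get("TaskName")
        run_as = rec.get("SERVICE_START_NAME") or rec.get("Run As User")
        exe = exe_from_command(rec.get("BINARY_PATH_NAME") or rec.get("Task To Run") or "")
        for target in (exe, ntpath.dirname(exe)):
            for who, rights in weak_aces(acls.get(target, [])):
                findings.append(f"{name} (runs as {run_as}): {who} has {','.join(rights)} on {target}")
    return findings


ACLS = dict(parse_icacls(t) for t in (SAMPLE_ICACLS_EXE, SAMPLE_ICACLS_DIR))


def run_sample_audit():
    return audit(parse_records(SAMPLE_SC_QC) + parse_records(SAMPLE_SCHTASKS), ACLS)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print("TIGHTEN ACL:", finding)
```

Two details matter for getting clean results. The directory is checked as well as the file, because the `(OI)(CI)(M)` on C:\AdminTasks in the sample lets a member of Authenticated Users replace cleanup.bat even if the file's own ACL is strict. And `RX` on BUILTIN\Users is deliberately left alone: read and execute is the normal state for program files, and only the write-class rights in WRITE_RIGHTS are flagged. Remediation is the `icacls` grant/remove syntax on the flagged path, followed by re-running the collection to confirm the ACE is gone.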
  27. Windows Window Messaging
  28. Message passing
     • Passing a message via SendMessage to the message loop of the main thread of the program
     • The Shatter attack allowed cross-process message passing between an unprivileged process and a privileged thread
     • Can be used to pass a message to a windowed system object running on a thread as NT Authority\SYSTEM
     • CB_DIR, LB_DIR etc.
  29. Demo
  30. Limited user access
  31. utilman.exe running with privileges
  32. SendMessage & LB_DIR
  33. Session separation!
  34. Binary Planting
  35. Abusing load paths
     • A binary can call code from external link libraries (DLLs)
     • Static runtime loading
     • Dynamic loading using kernel32.LoadLibrary()
     • Both can be abused because the path is (most likely) user controlled
  36. Static linking (bginfo.exe)
  37. Dynamic linking (bginfo.exe)
  38. Weak directory permissions
  39. Demo
  40. Delayed/Selective Patching
  41. Several exploits available
     • wmic qfe get hotfixid, description, Installedon | findstr "Security"
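The wmic qfe listing on slide 41 is as useful to the defender as to the tester: parsed across a fleet it shows which hosts have not taken a security update in weeks. The Python check below is an added example, not code from the talk. It parses the space-padded table that wmic prints and returns the newest installed Security Update together with its age at a reference date you pass in, so results are reproducible. The table and the KB identifiers in it are constructed placeholders.

```python
"""Measure security-patch age from 'wmic qfe get hotfixid, description, installedon'.

Added example, not code from the talk. The sample table is constructed and the
KB identifiers are placeholders.
"""
import re
from datetime import date, datetime

# wmic prints requested columns in alphabetical order and pads each to its
# widest value. Constructed sample; note the blank InstalledOn on the last row.
SAMPLE_WMIC_QFE = """Description      HotFixID   InstalledOn
Update           KB0000001  10/29/2015
Security Update  KB0000002  5/12/2015
Security Update  KB0000003  9/9/2015
Update           KB0000004  11/18/2015
Security Update  KB0000005
"""


def parse_wmic_table(text):
    """Slice each row at the header's column offsets (values such as 'Security Update' contain spaces)."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0]
    names = header.split()
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [{n: row[a:b].strip() for n, (a, b) in zip(names, bounds)} for row in lines[1:]]


def parse_installed_on(value):
    """InstalledOn follows the host locale; M/D/YYYY is the common case. Blank or odd values give None."""
    for fmt in ("%m/%d/%Y", "%Y-%m-%d", "%d.%m.%Y"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def security_patch_status(text, today, max_age_days=30):
    """Return (newest_security_kb, age_in_days, overdue) for one host's wmic qfe output."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    dated = []
    for row in parse_wmic_table(text):
        if "security" not in row["Description"].lower():
            continue
        when = parse_installed_on(row["InstalledOn"])
        if when:                          # rows with no usable date are skipped, not miscounted
            dated.append((when, row["HotFixID"]))
    if not dated:
        return None, None, True           # no datable security update at all: treat as overdue
    when, kb = max(dated)
    age = (today - when).days
    return kb, age, age > max_age_days


if __name__ == "__main__":
    kb, age, overdue = security_patch_status(SAMPLE_WMIC_QFE, "2015-12-01")
    print(f"newest security update {kb}, {age} days old, overdue={overdue}")
```

Slicing at the header offsets rather than splitting on whitespace is what keeps a description like "Security Update" in one field. InstalledOn is frequently blank for older entries, so the check skips those rows instead of treating them as recent; a host with no datable security update at all is reported as overdue so that it gets looked at rather than silently passing. On current Windows builds wmic is deprecated, and `Get-HotFix` in PowerShell returns the same fields as objects.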
  42. Resources
     • http://pentestmonkey.net/tools/windows-privesc-check
     • http://www.fuzzysecurity.com/tutorials/16.html
     • https://msdn.microsoft.com/en-us/library/cc422924.aspx
     • https://ibreak.software
     • Sysinternals FTW
  43. Q&A: Riyaz Walikar, @riyazwalikar, @wincmdfu, http://ibreak.software
