1000 to 0
Sunny Neo
1
Who am I
•Pen tester from Singapore
•Started learning about security at 15 and still learning
•Want to learn: Reverse Engineering, Kernel Debugging & Exploit
2
What I am not talking about
•How to use Kernel exploit
3
What I am talking about
•How to find typical misconfigurations made by Sysadmins
and Developers
•How to capitalize on the misconfigurations to gain super user
privileges
4
Why am I talking about this?
•Running a limited shell is not fun
•Running a kernel exploit is a high-risk activity
•Kernel exploits are rare
•Kernel vulnerabilities usually get patched very quickly
5
Linux Privilege Escalation
6
SUID/SGID
•Set User ID bit / Set Group ID bit
•Lets users execute a file with the permissions of the file's owner/group
•Improves security by not assigning permissions on sensitive files to every user
-rwsr-xr-x 1 root root 48920 Nov 13 00:58 /usr/bin/passwd
7
SUID/SGID
What if
Buffer Overflow Exists?
Command Injection Exists?
Interactive Shell Exists?
8
SUID/SGID
Source: http://www.rebootuser.com/?p=1623
9
SUID/SGID
10
SUID/SGID
Find all SUID/SGID files
find / -perm /u=s,g=s -type f -exec ls -la {} + 2> /dev/null
11
sudo
•Lets users run commands with the privileges of another user
•Commonly found in scripts to run privileged commands without password authentication
12
sudo
13
sudo
14
sudo
15
VMware vRealize Appliance
Source: http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus
sudo
16
VMWare vRealize Appliance
Source: http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus
Weak Folder/File Permission
•Reveal sensitive information in history or configuration files
•Enable modification of important files or scripts executed by
Init or Cron job
17
Weak Folder/File Permission
•Look out for
• Home Directory (.rhosts, .ssh/authorized_keys, .bashrc, .*_history)
• Config files (httpd.conf, my.cnf, config.inc.php, sshd.config)
• Source code (.php, .c, .cpp, .pl, .py)
• Init (/etc/rc.*) and Cron job (/etc/cron.*/, /var/spool/cron/)
• Scripts executed by Init or Cron job
18
Weak Folder/File Permission
19
Weak Folder/File Permission
World Readable Files/Folders
find / -perm /o+r -exec ls -la {} + 2>/dev/null
World Writeable Files/Folder
find / -perm /o+w -exec ls -la {} + 2>/dev/null
Search for ‘password’ in conf files
find / -name "*.conf" -type f -exec grep -Hn password {} + 2>/dev/null
20
PATH
•Environment variable listing the directories the shell searches for executables
•Meant for convenience, but can be abused when a program invokes commands by relative path
21
PATH
Assume this is a complex app that allows an authenticated user to view logs
SUID Enabled
22
PATH
23
PATH
24
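The PATH problem on these slides, as an added Python simulation that is not part of the talk: a hypothetical stand-in for the SUID log viewer runs `cat` by bare name through the shell and picks up whatever `cat` sits first in the caller's PATH, while the hardened version uses an absolute path, no shell and a PATH of its own choosing. `risky_path_entries` is an assumed helper name for the audit a defender would run over a PATH value.

```python
import os
import stat
import subprocess
import tempfile


def view_log_vulnerable(logfile: str, env: dict) -> str:
    """Hypothetical stand-in for the slide's SUID log viewer: invokes 'cat'
    by bare name through /bin/sh, so the PATH in 'env' (inherited from the
    caller in the real SUID case) decides which executable actually runs."""
    proc = subprocess.run("cat " + logfile, shell=True, env=env,
                          capture_output=True, text=True)
    return proc.stdout


def view_log_hardened(logfile: str, env: dict) -> str:
    """Absolute path, no shell, and a PATH chosen by the program rather
    than inherited: the caller's 'env' is deliberately ignored."""
    proc = subprocess.run(["/bin/cat", logfile], env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True)
    return proc.stdout


def risky_path_entries(path_value: str) -> list:
    """Audit a PATH string: relative entries ('' or '.') and directories
    writable by everyone let another user shadow a command name."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", ".") or not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "missing directory"))
            continue
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((entry, "world-writable"))
    return findings


def demo() -> dict:
    """Constructed scenario: a world-writable directory holding a fake 'cat'
    is placed first in PATH, then both viewers are run on the same log."""
    with tempfile.TemporaryDirectory() as root:
        shadow_dir = os.path.join(root, "shadow")
        os.mkdir(shadow_dir)
        os.chmod(shadow_dir, 0o777)
        fake_cat = os.path.join(shadow_dir, "cat")
        with open(fake_cat, "w") as f:
            f.write("#!/bin/sh\necho SHADOWED\n")
        os.chmod(fake_cat, 0o755)
        logfile = os.path.join(root, "app.log")
        with open(logfile, "w") as f:
            f.write("real log line\n")
        env = {"PATH": shadow_dir + os.pathsep + "/usr/bin:/bin"}
        return {
            "vulnerable": view_log_vulnerable(logfile, env),
            "hardened": view_log_hardened(logfile, env),
            "risky": risky_path_entries(env["PATH"]),
        }
```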
Symbolic Link Attack
•Symbolic link a.k.a. soft link points to another file by filename
•Can link to any path, whether or not the target file exists
•Race condition
•User with write access
25
Symbolic Link Attack
Cron Job runs this Program to ensure foo is always Writable
26
Symbolic Link Attack
User has write access for /tmp to create symlink foo
User has NO write access to /etc/cron.d/john YET
27
Symbolic Link Attack
After Cron Job executed the Program
User has write access to /etc/cron.d/john
28
Symbolic Link Attack
Source: https://packetstormsecurity.com/files/133692/Ubuntu-Security-Notice-USN-2744-1.html
29
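The cron-job scenario on the slides above (a fixer that makes `foo` writable, a user who can create `/tmp/foo` as a symlink to `/etc/cron.d/john`), as an added Python example that is not the talk's code: `naive_make_writable` follows the link like the slide's program, while `safe_make_writable` opens with `O_NOFOLLOW` and `fchmod`s the descriptor, so the link is rejected and the cron file is never touched. The directory layout in `demo()` is constructed inside a temp dir.

```python
import os
import stat
import tempfile


def naive_make_writable(path: str) -> int:
    """Vulnerable fixer as on the slide: os.chmod() follows symbolic links,
    so it changes the mode of whatever 'path' currently points at.
    Returns the resulting mode bits of the target."""
    os.chmod(path, 0o666)
    return stat.S_IMODE(os.stat(path).st_mode)


def safe_make_writable(path: str) -> int:
    """Hardened fixer: O_NOFOLLOW makes open() fail (ELOOP) when the last
    path component is a symlink, and fchmod() then acts on the file we
    actually opened, so nothing can be swapped in between the check and
    the chmod.  Raises OSError for a symlink, ValueError for non-files."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise ValueError(f"{path}: not a regular file")
        os.fchmod(fd, 0o666)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario in a temp dir: 'cron_d_john' stands in for
    /etc/cron.d/john (mode 600, not writable by the user) and 'tmp/foo' is
    the symlink the user created to it."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "cron_d_john")
        with open(target, "w") as f:
            f.write("* * * * * root /usr/local/bin/job\n")
        os.chmod(target, 0o600)
        tmp = os.path.join(root, "tmp")
        os.mkdir(tmp)
        link = os.path.join(tmp, "foo")
        os.symlink(target, link)

        # Vulnerable path: the chmod lands on the cron file behind the link.
        naive_make_writable(link)
        after_naive = stat.S_IMODE(os.stat(target).st_mode)

        # Reset, then the hardened path refuses the link and leaves it alone.
        os.chmod(target, 0o600)
        try:
            safe_make_writable(link)
            refused = False
        except OSError:
            refused = True
        after_safe = stat.S_IMODE(os.stat(target).st_mode)

        # The hardened path still works on a genuine regular file.
        plain = os.path.join(tmp, "plain")
        with open(plain, "w") as f:
            f.write("")
        os.chmod(plain, 0o600)
        plain_mode = safe_make_writable(plain)

        return {"after_naive": after_naive, "refused": refused,
                "after_safe": after_safe, "plain_mode": plain_mode}
```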
Linux Enumeration Scripts
•LinEnum - http://www.rebootuser.com/?p=1758
•LinuxPrivChecker -
www.securitysift.com/download/linuxprivchecker.py
30
Windows Privilege Escalation
31
Weak Folder/File Permission
32
Weak Folder/File Permission
The vulnerability is due to incorrect installation and permissions settings on
binary files during the MSE physical or virtual appliance install procedure. An
attacker could exploit this vulnerability by logging into the device and
escalating their privileges. A successful exploit could allow the attacker to
acquire root-level privileges and take full control of the device.
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-privmse
33
Weak Folder/File Permission
Get list of services not in System32
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> services.txt
Get permissions
for /f eol^=^"^ delims^=^" %a in (services.txt) do cmd.exe /c icacls "%a" >> permissions.txt
Source: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
34
Weak Service Permission
•Well-known vulnerability for Windows XP SP1 and Windows Server 2003
•MS06-011 - Upnphost, SCardSvr, SSDPSRV, DnsCache, and
DHCP services
Source: http://www.fuzzysecurity.com/tutorials/16.html
35
Weak Service Permission
•sc config upnphost binpath=" "
Source: http://www.fuzzysecurity.com/tutorials/16.html
36
Weak Service Permission
Get permissions on Services
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users"|"Everyone"|"Any Other Group" *
Source: http://www.fuzzysecurity.com/tutorials/16.html
37
Weak Registry Permission
•Services registered on the system are stored in the Registry
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
•Weak Registry permissions let a non-privileged user modify a service's configuration
38
Unquoted Service Paths
DisplayName                    Name                           PathName
hMailServer                    hMailServer                    C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService
Mobile Broadband HL Service    Mobile Broadband HL Service    "C:\ProgramData\MobileBrServ\mbbservice.exe"
VMware Tools                   VMTools                        "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
39
Unquoted Service Paths
•Unquoted service paths containing space(s) lead to ambiguous binary execution
•Windows tries the path truncated at each space in turn as an executable
•Number of attempted executions = number of spaces + 1
40
Unquoted Service Paths
C:\Program Files\Service Dir\binary name.exe
1) C:\Program.exe
2) C:\Program Files\Service.exe
3) C:\Program Files\Service Dir\binary.exe
4) C:\Program Files\Service Dir\binary name.exe
41
Unquoted Service Paths
•Look out for services installed in C:\*Folder*
•"Authenticated Users" has Modify permission on C:\*Folder*, inherited from the C:\ permissions (except for folders created by Windows)
42
Unquoted Service Paths
43
Unquoted Service Paths
The hMailServer service is now registered in Windows with a quoted path, to
prevent the service from being vulnerable to "Unquoted service path".
Unquoted service paths would allow a user with access to the server where
hMailServer runs, but with less privileges than hMailServer, to gain the
privileges of hMailServer by creating a new executable and placing it in
C:\ProgramFiles\hMailServer\hMailserver.exe.
Not Right!
44
Unquoted Service Paths
C:\Server\Mail Server\hmailServer\Bin\hMailServer.exe RunAsService
45
Unquoted Service Paths
Mail.exe is a reverse shell
46
Unquoted Service Paths
47
Unquoted Service Paths
Find all Unquoted Service Paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" |findstr /i /v """
Quick Exploit
Use Metasploit - exploit/windows/local/trusted_service_path
48
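The "spaces + 1" rule and the wmic|findstr filter from the unquoted-service-path slides, as an added Python audit that is not part of the talk or of any tool it names: it expands an unquoted PathName into the executables Windows would try, identifies where the genuine binary sits, and lists the directories whose ACLs (the C:\*Folder* point above) an administrator should check with icacls. `SAMPLE_SERVICES` is constructed to mirror the deck's table, not captured from a real host; `ntpath` lets the Windows path handling run on any OS.

```python
import ntpath

# Constructed sample shaped like the deck's service table (Name, PathName,
# StartMode); values are modelled on the slides, not captured from a host.
SAMPLE_SERVICES = [
    {"Name": "hMailServer", "StartMode": "Auto",
     "PathName": r"C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService"},
    {"Name": "Mobile Broadband HL Service", "StartMode": "Auto",
     "PathName": r'"C:\ProgramData\MobileBrServ\mbbservice.exe"'},
    {"Name": "VMTools", "StartMode": "Auto",
     "PathName": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    {"Name": "ExampleSvc", "StartMode": "Auto",
     "PathName": r"C:\Program Files\Service Dir\binary name.exe"},
    {"Name": "Spooler", "StartMode": "Auto",
     "PathName": r"C:\Windows\System32\spoolsv.exe"},
    {"Name": "ManualSvc", "StartMode": "Manual",
     "PathName": r"C:\Tools\My Tool\tool.exe"},
]


def is_unquoted_with_space(pathname: str) -> bool:
    """The deck's findstr filter in code: not wrapped in quotes and contains a space."""
    p = pathname.strip()
    return not p.startswith('"') and " " in p


def expand_unquoted(pathname: str):
    """Apply the 'spaces + 1' rule: the path cut at each space, with .exe
    appended while the cut piece has no .exe extension, then the full
    string.  Also returns the index of the first candidate that already
    ended in .exe, which is where the genuine service binary lives;
    Windows stops searching once that one is found, so later candidates
    are listed unchanged and never tried."""
    tokens = pathname.strip().split(" ")
    candidates, real_index = [], None
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if real_index is not None:
            pass  # past the real binary: never reached by CreateProcess
        elif ntpath.splitext(cand)[1].lower() == ".exe":
            real_index = len(candidates)
        else:
            cand += ".exe"
        candidates.append(cand)
    return candidates, real_index


def planting_dirs(candidates: list, real_index) -> list:
    """Directories in which a bogus candidate would have to exist to win
    the race: the parent of every candidate tried before the real one.
    These are the paths to feed to icacls."""
    cutoff = len(candidates) if real_index is None else real_index
    dirs = []
    for cand in candidates[:cutoff]:
        d = ntpath.dirname(cand)
        if d not in dirs:
            dirs.append(d)
    return dirs


def audit(services: list) -> dict:
    """Mirror the slide's wmic|findstr pipeline: auto-start services outside
    C:\\Windows whose PathName is unquoted and contains a space.
    Returns {name: {"candidates", "real_binary", "check_acl_on"}}."""
    findings = {}
    for svc in services:
        path = svc["PathName"]
        if svc["StartMode"].lower() != "auto":
            continue
        if path.strip().strip('"').lower().startswith("c:\\windows"):
            continue
        if not is_unquoted_with_space(path):
            continue
        cands, real = expand_unquoted(path)
        findings[svc["Name"]] = {
            "candidates": cands,
            "real_binary": None if real is None else cands[real],
            "check_acl_on": planting_dirs(cands, real),
        }
    return findings
```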
DLL Hijacking
•Dynamic Link Libraries (DLL)
•Shared library concept – allows applications to reuse code in a DLL
•Hijacking happens when an application loads an attacker's DLL instead of the intended DLL
49
DLL Hijacking
•Loading a non-existent DLL
•Loading a DLL without a fully qualified path
50
DLL Hijacking
•Windows 32-bit DLL search order with SafeDllSearchMode enabled
1. Directory from which the application is loaded
2. Windows 32-bit system directory (C:\Windows\System32)
3. Windows 16-bit system directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. Current directory
6. Directories listed in %PATH%
51
DLL Hijacking
•CVE-2016-2855: Huawei Mobile Broadband HL Service Local
Privilege Escalation
•The Huawei Mobile Broadband HL Service 22.001.25.00.03
and earlier uses a weak ACL for the MobileBrServ program
data directory, which allows local users to gain SYSTEM
privileges by modifying VERSION.dll.
52
DLL Hijacking
53
DLL Hijacking
54
DLL Hijacking
Used ExportsToC++ to generate all export functions from
C:\Windows\System32\version.dll
55
DLL Hijacking
56
DLL Hijacking
57
DLL Hijacking
58
Windows Enumeration Script/Tool
•Windows Privsec Check -
https://github.com/pentestmonkey/windows-privesc-check
59
Hot Potato
•Researched and Developed by Stephen Breen @ FoxGlove
Security
•Combined 3 vulnerabilities to perform Privilege Escalation
•NetBIOS Name Services (NBNS) Spoofing
•Web Proxy Auto-Discovery Protocol (WPAD) Man In The Middle
Attack
•HTTP-> SMB Relay
60
NBNS Spoofing
•Windows resolves host names in this order
• Local hosts file @ C:\Windows\System32\drivers\etc\hosts
• DNS cache
• DNS server
• Local LMHOSTS file @ C:\Windows\System32\drivers\etc\lmhosts.sam
• NetBIOS broadcast
•Anyone can respond to the NetBIOS broadcast ☺
61
WPAD Man in the Middle
• WPAD is enabled by default
• IE automatically looks up http://WPAD/wpad.dat for proxy settings
62
NTLM Authentication
•Challenge – Response
•3 Types of Messages
•Negotiation
•Challenge
•Authentication
63
SMB -> SMB Relay
•15-year-old SMB Relay/Reflection Attack
Legitimate Client, whose connection to the legitimate SMB Server the Attacker has MITMed:
(1) Client connects to the SMB Server and asks for an NTLM Challenge
(2) Attacker connects to the Client's SMB service and asks for an NTLM Challenge
(3) Client sends the Attacker the NTLM Challenge
(4) Attacker modifies the Client's Challenge and sends it back to the Client as his own for (1)
(5) Client receives the (1) Challenge, encrypts it using his credential (hash) and sends it back to the Attacker
(6) Attacker sends back the response he received and is successfully authenticated for (2)
64
SMB -> SMB Relay
•MS08-068 stops this by rejecting a challenge that is relayed back to the host that issued it – SMB to SMB Relay
•Doesn't stop the cross-protocol attack HTTP -> SMB Relay ☺
65
HTTP-> SMB Relay
•NTLM is part of Integrated Windows Authentication
•IE supports Integrated Windows Authentication (NTLM
Authentication)
•Automatic Logon is enabled by default for Intranet Zone
•Localhost is part of Intranet Zone ☺
66
Hot Potato (Windows 7) Steps
1. Start NBNS Spoofing for WPAD and start Web Server on localhost:80
2. Start Windows Defender Update (NT Authority/System)
3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES
4. http://localhost/GETHASHES asks for NTLM authentication and connects to localhost SMB
to obtain Challenge then forward it to Windows Defender Update
5. Windows Defender Update sends NTLM Response
6. Hot Potato resumes the SMB Authentication with the NTLM Response ☺
67
DEMO
68
More stuff
•Pass The Hash
•Mimikatz – scrapes cleartext credentials of logged-on users from the memory of the Windows LSASS subsystem
69
Summary
•Non-exhaustive list of privilege escalation techniques
•More awareness has to be raised among sysadmins and developers
70
Tools
• LinEnum - http://www.rebootuser.com/?p=1758
• LinuxPrivChecker - www.securitysift.com/download/linuxprivchecker.py
• Windows-privesc-check - https://github.com/pentestmonkey/windows-privesc-check
• Hot Potato - https://github.com/foxglovesec/Potato
• Mimikatz - https://github.com/gentilkiwi/mimikatz (available in Metasploit and PowerSploit)
• PowerSploit - https://github.com/PowerShellMafia/PowerSploit
• PowerOPS (run PowerShell commands without PowerShell.exe) - https://github.com/fdiskyou/PowerOPS
71
Reference
• http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats
• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• http://www.dankalia.com/tutor/01005/0100501004.htm
• http://netsec.ws/?p=309
• http://www.fuzzysecurity.com/tutorials/16.html
• https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
• http://toshellandback.com/2015/11/24/ms-priv-esc/
• https://foxglovesecurity.com/2016/01/16/hot-potato/
• https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf
72

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 

1000 to 0

Weak Folder/File Permission
•Look out for
• Home Directory (.rhosts, .ssh/authorized_keys, .bashrc, .*_history)
• Config files (httpd.conf, my.cnf, config.inc.php, sshd_config)
• Source codes (.php, .c, .cpp, .pl, .py)
• Init (/etc/rc.*) and Cron job (/etc/cron.*/, /var/spool/cron/)
• Scripts executed by Init or Cron job
18
Weak Folder/File Permission
World Readable Files/Folders
find / -perm /o+r -exec ls -la {} + 2>/dev/null
World Writeable Files/Folders
find / -perm /o+w -exec ls -la {} + 2>/dev/null
Search for ‘password’ in conf files (the glob is quoted so the shell does not expand it before find runs)
find / -name "*.conf" -type f -exec grep -Hn password {} + 2>/dev/null
20
PATH
•Environment variable the shell searches, directory by directory, to locate an executable
•Meant for convenience; however, a privileged program that runs commands by relative name (without an absolute path) can be abused by putting a different directory first in PATH
21
PATH
Assume this is a complex app that allows an authenticated user to view logs (SUID enabled)
22
Symbolic Link Attack
•Symbolic link a.k.a. soft link points to another file by filename
•Able to link to any file regardless of whether the target file exists
•Race Condition
•User with write access
25
Symbolic Link Attack
Cron Job runs this Program to ensure foo is always Writable
26
Symbolic Link Attack
User has write access to /tmp to create symlink foo
User has NO write access to /etc/cron.d/john YET
27
Symbolic Link Attack
After the Cron Job executed the Program, User has write access to /etc/cron.d/john
28
Symbolic Link Attack
Source: https://packetstormsecurity.com/files/133692/Ubuntu-Security-Notice-USN-2744-1.html
29
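The cron-job pattern from slides 26-28, as an added example that is not part of the deck: chmod by path name follows a symlink planted in a world-writable directory, while the hardened version opens with O_NOFOLLOW, checks the owner and changes the mode on the descriptor. The file names and the temporary directory are constructed stand-ins for /tmp/foo and /etc/cron.d/john.

```python
import os
import stat
import tempfile

def careless_make_writable(path: str) -> None:
    """The pattern from the slides: chmod by path name, which follows symlinks."""
    os.chmod(path, 0o666)

def safe_make_writable(path: str, expected_uid: int) -> None:
    """Refuse symlinks (O_NOFOLLOW raises ELOOP), verify the owner, then fchmod the fd."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: unexpected owner uid {st.st_uid}")
        os.fchmod(fd, 0o666)
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario: 'cronjob' stands in for /etc/cron.d/john, 'foo' for /tmp/foo."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "cronjob")
        link = os.path.join(tmp, "foo")
        with open(target, "w") as f:
            f.write("# constructed stand-in for a root-owned cron file\n")
        os.chmod(target, 0o644)
        os.symlink(target, link)          # what the low-privileged user plants
        careless_make_writable(link)      # the cron job's chmod lands on the target
        careless_mode = stat.S_IMODE(os.stat(target).st_mode)
        os.chmod(target, 0o644)
        try:
            safe_make_writable(link, os.getuid())
            safe_refused = False
        except OSError:                   # ELOOP from O_NOFOLLOW
            safe_refused = True
        safe_mode = stat.S_IMODE(os.stat(target).st_mode)
        safe_make_writable(target, os.getuid())   # a real regular file still works
        direct_mode = stat.S_IMODE(os.stat(target).st_mode)
        return {"careless_mode": careless_mode, "safe_refused": safe_refused,
                "safe_mode": safe_mode, "direct_mode": direct_mode}

if __name__ == "__main__":
    print(demo())
```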
Linux Enumeration Scripts
•LinEnum - http://www.rebootuser.com/?p=1758
•LinuxPrivChecker - www.securitysift.com/download/linuxprivchecker.py
30
Weak Folder/File Permission
The vulnerability is due to incorrect installation and permissions settings on binary files during the MSE physical or virtual appliance install procedure. An attacker could exploit this vulnerability by logging into the device and escalating their privileges. A successful exploit could allow the attacker to acquire root-level privileges and take full control of the device.
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-privmse
33
Weak Folder/File Permission
Get list of Services not in System32
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> services.txt
Get Permissions
for /f eol^=^"^ delims^=^" %a in (services.txt) do cmd.exe /c icacls "%a" >> permissions.txt
Source: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
34
Weak Service Permission
•Well known vulnerability for Windows XP SP1 and Windows 2003 Server
•MS06-011 - Upnphost, SCardSvr, SSDPSRV, DnsCache, and DHCP services
Source: http://www.fuzzysecurity.com/tutorials/16.html
35
Weak Service Permission
•sc config upnphost binpath= " "
Source: http://www.fuzzysecurity.com/tutorials/16.html
36
Weak Service Permission
Get permissions on Services
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users"|"Everyone"|"Any Other Group" *
Source: http://www.fuzzysecurity.com/tutorials/16.html
37
Weak Registry Permission
•Services registered on the System are stored in the Registry
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
•Weak Registry Permission enables a non-privileged user to modify the Service’s configuration
38
Unquoted Service Paths
DisplayName                   Name                          PathName
hMailServer                   hMailServer                   C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService
Mobile Broadband HL Service   Mobile Broadband HL Service   "C:\ProgramData\MobileBrServ\mbbservice.exe"
VMware Tools                  VMTools                       "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
39
Unquoted Service Paths
•Unquoted Service Paths with Space(s) lead to ambiguous binary executions
•Windows will attempt to execute the path truncated at each space, starting from the first space
•Number of attempted executions = Number of Spaces + 1
40
Unquoted Service Paths
C:\Program Files\Service Dir\binary name.exe
1) C:\Program.exe
2) C:\Program Files\Service.exe
3) C:\Program Files\Service Dir\binary.exe
4) C:\Program Files\Service Dir\binary name.exe
41
Unquoted Service Paths
•Look out for services installed in C:\*Folder*
•“Authenticated Users” has Modify Permission for C:\*Folder*, inherited from the C:\ Permissions (except for folders created by Windows)
42
Unquoted Service Paths
The hMailServer service is now registered in Windows with a quoted path, to prevent the service from being vulnerable to "Unquoted service path". Unquoted service paths would allow a user with access to the server where hMailServer runs, but with less privileges than hMailServer, to gain the privileges of hMailServer by creating a new executable and placing it in C:\ProgramFiles\hMailServer\hMailserver.exe.
Not Right!
44
Unquoted Service Paths
C:\Server\Mail Server\hmailServer\Bin\hMailServer.exe RunAsService
45
Unquoted Service Paths
Mail.exe is a reverse shell
46
Unquoted Service Paths
Find all Unquoted Service Paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" |findstr /i /v """
Quick Exploit
Use Metasploit - exploit/windows/local/trusted_service_path
48
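The resolution rule from slides 40-41 and the filter from slide 48, as an added example that is not from the deck: it enumerates the executables Windows would try for an unquoted ImagePath and lists, per auto-start service outside C:\Windows, the decoy locations an administrator must confirm are not creatable by low-privileged users. The service list is a constructed sample modelled on slide 39; the stop-at-first-.exe rule is a simplification of CreateProcess behaviour assumed here.

```python
def candidate_executables(pathname: str) -> list:
    """Executables Windows would try, in order, for a service ImagePath.
    Quoted paths are unambiguous. For unquoted paths every prefix ending at a
    space is tried with '.exe' appended; the search stops at the first prefix
    that already ends in '.exe' (assumed to be the real binary)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return [pathname[1:end]] if end > 0 else []
    candidates = []
    for i, ch in enumerate(pathname + " "):   # trailing space covers the full string
        if ch != " ":
            continue
        prefix = pathname[:i]
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates

def risky_auto_services(services: list) -> dict:
    """services: (Name, PathName, StartMode) tuples as reported by
    `wmic service get name,pathname,startmode`. Mirrors the findstr chain on
    the slide: auto-start, not under C:\\Windows, not quoted. Returns the decoy
    paths (every candidate except the real binary) that must not be writable
    by Authenticated Users, e.g. through Modify inherited on C:\\*Folder*."""
    out = {}
    for name, pathname, startmode in services:
        if startmode.lower() != "auto":
            continue
        if pathname.lower().lstrip('"').startswith("c:\\windows"):
            continue
        cands = candidate_executables(pathname)
        if len(cands) > 1:
            out[name] = cands[:-1]
    return out

# Constructed sample service table (modelled on slide 39, not real wmic output).
SAMPLE_SERVICES = [
    ("hMailServer", r"C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService", "Auto"),
    ("Mobile Broadband HL Service", r'"C:\ProgramData\MobileBrServ\mbbservice.exe"', "Auto"),
    ("VMTools", r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
]

if __name__ == "__main__":
    for svc, decoys in risky_auto_services(SAMPLE_SERVICES).items():
        print(svc, "-> check ACLs on:", decoys)
```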
DLL Hijacking
•Dynamic Link Libraries (DLL)
•Shared Library Concept – allows an application to reuse code in a DLL
•Hijacking happens when an application loads an attacker’s DLL instead of the intended DLL
49
DLL Hijacking
•Loading a non-existent DLL
•Loading a DLL without a fully qualified path
50
DLL Hijacking
•Windows 32-bit DLL Search Order with SafeDllSearchMode Enabled
1. Directory from which the application is loaded
2. Windows 32-bit System Directory (C:\Windows\System32)
3. Windows 16-bit System Directory (C:\Windows\System)
4. Windows Directory (C:\Windows)
5. Current Directory
6. Directories listed in %PATH%
51
DLL Hijacking
•CVE-2016-2855: Huawei Mobile Broadband HL Service Local Privilege Escalation
•The Huawei Mobile Broadband HL Service 22.001.25.00.03 and earlier uses a weak ACL for the MobileBrServ program data directory, which allows local users to gain SYSTEM privileges by modifying VERSION.dll.
52
DLL Hijacking
Used ExportsToC++ to generate all Export functions from C:\Windows\System32\version.dll
55
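The search order from slide 51 applied to the CVE-2016-2855 case from slide 52, as an added example that is not part of the deck: it models which directory satisfies a load of version.dll and reports the directories consulted earlier that low-privileged users can write to. The constructed filesystem, the cwd and the writable-directory set are assumptions; the SafeDllSearchMode-off order (current directory second) is standard Windows behaviour, not on the slide.

```python
import ntpath

def search_order(app_dir, cwd, path_dirs, windir=r"C:\Windows", safe_mode=True):
    """32-bit search order. With SafeDllSearchMode on (slide 51) the current
    directory comes after the Windows directories; with it off, second."""
    system_dirs = [ntpath.join(windir, "System32"), ntpath.join(windir, "System"), windir]
    if safe_mode:
        return [app_dir] + system_dirs + [cwd] + list(path_dirs)
    return [app_dir, cwd] + system_dirs + list(path_dirs)

def resolve_dll(dll, order, existing):
    """First directory in `order` holding `dll`; `existing` is the set of full
    paths on the (constructed) filesystem, compared case-insensitively."""
    present = {p.lower() for p in existing}
    for d in order:
        cand = ntpath.join(d, dll)
        if cand.lower() in present:
            return cand
    return None

def hijack_exposure(dll, order, existing, writable_dirs):
    """Return (winning path, directories searched before it that are writable by
    low-privileged users). A DLL planted in any of those shadows the real one."""
    winner = resolve_dll(dll, order, existing)
    writable = {d.lower() for d in writable_dirs}
    exposed = []
    for d in order:
        if winner is not None and ntpath.join(d, dll).lower() == winner.lower():
            break
        if d.lower() in writable:
            exposed.append(d)
    return winner, exposed

def demo():
    """Constructed scenario: the service runs from the weak-ACL MobileBrServ
    directory and the only real version.dll is the System32 copy."""
    app_dir = r"C:\ProgramData\MobileBrServ"
    order = search_order(app_dir, cwd=r"C:\Users\alice", path_dirs=[r"C:\Python27"])
    existing = {r"C:\Windows\System32\version.dll"}
    return hijack_exposure("VERSION.dll", order, existing,
                           writable_dirs={app_dir, r"C:\Users\alice"})

if __name__ == "__main__":
    print(demo())
```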
Windows Enumeration Script/Tool
•Windows-privesc-check - https://github.com/pentestmonkey/windows-privesc-check
59
Hot Potato
•Researched and Developed by Stephen Breen @ FoxGlove Security
•Combined 3 vulnerabilities to perform Privilege Escalation
•NetBIOS Name Service (NBNS) Spoofing
•Web Proxy Auto-Discovery Protocol (WPAD) Man In The Middle Attack
•HTTP -> SMB Relay
60
NBNS Spoofing
•Windows resolves a domain name in this order
• Local Hosts File @ C:\Windows\System32\drivers\etc\hosts
• DNS Cache
• DNS Server
• Local LMHOSTS File @ C:\Windows\System32\drivers\etc\lmhosts.sam
• NetBIOS broadcast
•Anyone can respond to the NetBIOS Broadcast ☺
61
WPAD Man in the Middle
• WPAD is enabled by default
• IE will automatically look up http://WPAD/wpad.dat for proxy settings
62
NTLM Authentication
•Challenge – Response
•3 Types of Messages
•Negotiation
•Challenge
•Authentication
63
SMB -> SMB Relay
•15-year-old SMB Relay/Reflection Attack
Attacker MITMs the connection between the Legitimate Client and the legitimate SMB Server
(1) Client connects to SMB Server and asks for an NTLM Challenge
(2) Attacker connects to the Client’s SMB service and asks for an NTLM Challenge
(3) Client sends the Attacker the NTLM Challenge
(4) Attacker modifies the Client’s Challenge and sends it back to the Client as his own for (1)
(5) Client receives the (1) Challenge, encrypts it using his credential (hash) and sends it back to the Attacker
(6) Attacker sends back the response he received and is successfully authenticated for (2)
64
SMB -> SMB Relay
•MS08-068 stops this by preventing Challenge keys from being relayed back to where they were issued – SMB to SMB Relay
•Doesn’t stop the cross-protocol attack HTTP -> SMB Relay ☺
65
HTTP -> SMB Relay
•NTLM is part of Integrated Windows Authentication
•IE supports Integrated Windows Authentication (NTLM Authentication)
•Automatic Logon is enabled by default for the Intranet Zone
•Localhost is part of the Intranet Zone ☺
66
Hot Potato (Windows 7) Steps
1. Start NBNS Spoofing for WPAD and start a Web Server on localhost:80
2. Start Windows Defender Update (NT Authority/System)
3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES
4. http://localhost/GETHASHES asks for NTLM authentication and connects to localhost SMB to obtain a Challenge, then forwards it to Windows Defender Update
5. Windows Defender Update sends the NTLM Response
6. Hot Potato resumes the SMB Authentication with the NTLM Response ☺
67
More stuff
•Pass The Hash
•Mimikatz – Scraping cleartext credentials for logged-on users from Windows LSASS subsystem memory
69
Summary
•Non-exhaustive list of privilege escalation techniques
•More awareness has to be raised among Sysadmins and developers
70
Tools
• LinEnum - http://www.rebootuser.com/?p=1758
• LinuxPrivChecker - www.securitysift.com/download/linuxprivchecker.py
• Windows-privesc-check - https://github.com/pentestmonkey/windows-privesc-check
• Hot Potato - https://github.com/foxglovesec/Potato
• Mimikatz - https://github.com/gentilkiwi/mimikatz (Available on Metasploit and PowerSploit)
• PowerSploit - https://github.com/PowerShellMafia/PowerSploit
• PowerOPS (Run PowerShell commands without Powershell.exe) – https://github.com/fdiskyou/PowerOPS
71
Reference
• http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats
• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• http://www.dankalia.com/tutor/01005/0100501004.htm
• http://netsec.ws/?p=309
• http://www.fuzzysecurity.com/tutorials/16.html
• https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
• http://toshellandback.com/2015/11/24/ms-priv-esc/
• https://foxglovesecurity.com/2016/01/16/hot-potato/
• https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf
72