Windows UAC&Privileges&Credentials

  1. A MUST SEE: summary of credential manipulating tools
    1. https://docs.google.com/spreadsheets/d/1e_QKvVml3kt6-KrlqaH6vJ6T8g4CgXmHgSjJZMoLsLA/edit#gid=0
  2. Mimikatz – the best tool in our days for credentials manipulation
    1. https://github.com/gentilkiwi/mimikatz
    2. https://www.offensive-security.com/metasploit-unleashed/mimikatz/
  3. Chml, regil – tools to change the integrity level of files and registry keys
    1. http://www.minasi.com/apps/
  4. Registry key that defines programs which automatically run in compatibility mode as admin: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    1. http://stackoverflow.com/questions/11868392/run-jar-file-without-admin-rights
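A defender-side audit of that key, added here as an example (not from the linked page): it parses a `reg export` of the Layers key and lists every program whose layer string carries RUNASADMIN, i.e. programs configured to request elevation on each start. The export text below is constructed; a real export is UTF-16 and should be opened with `encoding="utf-16"`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg export` output for the Layers key described above.
# "~ RUNASADMIN" is the layer that makes the listed program ask for elevation.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"="~ RUNASADMIN"
"C:\\Program Files\\LegacyApp\\legacy.exe"="WINXPSP3 HIGHDPIAWARE"
"C:\\Tools\\helper.exe"="~ RUNASADMIN HIGHDPIAWARE"
"""

LAYERS_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg text export into {key_path: {value_name: string_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_runasadmin_layers(text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, program path, layer string) for each entry flagged RUNASADMIN."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.upper().endswith(LAYERS_KEY.upper()):
            continue
        hive = key.split("\\", 1)[0]
        for program, layer in values.items():
            if "RUNASADMIN" in layer.upper().split():
                hits.append((hive, program, layer))
    return hits
```

Running the same check over an export of HKEY_LOCAL_MACHINE's Layers key catches machine-wide entries as well.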
  5. If the Windows credential store holds the local admin's credentials, then even without knowing the password you can run a command as the admin with: RUNAS /savecred /user:administrator "command to run"
    1. http://www.sevenforums.com/tutorials/193743-elevated-program-shortcut-create-standard-user.html
  6. Windows UAC uses a blacklist of file names to detect installation files
    1. http://stackoverflow.com/questions/9190962/launch4j-executable-with-specific-name-triggers-windows-uac
  7. Pressing Ctrl+Shift when opening a program opens it as administrator, if you have the rights for it.
    1. Point 18 here: http://blogs.msdn.com/b/tims/archive/2009/01/12/the-bumper-list-of-windows-7-secrets.aspx
  8. Bypass UAC from the cmd using makecab and wusa, or by injecting code into a Microsoft-signed process and using the IFileOperation COM object from the injected code. This COM object, like some other COM objects, runs auto-elevated when invoked from a Microsoft-signed process, which bypasses UAC by letting you write a file to an arbitrary location. This is used to write a malicious DLL into a system directory and exploit DLL load-order hijacking on an auto-elevated executable. It is explained in one of the techniques below.
    1. http://www.greyhathacker.net/?p=796
  9. List of autoelevated COM objects that might be used to bypass UAC:
    1. https://rstforums.com/forum/95785-autoelevated-com-objects-list-win7-win10.rst
  10. List of auto-elevated binaries that might be used to bypass UAC (wusa.exe can be used to extract a .cab file to an arbitrary location; printui might also be used by saving or printing to a file in an arbitrary location):
    1. http://withinwindows.com/blog/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries
  11. Psexec UAC bypass. “If your current user is a domain user and your domain user is a local administrator on another system, you can get past UAC. Here’s how this works: You may use your token to interact with another system as an administrator (remote UAC is off for domain accounts). This means you may copy an executable to that other system and schedule it to run. If you get access to another system this way, you may repeat the same process to regain access to your current system with full rights. You may use the Metasploit Framework’s exploit/windows/local/current_user_psexec to do this.”
    1. https://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
    2. Remote UAC is off for domain accounts:
      1. http://www.teamshatter.com/topics/general/team-shatter-exclusive/connecting-remotely-with-administrative-privileges-under-uac/
      2. https://support.microsoft.com/en-us/kb/951016
  12. Bypass UAC using shimming and iscsicli.exe
    1. http://lupwa.org/bleen/2015/02/12/malware-using-appcompat-for-automatic-uac-elevation-continued/
    2. http://blog.jpcert.or.jp/2015/02/
  13. Elevate yourself with the user's help (user-assisted compromise)
    1. http://www.room362.com/blog/2012/01/03/uac-user-assisted-compromise/
    2. The exploit/windows/local/ask Metasploit module implements it
  14. UAC bypass: inject code into a Microsoft-signed process and use the injected code to create an instance of the IFileOperation COM object. When the COM object is used from a Microsoft-signed process it gets auto-elevated and bypasses UAC; IFileOperation allows writing files to arbitrary locations. There are Microsoft-signed executables in the c:\windows directory that get auto-elevated when run; they can be found by searching for the word autoelevate in the contents of the executables under c:\windows. The file write is turned into code execution using DLL search order hijacking: a malicious DLL is written to a directory containing an auto-elevated executable that loads a DLL of the same name, and when the executable is run the DLL is loaded by it and runs at high integrity level, as desired. “The Metasploit Framework module: exploit/windows/local/bypassuac_inject, compiles the UAC bypass logic into a reflective DLL. It spawns a Microsoft-signed program and injects the UAC bypass logic directly into it. The only thing that needs to touch disk is the CRYPTBASE.dll file.”
    1. http://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
    2. https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/bypassuac
    3. http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
  15. Bypassing Windows 7 64-bit+ driver signature verification by exploiting a vulnerability in an old, legitimate, signed driver. This technique can also be used to bypass UAC by exploiting a vulnerability in an auto-elevated process or in a running high-integrity process
    1. http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322
  16. Amazing tool implementing a lot of UAC bypass techniques: “Run executable from command line with following keys (watch debug output with dbgview or similar for more info):
    • 1 – Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
    • 2 – Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
    • 3 – Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10.0.10240;
    • 4* – Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600 [See Important Note];
    • 5** – ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10.0.100136;
    • 6 – Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
    • 7** – Wusa method, tweaked to work from Windows 7 up to 10.0.10136;
    • 8 – Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
    • 9** – Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10.0.10136;
    • 10 – Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10.0.10240;
    • 11* – WinNT/Gootkit second method based on the memory patching from MS “Fix it” patch shim (and as side effect – arbitrary dll injection), works from Windows 7 up to 8.1.9600 [See Important Note];
    • 12 – Windows 10 sysprep method, abusing different dll dependency added in Windows 10 (works up to 10.0.10240).”
    1. https://github.com/hfiref0x/UACME
    2. http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
  17. Overview of credential storage algorithms and credential transmission protocols, with a comparison between different hash dumping tools such as the Metasploit hashdump module, pwdump7 and gsecdump, and between attack tools such as pshtoolkit, msvctl, the Metasploit psexec module, smbshell and JoMo-Kun (JMK).
    1. http://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283?show=pass-the-hash-attacks-tools-mitigation-33283&cat=testing
  18. “Extracting NTLM hash from NTLM handshake. To conclude, earlier versions of NTLM (everything before NTLMv2) use DES as the way to “sign” challenges. Nowadays we have tools to bruteforce DES (like Moxie’s cloudcracker) so we can break the NTLM handshake and extract the hash by watching traffic.
    1. Why do we care? Because we can extract the NTLM hash remotely, without admin privileges on the computer. We just need to be MITM or make the other side try to authenticate against us.
    2. Make the other side try to authenticate against us? Why not simply use NTLM relay? It’s possible, but NTLM relay is less convenient because we need the other side to be online for reuse. Obtaining the NTLM hash is much more powerful and persistent.”

    1. http://markgamache.blogspot.co.il/2013/01/ntlm-challenge-response-is-100-broken.html
  19. Incognito – tool that allows you to impersonate other users by using their Windows tokens
    1. http://www.spylogic.net/2008/09/finally-a-use-for-incognito/
    2. http://carnal0wnage.attackresearch.com/2008/05/token-passing-with-incognito.html
    3. https://labs.mwrinfosecurity.com/blog/2012/07/18/incognito-v2-0-released/
  20. PowerShell script to read the SAM file, or any other locked file, by obtaining a handle to the C volume directly and reading the SAM file's sectors. This method might evade antivirus detection. “Rather than attempting to read files using the Win32 API (which enforces things such as read handle locks, SACL, DACL, etc.), the author wrote a tool that obtains a read handle to the C volume (something an administrator account can do). This gives him the ability to read the raw bytes of the entire volume. The tool then parses the NTFS structures on the C volume, determines where on the volume the bytes for a particular file reside, scans to the location and copies the file's bytes. This allows the tool to get access to files even though LSASS has the file locked, and doesn’t require starting the Volume Shadow Copy service (which might look suspicious if it isn’t normally used).”
    1. https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
    2. http://www.josho.org/blog/blog/2013/03/07/samex/
    3. https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy
  21. Dumping SAM file hashes by using volume shadow copy or by injecting into lsass and dumping from memory
    1. http://bernardodamele.blogspot.co.il/2011/12/dump-windows-password-hashes.html
  22. Using volume shadow copy to dump domain hashes
    1. http://www.room362.com/blog/2013/06/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
  23. Using volume shadow copy from python
    1. https://pen-testing.sans.org/blog/pen-testing/2013/04/12/using-volume-shadow-copies-from-python
  24. A pass-the-hash attack on NTLM uses hashed passwords, which you usually need admin rights to obtain (from the SAM file or from memory). NTLM relay, on the other hand, is an attack that doesn't need admin! If someone, let's call him A, connects to you with NTLM (or you use DNS spoofing/ARP spoofing to get his traffic), you can use NTLM relay to connect to SMB, HTTP and other services that use NTLM authentication with the credentials of A's user. What you could do is relay the credentials back to A's own computer (for example to its admin$ share), and if he is a local admin there, you control his PC. In 2008 Microsoft released a patch that fixed relaying back to A's own PC. However, the general NTLM relay attack, known since around 2000, is still NOT fixed to this day. So in conclusion, if you don't have admin and you want the permissions/power/authorization of some other, maybe stronger, user, just use NTLM relay. In a LAN that uses NTLM, combining this with ARP spoofing you can ALWAYS GET CONTROL OF ALL OF THE LAN, basically by just waiting for admins to connect somewhere, ARP-spoofing them and then relaying their NTLM authentication.
    1. Metasploit module to do this attack: http://webstersprodigy.net/2012/07/22/metasploit-generic-ntlm-relay-module/
    2. Video explaining what I wrote above: http://www.youtube.com/watch?v=N08r6cBfCVs
    3. Usual NTLM relay tools relay HTTP to HTTP or HTTP to SMB; here is a tool able to relay a wider range of protocols, such as MSSQL, LDAP, RDP and more: https://github.com/urbanesec/ZackAttack
  25. Pages 34-35 of the following document are a MUST-READ because they describe all the places where user credentials are saved when a user logs on, and also note whether those credentials can be used to log on as the user once you have obtained them.
    Interesting stuff: 1) You can steal the credentials of any user who has a Windows service running under his credentials. 2) When a smart card is used for logon, the smart card is only used for the first authentication; the rest of the work uses SSO, which uses the NT hash. If the user is defined as smart-card required, the first logon generates a random NT hash, and from that moment this NT hash can be used to authenticate as the user without the user's smart card. If the user is not smart-card required, his NT hash is derived from his password. To change the NT hash of a user who has a password, it is enough to change the password; if the user uses a smart card and doesn't have a password, the way to change the NT hash is to turn the user's smart-card-required flag on and off. 3) Most logon types, such as runas, RDP and so on, leave your credentials in the memory of the computer you log on to, and those credentials can be used to steal your identity. 4) With Kerberos delegation, instead of stealing the NT hash the TGT can be stolen, so the situation is as bad as with NTLM.

    1. http://www.microsoft.com/en-us/download/details.aspx?id=36036
  26. Attacks on Kerberos
    1. http://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf
    2. http://www.infoworld.com/article/2626810/data-security/don-t-count-on-kerberos-to-thwart-pass-the-hash-attacks.html
  27. WCE – a tool that allows you to: 1) get cleartext passwords saved in the RAM of the lsass process; 2) get NTLM hashes from memory; 3) steal Kerberos tickets and use them to connect to another computer; 4) perform pass-the-hash attacks
    1. http://www.ampliasecurity.com/research/wcefaq.html
  28. Script that searches the network for a computer with a domain admin logged on
    1. https://github.com/nccgroup/easyda
  29. Cracks passwords and uses a silver ticket to gain privileges. Also shows using setspn to find the SPNs of services running under a user account instead of a machine account
    1. http://www.irongeek.com/i.php?page=videos/derbycon4/t120-attacking-microsoft-kerberos-kicking-the-guard-dog-of-hades-tim-medin
    2. Set of scripts for attacking Kerberos: https://github.com/nidem/kerberoast
  30. Exploiting MS14-068 (a Kerberos bug that allows changing your ticket's privileges to any privileges you want) and running Meterpreter from PowerShell
    1. https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
  31. “CVE-2014-1812 Actions such as adding a local user or configuring mapped drives or printers, when performed on a domain controller may require a password to be specified. If these preferences are then applied to the other systems in the domain, that password also has to be pushed down to those systems as well. Windows accomplishes this by transmitting an XML configuration file with all of the parameters inside. In order to prevent cleartext passwords from being transmitted over the network, the password is encrypted with AES 256 encryption and then Base64-encoded before it is stored in the XML file. The configuration file which contains the encrypted password is located on the domain controller in a subfolder of the “SYSVOL” directory. The name of the file depends on the action being applied through group policy. Some of the more common files are groups.xml, printers.xml, and drives.xml.”
    1. https://www.securestate.com/blog/2012/09/13/how-to-pwn-systems-through-group-policy-preferences
    2. https://dirteam.com/sander/2014/05/23/security-thoughts-passwords-in-group-policy-preferences-cve-2014-1812/
    3. Technical info: http://esec-pentest.sogeti.com/post/Exploiting-Windows-2008-Group-Policy-Preferences
    4. PowerShell script to extract the passwords: http://obscuresecurity.blogspot.co.il/2013/07/get-gpppassword.html https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1#L33
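A defender-side check for the GPP issue above, added here as an example (not the page's or PowerSploit's code): it scans preference XML files for a surviving cpassword attribute and reports the item, without decrypting anything, since the AES key is public and any occurrence has to be treated as an exposed credential and removed. The Groups.xml below is constructed, with placeholder clsids and a placeholder cpassword value; `scan_sysvol` assumes a locally mounted or copied SYSVOL tree.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a Groups.xml preference file (placeholder clsids, placeholder
# cpassword). Real files live under SYSVOL\<domain>\Policies\<GUID>\...\Preferences\.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="LocalAdmin" changed="2014-03-01 10:15:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_BASE64_CPASSWORD"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="Helpdesk" changed="2014-03-01 10:16:00">
    <Properties action="U" userName="Helpdesk" changeLogon="0" noChange="1" neverExpires="1"/>
  </User>
</Groups>
"""

# Preference files named on the page; all of them carry the password as a cpassword
# attribute on <Properties>, so one check covers them.
GPP_FILES = {"groups.xml", "drives.xml", "printers.xml"}


def find_cpassword_items(xml_text: str, source: str = "Groups.xml") -> List[Dict[str, str]]:
    """Return one finding per preference item that still has a cpassword attribute."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root:  # <User>, <Drive>, <Printer>, ... one element per preference item
        props = item.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue
        findings.append({
            "file": source,
            "item": item.get("name", ""),
            "userName": props.get("userName", ""),
            "changed": item.get("changed", ""),
        })
    return findings


def scan_sysvol(root_dir: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL tree (assumed mounted or copied locally) and collect all findings."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if fn.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8-sig") as fh:
                findings.extend(find_cpassword_items(fh.read(), path))
    return findings
```

A non-empty result means the preference item must be deleted and the account's password rotated; Microsoft's fix for CVE-2014-1812 only stops new passwords from being written, it does not clean up existing files.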
