Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 14:08:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] 371 pages and one asset modified

Browse source
This commit is contained in:
CPol 2020-08-30 21:17:43 +00:00 committed by gitbook-bot
parent 978bb001f5
commit 7dd4709434
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 122 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
.gitbook/assets/image (352).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 41 KiB

3
SUMMARY.md
View file

@ -41,6 +41,7 @@
* [Checklist - Local Windows Privilege Escalation](windows/checklist-windows-privilege-escalation.md)
* [Windows Local Privilege Escalation](windows/windows-local-privilege-escalation/README.md)
* [Access Tokens](windows/windows-local-privilege-escalation/access-tokens.md)
* [ACLs - DACLs/SACLs/ACEs](windows/windows-local-privilege-escalation/acls-dacls-sacls-aces.md)
* [Dll Hijacking](windows/windows-local-privilege-escalation/dll-hijacking.md)
* [From High Integrity to SYSTEM with Name Pipes](windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md)
@ -91,7 +92,7 @@
* [Stealing Credentials](windows/stealing-credentials/README.md)
* [Credentials Protections](windows/stealing-credentials/credentials-protections.md)
* [Mimikatz](windows/stealing-credentials/credentials-mimikatz.md)
* [Authentication, Credentials, Token privileges, UAC and EFS](windows/credentials.md)
* [Authentication, Credentials, UAC and EFS](windows/credentials.md)
* [Basic CMD for Pentesters](windows/basic-cmd-for-pentesters.md)
* [Basic PowerShell for Pentesters](windows/basic-powershell-for-pentesters/README.md)
* [PowerView](windows/basic-powershell-for-pentesters/powerview.md)

4
windows/basic-cmd-for-pentesters.md
View file

@ -116,6 +116,10 @@ net user /add [username] [password] #Create user
#Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe
```
### Groups

56
windows/credentials.md
View file

@ -1,4 +1,4 @@
# Authentication, Credentials, Token privileges, UAC and EFS
# Authentication, Credentials, UAC and EFS
## Security Support Provider Interface \(SSPI\)
@ -56,60 +56,6 @@ It is the database of the Active Directory. It is only present in Domain Control
Allows browsers and other Windows applications to save credentials.
## Process Privileges
**Privileges:**
* Operations on the system:
* loading device drivers
* system shutdown
* timezone change
* ...
* Assigned to user/group
**Access Rights:**
* Access to securable objects
* files/dirs,pipes, registry keys, Windows services, printers, jobs, network shares, access tokens, desktops,...
* Assignedto object's ACL
## Access Tokens
Learn more about tokens in this tutorials: [https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa](https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa) and [https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)
It is used to describe the security context of a process or a thread.
When a user logins, he is given an access token, and when the user creates a process, an access token derivated from the one of the user is assigned. The token contains information like the SID of the uses, the groups of the user, the privileges assigned to the user and its groups...
You can see this information executing `whoami /all` or using _Process Explorer_ from Sysinternals.
When a local administrator logins, two access tokens are created: One with admin rights and other one with normal rights \(Default one\), and to execute a process as administrator the UAC is involved.
The access token has also a reference of the logon sessions inside the LSASS, this is useful if the process needs to access some objects of the network.
You can see the current logon sessions executing as administrator the binary _logonsessions_ of Sysinternals.
You can create a new logon session with new credentials that will be used only in the network:
```text
runas /user:domain\username /netonly cmd.exe
```
### Types of tokens
There are 2 types of tokens:
* **Primary**: **Default** security information of the process or thread.
* **Impersonation**: Allows the process to **act on behalf of another user**. For example, on a client server architecture if the client wants to access some files in the shared folder, the server need a copy of the user token to check if it has sufficient permissions.
#### Impersonate Tokens
Using the _**incognito**_ **module** of metasploit if you have enough privileges you can easily **list** and **impersonate** other **tokens**. This could be useful to perform **actions as if you where the other user**. You could also **escalate privileges** with this technique.
### Token Privileges
Learn which [**token privileges can be abused to escalate privileges in this page**](windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md).
Take a look to [**all the possible token privileges and some definitions on this page**](https://github.com/gtworek/Priv2Admin).
## UAC
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user. When, the administrator executes some process **as administrator**, a **UAC elevation** is performed and if it is successfully completed, the privileged token is used to create the process.

6
windows/windows-local-privilege-escalation/README.md
View file

@ -6,6 +6,12 @@ If you want to **know** about my **latest modifications**/**additions**, **join
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
## Access Tokens
**If you don't know what are Windows Access Tokens, read the following page before continuing:**
{% page-ref page="access-tokens.md" %}
## ACLs - DACLs/SACLs/ACEs
**If you don't know what is any of the acronyms used in the heading of this section, read the following page before continuing**:

105
windows/windows-local-privilege-escalation/access-tokens.md Normal file
View file

@ -0,0 +1,105 @@
# Access Tokens
## Access Tokens
Each **user logged** onto the system **holds an access token with security information** for that logon session. The system creates an access token when the user logs on. **Every process executed** on behalf of the user **has a copy of the access token**. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID \(Security Identifier\) that identifies the current logon session.
You can see this information executing `whoami /all`
```text
whoami /all
USER INFORMATION
----------------
User Name SID
===================== ============================================
desktop-rgfrdxl\cpolo S-1-5-21-3359511372-53430657-2078432294-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============================================================================================================= ==================================================
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MicrosoftAccount\cpolop@outlook.com User S-1-11-96-3623454863-58364-18864-2661722203-1597581903-3158937479-2778085403-3651782251-2842230462-2314292098 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cloud Account Authentication Well-known group S-1-5-64-36 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
```
or using _Process Explorer_ from Sysinternals \(select process and access"Security" tab\):
![](../../.gitbook/assets/image%20%28352%29.png)
### Local administrator
When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** \(non-administrator\) **rights is used**. When this user tries to **execute** anything **as administrator** \("Run as Administrator" for example\) the **UAC** will be used to ask for permission.
If you want to [**learn more about the UAC read this page**](../credentials.md#uac)**.**
### Credentials user impersonation
If you have **valid credentials of any other user**, you can **create** a **new logon session** with those credentials :
```text
runas /user:domain\username cmd.exe
```
The **access token** has also a **reference** of the logon sessions inside the **LSASS**, this is useful if the process needs to access some objects of the network.
You can launch a process that **uses different credentials for accessing network services** using:
```text
runas /user:domain\username /netonly cmd.exe
```
This is useful if you have useful credentials to access objects in the network but those credentials aren't valid inside the current host as they are only going to be used in the network \(in the current host your current user privileges will be used\).
### Types of tokens
There are two types of tokens available:
* **Primary token**: Primary tokens can only be **associated to processes**, and they represent a process's security subject. The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of privilege separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's operating system shell. Processes initially inherit a copy of the parent process's primary token.
* **Impersonation token**: Impersonation is a security concept implemented in Windows NT that **allows** a server application to **temporarily** "**be**" **the client** in terms of access to secure objects. Impersonation has **four possible levels**:
* **anonymous**, giving the server the access of an anonymous/unidentified user
* **identification**, letting the server inspect the client's identity but not use that identity to access objects
* **impersonation**, letting the server act on behalf of the client
* **delegation**, same as impersonation but extended to remote systems to which the server connects \(through the preservation of credentials\).
The client can choose the maximum impersonation level \(if any\) available to the server as a connection parameter. Delegation and impersonation are privileged operations \(impersonation initially was not, but historical carelessness in the implementation of client APIs failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it\). **Impersonation tokens can only be associated to threads**, and they represent a client process's security subject. Impersonation tokens are usually created and associated to the current thread implicitly, by IPC mechanisms such as DCE RPC, DDE and named pipes.
#### Impersonate Tokens
Using the _**incognito**_ **module** of metasploit if you have enough privileges you can easily **list** and **impersonate** other **tokens**. This could be useful to perform **actions as if you where the other user**. You could also **escalate privileges** with this technique.
### Token Privileges
Learn which [**token privileges can be abused to escalate privileges in this page**](privilege-escalation-abusing-tokens.md).
Take a look to [**all the possible token privileges and some definitions on this external page**](https://github.com/gtworek/Priv2Admin).
## References
Learn more about tokens in this tutorials: [https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa](https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa) and [https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)

4
windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
View file

@ -2,6 +2,10 @@
## Tokens
If you **don't know what are Windows Access Tokens** read this page before continuing:
{% page-ref page="access-tokens.md" %}
**Maybe you could be able to escalate privileges abusing the tokens you already have**
### SeImpersonatePrivilege \(3.1.1\)