Well, that escalated quickly! - A penetration tester's approach to privilege escalation
Author: Khalil Bijjou | SEC Consult | Confidentiality Class: Public
© 2018 SEC Consult | All rights reserved
Escalating Privileges – Why?
• Usually, attackers initially gain only low-privileged access to a system
• High privileges are required to be fully operative
• Escalating privileges is an important and complex aspect of a penetration test
• Little literature that deals with privilege escalation in depth has been identified
Main Goals
• Impart in-depth knowledge of the theory and practice of different privilege
escalation attacks and concepts
• Provide penetration testers with a practical and systematic privilege
escalation approach
Windows Basics
Overview
• Windows is the de-facto standard operating system for company desktops
and holds a total desktop market share of over 80%
• Windows Server is often used in company networks
• Contains a number of different components and (security) mechanisms
• On a local Windows system, Administrator and SYSTEM are the highest
privileges
Registry
• Composed of keys and values
• Keys included in other keys are called sub-keys
• Highest level keys are called root keys
• Stores
• boot and system information
• systemwide software settings
• the security database and
• per-user configuration settings
• Every key is protected by its own ACL
Processes
• A process contains a set of resources used when executing the instance of the
program:
• an executable program mapped into the process’ private virtual address
space
• a security context (called access token) which includes identification of the
user, security groups, privileges, etc.
• a process ID
• one or more threads of execution
Jobs & Threads
• Jobs are groups of processes
• Threads are entities within a process
Services
• Used to start processes at system startup, without an interactive user
• Run in the security context of a user account, mostly a non-interactive one and usually SYSTEM
• Consist of at least one executable file
Service Accounts
Name | Privileges | Attributes
Local System Account | Can enable all privileges -> highest privileges possible | Also referred to as the SYSTEM account. Core Windows components run under the Local System Account.
Network Service Account | High privileges | Used by services that authenticate themselves to network services (they do so with the computer account).
Local Service Account | Same as Network Service Account -> but cannot be used for authenticating to network services | Presents anonymous credentials on the network.
Startup Programs & Scheduled Tasks
• Similar to services
• Loading of an executable file at startup that runs under a certain user
Privilege Escalation - Methods and Techniques
Overview
• Some techniques may be applicable to several Windows components due to
their similar design
• Attack trees will give an overview of different techniques for exploiting a
certain component or mechanism
Insecure Services
Insecure Services - Weak Executable File Permissions
• Service's executable or configuration file (or the directory that contains it) has weak permissions
• Can be modified by a low-privileged user
→ Exploit: replace or modify the file and trigger a restart of the service (or wait for a reboot); the payload then runs in the service's account, usually SYSTEM
Insecure Services – Unquoted Service Paths
• Service paths that are not enclosed in double quotes and contain white space are possibly vulnerable
• Windows cannot tell where the executable name ends and the arguments begin, so it tries the path cut at each white space (with .exe appended) in turn, starting with the first
→ Exploit: if write permissions to one of the tried locations are given, a malicious executable can be created there and will be executed upon restart of the service, in the service's account
  Tried first:  C:\Program.exe
  Real binary:  C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
• Caveat: creating C:\Program.exe needs write access to the root of C:\, which default ACLs do not grant to standard users; paths with further spaces (e.g. in a vendor directory) add candidates in directories that are more often writable
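The two service checks above, weak file permissions and unquoted paths, lend themselves to automation. The following Python is an added example (not code from the slides or from SEC Consult): it derives the candidate executables CreateProcess probes for an unquoted path and parses `icacls` output for write rights held by low-privileged principals. All service names, paths and ACL lines are constructed to mimic `sc qc` (BINARY_PATH_NAME) and `icacls` output; the rule that an argument list starts at the first ` -` or ` /` is an assumption of this example.

```python
"""Added example (Python; not code from the original slides): automate the two
checks described above, unquoted service paths and service binaries with weak
file permissions, against constructed data mimicking what `sc qc <service>`
(BINARY_PATH_NAME) and `icacls <file>` print on Windows. Every service name,
path and ACL line here is constructed for illustration."""
import re
from typing import Dict, List, Set, Tuple

# icacls right abbreviations that allow changing a file's content:
# F full, M modify, W write, GA/GW generic all/write, WD write data, AD append data.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD"}
# Principals any low-privileged interactive user belongs to.
LOW_PRIV_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                       "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}


def split_image_path(binary_path_name: str) -> Tuple[str, bool]:
    """Return (executable path, was_quoted) from a BINARY_PATH_NAME value.
    A quoted path ends at the closing quote. An unquoted one is taken up to the
    first ' -' or ' /' argument switch (assumption of this example); anything
    else stays part of the path, which is exactly the ambiguity CreateProcess
    resolves by probing."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = re.search(r"\s[-/]", s)
    return (s[: m.start()] if m else s), False


def unquoted_path_candidates(binary_path_name: str) -> List[str]:
    """Executables CreateProcess tries, in order, before reaching the real
    binary: the path cut at each space with '.exe' appended. Empty when the
    path is quoted or contains no space."""
    path, quoted = split_image_path(binary_path_name)
    if quoted:
        return []
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]


def parse_icacls(output: str, file_path: str) -> List[Tuple[str, Set[str]]]:
    """Parse icacls output into (principal, rights) pairs. The first line
    carries the file path before the first ACE, later ACEs are indented, and
    the summary line at the end does not match and is skipped. Deny ACEs grant
    nothing and are dropped (simplification: a deny would also override an
    allow for the same principal, which this parser does not model)."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(file_path.lower()):
            line = line[len(file_path):].strip()
        m = re.match(r"^(.+):((?:\([^)]*\))+)$", line)
        if not m:
            continue
        flags = {f for grp in re.findall(r"\(([^)]*)\)", m.group(2))
                 for f in grp.split(",")}
        if "DENY" in flags:
            continue
        entries.append((m.group(1), flags - INHERITANCE_FLAGS))
    return entries


def writable_by_low_priv(entries: List[Tuple[str, Set[str]]]) -> List[str]:
    """Principals a low-privileged user holds that can rewrite the file."""
    return sorted(p for p, rights in entries
                  if p in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS)


def audit_service(name: str, binary_path_name: str, icacls_output: str) -> Dict[str, object]:
    """Combine both checks for one service into a small finding record."""
    path, _ = split_image_path(binary_path_name)
    return {
        "service": name,
        "unquoted_path_candidates": unquoted_path_candidates(binary_path_name),
        "writable_by": writable_by_low_priv(parse_icacls(icacls_output, path)),
    }


# --- constructed sample data, modelled on real sc/icacls output formats ---
WAVES_PATH = r"C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
ICACLS_WEAK = WAVES_PATH + r""" BUILTIN\Users:(I)(M)
                                                    NT AUTHORITY\SYSTEM:(I)(F)
                                                    BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
ICACLS_OK = WAVES_PATH + r""" BUILTIN\Users:(I)(RX)
                                                    NT AUTHORITY\SYSTEM:(I)(F)
                                                    BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for svc, image, acl in [("WavesSysSvc", WAVES_PATH, ICACLS_WEAK),
                            ("WavesSysSvc", '"' + WAVES_PATH + '"', ICACLS_OK)]:
        print(audit_service(svc, image, acl))
```

On a real engagement the inputs come from `sc qc <name>` (or `wmic service get name,pathname`) and `icacls "<path>"`; the record a finding produces is what goes into the report for Phase 3, together with the ACE that grants the write.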
Insecure Services – DLL Hijacking
• Applications that load a DLL by name only (no absolute path), in particular a DLL that is missing on the system, may be prone to DLL hijacking
• Windows searches for the DLL in the following directories, in this order (SafeDllSearchMode enabled, which is the default):
  • The directory from which the application is loaded
  • C:\Windows\System32
  • C:\Windows\System
  • C:\Windows
  • The current working directory
  • Directories in the system PATH environment variable
  • Directories in the user PATH environment variable
→ Exploit: if write permissions to one of the above folders are granted, and that folder is probed before the one holding the real DLL (or the DLL is missing altogether), a malicious DLL file can be placed there
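Whether a writable directory is useful depends on where in the order it sits relative to the real DLL. The following Python is an added example (not code from the slides or from SEC Consult) that models the search order above and reports the directories a low-privileged user could plant a DLL in. The directory names, DLL names and the "present" and "writable" sets are constructed for illustration; on a real host they come from the process's imports and from `icacls` on each directory.

```python
"""Added example (Python; not code from the original slides): walk the DLL search
order listed above and report where a low-privileged user could plant a DLL that
the loader would pick up first. Directory names, the DLL name and the 'writable'
and 'present' sets are constructed; on a real host they come from the process's
import table and from icacls / Get-Acl on each directory."""
import ntpath
from typing import Dict, List, Sequence, Set


def _norm(d: str) -> str:
    """Case-insensitive, separator-normalised key for a Windows path."""
    return ntpath.normcase(ntpath.normpath(d))


def dll_search_order(app_dir: str, cwd: str, system_root: str = r"C:\Windows",
                     system_path: Sequence[str] = (), user_path: Sequence[str] = ()) -> List[str]:
    """Probe order with SafeDllSearchMode enabled (the default): application
    directory, System32, System, Windows directory, current working directory,
    then PATH (system part first, then the user's part). Duplicates are removed
    case-insensitively, as the loader would not probe a directory twice."""
    order = [app_dir,
             ntpath.join(system_root, "System32"),
             ntpath.join(system_root, "System"),
             system_root,
             cwd,
             *system_path, *user_path]
    seen: Set[str] = set()
    result: List[str] = []
    for d in order:
        if _norm(d) not in seen:
            seen.add(_norm(d))
            result.append(d)
    return result


def hijack_opportunities(dll_name: str, order: List[str], present: Dict[str, Set[str]],
                         writable: Set[str]) -> Dict[str, object]:
    """Return where the loader would actually find dll_name (None if nowhere,
    the 'missing DLL' case from the slide) and the writable directories it
    probes *before* that point. Planting a DLL in any of those wins; writable
    directories probed after the real DLL are useless. Known DLLs (the
    HKLM KnownDLLs list, e.g. kernel32.dll) never go through this search and
    are not modelled here."""
    present_n = {_norm(d): {n.lower() for n in names} for d, names in present.items()}
    writable_n = {_norm(d) for d in writable}
    plantable: List[str] = []
    for d in order:
        if dll_name.lower() in present_n.get(_norm(d), set()):
            return {"loaded_from": d, "plantable": plantable}
        if _norm(d) in writable_n:
            plantable.append(d)
    return {"loaded_from": None, "plantable": plantable}


# --- constructed scenario -------------------------------------------------
APP_DIR = r"C:\Program Files\ExampleVendor\Agent"
ORDER = dll_search_order(APP_DIR, cwd=r"C:\Users\alice",
                         system_path=[r"C:\Windows\System32", r"C:\Tools"],
                         user_path=[r"C:\Users\alice\AppData\Local\bin"])
PRESENT = {r"C:\Windows\System32": {"kernel32.dll", "version.dll"},
           APP_DIR: {"agent.exe"}}
WRITABLE = {APP_DIR,                                   # vendor shipped a weak ACL
            r"C:\Tools",                               # admin-created PATH directory
            r"C:\Users\alice", r"C:\Users\alice\AppData\Local\bin"}

if __name__ == "__main__":
    for dll in ("vendorhelper.dll", "version.dll"):
        print(dll, hijack_opportunities(dll, ORDER, PRESENT, WRITABLE))
```

The `version.dll` case shows the general rule: even a DLL that exists in System32 can be hijacked when the application directory is writable, because that directory is probed first; the missing `vendorhelper.dll` case is the one the slide describes, where every writable directory in the order is a candidate.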
Insecure Startup Programs
Insecure Scheduled Tasks
Outdated Software
• Companies cannot always deploy patches in a timely manner
• Successful kernel (or driver) exploits result in SYSTEM privileges
→ Exploit: public exploits for vulnerabilities in applications or services that run as high-privileged processes result in privilege escalation
Weak Passwords
• Users may use weak passwords, which can be guessed by:
  • Wordlist attacks
  • Brute-force attacks
• Plaintext (or merely base64-obfuscated) passwords in files:
  ▪ C:\unattend.xml
  ▪ C:\Windows\Panther\Unattend.xml
  ▪ C:\Windows\Panther\Unattend\Unattend.xml
  ▪ C:\Windows\system32\sysprep\*
  ▪ …
• Plaintext passwords in the registry:
  ▪ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName / DefaultPassword when AutoAdminLogon is set)
  ▪ …
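Extracting credentials from the two locations above is mostly parsing. The following Python is an added example (not code from the slides or from SEC Consult) working on constructed samples of an unattend.xml answer file and of `reg query` output for the Winlogon key. Two details worth knowing that the slide does not state: with `<PlainText>false</PlainText>` the answer-file `<Value>` is base64 of the UTF-16LE password with the element name appended ("Password" or "AdministratorPassword"), which the decoder strips; and an AutoAdminLogon password is only in the `DefaultPassword` registry value when it was set by hand, otherwise it lives in an LSA secret that needs SYSTEM to read. The account names and passwords are constructed.

```python
"""Added example (Python; not code from the original slides): pull credentials out
of the two locations named above, an unattend.xml answer file and the Winlogon
registry key, from constructed sample data."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple


def encode_hidden(password: str, element: str) -> str:
    """How Windows Setup obfuscates a non-plaintext answer-file password:
    base64(UTF-16LE(password + element name))."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


def decode_hidden(value: str, element: str) -> str:
    """Reverse encode_hidden; the suffix is only stripped if actually present."""
    text = base64.b64decode(value).decode("utf-16-le")
    return text[: -len(element)] if text.endswith(element) else text


def _local(tag: str) -> str:
    """Strip the urn:schemas-microsoft-com:unattend namespace from a tag."""
    return tag.rsplit("}", 1)[-1]


def unattend_credentials(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Every <Password>/<AdministratorPassword> with a Value, decoded, together
    with the account it belongs to (AutoLogon/Username, LocalAccount/Name, or
    the built-in Administrator)."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name not in ("Password", "AdministratorPassword"):
            continue
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if not kids.get("Value"):
            continue
        hidden = kids.get("PlainText", "true").lower() == "false"
        password = decode_hidden(kids["Value"], name) if hidden else kids["Value"]
        siblings = {_local(c.tag): (c.text or "").strip() for c in parent.get(el, [])}
        user = ("Administrator" if name == "AdministratorPassword"
                else siblings.get("Username") or siblings.get("Name"))
        found.append({"element": name, "username": user, "password": password})
    return found


def parse_reg_query(text: str) -> Dict[str, str]:
    """Turn `reg query "HKLM\\...\\Winlogon"` output into {value name: data}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def winlogon_autologon(values: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """(DOMAIN\\user, password) if auto-logon is on and the password is stored
    in the registry in the clear; None otherwise (then check the LSA secret)."""
    if values.get("AutoAdminLogon", "0").strip() != "1":
        return None
    user, password = values.get("DefaultUserName"), values.get("DefaultPassword")
    if not user or password is None:
        return None
    domain = values.get("DefaultDomainName")
    return (f"{domain}\\{user}" if domain else user, password)


# --- constructed samples ----------------------------------------------------
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{encode_hidden('Spring2018!', 'Password')}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled><Username>svc_deploy</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Winter2018!</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

SAMPLE_WINLOGON = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    CORP
    DefaultUserName    REG_SZ    svc_kiosk
    DefaultPassword    REG_SZ    Kiosk#2018
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    for cred in unattend_credentials(SAMPLE_UNATTEND):
        print(cred)
    print(winlogon_autologon(parse_reg_query(SAMPLE_WINLOGON)))
```

Recovered credentials are tried against the local Administrator account and, with the domain prefix, against the domain; in the report they are censored as Phase 3 requires.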
Insufficient Physical Access Protection
• An attacker with physical access to a system has additional attack vectors:
  • Unencrypted disks can be attacked by booting another operating system and replacing or manipulating Windows startup components
  • The same attack applies to encrypted disks that do not require a token (e.g. a PIN or a USB key) for decryption, once the decryption key has been extracted from memory
  • Attacks against CPU microcontrollers are possible
Privilege Escalation Approach
Overview
• The approach consists of three phases: general information gathering, method and technique iteration, and reporting
Phase 1: General Information Gathering
• Systems have different Windows versions, service packs, CPU
architectures, purposes, network configurations, etc.
• Goal is to have a good overview of the system
Phase 2: Method and Technique Iteration
• Privilege escalation methods and techniques are iterated through in this
phase
• These can be ordered according to the penetration test's objective
• Every iteration consists of four steps
Steps of Phase 2
• [Step 1] Information Gathering:
▪ Check whether system is vulnerable to the method
• [Step 2] Research and Development:
▪ Gather information about available exploits and customize to target
system
▪ A test environment can be set-up
▪ Possible security mechanisms have to be considered
▪ Very important, as there may be only one attempt
• [Step 3] Exploitation:
▪ Test the exploit developed in step 2.
▪ Sometimes the previous steps have to be repeated
• [Step 4] Post-Exploitation
▪ Document the previous steps
▪ In case monitoring systems are in place, identify whether the attack has
been detected
Phase 3: Reporting
• Any vulnerability should be reported, independent of whether it was exploitable or not
• Passwords and sensitive data should be censored
• If evidence of a previous compromise has been found, the customer should be informed right away
• Exploits, added users and other modifications should be documented
Tools
• Metasploit: https://github.com/rapid7/metasploit-framework
• PowerSploit (Privesc module): https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
• BeRoot: https://github.com/AlessandroZ/BeRoot
• Windows-Exploit-Suggester: https://github.com/GDSSecurity/Windows-Exploit-Suggester
Conclusion
• What was covered:
  • Windows basics
  • Privilege escalation concepts
  • An approach for penetration testers
  • Tools that can be used
• The content can be used by system administrators and architects to improve their systems' security
• Windows systems:
  • offer a great number of security mechanisms
  • allow a granular configuration of privileges and access rights
  • are typically patched quickly
Q&A Session
P.S.: We are in need of curious and smart people! --> (k.bijjou@sec-consult.com)
Khalil Bijjou
k.bijjou@sec-consult.com
+41 79 896 73 08
SEC Consult (Schweiz) AG
Turbinenstrasse 28
8005 Zürich, Schweiz
www.sec-consult.com
Any further questions?
Don‘t hesitate to contact me.
SEC Consult
Portfolio
• Vulnerability Lab
• Security Consulting
• ISMS Consulting
• Trainings
• …
Career
• Curiosity and enthusiasm for security
• Participate in bleeding-edge technology projects
• Permanent learning
About
• Security consulting since 2002
• Advisories: severe vulnerabilities in popular products found
• International team
• Different locations
https://www.sec-consult.com

Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

Plus de DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Dernier

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Dernier (20)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Well, that escalated quickly! - a penetration tester's approach to privilege escalation

  • 1. Well, that escalated quickly! - A penetration tester's approach to privilege escalation
    © 2017 SEC Consult | All rights reserved © 2018 SEC Consult | All rights reserved © fotolia 62904980 Title: Well, that escalated quickly! - a penetration tester's approach to privilege escalation | Author: Khalil Bijjou | Confidentiality Class: Public
  • 2. Escalating Privileges – Why?
    • Usually, attackers gain low privileged access to a system
    • High privileges are required to be fully operative
    • Escalating privileges is an important and complex aspect of a penetration test
    • Little literature that profoundly deals with privilege escalation has been identified
  • 3. Main Goals
    • Impart in-depth knowledge of the theory and practice of different privilege escalation attacks and concepts
    • Provide penetration testers with a practical and systematic privilege escalation approach
  • 4. Windows Basics
    Title: SEC Consult // who we are. | Responsible: U. Fleck | Version / Date: V1.0/2018-04 | Confidentiality Class: public
  • 5. Overview
    • Windows is the de-facto standard operating system for company desktops and holds a total desktop market share of over 80%
    • Windows Server is often used in company networks
    • Contains a number of different components and (security) mechanisms
    • On a local Windows system, Administrator and SYSTEM are the highest privileges
  • 6. Registry
    • Composed of keys and values
    • Keys included in other keys are called sub-keys
    • Highest level keys are called root keys
    • Stores
      ▪ boot and system information
      ▪ systemwide software settings
      ▪ the security database and
      ▪ per-user configuration settings
    • Protected by an ACL
  • 7. Processes
    • A process contains a set of resources used when executing the instance of the program:
      ▪ an executable program mapped into the process’ private virtual address space
      ▪ a security context (called access token) which includes identification of the user, security groups, privileges, etc.
      ▪ a process ID
      ▪ one or more threads of execution
  • 8. Jobs & Threads
    • Jobs are groups of processes
    • Threads are entities within a process
  • 9. Services
    • Used to start processes at system startup
    • Run in the context of a user
      ▪ Mostly non-interactive users
      ▪ Usually in the context of the SYSTEM user
    • Consist of at least one executable file
  • 10. Service Accounts
    Name | Privileges | Attributes
    Local System Account | Can enable all privileges -> highest privileges possible | Also referred to as SYSTEM account. Core Windows components run under the Local System Account.
    Network Service Account | High privileges | Is used by services that authenticate themselves to network services.
    Local Service Account | Same as Network Service Account | -> but can not be used for authenticating to network services
  • 11. Startup Programs & Scheduled Tasks
    • Similar to services
    • Loading of an executable file at startup that runs under a certain user
  • 12. Privilege Escalation - Methods and Techniques
  • 13. Overview
    • Some techniques may be applicable to several Windows components due to their similar design
    • Attack trees will give an overview of different techniques for exploiting a certain component or mechanism
  • 14. Insecure Services
  • 15. Insecure Services - Weak Executable File Permissions
    • Service’s executable or configuration file with weak permissions
    • Can be modified by a low privileged user
    → Exploit: Replace or modify the file and trigger a restart of the service
  • 16. Insecure Services – Unquoted Service Paths
    • File paths that are not embedded within double quotes and contain white spaces are possibly vulnerable
    • Windows tries to execute a file at the position of the first white space
    → Exploit: If write permissions to C:\ are given, a malicious Program.exe can be created and will be executed upon restart of the service
      C:\Program.exe
      C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
  • 17. Insecure Services – DLL Hijacking
    • Applications that try to load a missing DLL file and use relative file paths may be prone to DLL Hijacking
    • Windows tries to find the missing DLL file in the following directories:
      ▪ The directory from which the application is loaded
      ▪ C:\Windows\System32
      ▪ C:\Windows\System
      ▪ C:\Windows
      ▪ The current working directory
      ▪ Directories in the system PATH environment variable
      ▪ Directories in the user PATH environment variable
    → Exploit: if write permissions to one of the above folders are granted, a malicious DLL file can be placed
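The three service weaknesses on slides 15 to 17 can be audited from the defender's side with one script. This is an added example, not code from the slides or from SEC Consult; it assumes English built-in identity names (BUILTIN\Users, NT AUTHORITY\Authenticated Users) and reads service definitions through the Win32_Service CIM class.

```powershell
# Added example, not part of the slides: audits Windows services for the three
# weaknesses on slides 15-17 (writable executable, unquoted path with spaces,
# writable directory in the DLL search order). Run as an administrator so that
# every ACL can be read. Identity names are the English built-in names.

$LowPrivIdentities = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a user replace or alter a file, or create files in a directory.
$WriteRightsPattern = '\b(Write|WriteData|CreateFiles|Modify|FullControl|Delete|ChangePermissions|TakeOwnership)\b'

function Test-LowPrivWrite {
    param([string]$Path)
    # $true when a low privileged identity holds an Allow ACE with a write-type right.
    # Generic rights appear as numbers in FileSystemRights and are not decoded here.
    if (-not $Path) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights.ToString() -match $WriteRightsPattern) { return $true }
    }
    return $false
}

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Executable part of a raw service command line, quoted or not:
    #   "C:\Program Files\Foo\svc.exe" -arg  ->  C:\Program Files\Foo\svc.exe
    #   C:\Program Files\Foo\svc.exe -arg    ->  C:\Program Files\Foo\svc.exe
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.*?\.exe)') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Get-UnquotedPathCandidates {
    param([string]$ExePath)
    # Slide 16: for C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe the loader
    # tries C:\Program.exe before the real file; one candidate per space in the path.
    $candidates = @()
    $idx = $ExePath.IndexOf(' ')
    while ($idx -gt 0) {
        $candidates += $ExePath.Substring(0, $idx) + '.exe'
        $idx = $ExePath.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

function Get-SystemDllSearchDirectories {
    # Slide 17, minus the application directory (checked per service below). A
    # service's current working directory is normally System32, so it is covered;
    # $env:Path is the merged system and user PATH of the auditing session.
    @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot) +
        @($env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
}

function New-Finding {
    param($Service, [string]$Issue, [string]$Detail)
    [pscustomobject]@{ Service = $Service.Name; RunsAs = $Service.StartName; Issue = $Issue; Detail = $Detail }
}

function Invoke-ServiceAudit {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutablePath $svc.PathName

        # Slide 15: the executable itself can be modified by a low privileged user
        if (Test-LowPrivWrite $exe) { $findings += New-Finding $svc 'WeakExecutablePermissions' $exe }

        # Slide 16: unquoted path with spaces; report each directory the loader would consult
        if ($svc.PathName -notmatch '^\s*"' -and $exe -match ' ') {
            foreach ($cand in Get-UnquotedPathCandidates $exe) {
                $dir = Split-Path -Parent $cand
                $writable = Test-LowPrivWrite $dir
                $findings += New-Finding $svc 'UnquotedServicePath' "$cand (directory writable by low-priv users: $writable)"
            }
        }

        # Slide 17: the application directory is the first DLL search location
        $appDir = Split-Path -Parent $exe
        if (Test-LowPrivWrite $appDir) { $findings += New-Finding $svc 'WritableApplicationDirectory' $appDir }
    }
    # Slide 17: system-wide search-order directories, checked once
    foreach ($dir in Get-SystemDllSearchDirectories) {
        if (Test-LowPrivWrite $dir) {
            $findings += [pscustomobject]@{ Service = '(all)'; RunsAs = ''; Issue = 'WritableDllSearchDirectory'; Detail = $dir }
        }
    }
    return $findings
}

Invoke-ServiceAudit | Format-Table -AutoSize
```

An UnquotedServicePath finding is only exploitable when the reported directory is writable, so fix the ones marked True first (quote the path with sc.exe config or in the vendor installer) and tighten the directory ACL.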
  • 18. Insecure Startup Programs
  • 19. Insecure Scheduled Tasks
  • 20. Outdated Software
    • Companies can not always deploy patches in a timely manner
    • Successful kernel exploits result in SYSTEM privileges
    → Exploit: vulnerabilities in applications that run as high privileged processes result in privilege escalation
  • 21. Weak Passwords
    • Users may use weak passwords:
      ▪ Wordlist
      ▪ Brute force attacks
    • Plaintext passwords in files:
      ▪ C:\unattend.xml
      ▪ C:\Windows\Panther\Unattend.xml
      ▪ C:\Windows\Panther\Unattend\Unattend.xml
      ▪ C:\Windows\system32\sysprep\*
      ▪ …
    • Plaintext passwords in registry:
      ▪ HKLM\Software\Microsoft\Windows NT\WinLogon
      ▪ …
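The file and registry locations on slide 21 can be checked without ever printing a secret. This is an added example, not code from the slides; it assumes the answer-file layout `<Password><Value>…</Value><PlainText>…</PlainText></Password>` used by Windows unattend files and the full Winlogon key path `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (the slide abbreviates it).

```powershell
# Added example, not part of the slides: checks the locations listed on slide 21
# for stored credentials. Secrets are never written to the output; only their
# location and length are reported, so the report does not become a password store.

$UnattendFiles = @(
    "$env:SystemDrive\unattend.xml",
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml"
)
$SysprepDir = "$env:SystemRoot\System32\Sysprep"   # the slide's sysprep\* entry
# Slide 21 abbreviates the key; this is the full path of the Winlogon key.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function New-CredentialFinding {
    param([string]$Location, [string]$Item, [string]$Encoding, [int]$Length)
    [pscustomobject]@{
        Location = $Location; Item = $Item; Encoding = $Encoding
        Value    = "<redacted, $Length chars>"
    }
}

function Find-UnattendPasswords {
    param([string]$XmlPath)
    # Answer files store credentials as <Password><Value>..</Value><PlainText>true|false</PlainText></Password>.
    # With PlainText=false the value is base64 encoded (Microsoft documents this as
    # obfuscation, not encryption). local-name() sidesteps the unattend XML namespace.
    try { [xml]$doc = Get-Content -LiteralPath $XmlPath -Raw -ErrorAction Stop } catch { return @() }
    $findings = @()
    foreach ($node in $doc.SelectNodes('//*[local-name()="Password"]')) {
        $value = $node.SelectSingleNode('*[local-name()="Value"]')
        if (-not $value -or -not $value.InnerText) { continue }
        $plain = $node.SelectSingleNode('*[local-name()="PlainText"]')
        $enc = if ($plain -and $plain.InnerText -eq 'false') { 'base64 (not encryption)' } else { 'plaintext' }
        $findings += New-CredentialFinding $XmlPath ($node.ParentNode.LocalName + '/Password') $enc $value.InnerText.Length
    }
    return $findings
}

function Find-WinlogonCredentials {
    # DefaultPassword, AutoAdminLogon and DefaultUserName are the automatic-logon
    # values under the Winlogon key.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $findings = @()
    if ($props.DefaultPassword) {
        $findings += New-CredentialFinding $WinlogonKey 'DefaultPassword' 'plaintext' $props.DefaultPassword.Length
    }
    if ($props.AutoAdminLogon -eq '1') {
        $findings += [pscustomobject]@{ Location = $WinlogonKey; Item = 'AutoAdminLogon'; Encoding = 'n/a'
                                        Value = "enabled for user '$($props.DefaultUserName)'" }
    }
    return $findings
}

function Invoke-StoredCredentialAudit {
    $files = $UnattendFiles + @(Get-ChildItem -LiteralPath $SysprepDir -Filter *.xml -Recurse -ErrorAction SilentlyContinue |
                                Select-Object -ExpandProperty FullName)
    $results = @()
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $results += Find-UnattendPasswords $f }
    }
    $results += Find-WinlogonCredentials
    return $results
}

Invoke-StoredCredentialAudit | Format-Table -AutoSize
```

Any hit should be followed by removing the answer file (or its sensitive sections) after deployment, clearing DefaultPassword, and rotating the exposed credential.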
  • 22. Insufficient Physical Access Protection
    • An attacker with physical access to a system has more attack vectors:
      ▪ Unencrypted disks can be attacked by replacing or manipulating Windows startup functions
      ▪ The same attack can be applied to encrypted disks that do not require a token for decryption, after successfully extracting the decryption key from memory
      ▪ Attacks against the CPU microcontroller are possible
  • 23. Privilege Escalation Approach
  • 24. Overview
  • 25. Phase 1: General Information Gathering
    • Systems have different Windows versions, service packs, CPU architectures, purposes, network configurations, etc.
    • Goal is to have a good overview of the system
  • 26. Phase 2: Method and Technique Iteration
    • Privilege escalation methods and techniques are iterated through in this phase
    • These can be ordered according to the penetration test’s objective
    • Every iteration consists of four steps
  • 27. Steps of Phase 2
    • [Step 1] Information Gathering:
      ▪ Check whether the system is vulnerable to the method
    • [Step 2] Research and Development:
      ▪ Gather information about available exploits and customize them to the target system
      ▪ A test environment can be set up
      ▪ Possible security mechanisms have to be considered
      ▪ Very important, as possibly only one attempt is given
  • 28. Steps of Phase 2
    • [Step 3] Exploitation:
      ▪ Test the exploit developed in step 2
      ▪ Sometimes the previous steps have to be repeated
    • [Step 4] Post-Exploitation:
      ▪ Document the previous steps
      ▪ In case monitoring systems are in place, identify whether the attack has been detected
  • 29. Phase 3: Reporting
    • Any vulnerability should be reported, independent of whether it was exploitable or not
    • Passwords and sensitive data should be censored
    • If evidence of a previous compromise has been found, the customer should be informed right away
    • Exploits, added users and other modifications should be documented
  • 30. Tools
  • 31. Tools
    Name | Link
    Metasploit | https://github.com/rapid7/metasploit-framework
    PowerSploit | https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
    BeRoot | https://github.com/AlessandroZ/BeRoot
    Windows-Exploit-Suggester | https://github.com/GDSSecurity/Windows-Exploit-Suggester
  • 32. Conclusion
  • 33. Conclusion
    • Learnt things about
      ▪ Windows
      ▪ Privilege escalation concepts
      ▪ An approach for penetration testers
      ▪ Tools that can be used
    • The content can be used by system administrators and architects to improve their systems’ security
    • Windows systems:
      ▪ offer a great number of security mechanisms
      ▪ allow a granular configuration of privileges and access rights
      ▪ are typically patched fast
  • 34. Q&A Session
    P.S.: We are in need of curious and smart people! --> (k.bijjou@sec-consult.com)
  • 35. Any further questions? Don‘t hesitate to contact me.
    Khalil Bijjou
    k.bijjou@sec-consult.com
    +41 79 896 73 08
    SEC Consult (Schweiz) AG
    Turbinenstrasse 28
    8005 Zürich, Schweiz
    www.sec-consult.com
  • 36. Portfolio
    • Vulnerability Lab
    • Security Consulting
    • ISMS Consulting
    • Trainings
    • …
    Career
    • Curiosity and enthusiasm for security
    • Participate in bleeding edge technology projects
    • Permanent Learning
    https://www.sec-consult.com
    • Security Consulting since 02’
    • Advisories: severe vulnerabilities in popular products found
    • International Team
    • Different Locations