Re: priviledge escalation techniques

[miguel.dilaj () pharma novartis com]

Hi Dan,

Let's suppose a Windows environment. I don't know if this is your case.

The first, obvious step, is to check what kind of physical access the 
insiders have to their workstations.
If they can boot to alternate media (floppy, CDROM, USB) there are several 
possibilities, for example:

1) boot to NTFSDOS Pro, that allows NTFS write access, and change some exe 
that usually runs as system (the antivirus is a good candidate) by a copy 
of cmd.exe, then when the program is executed, a nice CLI starts with 
SYSTEM privileges... then you can install software (for example a sniffer, 
more at the bottom of the email).

2) boot to Knoppix or any other live-linux-on-CD distribution, there 
you've all the tools you need, and you can install additional ones (to 
RAM) from the Internet

3) the one I've chosen, similar to (1) above. I've XP with the 
Accessibility Tools installed by default. They monitor some keys, and if 
for example you press SHIFT 5 times a popup appears where you can activate 
and configure the accessibility tools. The program responsible for that is 
sethc.exe, and the guys at Micro$oft comit the cardinal mistake of not 
making IT check if SHIFT was pressed 5 times, but to include that in some 
other part of the OS (kernel? ;-)
So if you press SHIFT 5 times, sethc.exe is executed, but doesn't matter 
WHAT IS sethc.exe
You guess that, I replaced sethc.exe by a copy of cmd.exe
If I press that BEFORE login, a CLI as SYSTEM is started, I can launch 
compmgmt.msc and add myself to the local administrators group (please note 
that if you start it AFTER login, a CLI is started as your user).

Now let's suppose that you manage to use your own tools, by any of the 
methods above.
You can launch a sniffer, gather login credentials, and crack them using 
the password cracking program you like more.
If the network is switched, perhaps you need an ARP poisoning tool. It's 
very unlikely that your switch is configured to avoid that (I still have 
to see one in a real environment!).
You can also launch a program to intercept SMB logins (like SMBproxy and 
similar tools) and act as the user who's logging in without even the need 
to crack his/her password.

Is the above useful? It'll depend... if the administrators have the bad 
idea of logging in into the servers over the network, perhaps you can 
gather their credentials or abuse their own login. Otherwise you'll get 
access as different users...

If the network is composed of Linux/UNIX machines, you can still sniff 
passwords for unencrypted services (telnet, pop3, ftp, etc.) in the hope 
you can find something useful.

And of course there's still the possibility of using a local xploit for an 
unpatched vulnerability to raise your privileges to 
admin/system/root/whatever...

IT Security is nice ;-)

Solutions:
1) don't use any services that send information in cleartext
2) remove all physical access that allows booting to alternate media
3) configure your switches (if you can, it's not possible for all 
switches) in such a way that you can fool an ARP poisoning attempt. Be 
sure that you are not vulnerable to a DoS!
4) investigate packet signing in Windows networks, to fool SMBproxy and 
similar man-in-the-middle tools
5) investigate tools to detect sniffers (i.e. NIC in promiscuous mode)
6) have a lot of luck. It's almost impossible to deter a skilled insider 
in most company's setup
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG







Dan Rogers <pentestguy () gmail com>
16/01/2005 15:58
Please respond to Dan Rogers

 
        To:     pen-test () securityfocus com
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        priviledge escalation techniques


Hi List,

I have been asked to test the network security of my organisation from
an internal perspective. My boss has not been particularly specific in
his requirements (other than asking that I don't break any operational
infrastructure) so I can approach the problem from whichever way I
deem most appropriate.

I suspect the first thing I will attempt is privilege escalation
techniques from a workstation with a domain user account to see if I
can install my own software/toolset. Can anyone suggest any good
whitepapers or tools that I can use to get a head start?

I intend to follow this up by scanning/targeting critical parts of our
infrastructure - domain controllers, mail servers, routers etc.
However, I am interested to know what other people would do when given
free reign to identify internal weaknesses - so how should I approach
this? This is not an 'audit' exercise, as I will not be given access
to server/infrastructure configurations.

Any advise on this appreciated.

Dan