5.2 Escalating Privileges

Privilege Escalation

  • An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges.
  • Attacker performs privilege escalation attack which takes advantages of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.
  • These privileges allows attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.
  • Types of Privilege Escalation:
    • Vertical Privilege Escalation:
      • Refers to gaining higher privileges than the existing
    • Horizontal Privilege Escalation:
      • Refers to acquiring the same level of privileges that already has been granted but assuming the identify of another user with the similar privileges.
  • User -> Admin:
    1. passwd (區網獲取AD gpp)
    2. vulnerability
    3. Weak permission: Service, File
    4. DLL Hijacking
  • Admin -> Others/System:
    1. PtH
    2. Install Service (sc)
    3. (Access) Token Kidnapping
    4. Process Hijacking (RunFromProcess)
      • 其中1, 3, 4無log

Privilege Escalation Using DLL Hijacking

  • Most Windows applications do not use the fully qualified path when loading an external DLL library instead they search directory from which they have been loaded first.
  • If attackers can place a malicious DLL in the application directory, it will be executed in place of the real DLL.

Resetting Passwords Using Command Prompt

  • If attacker succeeds in gaining administrative privileges, he/she can reset the passwords of any other non-administrative accounts using command prompt.
  • Open the command prompt, type net user command and press Enter to list out all the user accounts on target system.
  • Now type net user useraccountname * and press Enter, useraccountname is account name from list.
  • Type the new password to reset the password for specific account.

Privilege Escalation Tool: Active@ Password Changer

  • Active@ Password Changer resets local administrator and user passwords.


Privilege Escalation Tools (重要)

  • Offline NT Password & Registry Editor

Linux: chntpw

How to Defend Against Privilege Escalation

  • Restrict the interactive logon privileges.
  • Use encryption technique to protect sensitive data.
  • Run users and applications on the least privileges.
  • Reduce the amount of code that runs with particular privilege.
  • Implement multi-factor authentication and authorization.
  • Perform debugging using bounds checkers and stress tests.
  • Run services as unprivileged accounts.
  • Test operating system and application coding errors and bugs thoroughly.
  • Implement a privilege separation methodology to limit the scope of programming errors and bugs.
  • Path the systems regularly.


results matching ""

    No results matching ""