Ethical Hacking and Penetration Testing Guide



Bypassing User Access Control
User access control (UAC) is a security feature that was introduced in Windows Vista and has been present in every version since. The purpose of introducing UAC was to prevent malware from compromising the system. It accomplishes this by assigning normal user privileges to an application even if the user has administrator privileges. The application then has to be approved by an administrator before it can make changes to your computer.
UAC can be configured easily whichever operating system you are using; all you need to do is search for the keyword “uac” using the search box. The default level of UAC is level 3, at which it notifies you when programs try to make changes to your computer.
Here is how the interface looks inside Windows 7:
If we try to use the “getsystem” technique on any of the operating systems with UAC enabled, it will fail by default. Luckily, we already have a postexploitation module in Metasploit named “bypassuac”, which could help us bypass user access control to escalate our privileges.


For the sake of demonstration, we assume that you have a meterpreter session on a Windows 7 machine. From our current meterpreter session we will run the following command:
meterpreter> run post/windows/escalate/bypassuac
Now we will try the “getsystem” command again, and it will escalate our privileges. We will use “getuid” to check our privileges and the meterpreter “sysinfo” command to display information about the current system.
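The UAC levels described above can be audited from the registry. The following is an added example, not code from the book: it maps the three Windows policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to a slider level and reports any host left below "Always notify". The 1 to 4 numbering (default = 3, counted from the bottom of the slider) is an assumption made to match the text, and the sample settings are constructed.

```python
# Added example: classify UAC registry settings into slider levels.
# Level numbers 1-4 are an assumption chosen to match the text's "level 3" default.
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def classify_uac(enable_lua, consent_admin, secure_desktop):
    """Return (level, description). Level 0 = UAC off, None = custom policy."""
    if enable_lua == 0:
        return 0, "UAC disabled (EnableLUA=0)"
    if consent_admin == 0:
        return 1, "Never notify (administrators elevate silently)"
    if consent_admin == 5 and secure_desktop == 0:
        return 2, "Notify on program changes, no secure desktop"
    if consent_admin == 5 and secure_desktop == 1:
        return 3, "Default: notify on program changes"
    if consent_admin == 2 and secure_desktop == 1:
        return 4, "Always notify"
    return None, "Custom policy (set outside the slider)"


def audit(settings):
    """settings: dict holding the three VALUES. Returns a list of findings."""
    level, desc = classify_uac(*(settings.get(v) for v in VALUES))
    findings = [f"UAC level: {level} - {desc}"]
    if level is not None and level < 4:
        # At these levels Windows' own programs elevate without a prompt.
        findings.append("FINDING: below 'Always notify'; raise the UAC level")
    return findings


def read_local_settings():
    """Read the live values from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        return {v: winreg.QueryValueEx(key, v)[0] for v in VALUES}


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_local_settings()
    else:
        # Constructed sample: the default Windows 7 configuration.
        current = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                   "PromptOnSecureDesktop": 1}
    print("\n".join(audit(current)))
```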
Impersonating the Token
The concept of an access token is very similar to the concept of a cookie that is used to authenticate a user on a particular website. When a user is authenticated on a Windows machine an access token is assigned, which contains information about login details, user privileges, etc. Windows access tokens are of two types:
Primary token—The primary token can be associated with a process and is created within the operating system using privileged methods.
Impersonation token—An impersonation token can let a process act as another user; it can only be associated with threads. This is the type of token that we will be abusing for our privilege escalation process.
We can use a valid impersonation token of a specific user, say, administrator, to impersonate that user without any authentication. Incognito is a meterpreter module that can help us with this task. We can load it by using the following command:
use incognito


Next, we would run the “help” command to see all the options; this will load up the meterpreter help menu, but you will also see the Incognito commands along with their descriptions at the bottom:
Before impersonating a token we need to take a look at the available tokens. To see all the available tokens, we use the list_tokens command followed by a -u parameter (which lists the tokens available under a current user context). With SYSTEM-level privileges you can see the list of all tokens, but with administrator or lower privileges you cannot.
list_tokens -u
As we can see, we have the administrator token available, which looks interesting; so let’s try to impersonate this token and escalate our privileges. The command for impersonating is as follows:
meterpreter> impersonate_token ABDUL-CB7402ACD\\Administrator
Note that we have added an additional backslash, “\”, before “Administrator” for it to execute properly.

