PowerUp - Automating Windows Privilege Escalation
$ whoami
- Security researcher and pentester/red teamer for the Adaptive Threat Division of Veris Group
- Co-founder of the Veil-Framework #avlol
  - www.veil-framework.com
  - Shmoocon '14: AV Evasion with the Veil Framework
  - co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView
- BSides Austin '14: Wielding a Cortana
- BSides Boston '14: Pwnstaller 1.0
- Defcon '14 (accepted): Post-Exploitation 2.0
tl;dr
- Why PowerShell?
- Why build this?
- Windows Service Vulnerabilities
- PowerUp
  - service enumeration
  - service abuse
  - misc. methods
- Demo
- Questions
Why PowerShell?
- Really need to say anything?
- Whitelisted, trusted execution, full .NET capabilities, can refrain from touching disk, etc. etc. etc.
- Use it, yo'
  - PowerSploit
  - Posh-SecMod
  - Veil-PowerView
  - Nishang
Why build this?
- On a recent assessment, had to escalate privileges on a locked down workstation
- Kernel exploits wouldn't work, so fell back to vulnerable services
- Service binary had improper permissions
- Replacing the .exe and bouncing the box = no privs to local admin
- More or less did everything manually, wanted something a bit easier
Trusted Path Escalation
- Metasploit module: trusted_service_path.rb
- If a path is unquoted and has a space, there is ambiguity for the Windows API on how to interpret the final path
- i.e. C:\Tools\Custom Tools\program.exe will be interpreted as C:\Tools\Custom.exe first, then C:\Tools\Custom Tools\program.exe
- If you have write access to the base path, money!
Vulnerable Service Permissions
- Also a Metasploit module: service_permissions.rb
- Check if the current user can modify the service itself
- Replace the binary path for the service with something like "net user john password /add" and bounce the service to add the user
- Repeat with "net localgroup administrators john /add"
- Can be done by hand with accesschk.exe and SC
Vulnerable EXE Permissions
- Check the permissions for each executable associated with running processes
- If you can write to the executable path for a service, replace the binary with something that adds a local admin (or pops a Meterpreter shell)
- If you can't bounce the service, bounce the box
- This is how we ended up escalating in the field
PowerUp
- Implements methods to easily enumerate and abuse misconfigured Windows services for the purposes of privilege escalation
- Have started to implement additional common Windows privesc vectors
  - .dll hijacking, AlwaysInstallElevated, etc.
- http://www.harmj0y.net/blog/powershell/powerup/
- https://github.com/HarmJ0y/PowerUp
Service Enumeration
- Get-ServiceUnquoted will find all services with unquoted paths and a space in the full path name
- Get-ServicePerms enumerates all services the current user has modification rights to
- Get-ServiceEXEPerms checks all associated service executables and returns any paths the user has write access to
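The path ambiguity described under Trusted Path Escalation, and the check that Get-ServiceUnquoted performs, as an added Python example (not PowerUp's own code): it expands an unquoted service path into the ordered candidates Windows would probe and produces the quoted remediation value. The service names and paths are constructed samples in the shape Win32_Service reports them.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# End of the image name; service command lines are matched case-insensitively.
EXE_TOKEN = re.compile(r"\.exe", re.IGNORECASE)


def image_path(path_name: str) -> Optional[str]:
    """Return the executable path from a service PathName, or None when the
    path is already quoted (no ambiguity) or no .exe token is present."""
    s = path_name.strip()
    if s.startswith(('"', "'")) or not (m := EXE_TOKEN.search(s)):
        return None
    return s[: m.end()]


def unquoted_candidates(path_name: str) -> List[str]:
    """Ordered list of executables Windows would try before reaching the real
    binary of an unquoted, space-containing path. Empty means not affected."""
    path = image_path(path_name)
    if path is None or " " not in path:
        return []
    # Every space is a split point: "C:\A B\c.exe" -> "C:\A.exe", then the real path.
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "] + [path]


def audit_services(services: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map service name -> candidate paths for (Name, PathName) pairs;
    unaffected services are omitted from the result."""
    return {name: c for name, pn in services if (c := unquoted_candidates(pn))}


def quoted_fix(path_name: str) -> str:
    """Remediation: wrap the image path in double quotes, keeping any arguments
    (the value an administrator would set as the service's binPath)."""
    path = image_path(path_name)
    if path is None:
        return path_name
    return f'"{path}"' + path_name.strip()[len(path):]


# Constructed sample services (not from any real host).
SAMPLE_SERVICES = [
    ("CustomSvc", r"C:\Tools\Custom Tools\program.exe"),
    ("GoodSvc", r'"C:\Program Files\Good App\good.exe" -service'),
    ("Svchost", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("VendorSvc", r"C:\Program Files\Vendor App\bin\agent.exe --listen 9000"),
]

if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES).items():
        print(name, "->", cands, "| fix:", quoted_fix(dict(SAMPLE_SERVICES)[name]))
```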
Service Abuse
- Invoke-ServiceUserAdd enables/stops a service, reconfigures it to create a user and add them to the local admins, restarts, etc.
- Write-UserAddServiceBinary generates a precompiled C# service binary and binary patches in the service name, username/password and group to add a user to
  - Can easily write the binary out to any unquoted paths
- Write-ServiceEXE writes a service binary out to a given service path, backing up the original .exe
Misc. Checks I
- Invoke-FindDLLHijack is a (kind of) port of Mandiant's FindDLLHijack code
  - Checks each running process and its loaded modules, and returns all hijackable locations, i.e. any base "exe path + loaded module name" that doesn't exist
- Invoke-FindPathDLLHijack finds potentially hijackable service .DLL locations from %PATH%
- Check out http://www.greyhathacker.net/?p=738 for more information
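The "exe path + loaded module name" check that Invoke-FindDLLHijack performs, as an added Python example that is neither Mandiant's nor PowerUp's code: for each process it reports the application-directory paths that do not exist on disk, which are the locations whose ACLs a defender should verify. The process layout is constructed in a temporary directory; on Windows the module lists would come from enumerating each process's loaded modules.

```python
import os
import tempfile
from typing import Dict, Iterable, List


def missing_module_paths(exe_path: str, loaded_modules: Iterable[str]) -> List[str]:
    """For one process, return each 'exe directory + loaded module name' path
    that does not exist. The application directory is first in the DLL search
    order, so a file created there would shadow the module loaded elsewhere."""
    exe_dir = os.path.dirname(os.path.abspath(exe_path))
    own_name = os.path.basename(exe_path).lower()
    missing, seen = [], set()
    for mod in loaded_modules:
        name = os.path.basename(mod)  # modules are usually reported as full paths
        key = name.lower()
        if key in seen or key == own_name:
            continue
        seen.add(key)
        candidate = os.path.join(exe_dir, name)
        if not os.path.exists(candidate):
            missing.append(candidate)
    return missing


def audit_processes(processes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """processes: exe path -> loaded module paths. Only processes with findings
    are returned."""
    return {exe: m for exe, mods in processes.items() if (m := missing_module_paths(exe, mods))}


def build_sample_layout(root: str) -> Dict[str, List[str]]:
    """Constructed layout: app.exe with one DLL beside it and two modules
    loaded from a separate 'system' directory (hypothetical names)."""
    files = [("app", "app.exe"), ("app", "present.dll"), ("system", "vendorlib.dll"), ("system", "helper.dll")]
    for sub in ("app", "system"):
        os.makedirs(os.path.join(root, sub))
    for d, f in files:
        open(os.path.join(root, d, f), "w").close()
    return {os.path.join(root, "app", "app.exe"): [os.path.join(root, d, f) for d, f in files]}


def sample_findings() -> List[str]:
    """Run the audit over the constructed layout; return flagged file names, sorted."""
    with tempfile.TemporaryDirectory() as root:
        found = audit_processes(build_sample_layout(root))
        return sorted(os.path.basename(p) for paths in found.values() for p in paths)


if __name__ == "__main__":
    print(sample_findings())
```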
Misc. Checks II
- Get-RegAlwaysInstallElevated checks if the AlwaysInstallElevated registry key is enabled
  - Write-UserAddMSI can then write out a MSI installer that prompts for a local admin to add
- Get-UnattendedInstallFiles finds unattended .xml install files that may have leftover credentials
- Get-RegAutoLogon extracts any auto logon credentials from the Windows registry
- Invoke-AllChecks will run all current privesc checks
Demo
Questions?
- Contact me:
  - @harmj0y
  - will@harmj0y.net
- Read more:
  - http://www.harmj0y.net/blog/powershell/powerup/
- Get PowerUp
  - https://github.com/HarmJ0y/PowerUp
  - Being integrated into Nishang