RID HIJACKING: Maintaining Access on Windows Machines. Sebastián Castro - PowerPoint PPT Presentation



SLIDE 1

RID HIJACKING: Maintaining Access on Windows Machines.

Sebastián Castro
sebastian.castro@csl.com.co
@r4wd3r
Rome, Italy, 2018

SLIDE 2

C:\> net user r4wd3r

Username                 r4wd3r
Full name                Sebastián Castro
Comment                  Infosec nerd, xpltdev, win sec, opera singer
User's comment           Terrible at MS Paint :(
Country/region code      Colombia
Account active           No
First logon              1993/05/03 23:56
User profile             Technical & Research Lead <at> CSL Labs
Work directory           https://csl.com.co

SLIDE 3

Agenda

  • 0x01. Exposing the RID Hijacking Attack.
  • 0x02. A Windows Logon Story.
  • 0x03. Hijacking the RID.
  • 0x04. Demo.
  • 0x05. Conclusions.
SLIDE 5

What is RID Hijacking?

  • A new persistence technique that affects ALL Windows systems since NT (haven't tried this on Windows 95 nor Phone).
  • A stealthy way to maintain access by only using OS resources.
  • A method which takes advantage of important security issues found in the Windows Security Architecture.

Not reliable on Domain Controllers (yet).

SLIDE 6

What does it do?

This technique hijacks the RID of any existing user account on the victim host and assigns it to another one.

RID HIJACKING

SID <Guest Account>
S-1-5-2196653972-2908857710-5094559845-501

SID <Guest hijacked Administrator>
S-1-5-2196653972-2908857710-5094559845-500

SLIDE 7

What does it do?

  • 0x01. Assigns the privileges of the hijacked account to the hijacker one, even if the hijacked account is disabled.
  • 0x02. Allows authenticating with the hijacker account credentials (also remotely, depending on the machine's configuration) and obtaining authorized access as the hijacked user.
  • 0x03. Permits registering any operation executed on the event log as the hijacked user, despite being logged on as the hijacker one.


SLIDE 10

What does it look like?

(screenshots: whoami; net user Guest; writing on the System32 folder)

SLIDE 12

A Windows Logon Story… (slides 12 to 16 are picture-only builds under this title)

SLIDE 17

Windows Security Architecture (diagram)

  • Winlogon: winlogon.exe
  • Local Security Authority Subsystem <LSASS>:
      LSA Server: lsasrv.dll
      SAM Server: samsrv.dll, backed by HKLM\SAM
      AD Services: ntdsa.dll, backed by the AD DB
      Authentication packages: MSV1_0.dll, kerberos.dll
      LSA DB: HKLM\SECURITY
      KDC: Kdcsvc.dll
      Others

SLIDE 18

Windows Security Architecture (local logon subset of the diagram)

  • Winlogon: winlogon.exe
  • Local Security Authority Subsystem <LSASS>:
      LSA Server: lsasrv.dll
      SAM Server: samsrv.dll, backed by HKLM\SAM
      Authentication package: MSV1_0.dll
      LSA DB: HKLM\SECURITY

SLIDE 19

Quick Logon Overview

WINLOGON & LSASS
  Logon: User: Administrator, Pass: iamgreen -> OK!

ACCESS TOKEN
  User: Administrator S-1-5-…-500
  Group1: Everyone S-1-1-0
  Group2: Administrators S-1-5-32-544
  Privileges: .....

File_X's DACL (checked by the SRM)
  READ: Everyone S-1-1-0
  WRITE: Administrators S-1-5-32-544

SLIDE 20

Security Identifiers <SID>

S-1-5-21-397955417-62688126-188441444-1010

  • S: literal prefix.
  • 5: Identifier Authority.
  • 21: Sub Authority indicating this class of ID.
  • 397955417-62688126-188441444: three Sub Authorities for uniqueness.
  • 1010: Relative ID.

SLIDE 21

Authentication: "Hi! ADMIN here. Pass: ilovegreen"

SLIDE 22

Authentication Steps

  • 0x01. WINLOGON initialization.
  • 0x02. WINLOGON calls LOGONUI (using CPs).
  • 0x03. WINLOGON creates a unique LOGON SID.
  • 0x04. WINLOGON calls LSASS and prepares a handle for an Authentication Package.

SLIDE 23

Authentication Packages

List: HKLM\SYSTEM\CurrentControlSet\Control\Lsa

For interactive logons:
  • <MSV1_0.dll>: Standalone Authentication.
  • <Kerberos.dll>: Domain Kerberos Authentication.

The Kerberos authentication package will be ignored for now.

SLIDE 24

Authentication Steps

  • 0x05. WINLOGON sends the logon info to MSV1_0 by calling LsaLogonUser. Logon info: username/password, LOGON SID.

MSV1_0 is also used on domain-member computers when they are disconnected from the network.

SLIDE 25

Authentication Steps

  • 0x06. MSV1_0 sends username and hashed password to the SAMSRV.
  • 0x07. SAMSRV queries the SAM database with the logon data, retrieving some security info.

(diagram: MSV1_0.dll -> Samsrv.dll -> HKLM\SAM)

SLIDE 26

Authentication Steps

  • 0x08. MSV1_0 checks the information obtained from the SAMSRV response.
  • 0x09. If OK, MSV1_0 generates a LUID for the session.
  • 0x0A. MSV1_0 sends the login information (including the LUID) to LSASS.

All the data sent will be used for the subsequent access token creation.

SLIDE 27

Authorization: "HELLO 500. Creating your Access token."

SLIDE 28

Access Token

Object used by the SRM to identify the security context of a process. LSASS creates an initial access token for every user who logs on. Child processes inherit a copy of the token of their creator.

Processes in a user's session will be executed using the same access token.

SLIDE 31

Authorization Steps

  • 0x0B. LSASS checks the LSA database for the user's allowed access.
  • 0x0C. LSASS adds the Groups, SIDs and privileges to the access token.
  • 0x0D. LSASS formally creates a primary access token.

SLIDE 32

Authorization: "WELCOME ADMIN. Here's your Access token."

SLIDE 33

Authorization: ACCESS GRANTED TOKEN

SLIDE 38

Understanding the attack

How is the user identified by the system after being successfully authenticated?

S-1-5-2196653972-2908857710-5094559845-500

How does the system associate a username with its SID? Using the Samsrv.dll black magic :)

SLIDE 40

Remembering…

  • 0x06. MSV1_0 sends username and hashed password to the SAMSRV.
  • 0x07. SAMSRV queries the SAM database with the logon data, retrieving some security info.

(diagram: MSV1_0.dll -> Samsrv.dll -> HKLM\SAM)

How is the username associated with the SID? What security info is retrieved?

SLIDE 43

Samsrv.dll and SAM

SAMSRV looks for the username in the SAM database. Each key contains a REG_BINARY value. The REG_BINARY has as its Type the RID of the account.

HKLM\SAM\SAM\Domains\Account\Users\Names

SLIDE 46

Samsrv.dll and MSV1_0.dll

SAMSRV looks for the key associated with the RID. SAMSRV grabs all the data stored in the referenced key. MSV1_0.dll receives back all the data from SAMSRV.

HKLM\SAM\SAM\Domains\Account\Users

(diagram: MSV1_0.dll <-> Samsrv.dll)

SLIDE 50

Understanding the attack

S-1-5-2196653972-2908857710-5094559845-500
  Consistent for all local user SIDs: S-1-5-2196653972-2908857710-5094559845
  Relative: 500

Why does the SAM store only the RID? What info is retrieved from the SAM?

  • Password's hash.
  • Account status (Active: Y/N).
  • Some account restrictions.
  • A copy of the user's RID.
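An added example, not code from the talk or from r4wd3r: a small parser for the SID layout on slide 20, used to show what slides 48 to 50 state, namely that every local account SID shares one machine identifier and differs only in the relative ID. The SID strings and the 500/501 RID names come from the slides; the function names and the class labels for other RIDs are my own.

```python
import re

# Only the string form "S-1-<identifier authority>-<sub authorities...>-<rid>" is handled.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# RIDs named on the slides: 500 = Administrator, 501 = Guest. RIDs from 1000 up
# belong to accounts created on the host, like the 1010 in the slide 20 example.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

def parse_sid(sid: str) -> dict:
    """Split a string SID into identifier authority, sub-authorities and RID.

    S-1-5-21-397955417-62688126-188441444-1010 (slide 20) gives authority 5,
    sub-authorities [21, 397955417, 62688126, 188441444] and RID 1010.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a string SID: {sid!r}")
    numbers = [int(x) for x in m.group(2).split("-")[1:]]
    return {"authority": int(m.group(1)),
            "sub_authorities": numbers[:-1],   # 21 plus the three uniqueness values
            "rid": numbers[-1]}                # the last sub-authority is the relative ID

def machine_identifier(sid: str) -> str:
    """Everything except the RID: identical for every local account on one host."""
    p = parse_sid(sid)
    return "S-1-" + "-".join(str(n) for n in [p["authority"], *p["sub_authorities"]])

def build_sid(machine_id: str, rid: int) -> str:
    """The inverse step: machine identifier plus RID is what ends up in the token."""
    return f"{machine_id}-{rid}"

def describe_rid(rid: int) -> str:
    """Name the account class a RID denotes, using the values from the talk."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "local user (RID >= 1000)" if rid >= 1000 else "other built-in RID"

def same_local_authority(sid_a: str, sid_b: str) -> bool:
    """True when two SIDs differ only in the RID: same host, different account."""
    return machine_identifier(sid_a) == machine_identifier(sid_b)

if __name__ == "__main__":
    guest = "S-1-5-2196653972-2908857710-5094559845-501"   # Guest SID from slide 6
    admin = build_sid(machine_identifier(guest), 500)      # SID a hijacked Guest gets
    print(parse_sid(guest))
    print(admin, describe_rid(parse_sid(admin)["rid"]), same_local_authority(guest, admin))
```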

SLIDE 51

Login as Guest: "Hi! GUEST here. Pass: redgirl"

SLIDE 57

Login as Guest

(diagram: MSV1_0.dll -> Samsrv.dll -> HKLM\SAM)

  • MSV1_0 sends to SAMSRV: Username: Guest, hashed password A85666C6540692E19E23AEEDAB77E108.
  • SAMSRV resolves Guest under HKLM\SAM\SAM\Domains\Account\Users\Names to RID 0x1F5.
  • SAMSRV reads HKLM\SAM\SAM\Domains\Account\Users\0…1F5.
  • The key returns: hash A85666C6540692E19E23AEEDAB77E108, Restrictions, RID Copy: 0x1F5.
  • MSV1_0 receives the same data back from SAMSRV.

SLIDE 59

Login as Guest (Case 1)

GET OUTTA HERE!!! GUEST Account <0x1F5> cannot log on to this machine.

SLIDE 60

Login as Guest (Case 2)

WELCOME 501. Here's your Access token.

SLIDE 61

Login as Guest (Case 2)

Not bad, but could be better!

SLIDE 63

What if…?

What would happen if the RID COPY is changed to another value?

RID(Administrator) = 500
500d = 0x1F4

SLIDE 69

Login as Guest (the comeback)

(diagram: MSV1_0.dll -> Samsrv.dll -> corrupted HKLM\SAM)

  • MSV1_0 sends to SAMSRV: Username: Guest, hashed password A85666C6540692E19E23AEEDAB77E108.
  • SAMSRV resolves Guest under HKLM\SAM\SAM\Domains\Account\Users\Names to RID 0x1F5.
  • SAMSRV reads HKLM\SAM\SAM\Domains\Account\Users\0…1F5.
  • The key now returns: hash A85666C6540692E19E23AEEDAB77E108, Restrictions, RID Copy: 0x1F4.
  • MSV1_0 receives that data back from SAMSRV. Logon process continues…

SLIDE 71

Login as Guest (the comeback)

MSV1_0.dll

MSV1_0 checks the account restrictions provided by SAMSRV. If allowed, it then compares the SAMSRV response password hash against the user-entered hashed password.

SAMSRV response: hash A85666C6540692E19E23AEEDAB77E108, Restrictions, RID Copy: 0x1F4.

The hash will be the same.

SLIDE 74

Login as Guest (the comeback)

MSV1_0.dll -> LSASS: Password: OK. RID: 0x1F4. LUID.

LSASS creates the Access Token with RID 500:

  Token source / Impersonation type / Token ID / Authentication ID / Modified ID / Expiration Time / Session ID / Flags / Logon session (LUID) / Mandatory Policy / Default DACL
  User SID: S-1-5-………-500
  Groups: Group 1 SID … Group n SID (Administrators among them)
  Restricted SID 1 … Restricted SID n
  Privilege 1 … Privilege n

Before / After: RID HIJACKING

SLIDE 75

Login as Guest

WELCOME guest. Here's your Access token.

SLIDE 76

Login as Guest

ACCESS GRANTED TOKEN


SECURITY CURITY ISSUES SUES

  • 0x01. SAMSRV does not check if the RID associated

with the user is consistent to the RID COPY.

  • 0x02. LSASS does not corroborate the RID with the

username before creating the access token.

  • 0x03. LSASS never looks for RID inconsistencies

during the user’s session.
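An added example, mine rather than the author's or Microsoft's code: a Python model of the samsrv/LSASS path from slides 41 to 74, with the unchecked RID copy (issues 0x01 and 0x02 above) on one side, the consistency check those issues describe as missing on the other, and an offline audit a defender can run over the same data. The mini SAM is constructed inline; the layout of the RID copy (4-byte little-endian integer at offset 0x30 of the user key's F value) is an assumption taken from public SAM hive parsers, not from the slides, and the hash and restriction fields are left out.

```python
import struct

# Assumption (from public SAM hive parsers, not from the slides): the RID copy
# is the 4-byte little-endian integer at offset 0x30 of the user key's F value.
RID_COPY_OFFSET = 0x30

def make_f_value(rid_copy: int) -> bytes:
    """Constructed F value whose only populated field is the RID copy."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_COPY_OFFSET, rid_copy)
    return bytes(f)

def user_key_name(rid: int) -> str:
    """Users subkey name for a RID: eight upper-case hex digits (0x1F5 -> 000001F5)."""
    return f"{rid:08X}"

# Constructed mini SAM. "Names" mirrors ...\Users\Names (username -> RID carried as
# the REG_BINARY type); "Users" maps each user key name to that key's F value.
CLEAN_SAM = {
    "Names": {"Administrator": 0x1F4, "Guest": 0x1F5},
    "Users": {user_key_name(0x1F4): make_f_value(0x1F4),
              user_key_name(0x1F5): make_f_value(0x1F5)},
}
# The same hive after the technique in the talk: Guest's RID copy now reads 0x1F4.
HIJACKED_SAM = {
    "Names": CLEAN_SAM["Names"],
    "Users": {**CLEAN_SAM["Users"], user_key_name(0x1F5): make_f_value(0x1F4)},
}

def samsrv_lookup(sam: dict, username: str) -> dict:
    """Mimic SAMSRV: Names -> RID -> user key -> stored data, RID copy included."""
    rid = sam["Names"][username]
    f_value = sam["Users"][user_key_name(rid)]
    (rid_copy,) = struct.unpack_from("<I", f_value, RID_COPY_OFFSET)
    return {"username": username, "rid": rid, "rid_copy": rid_copy}

def token_rid_unchecked(sam: dict, username: str) -> int:
    """Issue 0x02 on the slides: the token RID is taken from the RID copy alone."""
    return samsrv_lookup(sam, username)["rid_copy"]

def token_rid_checked(sam: dict, username: str) -> int:
    """Hardened variant: refuse to build a token when the two RIDs disagree."""
    info = samsrv_lookup(sam, username)
    if info["rid"] != info["rid_copy"]:
        raise ValueError(f"RID mismatch for {username}: key {info['rid']:#x}, "
                         f"copy {info['rid_copy']:#x}")
    return info["rid"]

def find_rid_inconsistencies(sam: dict) -> list:
    """Offline audit: (username, key RID, RID copy) for each account that disagrees."""
    return [(name, rid, samsrv_lookup(sam, name)["rid_copy"])
            for name, rid in sam["Names"].items()
            if samsrv_lookup(sam, name)["rid_copy"] != rid]
```

Run find_rid_inconsistencies over a parsed hive (or the same dict built from reg query output) to surface an account whose RID copy points at another RID, which is exactly the state slides 69 to 74 rely on.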

SLIDE 81

Demonstration

  • Windows 10 VICTIM
  • Kali Linux ATTACKER
  • Addresses shown: 192.168.68.3, 192.168.68.4
  • Logon paths: Interactive, PsExec, RDP
  • Accounts: Guest, Unprivileged USER

SLIDE 83

Conclusions

SLIDE 84

References

1. http://csl.com.co/rid-hijacking/
2. Russinovich, Mark; Solomon, David A.; Ionescu, Alex. "Windows Internals", 6th Edition.
3. Scambray, Joel; McClure, Stuart. "Hacking Exposed: Windows Security Secrets & Solutions", 3rd Edition.
4. https://technet.microsoft.com/pt-pt/library/cc780332(v=ws.10).aspx
5. https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication