rid hijacking
play

RID HIJACKING: Maintaining Access on Windows Machines. Sebastin - PowerPoint PPT Presentation

Sep 24, 2022 •203 likes •1.06k views

RID HIJACKING: Maintaining Access on Windows Machines. Sebastin Castro sebastian.castro@csl.com.co Rome, Italy @r4wd3r 2018 r4wd3r C:\> net user r4wd3r Username Username r4wd3r r4wd3r Fu Full ll Us User er na name me

  1. RID HIJACKING: Maintaining Access on Windows Machines. Sebastián Castro sebastian.castro@csl.com.co Rome, Italy @r4wd3r 2018 r4wd3r

  2. C:\> net user r4wd3r Username Username r4wd3r r4wd3r Fu Full ll Us User er na name me Sebastián Sebastián Castro Castro Comment Comment Infosec Infosec nerd, nerd, xpltdev xpltdev, win sec, op opera si singer User’s comment Terrible Terrible at MS Paint at MS Paint :( :( Country/region Country/region code code Colombia Colombia Account Account active active No No First lo logon 1993/05/03 1993/05/03 23:56 23:56 User pr profile Technical Technical & Research & Research Lead Lead <at> CS CSL La Labs Work di directory https://csl.com.co https://csl.com.co

  3. Agenda 0x01. 01. Exposing the RID Hijacking Attack. 0x02. 02. A Windows Logon Story. 0x03. Hijacking the RID. 0x04 04. Demo. 0x05. 05. Conclusions.

  4. Agenda 0x01. 01. Exposing the RID Hijacking Attack. 0x02. 02. A Windows Logon Story. 0x03. Hijacking the RID. 0x04 04. Demo. 0x05. 05. Conclusions.

  5. What is RID Hijacking? • A new persist rsistence ence technique that affects ALL LL Windows Systems NT. ( Haven’t tried this on Windows 95 nor Phone  ). since NT • A stealthy way to maintain access by only ly usi sing ng OS OS resou sources rces. • A method which takes advantage of imp mporta ortant nt secur curity ity iss ssues ues found at the Windows Security Architecture. Not Not reli liable able on on Doma main Cont ntrollers rollers (yet et). ).

  6. What does it do? This technique hij hijacks acks the the RID RID of any existing existing user user accou count nt on the victim host and assigns it to anoth other er one one. SID D <Gue uest st Account count> ====== ======= ===== ======= ======= ======= ======= ======= ======= ======= ===== S-1-5-219 19665 653972 972-290 9088577 857710-50945 0945598 9845-501 501 RID HIJACKING SID D <Gue uest st hijack jacked Adm dmin inist strator ator> ====== ======= ===== ======= ======= ======= ======= ======= ======= ====== === S-1-5-219 19665 653972 972-290 9088577 857710-50945 0945598 9845-500 500

  7. What does it do? 0x01 01. Assigns the privileges of the hijac ijacked ked account to the hijac ijacker ker one, even if the hijacke acked account is disable abled. 0x02 02. Allows to authenticate with the hijacker hijacker account credentials (also remotely, depending on machine’s configuration), and obtain authorized access as the hijacke acked user. 0x03 03. Permits to register any operation executed on the event log as the hijacke acked user, despite of being logged on as the hijacke acker one.

  8. What does it do? 0x01 01. Assigns the privileges of the hijac ijacked ked account to the hijac ijacker ker one, even if the hijacke acked account is disable abled. 0x02 02. Allows to authenticate with the hijacker hijacker account credentials (also remotely, depending on machine’s configuration), and obtain authorized access as the hijacke acked user. 0x03 03. Permits to register any operation executed on the event log as the hijacke acked user, despite of being logged on as the hijacke acker one.

  9. What does it do? 0x01 01. Assigns the privileges of the hijac ijacked ked account to the hijac ijacker ker one, even if the hijacke acked account is disable abled. 0x02 02. Allows to authenticate with the hijacker hijacker account credentials (also remotely, depending on machine’s configuration), and obtain authorized access as the hijacke acked user. 0x03 03. Permits to register any operation executed on the event log as the hijacke acked user, despite of being logged on as the hijacke acker one.

  10. How does it look like? whoami net user Guest writing on System32 folder

  11. Agenda 0x01. 01. Exposing the RID Hijacking Attack. 0x02. 02. A Windows Logon Story. 0x03. Hijacking the RID. 0x04 04. Demo. 0x05. 05. Conclusions.

  12. A Windows Logon Story …

  13. A Windows Logon Story …

  14. A Windows Logon Story …

  15. A Windows Logon Story …

  16. A Windows Logon Story …

  17. Windows Security Architecture Local Security Authority Subsystem <LSASS> MSV1_0.dll SAM Winlogon Server kerberos.dll HKLM\SAM winlogon.exe samsrv.dll LSA Server KDC lsasrv.dll Kdcsvc.dll AD Services ntdsa.dll AD DB Others LSA DB HKLM\SECURITY

  18. Windows Security Architecture Local Security Authority Subsystem <LSASS> MSV1_0.dll SAM Winlogon Server HKLM\SAM winlogon.exe samsrv.dll LSA Server lsasrv.dll LSA DB HKLM\SECURITY

  19. Quick Logon Overview User: Administrator Pass : iamgreen WINLOGON & LSASS OK! ACCESS TOKEN User: Administrator S-1-5- … -500 File_X’s DACL Group1: Everyone S-1-1-0 READ: Everyone S-1-1-0 Group2: Administrators S-1-5-32-544 SRM SRM WRITE: Administrators S-1-5-32-544 ..... Privileges: - … - …

  20. Security Identifiers <SID> Literal Three Sub Authorities for Uniqueness prefix 1010 S-1-5-21-397955417-62688126-188441444-1010 Relative Identifier Sub Authority Indicating Authority this class of ID ID

  21. Authentication Hi! ADMIN here. Pass: ilovegreen

  22. Authentication Steps 0x01. WINLOGON Initialization. 0x02. WINLOGON calls LOGONUI (using CPs). 0x03. WINLOGON creates an unique LOGON SID. 0x04. WINLOGON calls LSASS and prepares a handle for an Authentication Package.

  23. Authentication Packages List: HKLM\SYSTEM\CurrentControlSet\Control\Lsa For interactive logons: • <MSV1_0.dll>: Standalone Authentication. • <Kerberos.dll>: Domain Kerberos Authentication. Kerbero rberos s authen thenti ticat ation on pack ckage ge will ll be be ignore nored by by now now. .

  24. Authentication Steps 0x05. WINLOGON sends logon info to the MSV1_0 calling LsaLogonUser. Logon Info: Username/Password. LOGON SID. MSV1_0 V1_0 is is also so used ed on on doma main in-mem ember er compute mputers rs when en are e disconn sconnec ected ed of of the the networ twork.

  25. Authentication Steps 0x06. MSV1_0 sends username and hashed password to the SAMSRV. 0x07. SAMSRV queries on the SAM database with the logon data, retrieving some security info. Samsrv.dll MSV1_0.dll HKLM\SAM

  26. Authentication Steps 0x08. MSV1_0 checks the information obtained from the SAMSRV response. 0x09. If OK, MSV1_0 generates a LUID for the session. 0x0A. MSV1_0 sends the login information (including LUID) to LSASS. All All the the data ta sent nt will ll be be used ed for for the the furthe rther acce cess toke ken n creatio tion.

  27. Authorization HELLO 500 . Creating your Access token

  28. Access Token Object used by the SRM to identify the security context of a process. LSASS creates an initial access token for every user which logs on. Child processes inherit a copy of the token of their creator. Proces ocesses es in a user’s sessio ssion will ll be be execut ecuted using ing the the same me acce cess toke ken. n.

  29. Authorization Steps 0x0B. LSASS checks the LSA database for the user’s allowed access.

  30. Authorization Steps 0x0B. LSASS checks the LSA database for the user’s allowed access. 0x0C. LSASS adds the Groups, SIDs and privileges to the access token.

  31. Authorization Steps 0x0B. LSASS checks the LSA database for the user’s allowed access. 0x0C. LSASS adds the Groups, SIDs and privileges to the access token. 0x0D. LSASS formally creates a primary access token.

  32. Authorization WELCOME ADMIN Here’s your Access token

  33. Authorization ACCESS GRANTED TOKEN

  34. Agenda 0x01. 01. Exposing the RID Hijacking Attack. 0x02. 02. A Windows Authorization Story. 0x03. Hijacking the RID. 0x04 04. Demo. 0x05. 05. Conclusions.

  35. Understanding the attack How is the user identified by the system after being successfully authenticated?

  36. Understanding the attack How is the user identified by the system after being successfully authenticated? S-1-5-2196653 19665397 972-290885 908857710 7710-509 09455984 4559845-500 500

  37. Understanding the attack How is the user identified by the system after being successfully authenticated? S-1-5-2196653 19665397 972-290885 908857710 7710-509 09455984 4559845-500 500 How does the system associate an username with his SID?

  38. Understanding the attack How is the user identified by the system after being successfully authenticated? S-1-5-2196653 19665397 972-290885 908857710 7710-509 09455984 4559845-500 500 How does the system associate an username with his SID? Using ing the the Sams msrv.dll rv.dll black ack magic gic :) :)

  39. Remembering … 0x06. MSV1_0 sents username and hashed password to the SAMSRV. 0x07. SAMSRV queries on the SAM database with the logon data, retrieving some security info. Samsrv.dll MSV1_0.dll HKLM\SAM

  40. Remembering … 0x06. MSV1_0 sents username and hashed password to the How is the username associated SAMSRV. with the SID? 0x07. SAMSRV queries on the SAM database with the logon data, retrieving some security info. What security info is retrieved? Samsrv.dll MSV1_0.dll HKLM\SAM

  41. Samsrv.dll and SAM HKLM\SAM\SAM\Domains\Account\Users\Names SAMSRV looks for the username at the SAM database.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

1 .NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend PowerShell 2 MALWARE UNICORN Senior or Malware Researcher @ Endgame, Inc. Wo Works s as s a a Mal alware are Re Researc archer r at at

1.04k views • 47 slides
JSON hijacking For the modern web About me Im a researcher at PortSwigger I love

JSON hijacking For the modern web About me Im a researcher at PortSwigger I love

JSON hijacking For the modern web About me Im a researcher at PortSwigger I love hacking JavaScript let : let { let :[x=1]}=[alert(1)] I love breaking browsers @garethheyes History of JSON hijacking Array constructor attack

630 views • 44 slides
Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18 th 2014 Goals of the Assignment Understand how BGP path hijacking aGacks might happen in

322 views • 11 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala

Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala

Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek Andy Archer, Allan Aquino, Andreas Pitsillidis (UCSD), Stefan Savage (UCSD) Hijacking is a pervasive problem

318 views • 27 slides
Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we detect BGP IP hijacking by probing the at risk subnets to detect suspect change to hosts and subnets. 2 Intro Fingerprinting Avoiding

795 views • 31 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of

THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of

Principal Consultant Nick Harbour nick.harbour@mandiant.com ick.harbour@mandiant.com @ THE BLACK ART OF BINARY HIJACKING HIJACKING Agenda Agenda Agenda Agenda 2 2 Overview of Persistence Techniques Overview of Persistence

153 views • 14 slides
A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis,

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis,

A Study of Prefix Hijacking and Interception in the internet Hitesh Ballani, Paul Francis, Xinyang Zhang Presented by: Tony Z.C Huang, Adapted from slides by Hitesh Ballani Prefix Hijacking/ Interception Internet AS CIA AS U Owning

873 views • 38 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org Center for Applied Internet Data Analysis University of California, San Diego Joint work with: Pavlos Sermpezis, Vasileios Kotronis, Petros

375 views • 23 slides
Content Distribution Networks explicit transparent (hijacking connections) Outline

Content Distribution Networks explicit transparent (hijacking connections) Outline

Design Space Caching Content Distribution Networks explicit transparent (hijacking connections) Outline Replication Implementation Techniques server farms Hashing Schemes Redirection Strategies geographically

237 views • 6 slides
An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin

An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin

An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin Ahmad Jonas, Md. Shohrab Hossain, Risul Islam, Husnu S. Narman , Mohammed Atiquzzaman Outlines Motivation Problem Contributions Results

1.03k views • 25 slides
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2 Trends in Memory Errors* * Victor van der Veen,

517 views • 39 slides
Biology and Politics: Is Rhetoric Hijacking Science? Marianne J. Legato, M.D. Professor Emerita

Biology and Politics: Is Rhetoric Hijacking Science? Marianne J. Legato, M.D. Professor Emerita

Biology and Politics: Is Rhetoric Hijacking Science? Marianne J. Legato, M.D. Professor Emerita of Clinical Medicine Columbia University College of Physicians &amp; Surgeons Politically Correct: Men and women are identical except for their

204 views • 6 slides
ARTEMIS : Neutralizing BGP Hijacking within a Minute Pavlos Sermpezis INSPIRE group (Prof.

ARTEMIS : Neutralizing BGP Hijacking within a Minute Pavlos Sermpezis INSPIRE group (Prof.

ARTEMIS : Neutralizing BGP Hijacking within a Minute Pavlos Sermpezis INSPIRE group (Prof. Xenofontas Dimitropoulos) FORTH, Greece ERC Networking Symposium, SIGCOMM 2018 The ERC history of ARTEMIS ERC NetVolution project 2014

200 views • 17 slides
CSE 232A Graduate Database Systems Arun Kumar Review Discussion 1 Review Question Which

CSE 232A Graduate Database Systems Arun Kumar Review Discussion 1 Review Question Which

CSE 232A Graduate Database Systems Arun Kumar Review Discussion 1 Review Question Which of the following parallelism paradigms is making a comeback in the cloud-native RDBMS setting thanks to faster networks? A Shared-disk B

314 views • 6 slides
New Resources for a New Age Brad Blickstein David Cambria Recent Headlines 1992 GC Plan

New Resources for a New Age Brad Blickstein David Cambria Recent Headlines 1992 GC Plan

New Resources for a New Age Brad Blickstein David Cambria Recent Headlines 1992 GC Plan Few Hires But Still Say More Work Coming In-House How to Control Litigation Costs Pressure Rising for Early Settlement; Bad Times are Good

301 views • 29 slides
Who Will Win It? An In-game Win Probability Model for Football Pieter Robberechts , Jan Van

Who Will Win It? An In-game Win Probability Model for Football Pieter Robberechts , Jan Van

Who Will Win It? An In-game Win Probability Model for Football Pieter Robberechts , Jan Van Haaren and Jesse Davis &quot; Belgium stuns Japan with exceptional comeback NyTimes How exceptional was this comeback? We need an in-game win

489 views • 24 slides
Delivering an Upfront Patient Cost Experience Andrew Hardings event on May 12 was packed

Delivering an Upfront Patient Cost Experience Andrew Hardings event on May 12 was packed

Another chance to watch Delivering an Upfront Patient Cost Experience Andrew Hardings event on May 12 was packed with information on many subjects. Andrew sent links to the webinar so you can watch it at your leisure, as well as his

493 views • 20 slides
Career Comeback Networking Event Tips on Returning to Work March 6, 2014 TP @ Tian Pouw

Career Comeback Networking Event Tips on Returning to Work March 6, 2014 TP @ Tian Pouw

Career Comeback Networking Event Tips on Returning to Work March 6, 2014 TP @ Tian Pouw Individual activity 0 100 Motivation to make a career comeback ? 0 100 Concern in making a comeback ? (Capability / Readiness / Fit / Opportunity)

621 views • 29 slides
Second Quarter 2011 Investor Call Terry Turner, President and CEO Harold Carpenter, EVP and CFO

Second Quarter 2011 Investor Call Terry Turner, President and CEO Harold Carpenter, EVP and CFO

Second Quarter 2011 Investor Call Terry Turner, President and CEO Harold Carpenter, EVP and CFO Harvey White, Chief Credit Officer July 20, 2011 Safe Harbor Statements Forward-looking statements Certain of the statements in this presentation

933 views • 55 slides
Computer Architecture Summer 2020 Multicore Dan Sorin and Tyler Bletsch Duke University

Computer Architecture Summer 2020 Multicore Dan Sorin and Tyler Bletsch Duke University

ECE/CS 250 Computer Architecture Summer 2020 Multicore Dan Sorin and Tyler Bletsch Duke University Multicore and Multithreaded Processors Why multicore? Thread-level parallelism Multithreaded cores Multiprocessors Design

748 views • 42 slides
The Future of ASIC Design(ers) Steve Golson Trilobyte Systems Phone: +1.978.369.9669 Email:

The Future of ASIC Design(ers) Steve Golson Trilobyte Systems Phone: +1.978.369.9669 Email:

TRILOBYTE 1 SYSTEMS The Future of ASIC Design(ers) Steve Golson Trilobyte Systems Phone: +1.978.369.9669 Email: sgolson@trilobyte.com Web: http://www.trilobyte.com 2 Outline Past Present Future 3 The ASIC Designers Lament

856 views • 38 slides

More recommend