24C3 - 1.01

24th Chaos Communication Congress
Volldampf voraus!

Luke Jennings
Day Day 4 (2007-12-30)
Room Saal 1
Start time 16:00
Duration 01:00
ID 2235
Event type lecture
Track Hacking
Language en

One Token to Rule Them All

Post-Exploitation Fun in Windows Environments

The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to "squeeze all the juice" out of every compromised system. Windows access tokens are integral to Microsoft's concept of single sign-on in an active directory environment. Compromising a system that has privileged tokens can allow for both local and domain privilege escalation.

This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework to allow its use to be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off.

The talk will focus on introducing the audience to the concept of windows access tokens and how they are utilised within windows with a particular focus on their importance within windows forest/domain environments. The talk will then move on to demonstrate how their functionality can be abused for powerful post-exploitation options, culminating in a live demo of my tool being used to escalate privileges significantly after system compromises both locally and across a domain. Interesting, important and unexpected nuances of how these tokens behave will then be discussed to demonstrate how risk could be unknowingly exposed even by those who think they already have a grasp of these issues.

The talk will then move focus towards the advantages of combining these techniques with the existing post-exploitation focussed meterpreter, which comes with the metasploit framework. Another live demo will then be given, showing how these techniques can be utilised from within a meterpreter session after having exploited a system with metasploit.

The focus of the talk will then be shifted again to discuss how systems housing tokens with desirable privileges can be located on large networks, such that penetration attempts can be focussed on these. A live demo will be given of how this can achieved with my tool and then it will be discussed how these techniques can be incorporated into standard penetration testing methodologies such that it will often be possible to expose gaping holes in networks that would have otherwise been considered relatively secure.

Finally, defence strategies will be dicussed in order for the audience to understand how best to defend themselves against these attacks.

Archived page - Impressum/Datenschutz