RID HIJACKING: Maintaining Access on Windows Machines. Sebastián Castro sebastian.castro@csl.com.co Rome, Italy @r4wd3r 2018 r4wd3r
C:\> net user r4wd3r
User name                    r4wd3r
Full Name                    Sebastián Castro
Comment                      Infosec nerd, xpltdev, win sec, opera singer
User's comment               Terrible at MS Paint :(
Country/region code          Colombia
Account active               No
First logon                  1993/05/03 23:56
User profile                 Technical & Research Lead <at> CSL Labs
Work directory               https://csl.com.co
Agenda
0x01. Exposing the RID Hijacking Attack.
0x02. A Windows Logon Story.
0x03. Hijacking the RID.
0x04. Demo.
0x05. Conclusions.
What is RID Hijacking?
• A new persistence technique that affects ALL Windows systems since NT. (Haven't tried this on Windows 95 nor Windows Phone.)
• A stealthy way to maintain access by using only OS resources.
• A method which takes advantage of important security issues found in the Windows security architecture. Not reliable on Domain Controllers (yet).
What does it do? This technique hijacks the RID of any existing user account on the victim host and assigns it to another one.
SID <Guest Account>
S-1-5-2196653972-2908857710-5094559845-501
RID HIJACKING
SID <Guest hijacked Administrator>
S-1-5-2196653972-2908857710-5094559845-500
What does it do?
0x01. Assigns the privileges of the hijacked account to the hijacker one, even if the hijacked account is disabled.
0x02. Allows authenticating with the hijacker account's credentials (also remotely, depending on the machine's configuration) and obtaining authorized access as the hijacked user.
0x03. Causes any operation executed to be registered in the event log as the hijacked user, despite being logged on as the hijacker one.
What does it look like? (Screenshots: whoami, net user Guest, writing to the System32 folder.)
A Windows Logon Story …
Windows Security Architecture
Local Security Authority Subsystem <LSASS>:
• Winlogon: winlogon.exe
• LSA Server: lsasrv.dll, LSA DB (HKLM\SECURITY)
• SAM Server: samsrv.dll, SAM (HKLM\SAM)
• Authentication packages: MSV1_0.dll, kerberos.dll
• KDC: Kdcsvc.dll
• AD Services: ntdsa.dll, AD DB
• Others
Quick Logon Overview
User: Administrator, Pass: iamgreen -> WINLOGON & LSASS -> OK!
ACCESS TOKEN:
  User: Administrator S-1-5-…-500
  Group1: Everyone S-1-1-0
  Group2: Administrators S-1-5-32-544
  …
  Privileges: - … - …
SRM compares the token against File_X's DACL:
  READ: Everyone S-1-1-0
  WRITE: Administrators S-1-5-32-544
  …
Security Identifiers <SID>
S-1-5-21-397955417-62688126-188441444-1010
• S: literal prefix
• 1: revision
• 5: identifier authority (NT Authority)
• 21: sub authority indicating this class of ID
• 397955417-62688126-188441444: three sub authorities for uniqueness (the domain/machine identifier)
• 1010: Relative Identifier (RID)
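The following PowerShell is an added example, not code from the deck, that splits a SID into the fields described above, resolves it to an account name on the local machine, and checks whether two SIDs share the same machine identifier and differ only in the RID, which is exactly the relationship between the Guest and the hijacked SID on the earlier slide. The SIDs and the well-known RID table are constructed for illustration.

```powershell
# Added example (not from the original deck): dissect a SID the way the slide describes.
# Well-known RIDs as assumed for this example; 500/501 are the Administrator/Guest RIDs.
$WellKnownRids = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'; 512 = 'Domain Admins'; 513 = 'Domain Users' }

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    # The .NET constructor validates the string; an invalid SID throws here.
    $sid   = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    $parts = $SidString.Split('-')          # 'S', revision, authority, sub-authorities..., RID

    # Sub-authorities between the authority and the last element (the RID); empty for S-1-1-0 style SIDs.
    $subs = @()
    if ($parts.Length -gt 4) { $subs = @($parts[3..($parts.Length - 2)] | ForEach-Object { [uint32]$_ }) }

    [pscustomobject]@{
        Sid            = $SidString
        Revision       = [int]$parts[1]
        Authority      = [int64]$parts[2]   # 5 = NT Authority
        SubAuthorities = $subs
        Rid            = [uint32]$parts[-1]
        # AccountDomainSid is only populated for S-1-5-21-X-Y-Z-RID style SIDs (machine or domain accounts).
        DomainSid      = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        WellKnownRid   = $WellKnownRids[[int]$parts[-1]]
    }
}

function Resolve-SidName {
    # Ask the local LSA which account name this SID maps to (this is the lookup the system does,
    # so on a hijacked host the answer reflects the SAM, not the name you logged on with).
    param([Parameter(Mandatory)][string]$SidString)
    try {
        [System.Security.Principal.SecurityIdentifier]::new($SidString).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $null }   # unresolvable on this machine
}

function Test-SameDomain {
    # True when both SIDs carry the same machine/domain identifier and differ only in the RID.
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $sa = Split-Sid $A; $sb = Split-Sid $B
    ($null -ne $sa.DomainSid) -and ($sa.DomainSid -eq $sb.DomainSid) -and ($sa.Rid -ne $sb.Rid)
}

# Constructed SIDs: a Guest (501) and an Administrator (500) on the same machine identifier.
$guest = 'S-1-5-21-397955417-62688126-188441444-501'
$admin = 'S-1-5-21-397955417-62688126-188441444-500'
Split-Sid $guest | Format-List
Split-Sid $admin | Format-List
"Same machine, RID differs: $(Test-SameDomain $guest $admin)"   # True

# On a live host, compare what LSA says the current SID resolves to with the logon name.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Logon name: $($me.Name)  SID: $($me.User.Value)  resolves to: $(Resolve-SidName $me.User.Value)"
```

Resolve-SidName only answers for SIDs the local LSA can translate (local accounts, well-known SIDs, and domain accounts while the domain is reachable); anything else returns $null rather than a guessed name.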
Authentication Hi! ADMIN here. Pass: ilovegreen
Authentication Steps
0x01. WINLOGON initialization.
0x02. WINLOGON calls LOGONUI (using Credential Providers).
0x03. WINLOGON creates a unique LOGON SID.
0x04. WINLOGON calls LSASS and prepares a handle for an Authentication Package.
Authentication Packages
List: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
For interactive logons:
• <MSV1_0.dll>: Standalone authentication.
• <Kerberos.dll>: Domain Kerberos authentication.
The Kerberos authentication package will be ignored for now.
Authentication Steps
0x05. WINLOGON sends the logon info to MSV1_0 by calling LsaLogonUser. Logon info: username/password, LOGON SID.
MSV1_0 is also used on domain-member computers when they are disconnected from the network.
Authentication Steps
0x06. MSV1_0 sends the username and hashed password to SAMSRV.
0x07. SAMSRV queries the SAM database with the logon data, retrieving some security info.
(MSV1_0.dll -> Samsrv.dll -> HKLM\SAM)
Authentication Steps
0x08. MSV1_0 checks the information obtained from the SAMSRV response.
0x09. If OK, MSV1_0 generates a LUID for the session.
0x0A. MSV1_0 sends the logon information (including the LUID) to LSASS.
All the data sent will be used for the subsequent access token creation.
Authorization HELLO 500 . Creating your Access token
Access Token
Object used by the SRM to identify the security context of a process. LSASS creates an initial access token for every user who logs on. Child processes inherit a copy of their creator's token.
Processes in a user's session will be executed using the same access token.
Authorization Steps
0x0B. LSASS checks the LSA database for the user's allowed access.
0x0C. LSASS adds the groups, SIDs and privileges to the access token.
0x0D. LSASS formally creates a primary access token.
Authorization WELCOME ADMIN Here’s your Access token
Authorization ACCESS GRANTED TOKEN
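The access check the deck sketches (token SIDs on one side, the object's DACL on the other, evaluated by the SRM) can be reproduced in miniature. The PowerShell below is an added example, not part of the deck: it reads the current token's user and group SIDs, reads a file's DACL, and walks the ACEs in order the way the SRM does, stopping at the first deny that covers a still-outstanding right and accumulating allows until the requested mask is satisfied. It deliberately ignores owner rights, privileges such as SeBackupPrivilege and the elevation split, so it is a model of the slide, not a replacement for the kernel check.

```powershell
# Added example (not from the original deck): a simplified SRM-style access check.
# Reads the live token and a real DACL; the evaluation logic is a model and ignores
# owner implicit rights, privileges and UAC's filtered token.

function Get-TokenSids {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Name = $id.Name                     # the logon name LSASS associated with this token
        User = $id.User.Value               # the SID the SRM actually compares against DACLs
        Sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    }
}

function Test-DaclAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Requested,
        [string[]]$TokenSids = (Get-TokenSids).Sids
    )
    $acl       = Get-Acl -Path $Path
    $remaining = [int]$Requested            # rights still to be granted

    # GetAccessRules returns ACEs in DACL order (canonical order lists explicit denies first).
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($TokenSids -notcontains $ace.IdentityReference.Value) { continue }   # ACE not for us
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny' -and ($mask -band $remaining)) {
            return $false                   # a matching deny on an outstanding right ends the check
        }
        if ($ace.AccessControlType -eq 'Allow') {
            $remaining = $remaining -band (-bnot $mask)
        }
        if ($remaining -eq 0) { return $true }   # everything requested has been granted
    }
    return ($remaining -eq 0)               # no ACE covers what is left: access denied
}

# Usage: is the current token allowed to write into System32 (the deck's proof-of-privilege)?
$token = Get-TokenSids
"Token for $($token.Name) ($($token.User)) carries $($token.Sids.Count) SIDs"
"Write to System32 allowed: $(Test-DaclAccess -Path "$env:SystemRoot\System32" -Requested Write)"
"Read  of System32 allowed: $(Test-DaclAccess -Path "$env:SystemRoot\System32" -Requested Read)"
```

The interesting line on a hijacked host is the first one: $token.Name is whatever the SAM record says, while $token.User is the SID built from the hijacked RID, and only the SID matters to the DACL walk.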
Understanding the attack
How is the user identified by the system after being successfully authenticated?
S-1-5-2196653972-2908857710-5094559845-500
How does the system associate a username with its SID?
Using the Samsrv.dll black magic :)
Remembering …
0x06. MSV1_0 sends the username and hashed password to SAMSRV.
0x07. SAMSRV queries the SAM database with the logon data, retrieving some security info.
(MSV1_0.dll -> Samsrv.dll -> HKLM\SAM)
How is the username associated with the SID? What security info is retrieved?
Samsrv.dll and SAM
HKLM\SAM\SAM\Domains\Account\Users\Names
SAMSRV looks for the username in the SAM database.
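The PowerShell below is an added example, not the deck's code, showing what samsrv.dll has to work with under that key and how a defender can cross-check it. It assumes two facts from the publicly documented SAM layout that the deck does not state: each per-user key under Users is named with the RID in hex (000001F4 for 500), its binary F value holds the RID as a little-endian DWORD at offset 0x30, and its V value stores the username at the offset and length found at V+0x0C and V+0x10 (relative to 0xCC). It must run as SYSTEM (for example from psexec -s -i powershell.exe) because HKLM\SAM denies read access even to Administrators. A user key whose key-name RID and F-stored RID disagree is the condition a hijacked RID produces.

```powershell
# Added example (not from the original deck): inspect the SAM user keys samsrv.dll consults.
# Assumed SAM layout (public, not from the deck): key name = RID in hex; F[0x30..0x33] = RID (LE);
# V[0x0C] = username offset relative to 0xCC, V[0x10] = username length (UTF-16LE).
# Requires SYSTEM: HKLM\SAM is not readable as Administrator.

$SamUsers = 'HKLM:\SAM\SAM\Domains\Account\Users'

function Get-SamUserRecord {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)

    $keyRid = [Convert]::ToUInt32($Key.PSChildName, 16)        # e.g. '000001F4' -> 500
    $f = $Key.GetValue('F'); $v = $Key.GetValue('V')            # both REG_BINARY

    $storedRid = [BitConverter]::ToUInt32($f, 0x30)
    $nameOff   = [BitConverter]::ToUInt32($v, 0x0C) + 0xCC
    $nameLen   = [BitConverter]::ToUInt32($v, 0x10)
    $name      = [System.Text.Encoding]::Unicode.GetString($v, $nameOff, $nameLen)

    [pscustomobject]@{
        Key       = $Key.PSChildName
        Username  = $name
        KeyRid    = $keyRid
        StoredRid = $storedRid
        Suspect   = ($keyRid -ne $storedRid)                     # RID in F no longer matches the key
    }
}

function Get-SamUserRecords {
    # The Names subkey is the username -> RID index; the RID is kept as the *type* of its
    # default value, which the .NET registry provider cannot expose, so we take names from V instead.
    Get-ChildItem -Path $SamUsers |
        Where-Object { $_.PSChildName -ne 'Names' } |
        ForEach-Object { Get-SamUserRecord -Key $_ }
}

function Find-RidMismatch {
    Get-SamUserRecords | Where-Object { $_.Suspect }
}

# Usage (as SYSTEM): list every local account and flag any RID disagreement.
Get-SamUserRecords | Format-Table Key, Username, KeyRid, StoredRid, Suspect -AutoSize
$hits = @(Find-RidMismatch)
if ($hits.Count) { "RID mismatch found on: $($hits.Username -join ', ')" } else { 'No RID mismatch' }
```

Run this from a clean baseline first: on an untouched host every row has KeyRid equal to StoredRid, and a later Suspect row for an account such as Guest is the artifact to investigate, together with 4624 logon events whose account name does not match the SID recorded in the same event.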