8.2 - Privilege Escalation


Key Terms: 

    • Kerberoasting – An offline brute-force attack that cracks a Kerberos service ticket to reveal the service account password in plain text. 
    • DLL hijacking – Placing a malicious DLL in an application's directory so that, when the application runs, it loads the malicious DLL instead of the legitimate one. 
    • cPasswords – The attribute that stores passwords in a Windows group policy preference item. 
    • Security account manager (SAM) database – A database used to authenticate local and remote users. In Windows, it stores user passwords as LM or NTLM hashes. 
    • Local security authority subsystem service (LSASS) – The Windows service that enforces the system's security policy (login verification, access tokens, password changes). 

 

cPasswords 

cPasswords is the attribute that stores passwords in a Windows group policy preference item. It is easily exploited because the key used to encrypt those account credentials is published by Microsoft, so anyone who can read the preference item can recover the password. Group policy preferences let domain admins create and manage local user and local administrator accounts on domain machines, including setting their passwords. 

 

Kerberoasting 

Kerberos is an authentication protocol that allows clients to authenticate over an insecure network using tickets; services are identified by service principal names (SPNs). Kerberos can be exploited because any authorised user logged into an Active Directory domain can request a service ticket (TGS) for any SPN. The returned ticket is encrypted with a key derived from the service account's password, so an offline brute-force attack on the ticket can reveal the service account password. 
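Defender-side detection logic for the behaviour described above, added here as an example that is not part of the original notes: it scans constructed Windows Security event 4769 (service ticket request) records and flags user accounts that request RC4-encrypted service tickets for several distinct service accounts within a short window, which is the usual Kerberoasting signature. The field names, account names and timestamps are assumptions for the sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, user, service, etype, status="0x0"):
    """Build one reduced 4769 record (constructed sample, not real log data).
    etype is the Ticket Encryption Type; status is the Failure Code (0x0 = success)."""
    return {"time": time, "user": user, "service": service, "etype": etype, "status": status}


SAMPLE_EVENTS = [
    ev("2024-03-01T09:00:01", "alice", "sqlsvc", "0x17"),     # burst of RC4 requests
    ev("2024-03-01T09:00:02", "alice", "httpsvc", "0x17"),
    ev("2024-03-01T09:00:02", "alice", "backupsvc", "0x17"),
    ev("2024-03-01T09:00:03", "alice", "sqlsvc", "0x17"),     # repeat, counted once
    ev("2024-03-01T09:00:04", "alice", "reportsvc", "0x17"),
    ev("2024-03-01T09:10:00", "bob", "sqlsvc", "0x17"),       # single request: normal use
    ev("2024-03-01T09:10:05", "WS01$", "sqlsvc", "0x17"),     # computer account: excluded
    ev("2024-03-01T09:10:06", "WS01$", "httpsvc", "0x17"),
    ev("2024-03-01T09:10:07", "WS01$", "backupsvc", "0x17"),
    ev("2024-03-01T09:20:00", "carol", "sqlsvc", "0x12"),     # AES tickets: not crackable offline
    ev("2024-03-01T09:20:01", "carol", "httpsvc", "0x12"),
    ev("2024-03-01T09:20:02", "carol", "backupsvc", "0x12"),
    ev("2024-03-01T10:00:00", "dave", "sqlsvc", "0x17"),      # spread over an hour: below threshold
    ev("2024-03-01T10:30:00", "dave", "httpsvc", "0x17"),
    ev("2024-03-01T11:00:00", "dave", "backupsvc", "0x17"),
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP, the types attackers ask for


def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Return {user: set of service accounts} for users that obtained RC4-encrypted
    service tickets for at least min_services distinct services inside one window."""
    per_user = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["etype"] not in RC4_ETYPES:
            continue
        if e["user"].endswith("$") or e["service"].lower() == "krbtgt":
            continue  # machine accounts and TGT renewals are normal noise
        per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide the window over each start time
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                flagged[user] = services
                break
    return flagged


if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_EVENTS))
```

Tuning the window and threshold to the environment matters: a service desk account that legitimately touches many services will need an allow-list rather than a lower threshold.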

 

Credentials in LSASS 

LSASS (lsass.exe, in the Windows system directory) is the process that enforces the system's security policy. It verifies user logins, creates access tokens, and handles password changes. Because it handles credentials, it is a high-value target for viruses and trojans. The risk level for this component is high, as it is critical to domain authentication, Active Directory management, and the initial security authentication on the machine. 

 

SAM Database Vulnerabilities 

The security account manager (SAM) database stores user passwords in Windows as LM or NTLM hashes. It is used to authenticate local and remote users, and it also stores the administrator recovery account information. The SAM file is locked while Windows is running, so it cannot simply be copied, but the password hashes can be dumped and taken to an offsite location where they can then be cracked. 

 

Unattended Installation Risks 

When Windows is installed unattended, the installer leaves a file named “unattended” on the workstation. This is an XML file containing the configuration settings used during the installation, including the settings that determine whether the created account is an administrator account. 

 

DLL Hijacking 

DLL hijacking exploits the way an application locates its libraries. When a Windows application loads an external DLL, it usually searches the directory it was launched from before searching the system path. If an attacker places a malicious DLL in the application directory before the application is installed, the malicious DLL will be run when the application starts, allowing the attacker to gain access with the application's privileges. 

 

Tools 

    • Trinity Rescue Kit – A kit for repair and recovery operations on Windows machines. It can reset passwords, perform malware scans, run disk cleanup, and fix bugs. 
    • Kali Linux 
    • Ultimate Boot CD 
    • ERD Commander – Software designed to fix bugs that occur during or after reboots. 
    • Ophcrack – Used for Windows password cracking. 

 

Countermeasures 

Users should only be given the privileges they absolutely need. This limits escalation if an attacker gains access to a lower-level account. Encryption should always be used, along with multi-factor authentication. The OS and application code should be scanned regularly so that bugs are fixed quickly. Systems should be kept up to date and monitored for suspicious activity. 
