Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: priviledge escalation techniques

from [miguel . dilaj] Network Security [Permanent Link]
Subject: Re: priviledge escalation techniques
Date: Mon, 17 Jan 2005 21:54:24 +0000 
Hi jnf!

Good question, I used a tool to write to NTFS volumes, as mentioned in 
point (1) of my post. This was probably not clear in my original post, 
sorry.
And answering another good question you made off-list:


What is the point then?
If you can write to anything on the fs, why not just skip the middle mand
and write a new sam file or just add a new program to run on boot in the
registry/etc. what do you gain by adding extra steps?


Your options are perfectly valid, but much more detectable (IMHO).
With the option of changing sethc.exe you are not running anything extra, 
you are not modifying the SAM (that can count as evidence against you in 
case of problems), and you don't even need to crack passwords.
It's just a CLI as SYSTEM on request ;-)
But as you pointed, the possibilities are endless.
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
We need YOU at www.oissg.org!






lists <lists@innocence-lost.net>
17/01/2005 19:19

 
        To:     Miguel Dilaj/PH/Novartis@PH
        cc:     pen-test@securityfocus.com
        Subject:        Re: priviledge escalation techniques




3) the one I've chosen, similar to (1) above. I've XP with the
Accessibility Tools installed by default. They monitor some keys, and if
for example you press SHIFT 5 times a popup appears where you can 

activate

and configure the accessibility tools. The program responsible for that 

is

sethc.exe, and the guys at Micro$oft comit the cardinal mistake of not
making IT check if SHIFT was pressed 5 times, but to include that in 

some

other part of the OS (kernel? ;-)
So if you press SHIFT 5 times, sethc.exe is executed, but doesn't matter
WHAT IS sethc.exe
You guess that, I replaced sethc.exe by a copy of cmd.exe
If I press that BEFORE login, a CLI as SYSTEM is started, I can launch
compmgmt.msc and add myself to the local administrators group (please 

note

that if you start it AFTER login, a CLI is started as your user).



How do you suppose one gets write access to sethc.exe without admin privs
in the first place? I cannot overwrite my sethc.exe, nor can I change the
system Path variables, and it gets prepended to my path before user
variables do- are you sure you didn't test this while logged in as an
admin?

jnf
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Windows based DoS Tools?, Faisal Khan
Next by Date:  Re: priviledge escalation techniques, miguel . dilaj
Previous by Thread:  RE: priviledge escalation techniques, John Cobb
Next by Thread:  Re: priviledge escalation techniques, miguel . dilaj
Indexes:  [Date] [Thread] [Top] [All Lists]