
Access Tokens and Exploits

Learn how to successfully exploit access tokens, escalate privileges, and gain cross-domain access. Explore the security implications of Windows access tokens and discover effective post-exploit actions. This guide provides valuable insights for penetration testers.





Presentation Transcript


  1. CS460 Cyber Security Lab, Spring '10
  Access Tokens and Exploits
  Cyber Security Spring 2010

  2. Post-Exploit Actions
  • Successfully exploit a process
  • Escalate privilege locally
  • Gain access across the domain
  • Knowledge of access tokens can be leveraged to do both
  • Reference: Security Implications of Windows Access Tokens – A Penetration Tester's Guide, by Luke Jennings
  • http://labs.mwrinfosecurity.com/files/Publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf

  3. Remember Access Tokens
  • Kernel object that contains the security-relevant information about a process or thread
  • SIDs, privileges, integrity level, etc.
  • One primary token per process
  • Potentially an impersonation token per thread
  • Impersonation token
  • Delegation token
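The fields listed on this slide can be read straight off a running process's token. The PowerShell script below is an added example, not part of the lecture; it inspects the current process's own token via .NET's WindowsIdentity and whoami.exe (user SID, groups, integrity level, privileges, impersonation level) and flags the privileges that allow a process to make use of other tokens, which is the hinge of the local escalation path the later slides describe. It assumes a Windows host with whoami.exe available; the function name Get-CurrentTokenSummary is this example's own.

```powershell
# Added example (not from the lecture slides): summarise the token of the
# current PowerShell process. Assumes Windows with whoami.exe on the PATH.
function Get-CurrentTokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # whoami /groups includes the mandatory label row (Type = Label); that row
    # carries the integrity level SID (S-1-16-*), which WindowsIdentity.Groups
    # does not expose.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1

    # whoami /priv lists every privilege held by the token with its state
    # (Enabled / Disabled); a disabled privilege is still held and can be enabled.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    # Privileges that let a process act with another token. The slides' local
    # escalation path depends on the first; the second is the primary-token
    # counterpart (a known Windows privilege, listed here as an assumption about
    # what the reader will want flagged).
    $tokenPrivs = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

    [pscustomobject]@{
        User               = $id.Name
        UserSid            = $id.User.Value
        AuthenticationType = $id.AuthenticationType
        # None for a primary token; Identification/Impersonation/Delegation
        # when the calling thread is impersonating.
        ImpersonationLevel = $id.ImpersonationLevel
        IsAdministrator    = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
                                 [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        IntegrityLevel     = if ($label) { $label.'Group Name' } else { 'unknown' }
        GroupCount         = $id.Groups.Count
        TokenPrivileges    = ($privs |
                              Where-Object { $tokenPrivs -contains $_.'Privilege Name' } |
                              ForEach-Object { "$($_.'Privilege Name') ($($_.State))" }) -join '; '
        AllPrivileges      = ($privs | ForEach-Object { $_.'Privilege Name' }) -join ', '
    }
}

Get-CurrentTokenSummary | Format-List
```

Run it once from a normal prompt and once from an elevated one: the IsAdministrator flag, the integrity label and the privilege list change, while the user SID does not, which is the point of the slide that a token is more than the identity it names. Running it under a service account (for example via a scheduled task) shows the SeImpersonatePrivilege that service accounts typically hold.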

  4. Access Token (diagram slide; only the title survives in the transcript)

  5. Local Escalation (diagram slide; labels: Administrator, Network Service, Exploited Service, Client Process)

  6. Local Escalation
  • Older versions of Windows did not require the SeImpersonatePrivilege to impersonate a client
  • Services running with even lower privilege could therefore be exploited, or set up by the attacker, to collect client tokens
  • Access checks can be performed under the impersonation token
  • An impersonation token cannot be delegated to other processes

  7. Domain Escalation (diagram slide; labels: Domain Admin, Network Service, Exploited Service, Client Process, Sensitive Server, Domain Admin Laptop, Sensitive Service)

  8. Domain Escalation
  • The sensitive server itself isn't misconfigured
  • The weakest link in the entire domain could lead to a domain-wide compromise
  • One unpatched test server visited by a high-privilege user could be enough

  9. Lingering Tokens
  • Bug before Windows 2003 SP1
  • Tokens linger after the user logs off and stay until reboot
  • Reported as impersonation tokens, but they work fine for delegation
  • Terminal Services: tokens stay if you close the window instead of logging off
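The Terminal Services case on this slide is something an administrator can audit rather than just know about: a session that was disconnected instead of logged off keeps its logon session, and therefore its token, alive on the host. The script below is an added example, not part of the lecture; it parses quser.exe to find disconnected sessions and then lists, from WMI/CIM, the logon sessions the LSA still tracks for those users, with their type and start time. It assumes quser.exe is present (Windows Server and Pro editions) and that the caller has rights to see other users' sessions; the function names Get-DisconnectedSessions and Get-LogonSessionsForUser are this example's own.

```powershell
# Added example (not from the lecture slides): find users who disconnected a
# Terminal Services / RDP session rather than logging off, and show the logon
# sessions (and thus tokens) that remain for them. Assumes quser.exe exists.
function Get-DisconnectedSessions {
    # quser prints fixed-width rows. A disconnected session has an empty
    # SESSIONNAME column, so that field is optional in the pattern.
    $pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'
    $lines = quser 2>$null
    foreach ($line in $lines) {
        if ($line -match $pattern -and $matches.state -eq 'Disc') {
            [pscustomobject]@{
                User      = $matches.user
                SessionId = [int]$matches.id
                IdleTime  = $matches.idle
                LogonTime = $matches.logon
            }
        }
    }
}

function Get-LogonSessionsForUser {
    param([string]$UserName)
    # Win32_LogonSession holds every logon session the LSA still tracks;
    # Win32_LoggedOnUser associates each session with its account.
    # LogonType values are the documented SECURITY_LOGON_TYPE codes.
    $types = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service';
                10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
    foreach ($s in Get-CimInstance Win32_LogonSession) {
        $accounts = Get-CimAssociatedInstance -InputObject $s -Association Win32_LoggedOnUser
        foreach ($a in $accounts) {
            if ($a.Name -eq $UserName) {
                $t = [int]$s.LogonType
                [pscustomobject]@{
                    User      = "$($a.Domain)\$($a.Name)"
                    LogonId   = $s.LogonId
                    LogonType = if ($types.ContainsKey($t)) { $types[$t] } else { $t }
                    StartTime = $s.StartTime
                }
            }
        }
    }
}

$disconnected = Get-DisconnectedSessions
if (-not $disconnected) { Write-Output 'No disconnected sessions on this host.' }
foreach ($d in $disconnected) {
    Write-Output "Disconnected session $($d.SessionId) for $($d.User): idle $($d.IdleTime), logged on $($d.LogonTime)"
    Get-LogonSessionsForUser -UserName $d.User | Format-Table -AutoSize
}
```

On a host where a privileged user closed an RDP window instead of signing out, the output shows that user's RemoteInteractive logon session still present, hours after the window was closed. Reasonable mitigations are a Terminal Services policy that ends disconnected sessions after a short timeout, and the practice on the domain escalation slides: privileged accounts should not be logging on interactively to low-trust machines at all.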

  10. Incognito Pen Test Tool
  • Finds all available tokens:
  • List all handles
  • Determine which handles point to tokens
  • Enumerate all attributes of the tokens: users, privileges, impersonation levels

  11. Lessons
  • Consider how security elements can be misused
  • In a multi-machine environment (i.e., a domain), the security of the entire system must be considered
