13 posts in 'link/security'
- 2022.09.02 NtCreateToken
- 2021.02.15 Access Tokens
- 2021.02.02 Token modification
- 2019.02.19 How to Check Access Rights
- 2016.05.26 SubInACL
- 2013.10.22 How to determine physical machine
- 2013.10.04 Enable empty password runAs
- 2013.09.27 How to validate user credentials on Microsoft operating systems
- 2013.09.25 Windows Security Collection
- 2013.09.17 Windows Privilege Escalation
NtCreateToken

Return Codes
- STATUS_SUCCESS - Indicates the operation was successful.
- STATUS_INVALID_OWNER - Indicates the ID provided to be assigned as the default owner of the token does not have an attribute indicating it may be assigned as an owner.
- STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided via the PrimaryGroup parameter was not among those assigned to the token in the Groups parameter.
- STATUS_BAD_IMPERSONATION_LEVEL - Indicates no impersonation level was provided when attempting to create a token of type TokenImpersonation.
Abusing Token Privileges For LPE (EDB-ID: 42556, CVE: N/A, Date: 2017-08-28)
www.exploit-db.com
GitHub - decoder-it/CreateTokenExample
Creating Windows Access Tokens
Some time ago I was playing with the STOPZilla exploit, which is very interesting and educational because it shows how you can abuse an arbitrary write from userland into the kernel. In thi…
decoder.cloud
GUI-Based RunAsEx
An ultimate tool that lets you RunAs... (With support for non-Pwd, WTS, fake privilege, fake user groups, etc...)
www.codeproject.com
Understanding Windows Access Token Manipulation
Finding alternatives to winlogon.exe to steal SYSTEM access tokens from. Presented at HushCon 2019
www.slideshare.net
Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe
A dive into Windows processes, access tokens, SACLs, WinAPI and access token manipulation.
posts.specterops.io
Social Engineering the Windows Kernel by James Forshaw
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading …
www.slideshare.net
Stealing Tokens In Kernel Mode With A Malicious Driver - SolomonSklash.io
Stealing Tokens In Kernel Mode With A Malicious Driver Introduction I’ve recently been working on expanding my knowledge of Windows kernel concepts and kernel mode programming. In the process, I wrote a malicious driver that could steal the token of one
www.solomonsklash.io
Token Abuse for Privilege Escalation in Kernel
www.ired.team
How to Check Access Rights of files
The same logic can be applied to other object types (registry keys, services, kernel objects) by calling the GetNamedSecurityInfo function with the matching SE_OBJECT_TYPE and running AccessCheck against the returned security descriptor.
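The check described above, as an added example that is not part of the original post: a simplified model of the AccessCheck algorithm run over a file's DACL in PowerShell. It walks the ACEs in order, matching them against the current token's user and group SIDs (Deny before Allow, as the kernel does), and assumes the path exists; it ignores owner-implied rights, privileges such as SeBackupPrivilege and deny-only groups, so it is an illustration of the logic, not a replacement for the API.

```powershell
# Added example: simplified access check over a file DACL (not the page's code).
function Test-FileAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs the token carries: the user plus every enabled group
    # (.NET's Groups property already drops deny-only groups, a known simplification here).
    $sids = @($id.User) + @($id.Groups)
    $acl = Get-Acl -LiteralPath $Path
    $remaining = [int]$Rights          # bits still needed to be granted

    foreach ($ace in $acl.Access) {
        # PropagationFlags.InheritOnly (2): ACE applies to children only, not this object.
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }           # orphaned / unresolvable trustee
        if ($sids -notcontains $aceSid) { continue }

        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            # Any denied bit that is still wanted ends the check with "denied".
            if (($mask -band $remaining) -ne 0) { return $false }
        } else {
            # Allow ACEs remove the bits they grant; stop as soon as nothing is left.
            $remaining = $remaining -band (-bnot $mask)
            if ($remaining -eq 0) { return $true }
        }
    }
    # Ran out of ACEs: granted only if every requested bit was allowed.
    return ($remaining -eq 0)
}

# Usage (constructed example): does the current token get modify access to a file?
Test-FileAccess -Path "$env:windir\win.ini" -Rights Modify
```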
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.
Using the system manufacturer name
CMD: SYSTEMINFO
WMI
http://msdn.microsoft.com/en-us/library/windows/desktop/aa389762%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa390418%28v=vs.85%29.aspx
Registry
http://www.rohitab.com/discuss/topic/35915-win32-api-to-get-system-information/
```c
#include <windows.h>
#include <commctrl.h>
#include <shlwapi.h>

/* Reads the raw SMBIOS table that Windows mirrors into the registry and
 * appends manufacturer / product / version strings plus the chassis type
 * to lpBuffer. Returns 0 on failure (see GetLastError); otherwise the
 * number of bytes left unused in the buffer. */
UINT GetComputerManufacturer(LPSTR lpBuffer, UINT uSize)
{
    HKEY   hkData;
    HANDLE hHeap = NULL;
    LPSTR  lpString = NULL;
    LPBYTE lpData = NULL;
    DWORD  dwType = 0, dwSize = 0;
    UINT   uIndex, uStart, uEnd, uString, uLength, uState = 0;
    LONG   lErr;

    if ((lErr = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
            TEXT("SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data"),
            0, KEY_QUERY_VALUE, &hkData)) != ERROR_SUCCESS) {
        SetLastError(lErr);
        return 0;
    }

    /* First query gets the size, second query fetches the data. */
    if ((lErr = RegQueryValueEx(hkData, TEXT("SMBiosData"), NULL, &dwType,
            NULL, &dwSize)) == ERROR_SUCCESS) {
        if (dwSize < 8 || dwType != REG_BINARY)
            lErr = ERROR_BADKEY;
        else {
            hHeap = GetProcessHeap();
            lpData = (LPBYTE)HeapAlloc(hHeap, 0, dwSize);
            if (!lpData)
                lErr = ERROR_NOT_ENOUGH_MEMORY;
            else
                lErr = RegQueryValueEx(hkData, TEXT("SMBiosData"), NULL, NULL,
                                       lpData, &dwSize);
        }
    }
    RegCloseKey(hkData);

    if (lErr == ERROR_SUCCESS) {
        /* The value is a RawSMBIOSData header (calling method, major, minor,
         * DMI revision, then a DWORD table length at offset 4) followed by
         * the SMBIOS structures starting at offset 8. */
        uIndex = 8;
        uEnd   = 8 + *(DWORD *)(lpData + 4);
        if (uEnd > dwSize) uEnd = dwSize;

        /* Type 0x7F is the end-of-table structure. Check the bound first. */
        while (uIndex < uEnd && lpData[uIndex] != 0x7F) {
            uStart = uIndex;
            uIndex += lpData[uStart + 1];   /* skip the formatted part; strings follow */
            uString = 1;
            do {
                /* Type 1: System Information. Offsets 4/5/6 hold the string
                 * indices of Manufacturer, Product Name and Version. */
                if (lpData[uStart] == 0x01 && uState == 0) {
                    if (lpData[uStart + 4] == uString ||
                        lpData[uStart + 5] == uString ||
                        lpData[uStart + 6] == uString) {
                        lpString = (LPSTR)(lpData + uIndex);
                        /* Placeholder left by some OEM boards: fall back to
                         * the baseboard (type 2) strings instead. */
                        if (!StrCmpIA(lpString, "System manufacturer")) {
                            lpString = NULL;
                            uState++;
                        }
                    }
                }
                /* Type 2: Base Board, same string layout as type 1. */
                else if (lpData[uStart] == 0x02 && uState == 1) {
                    if (lpData[uStart + 4] == uString ||
                        lpData[uStart + 5] == uString ||
                        lpData[uStart + 6] == uString)
                        lpString = (LPSTR)(lpData + uIndex);
                }
                /* Type 3: System Enclosure. Offset 5 is the chassis type. */
                else if (lpData[uStart] == 0x03 && uString == 1) {
                    switch (lpData[uStart + 5]) {
                    default:   lpString = "(Other)";               break;
                    case 0x02: lpString = "(Unknown)";             break;
                    case 0x03: lpString = "(Desktop)";             break;
                    case 0x04: lpString = "(Low Profile Desktop)"; break;
                    case 0x06: lpString = "(Mini Tower)";          break;
                    case 0x07: lpString = "(Tower)";               break;
                    case 0x08: lpString = "(Portable)";            break;
                    case 0x09: lpString = "(Laptop)";              break;
                    case 0x0A: lpString = "(Notebook)";            break;
                    case 0x0E: lpString = "(Sub Notebook)";        break;
                    }
                }
                if (lpString != NULL) {
                    uLength = (UINT)strlen(lpString) + 1;
                    /* Append, and shrink the budget, only when the string fits. */
                    if (uSize > uLength + 1) {
                        lpBuffer += wsprintfA(lpBuffer, "%s ", lpString);
                        uSize -= uLength;
                    }
                    lpString = NULL;
                }
                uString++;
                /* Advance to the next string in the structure's string set. */
                while (lpData[uIndex++]);
            } while (lpData[uIndex] && uIndex < uEnd);
            uIndex++;   /* skip the double NUL that terminates the string set */
        }
    }
    if (lpData)
        HeapFree(hHeap, 0, lpData);
    SetLastError(lErr);
    /* 0 signals failure; on success uSize is always >= 2. */
    return (lErr == ERROR_SUCCESS) ? uSize : 0;
}

int APIENTRY WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmdLine, int nShowCmd)
{
    CHAR szBuffer[128];
    szBuffer[0] = 0;
    InitCommonControls();
    /* The function returns a UINT, so a "< 0" test can never fire; 0 means failure. */
    if (GetComputerManufacturer(szBuffer, sizeof(szBuffer)) == 0)
        wsprintfA(szBuffer, "Failed: %d", GetLastError());
    MessageBoxA(HWND_DESKTOP, szBuffer, "Manufacturer", MB_OK);
    return 0;
}
```
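The WMI route listed above, as an added example that is not from the linked MSDN pages: it reads the same manufacturer/model/baseboard strings that the SMBIOS parser extracts, and compares them against a constructed list of vendor fragments typical of virtual hardware so the result can be used for asset inventory. Assumes Windows PowerShell 3+ or PowerShell 7 on Windows (Get-CimInstance).

```powershell
# Added example: physical vs. virtual hint from WMI (not the page's code).
function Get-MachineKind {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $bb   = Get-CimInstance -ClassName Win32_BaseBoard

    # Constructed list of vendor/model fragments typical of virtual hardware.
    $vmPatterns = 'VMware', 'VirtualBox', 'innotek', 'QEMU', 'KVM', 'Xen',
                  'Parallels', 'Virtual Machine', 'Hyper-V', 'Bochs'
    $fields = @($cs.Manufacturer, $cs.Model, $bios.Manufacturer,
                $bios.SMBIOSBIOSVersion, $bb.Manufacturer, $bb.Product)

    $hits = foreach ($p in $vmPatterns) {
        foreach ($f in $fields) {
            if ($f -and ($f -match [regex]::Escape($p))) { $p }
        }
    }
    $hits = @($hits | Sort-Object -Unique)

    [pscustomobject]@{
        ComputerName      = $cs.Name
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        BaseBoard         = "$($bb.Manufacturer) $($bb.Product)"
        # HypervisorPresent is also $true on a physical host that runs Hyper-V
        # (or VBS / WSL2), so it is a hint, not proof of being a guest.
        HypervisorPresent = $cs.HypervisorPresent
        VendorIndicators  = $hits
        LikelyVirtual     = ($hits.Count -gt 0)
    }
}

Get-MachineKind | Format-List
```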
http://superuser.com/questions/342680/enable-password-blank-run-as-on-home-premium
How to Enable Remote Login via Blank Passwords using Local Security Policy or Group Policy Editor
Open Local Security Policy (secpol.msc) -> Local Policies -> Security Options (with the Group Policy Editor, gpedit.msc, expand Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). Locate the policy "Accounts: Limit local account use of blank passwords to console logon only" and set its value to Disabled.
How to Configure Blank Passwords Allowed for Remote Log On via Registry
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000
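The registry entries above set LimitBlankPasswordUse to 0, which is the weak state: the default of 1 confines accounts with blank passwords to console logon, while 0 lets them be used over the network and through RunAs. As an added example (not from the linked SuperUser thread), this audit reports the current value together with the enabled local accounts whose "password not required" flag is set, and can restore the default. Assumes an elevated Windows PowerShell 5.1+ session for Get-LocalUser and the fix.

```powershell
# Added example: audit (and optionally correct) the blank-password policy (not the page's code).
function Test-BlankPasswordPolicy {
    param([switch] $Fix)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LimitBlankPasswordUse'

    # A missing value behaves like the default (1 = console logon only).
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = 1 }
    $weak = ($value -eq 0)

    # Enabled local accounts carrying the "password not required" flag.
    # (The flag, not an actual blank-password test; such accounts may still have one.)
    $noPwd = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })

    if ($weak -and $Fix) {
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        $value = 1
    }
    $exposure = 'OK'
    if ($weak -and $noPwd.Count -gt 0) {
        $exposure = 'Accounts without a required password are usable remotely'
    }

    [pscustomobject]@{
        LimitBlankPasswordUse = $value
        Weak                  = $weak
        Fixed                 = [bool]($weak -and $Fix)
        AccountsNoPwdRequired = @($noPwd | Select-Object -ExpandProperty Name)
        Exposure              = $exposure
    }
}

Test-BlankPasswordPolicy          # report only; add -Fix to restore the default of 1
```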
How to validate user credentials on Microsoft operating systems

http://support.microsoft.com/kb/180548/en-us
Use the LogonUser API; the KB article above describes the problems it has on Windows NT and Windows 2000.
http://technet.microsoft.com/en-us/library/cc784886(v=ws.10).aspx
- Logon and Authentication Technologies
- Authorization and Access Control Technologies
- Data Security Technologies
- PKI Technologies
- Trust Technologies
Part 1: Local Administrator Privileges
Part 2: Domain Admin Privileges
https://www.netspi.com/blog/entryid/113/windows-privilege-escalation-part-2-domain-admin-privileges
Tokenvator: A Tool to Elevate Privilege using Windows Tokens