Privilege Escalation in Windows and Linux Systems

UNIT-IV
 
PRIVILEGE ESCALATION IN
WINDOWS & LINUX
 
08/02/2023
 
FOP ON EL-VI EHS
CONTENTS

CO MAPPED: CO4. Content built to understand the basic and advanced features of privilege in Windows and Linux environments.
BL: Level 1: Knowledge; Level 2: Understand.

Introduction.
Windows Privileges. Horizontal vs. Vertical Privilege Escalation. Different Privilege Escalation in Windows and Linux.
Windows Privilege Techniques: Windows Authentication Bypass, Privacy Policy Settings, Access Token Manipulation, DLL Search Order Hijacking.
Privilege Escalation Attack Vectors: Credential Exploitation, Vulnerabilities and Exploits, Misconfigurations, Malware, Social Engineering.
Linux Privilege Escalation: Introduction, Linux File Permission, Sudo Bypass, NFS, Passwords on Files, Kernel Exploits, LXD Linux Container.

What is Privilege Escalation

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. Attackers exploit human behaviors, design flaws, or oversights in operating systems or web applications.

This is closely related to lateral movement: tactics by which a cyberattack moves deeper into a network in search of high-value assets. The result is an internal or external user with unauthorized system privileges.
 
Step-by-Step Path to Privilege Escalation

[Figure: example of the steps an attacker will take]
 
Privilege Escalation Types

• Vertical Privilege Escalation
• Horizontal Privilege Escalation
 
Vertical Privilege Escalation

Vertical privilege escalation, sometimes referred to as privilege elevation, is when an attacker compromises a user account that has limited permissions on a system. They then look for ways to increase their privileges using the same account. For example, they might add the compromised account to the local administrator group.
 
Horizontal Privilege Escalation

Horizontal privilege escalation, the more common method, is when an attacker gains access to another credential on the network with higher privileges than the initial one used to gain their foothold. With higher-level privileges, an attacker can move freely around the network without detection.
 
Windows Privilege Escalation Techniques

• Bypass User Account Control
• DLL Search Order Hijacking
• Access Token Manipulation
 
 
 
 
 
Bypass User Account Control

Attack description

The Windows User Account Control (UAC) mechanism creates a distinction between regular users and administrators. It limits all applications to standard user permissions unless specifically authorized by an administrator, to prevent malware from compromising the operating system.

However, if UAC protection is not at the highest level, some Windows programs can escalate privileges, or execute COM objects with administrative privileges.
 
 
 
 
Bypass User Account Control

Mitigation

Review IT systems and ensure UAC protection is set to the highest level, or if this is not possible, apply other security measures. Regularly review which accounts are in the local administrator group on sensitive systems and remove regular users who should not have administrative rights.
 
 
 
 
 
DLL Search Order Hijacking

Attack description

Attackers can perform “DLL preloading”. This involves planting a malicious DLL with the same name as a legitimate DLL in a location that is searched by the system before the legitimate DLL. Often this will be the current working directory, or in some cases attackers may remotely set the working directory to an external file volume. The system finds the DLL in the working folder, thinking it is the legitimate DLL, and executes it.
 
DLL Search Order Hijacking

Techniques

There are several other ways to achieve DLL search order hijacking:
• Replacing an existing DLL, or modifying a .manifest or .local redirection file, directory, or junction.
• Performing search order DLL hijacking on a vulnerable program that has a higher privilege level, causing the attacker’s DLL to run at the same privilege level. This can be used to elevate privileges from user to administrator, or from administrator to SYSTEM.
• Covering the attack by loading the legitimate DLLs together with the malicious DLLs, so that systems appear to run as usual.
 
 
DLL Search Order Hijacking

Mitigation

Here are several ways to prevent a DLL search order hijack:
• Disallow loading of remote DLLs.
• Enable Safe DLL Search Mode to force the search for system DLLs into directories with greater restrictions.
• Use auditing tools such as PowerSploit to detect DLL search order hijacking vulnerabilities and correct them.
• Identify and block software executed through search order hijacking, using whitelisting tools like AppLocker.
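As an added example (not material from the deck) covering both the UAC mitigation slide and the DLL search order mitigation list above: a Python audit that evaluates the registry values behind those settings. The registry keys and value names are real Windows locations; the thresholds treated as "good" (ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1 for the highest UAC level, CWDIllegalInDllSearch = 2 or 0xFFFFFFFF to block remote DLL loading) are my reading of the documented meaning of those values, and the sample dictionary used on non-Windows hosts is constructed.

```python
"""Audit the Windows settings behind the UAC and DLL search order mitigations.
The evaluation is pure logic over a dict of registry values so it can be
checked anywhere; reading the live registry only works on Windows."""

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SESSION_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"

CHECKS = [
    # (key, value name, predicate the value must satisfy, finding if it fails)
    (UAC_KEY, "EnableLUA", lambda v: v == 1, "UAC is disabled (EnableLUA != 1)"),
    (UAC_KEY, "ConsentPromptBehaviorAdmin", lambda v: v == 2,
     "UAC is below the highest level (ConsentPromptBehaviorAdmin != 2)"),
    (UAC_KEY, "PromptOnSecureDesktop", lambda v: v == 1,
     "UAC prompts do not use the secure desktop"),
    (SESSION_KEY, "SafeDllSearchMode", lambda v: v != 0,
     "Safe DLL search mode disabled: working directory searched before system dirs"),
    (SESSION_KEY, "CWDIllegalInDllSearch", lambda v: v in (2, 0xFFFFFFFF),
     "DLL loading from remote/current working directory not blocked"),
]


def evaluate(values):
    """values maps (key, name) -> int, or None when the value is absent.
    Returns a list of human-readable findings (empty means all checks pass)."""
    findings = []
    for key, name, ok, message in CHECKS:
        v = values.get((key, name))
        if v is None:
            # SafeDllSearchMode defaults to enabled when absent; for the
            # others, ask the reviewer to confirm the effective policy.
            if name == "SafeDllSearchMode":
                continue
            findings.append(f"{name}: not set explicitly; verify the effective policy")
        elif not ok(v):
            findings.append(message)
    return findings


def read_live_registry():
    """Read the checked values from HKLM (Windows only)."""
    import winreg  # only importable on Windows
    values = {}
    for key, name, _, _ in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                values[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except FileNotFoundError:
            values[(key, name)] = None
    return values


if __name__ == "__main__":
    try:
        live = read_live_registry()
    except ImportError:
        # Constructed sample for non-Windows hosts: a lax configuration.
        live = {(UAC_KEY, "EnableLUA"): 1, (UAC_KEY, "ConsentPromptBehaviorAdmin"): 5,
                (UAC_KEY, "PromptOnSecureDesktop"): 1,
                (SESSION_KEY, "SafeDllSearchMode"): 0,
                (SESSION_KEY, "CWDIllegalInDllSearch"): None}
    for finding in evaluate(live):
        print("FINDING:", finding)
```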
 
 
Access Token Manipulation

Attack description

Windows uses access tokens to determine the owners of running processes. When a process tries to perform a task that requires privileges, the system checks who owns the process to see if they have sufficient permissions. Access token manipulation involves fooling the system into believing that the running process belongs to someone other than the user who started the process, granting the process the permissions of the other user.
 
 
Privilege Escalation Attack Chain
 
 
Privilege Escalation Attack Vectors
 
 
• Credential Exploitation
• Vulnerabilities and Exploits
• Misconfigurations
• Social Engineering
 
 
 
 
Linux Privilege Escalation

What Is Enumeration?

In Linux systems, attackers use a process called “enumeration” to identify weaknesses that may allow privilege escalation. Enumeration involves:
• Using Google searches, port scanning, and direct interaction with a system to learn more about it and see how it responds to inputs.
• Seeing if compilers, or high-level programming languages like Perl or Python, are available, which can allow an attacker to run exploit code.
• Identifying software components, such as web servers and their versions.
• Retrieving data from key system directories such as /etc and /proc, and from commands such as ifconfig, lsof, netstat and uname.

The exploitation of Linux privileges can be done in two ways: kernel exploits, or exploiting SUDO rights.
 
 
 
 
 
 
Kernel Exploit

From time to time, vulnerabilities are discovered in the Linux kernel. Attackers can exploit these vulnerabilities to gain root access to a Linux system, and once the system is infected with the exploit, there is no way to defend against it.

Attackers go through the following steps:
1. Learn about the vulnerabilities
2. Develop or acquire exploit code
3. Transfer the exploit onto the target
4. Execute the exploit on the target
 
 
 
 
 
 
Exploiting SUDO Rights

Attack description

SUDO is a Linux program that lets users run programs with the security privileges of another user. Older versions would run as the superuser (SU) by default. Attackers can try to compromise a user who has SUDO access to a system, and if successful, they gain root privileges.

A common scenario is administrators granting some users access to perform supposedly harmless SUDO commands, such as ‘find’. However, the ‘find’ command contains parameters that enable command execution, so if attackers compromise that user’s account, they can execute commands with root privileges.
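An added example (not from the deck) of the review an administrator would run against the scenario above: a small parser for sudoers-style rules that flags non-root users granted ALL, NOPASSWD entries, and the ‘find’ command the slide singles out. The sudoers text is constructed sample input, and the rule grammar handled is the common `user host=(runas) [NOPASSWD:] cmd, cmd` form only.

```python
"""Flag sudoers rules that grant more than the administrator intended."""
import re

# Constructed sample sudoers content (not taken from any real system).
SUDOERS = """
# comments and blank lines are ignored
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/find
deploy  ALL=(ALL) /usr/bin/systemctl restart app, /usr/bin/find /var/log
alice   ALL=(root) /bin/ls
"""

# Commands the slide names as able to execute further commands when run via sudo.
COMMAND_EXEC_CAPABLE = {"find"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_rule(line):
    """Return (user, runas, [commands], nopasswd) or None for non-rule lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds = m.group("cmds")
    nopasswd = "NOPASSWD:" in cmds
    cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
    commands = [c.strip() for c in cmds.split(",") if c.strip()]
    return m.group("user"), m.group("runas") or "root", commands, nopasswd


def audit_sudoers(text):
    """Return findings as (user, reason, command) tuples."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, commands, nopasswd = parsed
        if user == "root":
            continue  # root already has everything; nothing to escalate
        for cmd in commands:
            base = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the binary
            if cmd == "ALL":
                findings.append((user, "full sudo (ALL)", cmd))
            elif base in COMMAND_EXEC_CAPABLE:
                findings.append((user, "command can run arbitrary commands as " + runas, cmd))
            if nopasswd:
                findings.append((user, "NOPASSWD: no re-authentication required", cmd))
    return findings


if __name__ == "__main__":
    for user, reason, cmd in audit_sudoers(SUDOERS):
        print(f"{user}: {reason} [{cmd}]")
```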
 
 
 
 
 
 
Password on Files

Linux Privilege Escalation – Writable password file

The /etc/passwd file is used in Linux operating systems to store user information such as user hashes, groups, home directories, and more.

If improper file permissions are used for this file, this could allow attackers to escalate privileges to root.

Passwd File & Format

The passwd file used to store user hashes, although it no longer does, as these are now stored in the /etc/shadow file. The reason this was changed is that some of the information stored in the passwd file has to be world-readable for the operating system to operate correctly, so hashes were moved to the shadow file, which is normally only accessible by root.

The file uses the following format to store information:
 
 
 
 
 
 
Each line of the passwd file is made of the following elements:
1. Username: Used for authentication.
2. Password: This is where the hash used to be; it has now been replaced with an “x” to indicate it is stored in the /etc/shadow file.
3. User ID (UID): Every user has a unique user ID used to identify them.
4. Group ID (GID): Every group has a unique group ID used to identify it.
5. User ID Info: This is used to add comments or additional information about the user.
6. Home directory: The directory used when the user logs in.
7. Shell: The shell or binary used by the user (sh, bash, ash, csh etc.).
 
What is LXD?

LXD is a next-generation system container and virtual machine manager. It offers a unified user experience around full Linux systems running inside containers or virtual machines.

LXD is image-based and provides images for a wide number of Linux distributions. It provides flexibility and scalability for various use cases, with support for different storage backends and network types and the option to install on hardware ranging from an individual laptop or cloud instance to a full server rack.
 
Linux File Permission

• Read (r)
• Write (w)
• Execute (x)
 
NFS

NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files.

Installation

At a terminal prompt enter the following command to install the NFS Server:

    sudo apt install nfs-kernel-server

To start the NFS server, you can run the following command at a terminal prompt:

    sudo systemctl start nfs-kernel-server.service
 
Books and Web References

E-Book:

Basics of Hacking and Penetration Testing: Made Easy by Patrick Engebretson

Web References

https://assets.ctfassets.net/kvf8rpi09wgk/5Yy2CMOxlE7eLlsTzFZ333/e656ff09a94ff0b63106de8d300903ac/CEH_Notes.pdf

https://sec-consult.com/blog/detail/windows-privilege-escalation-an-approach-for-penetration-testers/
 
Privilege escalation attacks are malicious tactics used by attackers to gain unauthorized access and elevated privileges in a system. These attacks exploit vulnerabilities in operating systems and web applications, allowing attackers to move deeper into a network to access high-value assets. This content delves into vertical and horizontal privilege escalation techniques in Windows and Linux environments, covering topics such as credential exploitation, privilege techniques, and steps attackers take to escalate privileges.

Uploaded on Sep 20, 2024 | 1 Views

