2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/02 Report--
This article explains what the Windows RID hijacking technique is. The content is concise, and I hope that by the end of it you will have learned something useful.
Hello, everyone. What I want to share with you today is a post-exploitation module from the Metasploit framework (MSF). What makes this module interesting is that, to a large degree, it leaves no trace in the places people normally look. Its developers call the technique Windows RID hijacking.
1. Introduction to the module
First, a brief look at the core of the technique: the RID. Windows uses the Security Accounts Manager (SAM) to store security descriptors for local users and built-in accounts. As described in Microsoft's documentation on how security principals work (link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779144(v=ws.10)), each account has a relative identifier (RID) that identifies it within the SAM. Unlike domain controllers, Windows workstations and member servers keep most of this data under the registry key HKLM\SAM\SAM\Domains\Account\Users, which can only be read or modified with SYSTEM privileges.
Maintaining access in some environments can be tricky, especially when creating a user, adding a user to the Administrators group, dumping credentials or hashes, deploying a persistent shell, or anything else likely to trigger an alert on the victim is off the table. In that situation persistence has to come from resources the system already has, and nothing is more convenient than an account that already exists.
The rid_hijack module in MSF implements exactly that. It is a post-exploitation module for keeping privileges: rather than creating a new account, it modifies some properties of an existing one on the target. Specifically, it sets that account's relative identifier (RID) to the RID of another existing account on the machine. Taking advantage of a weakness in how Windows checks the integrity of its local user data, this lets the attacker authenticate with the credentials of a known account, such as Guest, and obtain the privileges of the account whose RID was borrowed, such as Administrator (RID 500), even when the Administrator account is disabled.
The module is named post/windows/manage/rid_hijack in MSF. If your copy of the framework does not have it, download it from rapid7's GitHub repository, place it in the corresponding directory, start msfconsole and type "reload_all"; it can then be used like any other module. The pull request that introduced it: https://github.com/rapid7/metasploit-framework/pull/9595
The module associates the attacker-controlled account with whichever existing account of the victim you choose. Everything looks normal after it runs: hashdump, wmic and other tools that read the user information before lsass.exe gets involved show no change, whereas anyone who logs on with the modified account is granted privileges according to the registry value the module edited. The module does not change the account's RID in every registry key where it appears, only in the one whose inconsistency is exploited. In other words, it does not rewrite the RID throughout the system's data from one value to another (in the example here, from 501 to 500), which is why the attack is so stealthy. The flip side is that the change is easy to verify once you know where to look: the RID stored inside the account's key no longer matches the RID that names the key.
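To make the mechanism concrete, here is a small added example (my own code, not part of the article or of the Metasploit module) that works on the binary "F" value stored under each user's key in HKLM\SAM\SAM\Domains\Account\Users. It applies the single change the article describes (overwriting the RID field of one account with another account's RID) and then detects it by comparing the RID inside the F value with the RID that names the key. The assumptions, marked in the code as well: the RID is a 32-bit little-endian integer at offset 0x30 of the F value, the account-control flags are a 16-bit little-endian integer at offset 0x38 with bit 0x0001 meaning "account disabled", and each user key is named with its RID as eight uppercase hex digits (000001F5 for Guest, RID 501). The F values are constructed here, not dumped from a real machine.

```python
"""SAM F-value RID check: reproduce the one edit RID hijacking makes and detect it.

Added example, not the article's or Metasploit's code. Offsets and flag bits
below are assumptions about the SAM F value layout (see the lead-in).
"""
import struct
from typing import Dict, List, Tuple

RID_OFFSET = 0x30       # assumed: RID field, 32-bit little-endian
FLAGS_OFFSET = 0x38     # assumed: account-control flags, 16-bit little-endian
ACB_DISABLED = 0x0001   # assumed: "account disabled" bit in the flags word
F_VALUE_SIZE = 0x50     # typical length of an F value on a workstation


def make_f_value(rid: int, disabled: bool = False) -> bytes:
    """Build a constructed F value: everything zeroed except RID and flags."""
    f = bytearray(F_VALUE_SIZE)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, FLAGS_OFFSET, ACB_DISABLED if disabled else 0)
    return bytes(f)


def stored_rid(f: bytes) -> int:
    """RID as recorded inside the F value (what Windows trusts at logon)."""
    return struct.unpack_from("<I", f, RID_OFFSET)[0]


def is_disabled(f: bytes) -> bool:
    """True when the account-control flags mark the account disabled."""
    return bool(struct.unpack_from("<H", f, FLAGS_OFFSET)[0] & ACB_DISABLED)


def hijack_rid(f: bytes, new_rid: int) -> bytes:
    """The one edit the article describes: overwrite only the RID field.

    The key name and every other copy of the RID are left alone, which is
    why tools that go by the key name keep reporting the original RID.
    """
    patched = bytearray(f)
    struct.pack_into("<I", patched, RID_OFFSET, new_rid)
    return bytes(patched)


def key_name_rid(key_name: str) -> int:
    """Users\\000001F5 -> 501: the key name is the RID in hex."""
    return int(key_name, 16)


def find_hijacked(users: Dict[str, bytes]) -> List[Tuple[str, int, int]]:
    """Return (key_name, rid_from_key_name, rid_inside_F) for every mismatch.

    On an untouched system the two RIDs agree for every key; any disagreement
    is exactly the inconsistency RID hijacking relies on.
    """
    hits = []
    for key_name, f in users.items():
        expected = key_name_rid(key_name)
        actual = stored_rid(f)
        if expected != actual:
            hits.append((key_name, expected, actual))
    return hits


def demo() -> List[Tuple[str, int, int]]:
    """Constructed SAM snapshot: Administrator (500, disabled), Guest (501), a user (1001)."""
    users = {
        "000001F4": make_f_value(500, disabled=True),
        "000001F5": make_f_value(501),
        "000003E9": make_f_value(1001),
    }
    assert find_hijacked(users) == []            # clean system: nothing to report
    # What the module does: point Guest's F value at the Administrator RID.
    users["000001F5"] = hijack_rid(users["000001F5"], 500)
    return find_hijacked(users)                  # [("000001F5", 501, 500)]


if __name__ == "__main__":
    for key_name, expected, actual in demo():
        print(f"Users\\{key_name}: key says RID {expected}, F value says RID {actual}")
```

On a live machine the Users keys are only readable as SYSTEM, as the article notes, so the F values have to be collected from a SYSTEM-level shell or from a saved copy of the SAM hive and then fed to find_hijacked. A disabled Administrator account (the ACB_DISABLED bit on key 000001F4) does not protect against this: it is the Guest key's F value that now carries RID 500, and the Guest account is the one being logged on with.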
2. Affected versions
Windows XP, 2003 (32-bit)
Windows 8.1 Professional (64-bit)
Windows 10 (64-bit)
Windows Server 2012 (64-bit)
The module has not been tested on other versions of Windows (x86 and x64), but it may work on them as well.
3. Reproduction
The module works from a Meterpreter session on the Windows victim: it checks its privileges (and tries to elevate if needed) and then modifies the registry key belonging to the specified account. The target here is a 64-bit Windows 7 machine at 192.168.192.128, and the test account 5ecurity is an ordinary, unprivileged user.
Since everything builds on a Meterpreter session on the target system, the first step is to obtain one.
Load the mimikatz extension bundled with MSF, which retrieves plaintext passwords from the target's memory. (Newer versions of the framework replace it with the kiwi extension, which offers the same functionality.)
The wdigest command recovers the password of the ordinary account 5ecurity, which turns out to be 5ecurity. Then load the module this article is about.
Enter show options to see the parameters the module needs. In brief:
GETSYSTEM: if true, the module first attempts to obtain SYSTEM privileges on the target, which are required to modify the SAM keys.
GUEST_ACCOUNT: if true, the built-in Guest account is used as the attacker's account.
RID: the RID to assign to the attacker's account. It should belong to the existing account you intend to hijack. The default is 500, the built-in Administrator.
USERNAME: an existing local account to use as the attacker's account. Ignored when GUEST_ACCOUNT is true.
PASSWORD: if set, the attacker account's password is changed to this value.
SESSION: the id of the Meterpreter session to work through.
Configure the required parameters one by one and point the module at the session id of your Meterpreter session.
Run the module; it should complete without errors.
Now log in with the 5ecurity account whose password we recovered and note the unexpected result.
Run a few more commands to confirm the privileges you actually hold.
The 5ecurity account, nominally an ordinary user, can now write into the system32 directory. The RID hijack is complete.