Spring Training 2017 - Windows Breakout and Privilege Escalation
From BruCON 2017
Windows Breakout and Privilege Escalation
This course, which was previously delivered at large conference such as DEFCON 24, will provide attendees with the required knowledge to perform post-exploitation actions on locked down Windows machines. Tools, tips and techniques will be shared to break out of restrictive execution environments and escalate privileges from a low level user to SYSTEM on modern Windows operating systems. Contrary to common perception, Windows machines can be really well locked down if they are configured with care. As such, attackers will need to dig deep in order to break out of restrictive environments and escalate privileges.
This training aims to provide hands-on knowledge which can be directly applied against locked down environments in the field. The breakout portion covered fundamental techniques to circumvent applications deployed through Terminal Services and Citrix or environments locked down through the use of Software Restriction Policies (SRPs), Applocker and Group Policy. The privilege escalation portion will show how to take advantage of security fails, configuration issues and weak permissions. The focus of this portion is on manual identification, analysis and exploitation. Automated tools can assist in this process; however a solid understanding of the various types of vulnerabilities is essential when attacking real-world systems. The requisite techniques for this course will be demonstrated on a modern 64-bit Windows 10 Enterprise platform.
The course is broken down into three portions, all of which will have real-world examples that attendees can get their hands dirty with in order to solidify the theory.
The breakout portion of the workshop will cover fundamental techniques required to get a shell on applications which are deployed through Terminal Services and Citrix, or in environments which have been locked down through AppLocker and Group Policy. Topics covered will include:
- Abusing intended application functionality
- Bypassing folder path / type restrictions
- File protocol handlers
- Evading black / white lists.
The Windows privilege escalation portion of the training aims to provide attendees with a solid understanding of the various steps required to escalate privileges from low level users to Administrator or SYSTEM level privileges. Automated tools, such as Meterpreter's "getsystem", have their place in this process; however, reliance on automation breeds weakness. Topics covered will include:
- Enumeration of the target machine
- Identification of common and uncommon configuration weaknesses
- Permission analysis
- Analysis of Windows privilege escalation vulnerabilities
The UAC bypass section of the training will cover the techniques used to get around User Access Control and obtain full administrative privileges from medium integrity level privileges. UAC restricts administrators’ rights when elevated privileges are not required and is present on most modern Windows machines by default. Topics covered will include:
- Anatomy of the UAC “security mechanism”
- Analysis of UAC bypass techniques
- Taking advantage of Auto-Elevate
- Taking advantage of Elevated File Operations
- Finding your own UAC 0-days
This beginner to intermediate courses requires basic familiarity with the Windows OS; the course is intended for those with an interest in this area. It is not restricted to any job role or experience.
Attendees will need to bring a laptop with 1GB RAM (2GB recommended) which can be dedicated to a Virtual Machine, both WMWare Player and VirtualBox can be downloaded for free.
It is recommended that attendees download a free "Windows 10" evaluation version and bring it with them to the workshop. A pre-made 90-day trial image (VMWare/VirtualBox/Hyper-V) can be obtained from the following URL:
“A great workshop ! I found it very useful and helpful and learnt some new enumeration methods that I had not thought of.”
“The workshop covered some common issues within Windows services and applications that would allow one to escalate their privileges on Windows machines. The class went really fast, however thankfully they added notes into the material that they released in case anyone fell behind so it was pretty easy to catch up… this had to be one of the better talks that I attended and I hope Francesco decides to continue it in the future as I think it helped quite a lot of people out.”
Jason Cook, Senior Security Consultant at Context is a CREST certified simulated attack specialist who has led many high profile red team and scenario based attack projects for Context's global clients. Jason is one of Context’s most senior consultants and has been with the company since 2010; he has extensive experience in performing Unix, Linux and Windows based operating system configuration reviews, infrastructure security assessments, and network device and firewall configuration reviews. Jason has also been involved in security research, including bespoke protocol analysis of software used throughout the industry.
Francesco Mifsud, Security Consultant at Context developed this training course; by combining his knowledge of Windows privilege escalation techniques with the attack scenarios he encountered as part of his work at Context he has made a uniquely realistic and relevant training course that has already met with widespread success and acclaim. After trialling the course at the London BSides, his training was accepted by DEFCON 24 in Las Vegas in the spring of '16. Francesco’s consultancy work includes web application penetration tests, vulnerability assessments and internal and external infrastructure tests. He regularly leads engagements and has worked within a wide variety of business sectors including banking, telecommunications and retail.
Wed. 19 - 21 April 2017 (09:00 - 17:00) (3-day)