Difference between revisions of "Spring Training 2017 - Windows Breakout and Privilege Escalation"
From BruCON 2017


Latest revision as of 16:20, 20 February 2017

Windows Breakout and Privilege Escalation

This course, which was previously delivered at large conferences such as DEFCON 24, will provide attendees with the knowledge required to perform post-exploitation actions on locked-down Windows machines. Tools, tips and techniques will be shared to break out of restrictive execution environments and escalate privileges from a low-level user to SYSTEM on modern Windows operating systems. Contrary to common perception, Windows machines can be very well locked down if they are configured with care. As such, attackers need to dig deep in order to break out of restrictive environments and escalate privileges.

Course Description

This training aims to provide hands-on knowledge which can be directly applied against locked-down environments in the field. The breakout portion covers fundamental techniques to circumvent applications deployed through Terminal Services and Citrix, or environments locked down through the use of Software Restriction Policies (SRPs), AppLocker and Group Policy. The privilege escalation portion shows how to take advantage of security failures, configuration issues and weak permissions. The focus of this portion is on manual identification, analysis and exploitation. Automated tools can assist in this process; however, a solid understanding of the various types of vulnerabilities is essential when attacking real-world systems. The techniques taught in this course will be demonstrated on a modern 64-bit Windows 10 Enterprise platform.

Course contents

The course is broken down into three portions, all of which will have real-world examples that attendees can get their hands dirty with in order to solidify the theory.

The breakout portion of the workshop will cover fundamental techniques required to get a shell on applications which are deployed through Terminal Services and Citrix, or in environments which have been locked down through AppLocker and Group Policy. Topics covered will include:

  • Abusing intended application functionality
  • Bypassing folder path / type restrictions
  • File protocol handlers
  • Evading blacklists / whitelists

The Windows privilege escalation portion of the training aims to provide attendees with a solid understanding of the various steps required to escalate privileges from low level users to Administrator or SYSTEM level privileges. Automated tools, such as Meterpreter's "getsystem", have their place in this process; however, reliance on automation breeds weakness. Topics covered will include:

  • Enumeration of the target machine
  • Identification of common and uncommon configuration weaknesses
  • Permission analysis
  • Analysis of Windows privilege escalation vulnerabilities

The UAC bypass section of the training will cover the techniques used to get around User Account Control (UAC) and obtain full administrative privileges from a medium integrity level. UAC restricts administrators’ rights when elevated privileges are not required and is present on most modern Windows machines by default. Topics covered will include:

  • Anatomy of the UAC “security mechanism”
  • Analysis of UAC bypass techniques
  • Taking advantage of Auto-Elevate
  • Taking advantage of Elevated File Operations
  • Finding your own UAC 0-days

Requirements

This beginner-to-intermediate course requires basic familiarity with the Windows OS; the course is intended for those with an interest in this area. It is not restricted to any job role or level of experience.

Hardware/software Requirements

Attendees will need to bring a laptop with 1 GB of RAM (2 GB recommended) that can be dedicated to a virtual machine; both VMware Player and VirtualBox can be downloaded for free.

It is recommended that attendees download a free "Windows 10" evaluation version and bring it with them to the workshop. A pre-made 90-day trial image (VMware/VirtualBox/Hyper-V) can be obtained from the following URL:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Testimonials

“A great workshop! I found it very useful and helpful and learnt some new enumeration methods that I had not thought of.”


“The workshop covered some common issues within Windows services and applications that would allow one to escalate their privileges on Windows machines. The class went really fast, however thankfully they added notes into the material that they released in case anyone fell behind so it was pretty easy to catch up… this had to be one of the better talks that I attended and I hope Francesco decides to continue it in the future as I think it helped quite a lot of people out.”

Trainers Biography


Jason Cook, Senior Security Consultant at Context, is a CREST certified simulated attack specialist who has led many high-profile red team and scenario-based attack projects for Context's global clients. Jason is one of Context’s most senior consultants and has been with the company since 2010; he has extensive experience in performing Unix, Linux and Windows operating system configuration reviews, infrastructure security assessments, and network device and firewall configuration reviews. Jason has also been involved in security research, including bespoke protocol analysis of software used throughout the industry.





Francesco Mifsud, Security Consultant at Context, developed this training course. By combining his knowledge of Windows privilege escalation techniques with the attack scenarios he encountered as part of his work at Context, he has made a uniquely realistic and relevant training course that has already met with widespread success and acclaim. After trialling the course at BSides London, his training was accepted by DEFCON 24 in Las Vegas in the spring of '16. Francesco’s consultancy work includes web application penetration tests, vulnerability assessments, and internal and external infrastructure tests. He regularly leads engagements and has worked within a wide variety of business sectors including banking, telecommunications and retail.


Twitter: @CTXIS (https://twitter.com/ctxis)

Links:

Wed. 19 - 21 April 2017 (09:00 - 17:00) (3-day)
