Difference between revisions of "Spring Training 2017 - Windows Breakout and Privilege Escalation"
From BruCON 2017
(→Requirements) |
(→Hardware/software Requirements) |
||
Line 34: | Line 34: | ||
= Hardware/software Requirements = | = Hardware/software Requirements = | ||
− | Attendees will need to bring a laptop with 1GB RAM (2GB recommended) which can be dedicated to a Virtual Machine, both WMWare Player and VirtualBox can be downloaded for free. | + | Attendees will need to bring a laptop with 1GB RAM (2GB recommended) which can be dedicated to a Virtual Machine, both WMWare Player and VirtualBox can be downloaded for free. |
− | It is recommended that attendees download a free "Windows 10" evaluation version and bring it with them to the workshop. A pre-made 90-day trial image (VMWare/VirtualBox/Hyper-V) can be obtained from the following URL: | + | It is recommended that attendees download a free "Windows 10" evaluation version and bring it with them to the workshop. A pre-made 90-day trial image (VMWare/VirtualBox/Hyper-V) can be obtained from the following URL: |
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ | https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ |
Revision as of 16:25, 25 January 2017
Contents
Windows Breakout and Privilege Escalation
This course, which was previously delivered at large conference such as DEFCON 24, will provide attendees with the required knowledge to perform post-exploitation actions on locked down Windows machines. Tools, tips and techniques will be shared to break out of restrictive execution environments and escalate privileges from a low level user to SYSTEM on modern Windows operating systems. Contrary to common perception, Windows machines can be really well locked down if they are configured with care. As such, attackers will need to dig deep in order to break out of restrictive environments and escalate privileges.
Course Description
This training aims to provide hands-on knowledge which can be directly applied against locked down environments in the field. The breakout portion covered fundamental techniques to circumvent applications deployed through Terminal Services and Citrix or environments locked down through the use of Software Restriction Policies (SRPs), Applocker and Group Policy. The privilege escalation portion will show how to take advantage of security fails, configuration issues and weak permissions. The focus of this portion is on manual identification, analysis and exploitation. Automated tools can assist in this process; however a solid understanding of the various types of vulnerabilities is essential when attacking real-world systems. The requisite techniques for this course will be demonstrated on a modern 64-bit Windows 10 Enterprise platform.
Course contents
The course is broken down into three portions, all of which will have real-world examples that attendees can get their hands dirty with in order to solidify the theory.
The breakout portion of the workshop will cover fundamental techniques required to get a shell on applications which are deployed through Terminal Services and Citrix, or in environments which have been locked down through AppLocker and Group Policy. Topics covered will include:
- Abusing intended application functionality
- Bypassing folder path / type restrictions
- File protocol handlers
- Evading black / white lists.
The Windows privilege escalation portion of the training aims to provide attendees with a solid understanding of the various steps required to escalate privileges from low level users to Administrator or SYSTEM level privileges. Automated tools, such as Meterpreter's "getsystem", have their place in this process; however, reliance on automation breeds weakness. Topics covered will include:
- Enumeration of the target machine
- Identification of common and uncommon configuration weaknesses
- Permission analysis
- Analysis of Windows privilege escalation vulnerabilities
The UAC bypass section of the training will cover the techniques used to get around User Access Control and obtain full administrative privileges from medium integrity level privileges. UAC restricts administrators’ rights when elevated privileges are not required and is present on most modern Windows machines by default. Topics covered will include:
- Anatomy of the UAC “security mechanism”
- Analysis of UAC bypass techniques
- Taking advantage of Auto-Elevate
- Taking advantage of Elevated File Operations
- Finding your own UAC 0-days
Requirements
This beginner to intermediate courses requires basic familiarity with the Windows OS; the course is intended for those with an interest in this area. It is not restricted to any job role or experience.
Hardware/software Requirements
Attendees will need to bring a laptop with 1GB RAM (2GB recommended) which can be dedicated to a Virtual Machine, both WMWare Player and VirtualBox can be downloaded for free.
It is recommended that attendees download a free "Windows 10" evaluation version and bring it with them to the workshop. A pre-made 90-day trial image (VMWare/VirtualBox/Hyper-V) can be obtained from the following URL:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
Trainers Biography
Jason Cook is a CREST certified simulated attack specialist who has lead many high profile red team and scenario based attack scenarios for Context's global clients. As part of his role he keeps the internal simulated attack and privilege escalation toolkit within Context at the forefront, continuously updating the exploits, methodologies and attack methods to incorporate the newest research and code.
Francesco Mifsud developed the training course; by combining his knowledge of Windows privilege escalation techniques with the attack scenarios he encountered as part of his work at Context he has made a uniquely realistic and relevant training course that has already met with widespread success and acclaim. After trialing the course at the London BSides, his training was accepted by DEFCON Las Vegas in the Spring of '16. At Context he works as a general Consultant and Internal Windows Attack specialist.
Links :
Wed. 19 - 21 April 2017 (09:00 - 17:00) (3-day)