Spring Training 2017 - Windows Breakout and Privilege Escalation

From BruCON 2017
Revision as of 16:25, 25 January 2017

Windows Breakout and Privilege Escalation

This course, previously delivered at large conferences such as DEF CON 24, will provide attendees with the knowledge required to perform post-exploitation actions on locked-down Windows machines. Tools, tips and techniques will be shared to break out of restrictive execution environments and to escalate privileges from a low-level user to SYSTEM on modern Windows operating systems. Contrary to common perception, Windows machines can be locked down very well if they are configured with care, so attackers need to dig deep in order to break out of restrictive environments and escalate privileges.

Course Description

This training aims to provide hands-on knowledge which can be applied directly against locked-down environments in the field. The breakout portion covers fundamental techniques to circumvent applications deployed through Terminal Services and Citrix, or environments locked down through Software Restriction Policies (SRP), AppLocker and Group Policy. The privilege escalation portion shows how to take advantage of security failures, configuration issues and weak permissions; its focus is on manual identification, analysis and exploitation. Automated tools can assist in this process, but a solid understanding of the various classes of vulnerability is essential when attacking real-world systems. The techniques in this course will be demonstrated on a modern 64-bit Windows 10 Enterprise platform.

Course contents

The course is broken down into three portions, all of which will have real-world examples that attendees can get their hands dirty with in order to solidify the theory.

The breakout portion of the workshop will cover fundamental techniques required to get a shell on applications which are deployed through Terminal Services and Citrix, or in environments which have been locked down through AppLocker and Group Policy. Topics covered will include:

  • Abusing intended application functionality
  • Bypassing folder path / type restrictions
  • File protocol handlers
  • Evading black / white lists

The Windows privilege escalation portion of the training aims to provide attendees with a solid understanding of the various steps required to escalate privileges from low-level users to Administrator or SYSTEM level privileges. Automated tools, such as Meterpreter's "getsystem", have their place in this process; however, reliance on automation breeds weakness. Topics covered will include:

  • Enumeration of the target machine
  • Identification of common and uncommon configuration weaknesses
  • Permission analysis
  • Analysis of Windows privilege escalation vulnerabilities
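
As an added illustration of what the "permission analysis" step looks like when done by hand (this is example code written for this page, not the course's own toolkit), the following PowerShell script walks every Win32 service from a low-privileged shell and flags the three classic service misconfigurations: a service binary the current user can overwrite, an unquoted service path with a writable directory that CreateProcess will try before the real binary, and a service object whose DACL lets the current user reconfigure it. It assumes Windows PowerShell 3 or later and the built-in sc.exe; service and path names in the output are whatever the host has.

```powershell
# Added example for this page, not the course's own toolkit. Run from a normal
# (non-elevated) shell; everything below needs only read access.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# .Groups lists only enabled groups, so a UAC-filtered token does not count as Administrators here
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# File rights that let us replace content or rewrite the ACL, plus GENERIC_WRITE / GENERIC_ALL
$fileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$fileWriteMask = $fileWriteMask -bor 0x40000000 -bor 0x10000000

function Test-WritableByMe {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                   # orphaned / unresolvable SID
        if ($mySids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $fileWriteMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # a matching Deny ACE wins
        $allowed = $true
    }
    return $allowed
}

# For "C:\Program Files\Some Vendor\svc.exe -arg", CreateProcess tries
# "C:\Program.exe" then "C:\Program Files\Some.exe" before the real binary.
function Get-UnquotedHijackDirs {
    param([string]$PathName)
    if ($PathName -match '^"' -or $PathName -notmatch '\s') { return @() }
    $exe   = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
    $parts = $exe -split ' '
    $dirs  = @()
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        $candidate = ($parts[0..$i] -join ' ') + '.exe'
        $dir = Split-Path -Path $candidate -Parent
        if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-WritableByMe $dir)) { $dirs += $dir }
    }
    return $dirs
}

# Service object DACL from "sc sdshow": SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC, WRITE_OWNER, GENERIC_ALL
function Test-ServiceConfigWritableByMe {
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return $false }                        # no READ_CONTROL on the service
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    $dangerous = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $dangerous) -eq 0) { continue }
        if ($ace.AceType -eq 'AccessDenied') { return $false }
        $allowed = $true
    }
    return $allowed
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = ($svc.PathName -split ' ')[0]
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] } elseif ($svc.PathName -match '^(.*?\.exe)') { $exe = $Matches[1] }
    $issues = @()
    if ((Test-Path -LiteralPath $exe) -and (Test-WritableByMe $exe)) { $issues += 'binary writable' }
    $hijack = Get-UnquotedHijackDirs $svc.PathName
    if ($hijack) { $issues += "unquoted path, writable dir: $($hijack -join ', ')" }
    if (Test-ServiceConfigWritableByMe $svc.Name) { $issues += 'service config writable' }
    if ($issues) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode
                           Path = $svc.PathName; Issues = ($issues -join '; ') }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

The ACL checks deliberately read the DACL rather than probing with a write open: a running service binary is mapped as an image, so an open-for-write fails with a sharing violation even when the user has Modify rights, which would hide a real finding. A hit only matters if the service runs as LocalSystem or another privileged account and the user can restart it or wait for a reboot, so RunsAs and StartMode are reported alongside each issue.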

The UAC bypass section of the training will cover the techniques used to get around User Account Control (UAC) and obtain full administrative privileges from medium integrity level privileges. UAC restricts administrators' rights when elevated privileges are not required and is present on most modern Windows machines by default. Topics covered will include:

  • Anatomy of the UAC “security mechanism”
  • Analysis of UAC bypass techniques
  • Taking advantage of Auto-Elevate
  • Taking advantage of Elevated File Operations
  • Finding your own UAC 0-days
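
The first thing the "anatomy of UAC" topic establishes is what the attacker actually holds: whether the current token is a filtered administrator token, at which integrity level it runs, and what local policy says about elevation prompts, since that decides whether Microsoft-signed autoElevate binaries elevate silently. The following PowerShell is an added example written for this page, not course material; it answers those questions from a medium-integrity shell and assumes Windows PowerShell, the built-in whoami.exe, and English column names in whoami's CSV output.

```powershell
# Added example for this page, not part of the course material.

function Get-UacPosture {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity

    # whoami shows what .NET's Groups hides: a filtered admin token still carries
    # Administrators as "Group used for deny only", and the integrity label is an S-1-16-* SID.
    # Column names ("Group Name", "SID", "Attributes") assume an English Windows build.
    $groups    = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $admins    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $integrity = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1).'Group Name'

    # Policy values that define the UAC slider (and the GPO-only levels in between)
    $pol   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $level = if ($null -ne $pol.ConsentPromptBehaviorAdmin) { [int]$pol.ConsentPromptBehaviorAdmin } else { -1 }
    $behaviour = switch ($level) {
        0 { 'Elevate without prompting (Never notify): nothing to bypass' }
        1 { 'Prompt for credentials on the secure desktop (policy-only level)' }
        2 { 'Prompt for consent on the secure desktop (Always notify): autoElevate binaries prompt too' }
        3 { 'Prompt for credentials (policy-only level)' }
        4 { 'Prompt for consent (policy-only level)' }
        5 { 'Prompt for consent for non-Windows binaries (default): autoElevate Windows binaries elevate silently' }
        default { 'ConsentPromptBehaviorAdmin not set or unrecognised' }
    }

    [pscustomobject]@{
        User                       = $identity.Name
        IntegrityLevel             = $integrity
        ElevatedToken              = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        MemberOfAdministrators     = [bool]$admins
        FilteredAdminToken         = [bool]($admins -and ($admins.Attributes -match 'deny only'))
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        Meaning                    = $behaviour
    }
}

# The case the UAC-bypass techniques target is: FilteredAdminToken = True,
# IntegrityLevel = Medium, EnableLUA = 1 and ConsentPromptBehaviorAdmin = 5.
# MemberOfAdministrators = False means UAC is irrelevant until a real privilege
# escalation has been found; EnableLUA = 0 means there is no UAC to bypass.
Get-UacPosture | Format-List
```

Once the posture confirms the default prompt level, the next step in the "Auto-Elevate" topic is to find which Microsoft-signed binaries carry autoElevate="true" in their embedded manifest; the Sysinternals sigcheck tool prints a binary's manifest with its -m switch, which is enough to triage System32 by hand.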

Requirements

There are no special requirements to attend the training except interest in the material.

Hardware/software Requirements

Attendees will need to bring a laptop with at least 1GB of RAM (2GB recommended) that can be dedicated to a virtual machine; both VMware Workstation Player and VirtualBox can be downloaded for free.

It is recommended that attendees download a free Windows 10 evaluation version and bring it with them to the workshop. A pre-made 90-day trial image (VMware/VirtualBox/Hyper-V) can be obtained from the following URL:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Trainers Biography

Jason Cook is a CREST certified simulated attack specialist who has led many high-profile red team and scenario-based attack engagements for Context's global clients. As part of his role he keeps Context's internal simulated attack and privilege escalation toolkit at the forefront, continuously updating the exploits, methodologies and attack methods to incorporate the newest research and code.


Francesco Mifsud developed the training course; by combining his knowledge of Windows privilege escalation techniques with the attack scenarios he encountered as part of his work at Context, he has made a uniquely realistic and relevant training course that has already met with widespread success and acclaim. After trialling the course at BSides London, his training was accepted by DEF CON in Las Vegas in the spring of 2016. At Context he works as a general consultant and internal Windows attack specialist.

Twitter: @CTXIS

Links:

Wed. 19 - 21 April 2017 (09:00 - 17:00) (3-day)