Privilege Escalation

• Gathering information: logged as user (not admin), use find, look in directories, look for SAM, and enumeration tools. Basic countermeasure: Do not save the LAN Manager. BIOS password!!

• Add to administrator group: getadmin and XP sechole - apply service packs and restrict FTP to server script directories. Also rogue DLLs.

• Cracking passwords: dictionary (create hashes from a most probable password list), and brute force (create hashes from all possible values in the key space, e.g. 267 posssible uppercase <=7 digits in a password). John the Ripper is one of the best tools (link is for graphical interface).

• Obtaining SYSTEM account privileges: at 10:00 /INTERACTIVE cmd.exe (replace 10:00 with 2 minutes after you type this) -- disabled in Win 7

• Trojans: Basic rule: do not use a Server as a workstation (no e-mail, no outside browsing), backup! See Symantec Threats and Vulnerabilities and Removal Tools. Or this other just of Trojans by ports.

• Registry: very few items accessible by everyone. Probably the lowest threat, and you can use the Policy Editor to hide/deny access,

• Kerberos : only 2K, XP, 7 machines have it, downgrades to NTLM and LAN Manager authentication if Win 9x/NT are involved.

• EFS attack: deleting the SAM blanks the Administrator password. This allows to login as Administrator (the recovery agent) and decrypt the content of the files. Set BIOS password and C: drive boot only.

Previous slide

Next slide

Back to first slide

View graphic version