Windows 4 pentesters - internals 101

Windows 4 pentesters
Internals 101

# whoami
Krzysztof ‘0kami’ Marciniak
Twitter: @__0kami
medium.com/_0kami
Security Consultant @ F-Secure
Poznan Security Meetup co-founder
Binexp, CTFs, OS (mostly Windows)
internals

Windows infrastructure intro a.k.a. why?
● IT-managed desktops/notebooks with Windows
(usually 7/10)
● Servers with Windows Server (i.e. file servers)
● Organized into a “domain”
● Domain controller (Windows server)
● Users, policies etc. stored in Active Directory

Authentication - Local Security Authority (LSA)
The LSA handles user logon and authentication on the local computer, and if the authentication package processing the
logon request supports pass-through authentication, the LSA can also log users on to other computers on the network. The
LSA provides access to authentication packages for Security Support Providers (SSPs). One of the two following types of
authentication is performed:
● Interactive Authentication
● Noninteractive Authentication
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-user-logon-authentication

Authentication - LSASS memory
The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active
Windows sessions. This allows users to seamlessly access network resources, such as file shares, Exchange Server
mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.
LSASS can store credentials in multiple forms, including:
● Reversibly encrypted plaintext
● Kerberos tickets (TGTs, service tickets)
● NT hash
● LM hash
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)

Authentication - NTLM
● Besides the regular user+pass pair, NTLM hash can be used
for auth.
● NTLM auth (Net-NTLMv2) is a challenge-response auth.
process
● By default, Windows tries to auth with the hash even to
unknown shares

Authentication - recap
● Local authentication is handled by LSA
● LSA Subsystem Service (LSASS) caches those credentials*
● Credentials can either be user+pass, hashes, Kerberos
tickets

Processes, threads, ﬁbers… oh my!
● When you run an application, a process is created
● A process (or multiple processes) can be grouped into a
job
● A process consists of 0+ threads*
● In Windows threads are the basic unit of scheduling
● Fibers (similar to threads in *NIX), however, are
scheduled manually by the user

Process/thread in-mem shenanigans
● All processes are injected with several interesting dlls
○ ntdll.dll
○ kernel32.dll
○ kernelbase.dll
● We can use this for our advantage
○ No touching disk/invoking LoadLibrary()
○ Utilizing existing pieces of code
○ ...

Process/thread in-mem shenanigans
mov ebx, fs:0x30 ; Get pointer to PEB
mov ebx, [ebx + 0x0C] ; Get pointer to PEB_LDR_DATA
mov ebx, [ebx + 0x14] ; Get pointer to first entry in
InMemoryOrderModuleList
mov ebx, [ebx] ; Get pointer to second (ntdll.dll)
entry in InMemoryOrderModuleList
mov ebx, [ebx] ; Get pointer to third (kernel32.dll)
entry in InMemoryOrderModuleList
mov ebx, [ebx + 0x10] ; Get kernel32.dll base address
https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html#find_dll

Privileges
Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to
user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user
belongs.
The functions that get and adjust the privileges in an access token use the locally unique identifier (LUID) type to identify
privileges.

Windows 4 pentesters - internals 101

Handles
● In Windows, resources are usually ref. with a handle
● A handle is a pointer to some actual resource
● The type is usually HANDLE
● Example: acquire process handle
HANDLE OpenProcess(
DWORD dwDesiredAccess,
BOOL bInheritHandle,
DWORD dwProcessId
);

Memory management
● Memory is virtual, paged
● To manage memory, one needs to:
○ Acquire process handle
○ Allocate a page, i.e. with LPVOID VirtualAlloc( LPVOID lpAddress,
SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
○ Adjust protection (VirtualProtect) [optional]
○ Read/Write/… memory (ReadMemory, WriteMemory, …)
○ Free with VirtualFree()
○ Close handle with CloseHandle()

Memory management
Hint 1: One does not need to allocate memory in self (only
have a handle to where the memory will be allocated)
Hint 2: The same goes for pages with PAGE_EXECUTE*

Memory management: consequences
● Read memory of privileged process requires local admin
● Cached passwords from LSASS can thus easily dumped
● One can spawn a thread from another process’s memory
region (without touching the disk)

Dumping LSASS: plan
● Acquire debug privileges
● Attach to the lsass process
● ReadMemory()
● Save to file
● ...
● Profit!

Code injection
● We can access any* process’s memory
● CreateRemoteThread
● DLL/PE injection
● Hollowing
● Hooking (i.e. SetWindowsHookEx)
● AtomBombing
● ...
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Process creation
1. Open EXE, create selection object
2. Create executive process object
a. Set up EPROCESS
b. Set up initial proc. address space
c. Create kernel process block
d. Conclude setup of process address space
e. Set up PEB
f. Complete the setup
3. Create initial thread (stack, context, executive thread object)
4. Notify the Win32 subsystem of the new process
5. Start initial thread execution (unless CREATE_SUSPENDED)
6. Complete initialization (i.e. load DLLs), begin execution

DKOM rootkit - process hiding: plan
● Windows stores info about processes in EPROCESS (kernel)
● EPROCESS has two pointers: Flink, Blink (double-linked list)
● Drivers can modify kernel objects (DKOM)
● Change pointers to make the process “disappear”

DKOM rootkit - process hiding: plan
● Create a driver
○ Find the EPROCESS struct for the given process
○ Point front to back, back to front
● Create a loader
● Load the driver
● ...
● Profit!
(or, rather, watch the proc disappear and wait for BSOD :D)

PEB shenanigans: argument spooﬁng - idea
● PEB stores arguments for the process (runtime)
● PEB is stored in an RW region
● Windows logs process information at creation time
● Taskmgr, for example, gets proc info based on this
● Binary utilizes PEB args

PEB shenanigans: argument spooﬁng - plan
● Create process as suspended
● NtQueryInformationProcess(..., ProcessBasicInformation, ...) ->
PEB address
● Update pPEB->ProcessParameters
● Resume process
Hint: the easy way is long args -> short args
(verified with a ton of pain and misery, tears not included)

Bonus: parent spooﬁng - idea
● CreateProcess can spawn processes, buuuut…
To set extended attributes, use a STARTUPINFOEX structure and specify EXTENDED_STARTUPINFO_PRESENT in the
dwCreationFlags parameter.
[...]
InitializeProcThreadAttributeList ->
UpdateProcThreadAttribute(lpList, dwFlags,
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, ...)

Bonus: parent spooﬁng - code/demo
[insert obligatory sacrifice for RNG gods]

Bonus: getsystem via parent spooﬁng - code/demo
[insert obligatory sacrifice for RNG gods]

Bonus: parent spooﬁng -> SYSTEM
Fact: child process inherits parent’s token
Consequence: if we spawn a child under a privileged process
(SYSTEM), we get a privileged child

Thank you! / Dziękuję za uwagę!
ありがとうございます

Windows 4 pentesters - internals 101

More Related Content

What's hot (20)

Similar to Windows 4 pentesters - internals 101 (20)

Recently uploaded (20)

Windows 4 pentesters - internals 101