Changes

From Security Weekly Wiki
Jump to navigationJump to search
No change in size ,  00:47, 22 January 2010
The command completed successfully.
C:\Documents and Settings\labuser\Desktop>exit<\/pre>
So we have checked that the account we are running under is part of the local Administrators group, this is important because the Priv module needs these privileges to run:
labuser:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:067c11d22e8bc3e9b51d0f4eb2a5952a:::
meterpreter ><\/pre>
Now if we run as Administrator the hashdump script it fails
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_create_key: Operation failed: 5
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
meterpreter ><\/pre>
There are several ways around this in Windows 2003 and Windows XP systems:
meterpreter ><\/pre>
As it can be seen, we enumerated the processes and we migrated in to the pid 1040, once migrated we check under what privileges we are running under and execute the script. On Windows Vista/7 and 2008 this is more limited, to run both types of hashdump you must be running as System and UAC in Vista and 7 block the installation of services, drivers and scheduling of tasks, to make it more difficult the enhancement on the new version also blocks the migration to a process running as System. On Windows 2008 if running with Administrator privileges we can schedule tasks, install drivers and sevices but migration is also blocked. A way to bypass the UAC prompt is to have the target user install it for us with a trojaned Installer forcing the user to run it with updated privileges!
1,872

edits

Navigation menu