Week Three
I hypothetically have an account with system-level privileges in a domain. This account, however, cannot access the internet, as I am an intern. I am also aware that my supervisor (who is also a domain user with system-level privileges) has internet access. I know I would need access to his account, but I do not have his password.
This attack vector provides a way around this without any third-party tools; only Windows commands are used.
Attack Vector
“psexec” is a Windows command-line utility for remote administration. It allows us to remotely execute processes on other systems. “PsExec also allows redirects of the input and output of a remotely started executable using SMB and the hidden $ADMIN share on the remote system” (Chris, 2010). “tscon” is a Terminal Services utility on the Windows command line. It is used to connect to another session on a Remote Desktop host.
Running “psexec -s \\localhost cmd” at the attacker’s command prompt will start a command window with administrative privileges. From there the attacker can open a remote desktop session to the victim’s account using “tscon x /dest:console”, where x is the session ID of the victim’s account, obtained from the “query user” command.
This works on all versions of the Windows operating system (Mohit, 2017) and requires physical access to the victim’s machine. The attacker would have to switch user, log in with his own credentials and then launch the attack.
This flaw was reported to Microsoft, but they did not consider it a vulnerability, as the attack requires administrative privileges. Although there are other ways to achieve this, this method is stealthy: running tscon.exe with a session number leaves fewer traces than using any external tool (Mohit, 2017). A hacker could launch further attacks, as he now has access to the victim’s account.
COUNTERMEASURES
A firewall rule can be created to block Remote Desktop Protocol using Windows Firewall with Advanced Security (WFAS);
Block users from connecting to your computer remotely from the System Properties options;
Event logs can be viewed in Event Viewer to get information about logons to your computer;
Avoid configuring more than one administrator on your computer if possible.
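The third countermeasure above, reviewing logons in Event Viewer, can be turned into a concrete check. The following Python is an added example, not code from the original post or from either cited source: it scans process-creation (Security event 4688) and session-reconnect (Security event 4778) records, as a defender might export them from Event Viewer, for the sequence this attack produces. The event records, timestamps and account names are constructed for the example, and the field names (subject, cmdline, account, session) are this example's own simplification of the Security log fields, not the log's exact schema.

```python
import re

# Windows Security log event IDs used by the detection (real IDs).
PROCESS_CREATED = 4688       # "A new process has been created"
SESSION_RECONNECTED = 4778   # "A session was reconnected to a Window Station"

# tscon pointed at the console session is the step that takes over the
# victim's desktop; psexec -s is the step that obtains the SYSTEM shell.
TSCON_TO_CONSOLE = re.compile(r"\btscon(\.exe)?\b.*/dest:console", re.IGNORECASE)
PSEXEC_AS_SYSTEM = re.compile(r"\bpsexec(\.exe)?\b.*\s-s\b", re.IGNORECASE)

# Constructed sample records (not captured logs). "subject" stands in for the
# Subject Account Name of a 4688 event, "cmdline" for its Process Command Line,
# "account" and "session" for the Account Name and Session Name of a 4778
# event; "time" is a constructed timestamp in seconds.
SAMPLE_EVENTS = [
    {"time": 100, "id": 4688, "subject": "CORP\\intern",
     "cmdline": "psexec -s \\\\localhost cmd"},
    {"time": 101, "id": 4688, "subject": "NT AUTHORITY\\SYSTEM",
     "cmdline": "cmd"},
    {"time": 130, "id": 4688, "subject": "NT AUTHORITY\\SYSTEM",
     "cmdline": "query user"},
    {"time": 140, "id": 4688, "subject": "NT AUTHORITY\\SYSTEM",
     "cmdline": "tscon 2 /dest:console"},
    {"time": 141, "id": 4778, "account": "CORP\\supervisor",
     "session": "Console"},
    # A user moving a session somewhere other than the console: not flagged.
    {"time": 900, "id": 4688, "subject": "CORP\\admin",
     "cmdline": "tscon 3 /dest:rdp-tcp#5"},
]


def find_tscon_hijacks(events, reconnect_window=60, precursor_window=3600):
    """Return one finding per process-creation event whose command line runs
    tscon against the console session.  Each finding records who the command
    ran as, which account's session was reconnected to the console shortly
    afterwards (event 4778), and which interactive user launched psexec -s
    beforehand, i.e. the likely operator."""
    ordered = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(ordered):
        if ev["id"] != PROCESS_CREATED:
            continue
        if not TSCON_TO_CONSOLE.search(ev.get("cmdline", "")):
            continue
        run_as = ev["subject"]
        finding = {
            "time": ev["time"],
            "run_as": run_as,
            "cmdline": ev["cmdline"],
            # tscon only bypasses the password prompt when it runs as SYSTEM,
            # so that is the high-confidence case.
            "severity": "high" if run_as.upper().endswith("\\SYSTEM") else "medium",
            "hijacked_account": None,
            "launched_by": None,
        }
        # Look forward for the session reconnect that names the victim.
        for later in ordered[i + 1:]:
            if later["time"] - ev["time"] > reconnect_window:
                break
            if (later["id"] == SESSION_RECONNECTED
                    and later.get("session", "").lower() == "console"):
                finding["hijacked_account"] = later["account"]
                break
        # Look backward for the interactive user who obtained the SYSTEM shell.
        for earlier in reversed(ordered[:i]):
            if ev["time"] - earlier["time"] > precursor_window:
                break
            if (earlier["id"] == PROCESS_CREATED
                    and PSEXEC_AS_SYSTEM.search(earlier.get("cmdline", ""))):
                finding["launched_by"] = earlier["subject"]
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_tscon_hijacks(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints the single finding from the constructed sample: tscon run as SYSTEM, the supervisor's session reconnected to the console one second later, and the intern as the user who launched psexec -s. On real data, feed it the exported events instead of SAMPLE_EVENTS. Two caveats: event 4688 only carries the command line when the "Include command line in process creation events" policy is enabled, and a tscon /dest:console run by an ordinary user rather than SYSTEM is reported at medium severity only, because without SYSTEM the command still prompts for the target session's password.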
References
Mohit Kumar. (March 2017). Hacker reveals easiest way to hijack privileged Windows user session without password. Retrieved from https://thehackernews.com/2017/03/hack-windows-user-account.html
Chris Sanders. (September 2010). PsExec and the nasty things it can do. Retrieved from http://techgenix.com/psexec-nasty-things-it-can-do/
Video credit: Alexander Korznikov. March 16, 2017