
Friday, June 10, 2016

METASPLOIT - Windows 7 - Bypassing User Account Control





- Layout for this exercise:




- Let's suppose we have a Windows 7 system already exploited:




- From Control Panel -> User Accounts and Family Safety -> User Accounts -> Change User Account Control Settings:




In this case Windows 7 has User Account Control (UAC) set to the Default level:
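The Default slider position matters for everything that follows: it lets trusted binaries auto-elevate, which is the behaviour the UAC bypass module used later in this post relies on, whereas "Always notify" does not. The following PowerShell script is an added example, not code from the original post, that reads the UAC policy values from the registry, reports which slider position they correspond to, checks whether the current user is in the local Administrators group (the precondition for this kind of bypass), and can optionally raise the level to "Always notify". The registry value names and the slider-to-value mapping are the standard Windows 7 ones; the `-Remediate` switch and the function names are this example's own.

```powershell
# Added example (not from the original post): audit the UAC slider position on a
# Windows 7 host and optionally raise it to "Always notify".
# Run from an elevated PowerShell prompt when -Remediate is used.
param(
    [switch]$Remediate   # also write the "Always notify" values (needs admin)
)

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# A missing value means Windows uses its built-in default, not zero.
function Get-ValueOrDefault {
    param($Value, [int]$Default)
    if ($null -eq $Value) { return $Default } else { return [int]$Value }
}

function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    if ($EnableLUA -ne 1) { return 'UAC disabled (EnableLUA=0)' }
    if ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) {
        return 'Always notify'
    }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 1) {
        return 'Default (notify only when programs try to make changes; auto-elevation allowed)'
    }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 0) {
        return 'Notify without dimming the desktop'
    }
    if ($ConsentPromptBehaviorAdmin -eq 0) {
        return 'Never notify (elevate silently)'
    }
    return "Non-standard combination: ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin PromptOnSecureDesktop=$PromptOnSecureDesktop"
}

$p = Get-ItemProperty -Path $UacKey
$level = Get-UacLevel `
    -EnableLUA (Get-ValueOrDefault $p.EnableLUA 1) `
    -ConsentPromptBehaviorAdmin (Get-ValueOrDefault $p.ConsentPromptBehaviorAdmin 5) `
    -PromptOnSecureDesktop (Get-ValueOrDefault $p.PromptOnSecureDesktop 1)
Write-Output "UAC level: $level"

# Auto-elevation bypasses only apply to a user in the local Administrators group.
# A non-elevated (filtered) token still lists the group SID S-1-5-32-544, so check
# the raw group list rather than asking whether the token is currently elevated.
$inAdmins = [bool]((whoami /groups) -match 'S-1-5-32-544')
Write-Output "Current user is in local Administrators: $inAdmins"

if ($inAdmins -and $level -ne 'Always notify') {
    Write-Warning 'Admin-group user on a host where UAC allows auto-elevation.'
}

if ($Remediate) {
    # Values for the "Always notify" slider position.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    Write-Output 'UAC set to Always notify; a reboot is needed if EnableLUA was changed.'
}
```

Usage: `.\Check-Uac.ps1` reports the level and the warning condition; `.\Check-Uac.ps1 -Remediate` additionally writes the "Always notify" values. The other half of the mitigation is organisational rather than technical: daily-use accounts that are not in the local Administrators group have nothing for an auto-elevation bypass to elevate.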








- Let's exploit the system with badblue_passthru:




- However, it is not possible to get total control over the system because of UAC:




- Post-exploitation cannot be performed:




- To bypass UAC reliably, it is advisable to work from a process that is as stable as possible. For instance, the current process is badblue.exe:










- It would be a good idea to migrate to a more stable process like explorer.exe:
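Migrating into explorer.exe is convenient for the attacker, but it is also a visible event: the injection creates a thread inside another process, which Sysmon records as Event ID 8 (CreateRemoteThread) with the source and target images. The script below is an added example, not part of the original post, showing the detection logic a defender would run over such records. The input lines are constructed, simplified Sysmon-style records written as Key=Value pairs so the script runs offline; the allow-list of legitimate sources and the function names are this example's assumptions, and a real deployment would read the Microsoft-Windows-Sysmon/Operational log with Get-WinEvent instead. It is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post): flag cross-process thread creation
# into explorer.exe, the pattern that a "migrate" step leaves in Sysmon Event ID 8.
# Sample records are constructed and simplified; field names follow Sysmon's.
$SampleEvents = @(
    'EventID=8|UtcTime=2016-06-10 10:01:02.000|SourceImage=C:\BadBlue\badblue.exe|SourceProcessId=1234|TargetImage=C:\Windows\explorer.exe|TargetProcessId=1560|StartModule=',
    'EventID=8|UtcTime=2016-06-10 10:03:15.000|SourceImage=C:\Windows\System32\csrss.exe|SourceProcessId=388|TargetImage=C:\Windows\explorer.exe|TargetProcessId=1560|StartModule=C:\Windows\System32\ntdll.dll',
    'EventID=1|UtcTime=2016-06-10 10:04:00.000|Image=C:\Windows\System32\notepad.exe|ProcessId=2000'
)

# Sources that legitimately create threads in other processes on this host
# (constructed allow-list; tune it from a baseline of the real environment).
$AllowedSources = @('C:\Windows\System32\csrss.exe')

# Parse one Key=Value|Key=Value record into a hashtable.
function ConvertFrom-SampleEvent {
    param([string]$Line)
    $record = @{}
    foreach ($pair in $Line -split '\|') {
        $name, $value = $pair -split '=', 2
        $record[$name] = $value
    }
    return $record
}

# Return one object per Event ID 8 record that is either from an unexpected
# source image or whose thread start address is not backed by a loaded module
# (the latter is typical of injected code rather than a normal DLL entry point).
function Find-SuspiciousInjection {
    param([string[]]$Lines, [string[]]$Allowed)
    $hits = @()
    foreach ($line in $Lines) {
        $e = ConvertFrom-SampleEvent $line
        if ($e['EventID'] -ne '8') { continue }

        $unbacked    = [string]::IsNullOrEmpty($e['StartModule'])
        $fromAllowed = $Allowed -contains $e['SourceImage']
        if ($fromAllowed -and -not $unbacked) { continue }

        if ($unbacked) { $reason = 'thread start not backed by a module' }
        else           { $reason = 'unexpected source image' }

        $hits += New-Object PSObject -Property @{
            Time   = $e['UtcTime']
            Source = $e['SourceImage']
            Target = $e['TargetImage']
            Reason = $reason
        }
    }
    return $hits
}

Find-SuspiciousInjection -Lines $SampleEvents -Allowed $AllowedSources |
    Format-Table Time, Source, Target, Reason -AutoSize
```

On the constructed input only the first record is reported: badblue.exe is not an allowed source and the thread has no backing module. The csrss.exe record is suppressed because it matches the allow-list and points at ntdll.dll, and the Event ID 1 record is ignored because the rule only looks at remote thread creation.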







- To start bypassing UAC, in order to get total control over the victim, the current meterpreter session is sent to the background:





- At the moment, there is only 1 meterpreter session active:




- There is a good exploit to bypass the User Account Control:





- For this exploit, the active meterpreter session is a required option:




- So, the session option is set to 1:




- Also, the reverse_tcp payload is used, with the local host set to the attacker's IP:




- The exploit is launched, and a second meterpreter session is obtained as a result:




- Now, from this second meterpreter session privilege escalation succeeds without problems, giving control over the system with system-authority credentials:





- A good example of post-exploitation is the command hashdump, which dumps the password hashes:




- Also, smart_hashdump dumps the hashes to a text file for further processing, for instance with John the Ripper: