Book: Black Hat Python: Python Programming for Hackers and Pentesters

for instructions on installing easy_install.

Execute the following in a cmd.exe shell on your Windows VM:


Next, you’ll want to install the example service that my tech reviewers Dan Frisch and Cliff Janzen wrote for me. This service emulates a common set of vulnerabilities that we’ve uncovered in large enterprise networks and helps to illustrate the example code in this chapter.

  1. Download the zip file from: .

  2. Install the service using the provided batch script, install_service.bat. Make sure you are running as Administrator when doing so.

You should be good to go, so now let’s get on with the fun part!

). The tool is designed to be used by people on the defense side of security to track process creation and the installation of malware. While consulting one day, my coworker Mark Wuergler suggested that we use El Jefe as a lightweight mechanism to monitor processes executed as SYSTEM on our target Windows machines. This would give us insight into potentially insecure file handling or child process creation. It worked, and we walked away with numerous privilege escalation bugs that gave us the keys to the kingdom.

The major drawback of the original El Jefe is that it used a DLL that was injected into every process to intercept calls to all forms of the native CreateProcess function. It then used a named pipe to communicate to the collection client, which then forwarded the details of the process creation to the logging server. The problem with this is that most antivirus software also hooks the CreateProcess calls, so either they view you as malware or you have system instability issues when El Jefe runs side-by-side with antivirus software. We’ll re-create some of El Jefe’s monitoring capabilities in a hookless manner, which also will be geared toward offensive techniques rather than monitoring. This should make our monitoring portable and give us the ability to run with antivirus software activated without issue.

] that provides the basic process information, and then build on that to determine the enabled privileges. Note that in order to capture information about ] that contains all of the relevant information that we are after. One of the class functions is GetOwner, which we call ➍ to determine who spawned the process and from there we collect all of the process information we are looking for, output it to the screen, and log it to a file.
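A hookless process-creation monitor along the lines described above, written as an added example (it is not the book's own script). It assumes the third-party `wmi` package on a Windows host; the record-building and owner-decoding logic is kept in plain functions so it can be exercised without WMI, and the assumed ordering of the `GetOwner` result is noted in the code.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Accounts whose new processes are worth a second look when reviewing the log.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}

@dataclass
class ProcEvent:
    created: str        # raw WMI CreationDate, e.g. "20240101120000.000000+000"
    executable: str
    command_line: str
    pid: int
    parent_pid: int
    owner: str          # "DOMAIN\\user"

def owner_string(get_owner_result):
    """Decode the tuple Win32_Process.GetOwner() returns into DOMAIN\\user.
    Assumption: the wmi package orders the output parameters as
    (Domain, ReturnValue, User); a non-zero ReturnValue means the owner
    could not be read (the process may already have exited)."""
    domain, rc, user = get_owner_result
    return f"{domain}\\{user}" if rc == 0 else "N/A"

def parse_wmi_date(created):
    """WMI CIM_DATETIME -> datetime (timezone offset ignored)."""
    return datetime.strptime(created[:14], "%Y%m%d%H%M%S")

def runs_as_service_account(ev):
    return ev.owner.upper() in SERVICE_ACCOUNTS

def to_csv_row(ev):
    """Quote properly so a command line containing commas does not break the log."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(
        [ev.created, ev.executable, ev.command_line, ev.pid, ev.parent_pid, ev.owner])
    return buf.getvalue()

def watch(log_path="process_monitor_log.csv"):
    import wmi  # Windows-only third-party package; imported here on purpose
    watcher = wmi.WMI().Win32_Process.watch_for("creation")
    with open(log_path, "a", newline="") as fd:
        while True:
            p = watcher()  # blocks until the next process-creation event
            ev = ProcEvent(p.CreationDate, p.ExecutablePath or "", p.CommandLine or "",
                           p.ProcessId, p.ParentProcessId, owner_string(p.GetOwner()))
            row = to_csv_row(ev)
            print(("[SERVICE] " if runs_as_service_account(ev) else "") + row)
            fd.write(row + "\n")
            fd.flush()

if __name__ == "__main__":
    watch()
```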

] How a token is initialized and which permissions and privileges are set on it determine which tasks the process or thread can perform. A well-intentioned developer might ship a system tray application as part of a security product and want to let a non-privileged user control the main Windows service, which is a driver. The developer uses the native Windows API function . It isn’t exhaustive, but serves as a good starting point.[]

] we’ll create the general framework to do so, and you can run wild from there. Let’s modify our file_monitor.py script and add the following code after the file modification constants:

to connect to the listener you just spawned. To confirm that your privilege escalation worked, connect to the listener and check which user you are running as.

] This code was adapted from the Python WMI page ().

[] Win32_Process class documentation:

[] MSDN – Access Tokens:

[] For the full list of privileges, visit .

[] Carlos Perez does some amazing work with PowerShell; see .
