Learning about the systems from a philosophical stance.
System designers had a vision and goal in mind when creating their products. The definition of a system is a set of rules, an arrangement of things, or a group of related things that work toward a common goal. An example of a system is the laws and procedures of a democratic government. ... Another example of a system is all the organs that work together for digestion.
In all systems, be they operating systems or biological ones, the interconnected parts work together toward an end goal. Can the purpose of a system be sustaining the life and longevity of the system itself, or is there something more to it?
Systeminfo vs uname -a
In the IT world we have two major systems that dominate the user experience: Windows and Linux. What they share is that an operating system is a program that manages a computer's hardware. It also provides a basis for application programs and acts as an intermediary between the computer user and the computer hardware. An amazing aspect of operating systems is how much they vary in accomplishing these tasks. Mainframe operating systems are designed primarily to optimize utilization of hardware. Personal computer (PC) operating systems support complex games, business applications, and everything in between. Operating systems for mobile computers provide an environment in which a user can easily interface with the computer to execute programs. Thus, some operating systems are designed to be convenient, others to be efficient, and others to be some combination of the two.
Now that we know the function that both operating systems share, let's look at the underlying philosophy of Linux and Windows.
Linux and the Unix Philosophy, by Mike Gancarz, is quite informative:
An operating system, by its nature, embodies the philosophy of its creators... The creators of the Unix operating system started with a radical concept: they assumed that the user of their operating system would be computer literate from the start. The entire Unix philosophy revolves around the idea that the user knows what he or she is doing.
UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things. -- unknown (generally attributed to Doug Gwyn, but no information found about him)
Going through the reflections of those who have used Unix systems to their full capabilities, we see an emphasis on the freedom to make mistakes. Windows, on the other hand, approaches the user experience from a different standpoint:
For example, the philosophy of Windows is very similar to that of Digital Equipment Corporation's (DEC) VMS operating system. It amounts to "shield the users from everything that might get them into trouble." Of course, the reason for this similarity is that the prime developer of Windows NT is the same person who developed VMS. The philosophy of both operating systems is based on the underlying belief that users are afraid of computers and need to be shielded from their complexity.
Taking power and responsibility away from users versus giving them more power: what does it take to break the system?
https://www.youtube.com/watch?v=-ccSckKZA6E – no hassle
https://www.youtube.com/watch?v=BBWT2CqEsO0 – lots of hassle.
With that in mind, let's dive into understanding the operating system architecture, starting from the kernel:
The kernel is the core of the operating system. It performs functionalities such as communicating with hardware devices, process management, file handling, and many other tasks. Various operating systems have different kernels depending on the type of OS. Moreover, devices in Windows and Linux have different kernels.
Structure of the Windows NT Kernel:
This is where and why we "enumerate", with the aim of privilege escalation: the process of gaining more control over the system. Let's call it a revolution, or the process of overthrowing a kernel, metaphorically speaking.
Extracting information about Windows kernel version can be done through:
Navigating to C:/Windows/System32 and checking the version of ntoskrnl.exe
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10 Enterprise LTSC
OS Version: 10.0.17763 N/A Build 17763

Get-CimInstance Win32_OperatingSystem | Select-Object Caption, CSDVersion, ServicePackMajorVersion, BuildNumber | FL
Caption : Microsoft Windows 10 Enterprise LTSC
CSDVersion :
ServicePackMajorVersion : 0
BuildNumber : 17763

[System.Environment]::OSVersion.Version
Major Minor Build Revision
----- ----- ----- --------
10 0 17763 0
Or WMIC (Windows Management Instrumentation Command):
wmic os get buildnumber,caption,CSDVersion /format:csv
Node,BuildNumber,Caption,CSDVersion
DESKTOP-JHU119R,17763,Microsoft Windows 10 Enterprise LTSC,
Why is it important to know the Windows kernel version from a security standpoint? Because public exploit databases index kernel exploits by the version and build they apply to:
└──╼ $searchsploit Microsoft Windows kernel | grep local
Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation | exploits/windows_x86/local/43192.c
Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (MS15-052) | exploits/windows/local/37052.c
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039) | exploits/windows_x86/local/44480.cpp
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017) | exploits/windows_x86/local/44479.cpp
Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) | exploits/windows_x86-64/local/20861.txt
Microsoft Windows Kernel - Local Privilege Escalation (MS06-049) | exploits/windows/local/2412.c
Microsoft Windows Kernel - 'win32k.sys' Local Privilege Escalation (MS14-058) | exploits/windows/local/39666.txt
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (1) | exploits/windows/local/40823.txt
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2) | exploits/windows/local/41015.c
Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit) | exploits/windows_x86/local/33213.rb
Microsoft Windows Server 2000 Kernel - APC Data-Free Local Escalation (MS05-055) | exploits/windows/local/1407.c
Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow | exploits/windows/local/32590.c
Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation (MS10-073) | exploits/windows/local/36327.txt
That basic enumeration is the one most commonly used. However, an attempt at exploiting the Windows kernel does not end here at all. We still need to explore other avenues, as pointed out in the kernel diagram below:
The Windows Executive services make up the low-level kernel-mode portion and are contained in the file NTOSKRNL.EXE. It deals with I/O, object management, security and process management. These are divided into several subsystems, among which are the Cache Manager, Configuration Manager, I/O Manager, Local Procedure Call (LPC), Memory Manager, Object Manager, Process Structure and Security Reference Monitor (SRM). Grouped together, the components can be called Executive services (internal name Ex). System Services (internal name Nt), i.e., system calls, are implemented at this level too, except for a very few that call directly into the kernel layer for better performance.
I see ACLs, or for short, ICACLS.exe.
The Windows counterpart of Linux's chown/chmod, it lets you check folder permissions, and with /save it also exports the ACL, including the SIDs of the principals it grants access to:
icacls c:\windows\Temp /save Desktop/New.txt
processed file: c:\windows\Temp
Successfully processed 1 files; Failed processing 0 files
A Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal. When a user logs into a computer, an access token is generated that contains the user and group SIDs and the user's privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny a particular action on a particular object.
How do we find out more information about SIDs?
From a command line:
whoami /user
USER INFORMATION
User Name SID
===================== ==============================================
DESKTOP-JHU119R\admin S-1-5-21-2437496762-2379314466-1107088517-1001

wmic useraccount get name,sid
Name SID
admin S-1-5-21-2437496762-2379314466-1107088517-1001
Administrator S-1-5-21-2437496762-2379314466-1107088517-500
DefaultAccount S-1-5-21-2437496762-2379314466-1107088517-503
Guest S-1-5-21-2437496762-2379314466-1107088517-501
WDAGUtilityAccount S-1-5-21-2437496762-2379314466-1107088517-504
Powershell - finding the little guys
get-wmiobject -class "win32_account" -namespace "root\cimv2" | sort caption | format-table domain,name, __CLASS, SID
domain name __CLASS SID
------ ---- ------- ---
DESKTOP-JHU119R Access Control Assistance Operators Win32_Group S-1-5-32-579
DESKTOP-JHU119R admin Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-1001
DESKTOP-JHU119R Administrator Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-500
DESKTOP-JHU119R Administrators Win32_Group S-1-5-32-544
DESKTOP-JHU119R ANONYMOUS LOGON Win32_SystemAccount S-1-5-7
DESKTOP-JHU119R Authenticated Users Win32_SystemAccount S-1-5-11
DESKTOP-JHU119R Backup Operators Win32_Group S-1-5-32-551
DESKTOP-JHU119R BATCH Win32_SystemAccount S-1-5-3
DESKTOP-JHU119R BUILTIN Win32_SystemAccount S-1-5-32
DESKTOP-JHU119R CREATOR GROUP Win32_SystemAccount S-1-3-1
DESKTOP-JHU119R CREATOR GROUP SERVER Win32_SystemAccount S-1-3-3
DESKTOP-JHU119R CREATOR OWNER Win32_SystemAccount S-1-3-0
DESKTOP-JHU119R CREATOR OWNER SERVER Win32_SystemAccount S-1-3-2
DESKTOP-JHU119R Cryptographic Operators Win32_Group S-1-5-32-569
DESKTOP-JHU119R DefaultAccount Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-503
DESKTOP-JHU119R Device Owners Win32_Group S-1-5-32-583
DESKTOP-JHU119R DIALUP Win32_SystemAccount S-1-5-1
DESKTOP-JHU119R Distributed COM Users Win32_Group S-1-5-32-562
DESKTOP-JHU119R ENTERPRISE DOMAIN CONTROLLERS Win32_SystemAccount S-1-5-9
DESKTOP-JHU119R Event Log Readers Win32_Group S-1-5-32-573
DESKTOP-JHU119R Everyone Win32_SystemAccount S-1-1-0
DESKTOP-JHU119R Guest Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-501
DESKTOP-JHU119R Guests Win32_Group S-1-5-32-546
DESKTOP-JHU119R Hyper-V Administrators Win32_Group S-1-5-32-578
DESKTOP-JHU119R IIS_IUSRS Win32_Group S-1-5-32-568
DESKTOP-JHU119R INTERACTIVE Win32_SystemAccount S-1-5-4
DESKTOP-JHU119R IUSR Win32_SystemAccount S-1-5-17
DESKTOP-JHU119R LOCAL Win32_SystemAccount S-1-2-0
DESKTOP-JHU119R LOCAL SERVICE Win32_SystemAccount S-1-5-19
DESKTOP-JHU119R NETWORK Win32_SystemAccount S-1-5-2
DESKTOP-JHU119R Network Configuration Operators Win32_Group S-1-5-32-556
DESKTOP-JHU119R NETWORK SERVICE Win32_SystemAccount S-1-5-20
DESKTOP-JHU119R OWNER RIGHTS Win32_SystemAccount S-1-3-4
DESKTOP-JHU119R Performance Log Users Win32_Group S-1-5-32-559
DESKTOP-JHU119R Performance Monitor Users Win32_Group S-1-5-32-558
DESKTOP-JHU119R Power Users Win32_Group S-1-5-32-547
DESKTOP-JHU119R PROXY Win32_SystemAccount S-1-5-8
DESKTOP-JHU119R Remote Desktop Users Win32_Group S-1-5-32-555
DESKTOP-JHU119R REMOTE INTERACTIVE LOGON Win32_SystemAccount S-1-5-14
DESKTOP-JHU119R Remote Management Users Win32_Group S-1-5-32-580
DESKTOP-JHU119R Replicator Win32_Group S-1-5-32-552
DESKTOP-JHU119R RESTRICTED Win32_SystemAccount S-1-5-12
DESKTOP-JHU119R SELF Win32_SystemAccount S-1-5-10
DESKTOP-JHU119R SERVICE Win32_SystemAccount S-1-5-6
DESKTOP-JHU119R SYSTEM Win32_SystemAccount S-1-5-18
DESKTOP-JHU119R System Managed Accounts Group Win32_Group S-1-5-32-581
DESKTOP-JHU119R TERMINAL SERVER USER Win32_SystemAccount S-1-5-13
DESKTOP-JHU119R Users Win32_Group S-1-5-32-545
DESKTOP-JHU119R WDAGUtilityAccount Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-504
But what do those numbers mean?
All SID fields have a specific meaning; so, for the sample SID S-1-5-21-4064627337-2434140041-2375368561-1036:
S: The initial S identifies the following string as a SID.
1: The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
5: The identifier authority value. This is a predefined identifier for the top-level authority that issued the SID. This is typically 5, which represents the SECURITY_NT_AUTHORITY.
21-4064627337-2434140041-2375368561: This section is the domain or local computer identifier (in this example, a domain identifier). This is a 48-bit string that identifies the authority (the computer or domain) that created the SID.
1036: The Relative ID (RID) is the last part of a SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID. Any group or user that the Windows OS doesn't create has a RID of 1000 or greater by default.
An individual service's SID can be queried with:
sc showsid trustedinstaller
NAME: trustedinstaller
SERVICE SID: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
STATUS: Active
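To make the field breakdown above concrete, here is an added example (not code from the original post) that splits a SID string into revision, identifier authority and sub-authorities, and classifies it the way the breakdown describes: built-in aliases (S-1-5-32-x), per-service SIDs (S-1-5-80-...) like the trustedinstaller one shown by sc showsid, and domain or local accounts whose RID below 1000 marks an account created by Windows itself. The well-known names in the table are the ones that appear in the get-wmiobject output above.

```python
import re

# Identifier authorities and a few well-known SIDs from the Windows SID
# scheme (all of these values appear in the account listing above).
AUTHORITIES = {0: "NULL", 1: "WORLD", 2: "LOCAL", 3: "CREATOR", 5: "NT"}
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Split a textual SID into its fields; raise ValueError if malformed."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    # Revision has always been 1; a SID carries at most 15 sub-authorities.
    if revision != 1 or len(subs) > 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    return {"revision": revision, "authority": authority, "subauthorities": subs}


def classify_sid(sid):
    """Describe what kind of principal a SID names, from its structure alone."""
    if sid in WELL_KNOWN:
        return f"well-known: {WELL_KNOWN[sid]}"
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["authority"] != 5:
        return f"{AUTHORITIES.get(p['authority'], 'unknown')} authority SID"
    if subs[:1] == [32]:
        return f"built-in alias, RID {subs[-1]}"
    if subs[:1] == [80]:
        return "service SID (NT SERVICE\\<name>, derived from the service name)"
    if subs[:1] == [21] and len(subs) == 5:
        # S-1-5-21-<three 32-bit machine/domain ids>-<RID>
        rid = subs[-1]
        domain = "-".join(str(s) for s in subs[1:4])
        kind = "OS-created" if rid < 1000 else "user-created"
        return f"domain/local account, domain id {domain}, RID {rid} ({kind})"
    return "other NT authority SID"


if __name__ == "__main__":
    for s in ("S-1-5-21-2437496762-2379314466-1107088517-1001", "S-1-5-32-579"):
        print(s, "->", classify_sid(s))
```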
The HAL is loaded into kernel address space and runs in kernel mode, so routines in the HAL cannot be called directly by applications, and no user mode APIs correspond directly to HAL routines. Instead, the HAL provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Although drivers for most hardware are contained in other files, commonly of file type .sys, a few core drivers are compiled into Hal.dll.
UAC has a similar architecture to Privilege Guard, as both are implemented in user mode.