Offensive Security
Search…
Web Vulnerabilities - OWASP TOP 10
Other Web Vulnerabilities
Operating System philosophy
Going deeper into a rabbit hole.
Learning about the systems from a philosophical stance.
System designers had a vision and goal in mind when creating their products. The definition of a system is a set of rules, an arrangement of things, or a group of related things that work toward a common goal. An example of a system are the laws and procedures of a democratic government. ... An example of a system is all the organs that work together for digestion.
Could not load image
In all cases of systems, be it operating or biological ones, all interconnected parts work together to an end goal. Can the purpose of system be sustaining life and longevity of the system itself or is there something more to it?
Systeminfo vs uname -a
In IT world we have two major systems that dominate user experience – Windows and Linux. Similarities here are that an operating system is a program that manages a computer ’s hardware. It also provides a basis for application programs and acts as an intermediary between the computer user and the computer hardware. An amazing aspect of operating systems is how they vary in accomplishing these tasks. Main frame operating systems are designed primarily to optimize utilization of hardware. Personal computer (PC) operating systems support complex games, business applications, and everything in between. Operating systems for mobile computers provide an environment in which a user can easily interface with the computer to execute programs. Thus, some operating systems are designed to be convenient,others to be efficient,and others to be some combination of the two.
Now that we know the similar function that both operating system share, let’s look at the underlying philosophy of Linux and Windows.
Linux and the Unix Philosophy, by Mike Gancarz, quite informative:
An operating system, by its nature, embodies the philosophy of its creators... The creators of the Unix operating system started with a radical concept: they assumed that the user of their operating system would be computer literate from the start. The entire Unix philosophy revolves around the idea that the user knows what he or she is doing.
UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things. -- unknown (generally attributed to a Doug Gwyn, but no information found about him)
Going through reflections of those who have used Unix system to it’s fully capabilities we see emphasis on freedom to make mistakes. Windows from another hand approaches user experience from a different standpoint:
For example, the philosophy of Windows is very similar to that of Digital Equipment Corporation's (DEC) VMS operating system. It amounts to "shield the users from everything that might get them into trouble." Of course, the reason for this similarity is that the prime developer of Windows NT is the same person who developed VMS. The philosophy of both operating systems is based on the underlying belief that users are afraid of computers and need to be shielded from their complexity.
Taking power of responsibility away from users between giving them more power. What does it take to break the system ?
Comparison:
With that in mind let’s dive into understanding the operating system architecture, starting from kernel:
The kernel is the core of the operating system. It performs functionalities such as communicating with hardware devices, process management, file handling, and many other tasks. Various operating systems have different kernels depending on the type of OS. Moreover, devices in Windows and Linux have different kernels.
​
Could not load image
Structure of the Windows NT Kernel:
Diagram of the functions of Windows NT kernel
This is where and why we "enumerate" with the aim of privilege escalation - process of gaining more control over the system. Lets call it a revolution or process of overthrowing a kernel, metaphorically speaking.
Extracting information about Windows kernel version can be done through:
Navigating to C:/Windows/System32 and checking version of ntoskrnl.exe
Command line:
1
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
2
OS Name: Microsoft Windows 10 Enterprise LTSC
3
OS Version: 10.0.17763 N/A Build 17763
Copied!
Powershell:
1
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, CSDVersion, ServicePackMajorVersion, BuildNumber | FL
2
​
3
​
4
Caption : Microsoft Windows 10 Enterprise LTSC
5
CSDVersion :
6
ServicePackMajorVersion : 0
7
BuildNumber : 17763
Copied!
1
[System.Environment]::OSVersion.Version
2
​
3
Major Minor Build Revision
4
----- ----- ----- --------
5
10 0 17763 0
Copied!
Or WMIC (Windows Management Instrumentation Command):
1
wmic os get buildnumber,caption,CSDVersion /format:csv
2
​
3
Node,BuildNumber,Caption,CSDVersion
4
DESKTOP-JHU119R,17763,Microsoft Windows 10 Enterprise LTSC,
Copied!
Why is it important to know Windows kernel version from a security standpoint ?
1
└──╼ $searchsploit Microsoft Windows kernel | grep local
2
Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation | exploits/windows_x86/local/43192.c
3
Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (MS15-052) | exploits/windows/local/37052.c
4
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039) | exploits/windows_x86/local/44480.cpp
5
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017) | exploits/windows_x86/local/44479.cpp
6
Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) | exploits/windows_x86-64/local/20861.txt
7
Microsoft Windows Kernel - Local Privilege Escalation (MS06-049) | exploits/windows/local/2412.c
8
Microsoft Windows Kernel - 'win32k.sys' Local Privilege Escalation (MS14-058) | exploits/windows/local/39666.txt
9
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (1) | exploits/windows/local/40823.txt
10
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2) | exploits/windows/local/41015.c
11
Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit) | exploits/windows_x86/local/33213.rb
12
Microsoft Windows Server 2000 Kernel - APC Data-Free Local Escalation (MS05-055) | exploits/windows/local/1407.c
13
Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow | exploits/windows/local/32590.c
14
Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation (MS10-073) | exploits/windows/local/36327.txt
Copied!
That basic enumeration is the one that is most commonly used. However, attempt at exploitation of Windows Kernel does not end here at all. We still needed to explore other avenues as pointed out in the Kernel diagram below:
Company -> Executive power -> Managers -> Little guys ?
The Windows Executive services make up the low-level kernel-mode portion, and are contained in the file NTOSKRNL.EXE.[8] It deals with I/O, object management, security and process management. These are divided into several subsystems, among which are Cache Manager, Configuration Manager, I/O Manager, Local Procedure Call (LPC), Memory Manager, Object Manager, Process Structure and Security Reference Monitor (SRM). Grouped together, the components can be called Executive services (internal name Ex). System Services (internal name Nt), i.e., system calls, are implemented at this level, too, except very few that call directly into the kernel layer for better performance
2.
Security Reference Monitor - The primary authority for enforcing the security rules of the security integral subsystem.[20] It determines whether an object or resource can be accessed, via the use of access control lists (ACLs), which are themselves made up of access control entries (ACEs). ACEs contain a Security Identifier (SID) and a list of operations that the ACE gives a select group of trustees—a user account, group account, or login session[21]—permission (allow, deny, or audit) to that resource.[22]​[23]​
2.a
I see ACLS or short ICACLS.exe.
Linux alternative to chown allows to check folders permissions and with /save it extracts the SID permissions as well:
1
icacls c:\windows\Temp /save Desktop/New.txt
2
processed file: c:\windows\Temp
3
Successfully processed 1 files; Failed processing 0 files
Copied!
Output:
1
more Desktop\New.txt
2
Temp
3
D:PAI(A;CI;0x100026;;;BU)(A;;FA;;;BA)(A;OICIIO;FA;;;BA)(A;;FA;;;SY)(A;OICIIO;FA;;;SY)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;S-1-5-21-2437496762-2379314466-1107088517-1001)S:AINO_ACCESS_CONTROL
Copied!
2.b
SID known as Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny particular action on a particular object.
How to find out more information about SID's ?
From a command line:
1
whoami /user
2
USER INFORMATION
3
User Name SID
4
===================== ==============================================
5
DESKTOP-JHU119R\admin S-1-5-21-2437496762-2379314466-1107088517-1001
Copied!
WMIC:
1
wmic useraccount get name,sid
2
Name SID
3
admin S-1-5-21-2437496762-2379314466-1107088517-1001
4
Administrator S-1-5-21-2437496762-2379314466-1107088517-500
5
DefaultAccount S-1-5-21-2437496762-2379314466-1107088517-503
6
Guest S-1-5-21-2437496762-2379314466-1107088517-501
7
WDAGUtilityAccount S-1-5-21-2437496762-2379314466-1107088517-504
Copied!
Powershell - finding the little guys
1
get-wmiobject -class "win32_account" -namespace "root\cimv2" | sort caption | format-table domain,name, __CLASS, SID
2
​
3
domain name __CLASS SID
4
------ ---- ------- ---
5
DESKTOP-JHU119R Access Control Assistance Operators Win32_Group S-1-5-32-579
6
DESKTOP-JHU119R admin Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-1001
7
DESKTOP-JHU119R Administrator Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-500
8
DESKTOP-JHU119R Administrators Win32_Group S-1-5-32-544
9
DESKTOP-JHU119R ANONYMOUS LOGON Win32_SystemAccount S-1-5-7
10
DESKTOP-JHU119R Authenticated Users Win32_SystemAccount S-1-5-11
11
DESKTOP-JHU119R Backup Operators Win32_Group S-1-5-32-551
12
DESKTOP-JHU119R BATCH Win32_SystemAccount S-1-5-3
13
DESKTOP-JHU119R BUILTIN Win32_SystemAccount S-1-5-32
14
DESKTOP-JHU119R CREATOR GROUP Win32_SystemAccount S-1-3-1
15
DESKTOP-JHU119R CREATOR GROUP SERVER Win32_SystemAccount S-1-3-3
16
DESKTOP-JHU119R CREATOR OWNER Win32_SystemAccount S-1-3-0
17
DESKTOP-JHU119R CREATOR OWNER SERVER Win32_SystemAccount S-1-3-2
18
DESKTOP-JHU119R Cryptographic Operators Win32_Group S-1-5-32-569
19
DESKTOP-JHU119R DefaultAccount Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-503
20
DESKTOP-JHU119R Device Owners Win32_Group S-1-5-32-583
21
DESKTOP-JHU119R DIALUP Win32_SystemAccount S-1-5-1
22
DESKTOP-JHU119R Distributed COM Users Win32_Group S-1-5-32-562
23
DESKTOP-JHU119R ENTERPRISE DOMAIN CONTROLLERS Win32_SystemAccount S-1-5-9
24
DESKTOP-JHU119R Event Log Readers Win32_Group S-1-5-32-573
25
DESKTOP-JHU119R Everyone Win32_SystemAccount S-1-1-0
26
DESKTOP-JHU119R Guest Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-501
27
DESKTOP-JHU119R Guests Win32_Group S-1-5-32-546
28
DESKTOP-JHU119R Hyper-V Administrators Win32_Group S-1-5-32-578
29
DESKTOP-JHU119R IIS_IUSRS Win32_Group S-1-5-32-568
30
DESKTOP-JHU119R INTERACTIVE Win32_SystemAccount S-1-5-4
31
DESKTOP-JHU119R IUSR Win32_SystemAccount S-1-5-17
32
DESKTOP-JHU119R LOCAL Win32_SystemAccount S-1-2-0
33
DESKTOP-JHU119R LOCAL SERVICE Win32_SystemAccount S-1-5-19
34
DESKTOP-JHU119R NETWORK Win32_SystemAccount S-1-5-2
35
DESKTOP-JHU119R Network Configuration Operators Win32_Group S-1-5-32-556
36
DESKTOP-JHU119R NETWORK SERVICE Win32_SystemAccount S-1-5-20
37
DESKTOP-JHU119R OWNER RIGHTS Win32_SystemAccount S-1-3-4
38
DESKTOP-JHU119R Performance Log Users Win32_Group S-1-5-32-559
39
DESKTOP-JHU119R Performance Monitor Users Win32_Group S-1-5-32-558
40
DESKTOP-JHU119R Power Users Win32_Group S-1-5-32-547
41
DESKTOP-JHU119R PROXY Win32_SystemAccount S-1-5-8
42
DESKTOP-JHU119R Remote Desktop Users Win32_Group S-1-5-32-555
43
DESKTOP-JHU119R REMOTE INTERACTIVE LOGON Win32_SystemAccount S-1-5-14
44
DESKTOP-JHU119R Remote Management Users Win32_Group S-1-5-32-580
45
DESKTOP-JHU119R Replicator Win32_Group S-1-5-32-552
46
DESKTOP-JHU119R RESTRICTED Win32_SystemAccount S-1-5-12
47
DESKTOP-JHU119R SELF Win32_SystemAccount S-1-5-10
48
DESKTOP-JHU119R SERVICE Win32_SystemAccount S-1-5-6
49
DESKTOP-JHU119R SYSTEM Win32_SystemAccount S-1-5-18
50
DESKTOP-JHU119R System Managed Accounts Group Win32_Group S-1-5-32-581
51
DESKTOP-JHU119R TERMINAL SERVER USER Win32_SystemAccount S-1-5-13
52
DESKTOP-JHU119R Users Win32_Group S-1-5-32-545
53
DESKTOP-JHU119R WDAGUtilityAccount Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-504
Copied!
But what do those number mean ?
All SID fields have a specific meaning; so, for the above sample SID:
- S: The initial S identifies the following string as a SID.
- 1: The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
- 5: The identifier authority value. This is a predefined identifier for the top-level authority that issued the SID. This is typically 5, which represents the SECURITY_NT_AUTHORITY.
- 21-4064627337-2434140041-2375368561: This section is the domain or local computer identifier (in this example, a domain identifier). This is a 48-bit string that identifies the authority (the computer or domain) that created the SID.
- 1036: The Relative ID (RID) is the last part of a SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID. Any group or user that the Windows OS doesn't create has a RID of 1000 or greater by default.
Individual SID can be queried with:
1
sc showsid trustedinstaller
2
​
3
NAME: trustedinstaller
4
SERVICE SID: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
5
STATUS: Active
Copied!
C:\Windows\System32\hall.dll
The HAL is loaded into kernel address space and runs in kernel mode, so routines in the HAL cannot be called directly by applications, and no user mode APIs correspond directly to HAL routines. Instead, the HAL provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Although drivers for most hardware are contained in other files, commonly of file type .sys, a few core drivers are compiled into Hal.dll.
​
User mode:
UAC, which has a similar architecture to Privilege Guard, as both are implemented in user mode.
Last modified 2yr ago
Copy link