GitBook: [master] 9 pages modified
Parent: bfa5e227e4
Commit: e366f0d1d9
|
@ -93,7 +93,7 @@
|
|||
* [Stealing Credentials](windows/stealing-credentials/README.md)
|
||||
* [Credentials Protections](windows/stealing-credentials/credentials-protections.md)
|
||||
* [Mimikatz](windows/stealing-credentials/credentials-mimikatz.md)
|
||||
* [Authentication, Credentials, UAC and EFS](windows/credentials.md)
|
||||
* [Authentication, Credentials, UAC and EFS](windows/authentication-credentials-uac-and-efs.md)
|
||||
* [Basic CMD for Pentesters](windows/basic-cmd-for-pentesters.md)
|
||||
* [Basic PowerShell for Pentesters](windows/basic-powershell-for-pentesters/README.md)
|
||||
* [PowerView](windows/basic-powershell-for-pentesters/powerview.md)
|
||||
|
|
|
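Review bot: The table-of-contents entry now points at `windows/authentication-credentials-uac-and-efs.md` and the old `windows/credentials.md` path disappears, but nothing in this commit shows a redirect from the old location. Inbound links and bookmarks to the old page will break; add a redirect for the old path in the GitBook configuration, or keep a stub page there that links to the new one.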
@ -75,7 +75,7 @@ If you are **not root/Administrator** inside the box, you should find a way to *
|
|||
Here you can find a **guide to escalate privileges locally in** [**Linux**](linux-unix/privilege-escalation/) **and in** [**Windows**](windows/windows-local-privilege-escalation/)**.**
|
||||
You should also check this pages about how does **Windows work**:
|
||||
|
||||
* [**Authentication, Credentials, Token privileges and UAC**](windows/credentials.md)\*\*\*\*
|
||||
* [**Authentication, Credentials, Token privileges and UAC**](windows/authentication-credentials-uac-and-efs.md)\*\*\*\*
|
||||
* How does [**NTLM works**](windows/ntlm/)\*\*\*\*
|
||||
* How to [**steal credentials**](windows/stealing-credentials/) in Windows
|
||||
* Some tricks about [_**Active Directory**_](windows/active-directory-methodology/)_\*\*\*\*_
|
||||
|
|
|
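Review bot: On the changed bullet, the link text still reads "Authentication, Credentials, Token privileges and UAC" while the target is now `authentication-credentials-uac-and-efs.md` and the table of contents titles the same page "Authentication, Credentials, UAC and EFS". Pick one title and use it in both places. The trailing `\*\*\*\*` after the link is escaped-emphasis residue and can be dropped while the line is being touched, as can the same residue on the NTLM bullet below it.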
@ -222,7 +222,7 @@ The **security descriptors** are used to **store** the **permissions** an **obje
|
|||
|
||||
### **Custom SSP**
|
||||
|
||||
[Learn what is a SSP \(Security Support Provider\) here.](../credentials.md#security-support-provider-interface-sspi)
|
||||
[Learn what is a SSP \(Security Support Provider\) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)
|
||||
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
|
||||
****[**More information about Custom SSP here.**](custom-ssp.md)
|
||||
|
||||
|
|
|
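Review bot: The new link keeps the fragment `#security-support-provider-interface-sspi`, which resolves only if the renamed page still has a heading that generates that anchor, and nothing in this hunk shows that. Confirm the heading exists in `authentication-credentials-uac-and-efs.md` before merging. The unchanged line `****[**More information about Custom SSP here.**](custom-ssp.md)` also starts with a stray `****` that should be removed.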
@ -2,7 +2,7 @@
|
|||
|
||||
## Custom SSP
|
||||
|
||||
[Learn what is a SSP \(Security Support Provider\) here.](../credentials.md#security-support-provider-interface-sspi)
|
||||
[Learn what is a SSP \(Security Support Provider\) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)
|
||||
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
|
||||
|
||||
#### Mimilib
|
||||
|
|
|
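Review bot: The changed link and the sentence after it duplicate the Custom SSP text in the previous hunk word for word, including the typo "create you **own SSP**" in the context line. Correct it to "your own SSP" in both pages, and consider keeping the description in one page with a pointer from the other so the next rename is a one-line change.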
@ -265,7 +265,7 @@ C:\windows\tracing
|
|||
### UAC
|
||||
|
||||
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.
|
||||
[**More information about UAC here**](../credentials.md#uac).
|
||||
[**More information about UAC here**](../authentication-credentials-uac-and-efs.md#uac).
|
||||
|
||||
```text
|
||||
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
@ -300,7 +300,7 @@ If you **belongs to some privileged group you may be able to escalate privileges
|
|||
|
||||
### Token manipulation
|
||||
|
||||
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../credentials.md#access-tokens).
|
||||
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs.md#access-tokens).
|
||||
Check the following page to **learn about interesting tokens** and how to abuse them:
|
||||
|
||||
{% page-ref page="privilege-escalation-abusing-tokens.md" %}
|
||||
|
@ -1220,7 +1220,7 @@ When a **client writes on a pipe**, the **server** that created the pipe can **i
|
|||
|
||||
## From Administrator Medium to High Integrity Level / UAC Bypass
|
||||
|
||||
\*\*\*\*[**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../credentials.md#uac)**, then read how to**[ **bypass it**](../credentials.md#uac)**.**
|
||||
\*\*\*\*[**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../authentication-credentials-uac-and-efs.md#uac)**, then read how to**[ **bypass it**](../authentication-credentials-uac-and-efs.md#uac)**.**
|
||||
|
||||
## **From High Integrity to System**
|
||||
|
||||
|
|
|
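Review bot: On the changed line, "this to learn what is UAC" and "bypass it" both resolve to the same `../authentication-credentials-uac-and-efs.md#uac` fragment, so the second link takes the reader nowhere new. Point "bypass it" at the section that actually covers it if the target page has one, or merge the two into a single link. The leading `\*\*\*\*` and the space inside `[ **bypass it**]` are formatting residue worth cleaning up in the same edit.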
@ -57,7 +57,7 @@ SeTimeZonePrivilege Change the time zone Disabled
|
|||
### Local administrator
|
||||
|
||||
When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** \(non-administrator\) **rights is used**. When this user tries to **execute** anything **as administrator** \("Run as Administrator" for example\) the **UAC** will be used to ask for permission.
|
||||
If you want to [**learn more about the UAC read this page**](../credentials.md#uac)**.**
|
||||
If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs.md#uac)**.**
|
||||
|
||||
### Credentials user impersonation
|
||||
|
||||
|
|
|
@ -103,7 +103,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
|
|||
|
||||
### Example
|
||||
|
||||
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **\(bypassing UAC\)**](../credentials.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**
|
||||
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **\(bypassing UAC\)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**
|
||||
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
|
||||
|
||||
## **Creating and compiling Dlls**
|
||||
|
|
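Review bot: The changed paragraph keeps a leading space inside the link text `[ **High Integrity to SYSTEM**]` and no space before that link ("or from["), and the context line after it closes bold mid-word in `**next sectio**n`. Fix both while the paragraph is being touched. The paragraph is also a single line with three links, which is why a one-path rename shows up as a full-paragraph change; splitting it into sentences per line would make future link updates reviewable.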