Sunday, January 17, 2016
Privilege Escalation - Potato
5:26:00 PM
Exploitation, Hackers Tools, Pentest Tools, Post-Exploitation, Security Tools
No comments
Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012
Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.
Windows 7
This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network. Often it is the case that once an attacker is able to gain high privileged access to ANY workstation or server on a Windows network, they can use this access to gain “lateral movement” and compromise other hosts on the same domain. As an attacker, we often gain access to a computer through a low privilege user or service account. Gaining high privilege access on a host is often a critical step in a penetration test, and is usually performed in an ad-hoc manner as there are no known public exploits or techniques to do so reliably.
Windows Server 2008
The techniques that this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches. Each part corresponds to an already well known attack that has been in use for years:
º Local NBNS Spoofer
NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments.
º Fake WPAD Proxy Server
In Windows, Internet Explorer by default will automatically try to detect network proxy setting configuration by accessing the URL “http://wpad/wpad.dat”
º HTTP -> SMB NTLM Relay
Part of Windows Integrated Auth protocol suite. Essentially a challenge-response design
Windows 8/10/Server 2012
Search
Categories
Popular Posts
-
dotenv loads .env files into process.env for Node.js projects, making it useful for configuration hygiene checks, secret-handling review...
-
In this post, we will explore a Python script designed to parse logs containing url:user:pass data. These logs are instrumental in executin...
-
New bug bounty(vulnerabilities) collector Requirements Chrome with GUI (If you encounter trouble with script execution, check the stat...
-
x64dbg is a Windows user-mode debugger for controlled runtime inspection, breakpoint logic, trace collection and patch validation in autho...
-
As cyber threats evolve, so must our strategies to combat them. The deepdarkCTI project serves as a crucial resource, offering access to a c...
-
GTFOcli it's a Command Line Interface for easy binaries search commands that can be used to bypass local security restrictions in mis...
-
As mobile applications become more integral to our daily lives, ensuring their security is paramount. Vulnerabilities in mobile apps can exp...
-
social-analyzer provides API, CLI, and web interfaces for finding and analyzing public profiles across more than 1000 social media and web...
-
Remote adminitration tool for android Features Notifications listener SMS listener Phone call recording Image capturing and sc...
-
RepoReaper is a precision tool designed to automate the identification of exposed .git repositories across a list of domains and subdomai...
Blog Archive
-
►
2026
(3)
- ► 05/24 - 05/31 (3)
-
►
2024
(42)
- ► 05/26 - 06/02 (1)
- ► 05/12 - 05/19 (1)
- ► 05/05 - 05/12 (5)
- ► 03/10 - 03/17 (3)
- ► 02/18 - 02/25 (32)
-
►
2022
(20)
- ► 02/06 - 02/13 (18)
- ► 01/30 - 02/06 (2)
-
►
2018
(69)
- ► 10/14 - 10/21 (4)
- ► 08/26 - 09/02 (7)
- ► 08/12 - 08/19 (4)
- ► 07/15 - 07/22 (2)
- ► 07/08 - 07/15 (6)
- ► 07/01 - 07/08 (3)
- ► 06/17 - 06/24 (2)
- ► 03/04 - 03/11 (2)
- ► 02/18 - 02/25 (1)
- ► 02/04 - 02/11 (3)
- ► 01/28 - 02/04 (7)
- ► 01/21 - 01/28 (6)
- ► 01/14 - 01/21 (12)
- ► 01/07 - 01/14 (10)
-
►
2017
(72)
- ► 12/31 - 01/07 (2)
- ► 12/03 - 12/10 (1)
- ► 11/19 - 11/26 (1)
- ► 11/12 - 11/19 (1)
- ► 10/22 - 10/29 (3)
- ► 10/01 - 10/08 (2)
- ► 09/17 - 09/24 (6)
- ► 09/10 - 09/17 (2)
- ► 09/03 - 09/10 (2)
- ► 08/27 - 09/03 (4)
- ► 07/23 - 07/30 (5)
- ► 07/16 - 07/23 (3)
- ► 06/25 - 07/02 (1)
- ► 06/18 - 06/25 (4)
- ► 05/21 - 05/28 (7)
- ► 05/14 - 05/21 (1)
- ► 05/07 - 05/14 (2)
- ► 04/30 - 05/07 (2)
- ► 04/23 - 04/30 (2)
- ► 04/16 - 04/23 (2)
- ► 03/19 - 03/26 (4)
- ► 01/22 - 01/29 (2)
- ► 01/15 - 01/22 (1)
- ► 01/08 - 01/15 (8)
- ► 01/01 - 01/08 (4)
-
▼
2016
(648)
- ► 12/25 - 01/01 (1)
- ► 12/18 - 12/25 (2)
- ► 12/11 - 12/18 (6)
- ► 12/04 - 12/11 (4)
- ► 11/27 - 12/04 (5)
- ► 11/13 - 11/20 (1)
- ► 11/06 - 11/13 (1)
- ► 10/30 - 11/06 (5)
- ► 10/23 - 10/30 (1)
- ► 10/16 - 10/23 (2)
- ► 10/09 - 10/16 (5)
- ► 10/02 - 10/09 (3)
- ► 09/25 - 10/02 (2)
- ► 09/18 - 09/25 (6)
- ► 09/11 - 09/18 (6)
- ► 09/04 - 09/11 (4)
- ► 08/28 - 09/04 (7)
- ► 08/21 - 08/28 (5)
- ► 08/14 - 08/21 (4)
- ► 08/07 - 08/14 (2)
- ► 07/31 - 08/07 (2)
- ► 07/24 - 07/31 (5)
- ► 07/17 - 07/24 (2)
- ► 07/10 - 07/17 (3)
- ► 07/03 - 07/10 (6)
- ► 06/26 - 07/03 (11)
- ► 06/12 - 06/19 (4)
- ► 06/05 - 06/12 (1)
- ► 05/29 - 06/05 (1)
- ► 05/08 - 05/15 (4)
- ► 04/24 - 05/01 (8)
- ► 04/17 - 04/24 (5)
- ► 04/10 - 04/17 (1)
- ► 04/03 - 04/10 (8)
- ► 03/27 - 04/03 (1)
- ► 03/20 - 03/27 (5)
- ► 03/13 - 03/20 (1)
- ► 03/06 - 03/13 (12)
- ► 02/28 - 03/06 (14)
- ► 02/21 - 02/28 (11)
- ► 02/14 - 02/21 (12)
- ► 02/07 - 02/14 (13)
- ► 01/31 - 02/07 (121)
- ► 01/24 - 01/31 (34)
-
▼
01/17 - 01/24
(58)
- Open Source Vulnerability Scanner - OpenVAS
- Passive DNS Network Mapper - dnsmap
- Admin Page Finder Script
- TrueCrypt brute-force password cracker - TrueCrack
- Automatic Database Dump - sqlcake
- Open Source Intelligence - Maltego
- Mobile Terminal Application for Intermittent Conne...
- Joomla Security Scanner - Joomscan
- Post Exploitation Framework - Intersect
- Exploring Android Platform - Mercury
- Python Script Searching - Dark D0rk3r
- SQLi and Web Attack Framework - Enema SQLi
- Linux Live USB Creator - LiLi
- Backup and Recovery - ReDo
- Yet Another Man in The Middle Automation Script -...
- Wi-Fi network scanner - inSSIDer
- Open Source MySQL Injection - sqlsus
- Extreme GPU - Bruteforcer
- Passive Traffic Fingerprinting - p0f
- Rainbow Tables Hash Cracker - RainbowCrack
- Web Application Testing - Vega
- PDF Analysis Tool - peepdf
- PHP Vulnerability - Hunter
- O Programa da Matrix Está Falhando - ''O Que Você ...
- Automatic Bluetooth Spoofing - Spooftooph
- Wireless Network Monitoring Tool - Kismet
- Pentest - Security Cheatsheets
- Antivirus Evasion - foolav
- Razorback
- LAMP/LEMP Secure Deployment - JShielder
- Wordlist Generator - Crunch
- SIP Witch
- Injecting Fake Updates - Evilgrade
- Tiny Core Linux
- MD5 Online Password Cracking - md5cracker
- Writing Your Own Exploits
- Encrypt Your Network Traffic - Tcpcrypt
- Passive Network Monitoring - lanmap2
- Wireless and Wired Network Interceptor - the Inter...
- Encrypted UDP based FTP - UFTP
- IDS evasion - Inundator
- Standardized Security - OpenSCAP
- Web Application Security Scanner - w3af
- Log Monitoring Daemon - agentsmith
- Blind SQL Injections - BSQL Hacker
- Final Released - Bruter v1.0
- V For Vendetta
- AfterGlow
- Network Forensics - Xplico
- Digital Forensics Framework - DFF
- Digital Forensics - Autopsy
- Volatility 2.5 - Memory Forensics
- Credit Card Magstripe Spoofer - MagSpoof
- Privilege Escalation - Potato
- Cross Platform ELF Analysis - ELF Parser
- Pentest Distro - Web Testing Framework Samurai
- 10 Estratégias de Manipulação da Mídia
- Project Arsenal X - As HackTheGame But Real
- ► 01/10 - 01/17 (59)
- ► 01/03 - 01/10 (174)
-
►
2015
(26)
- ► 12/27 - 01/03 (1)
- ► 08/30 - 09/06 (8)
- ► 08/23 - 08/30 (16)
- ► 08/16 - 08/23 (1)
Home
Privacy Center
Data Protection
Community
Digital Policy
Security Tools
Online Utilities
Resources
Search Operators
Library

0 comentários:
Post a Comment
Note: Only a member of this blog may post a comment.