我们通常认为配置得当的Windows是安全的,事实真的是这样吗?今天让我们跟随本文作者一起深入了解Windows操作系统的黑暗角落,看看是否能得到SYSTEM权限,今天小编就来说说关于windows提权是什么?下面更多详细答案一起来看看吧!
windows提权是什么
我们通常认为配置得当的Windows是安全的,事实真的是这样吗?今天让我们跟随本文作者一起深入了解Windows操作系统的黑暗角落,看看是否能得到SYSTEM权限。
作者将使用不同版本的Windows来强调任何可能存在的命令行差异,请牢记因为不同的操作系统和版本差异会在命令行中显现,作者试图构造本教程,以便它适用于Windows提权的最普遍的方式。
注:文章篇幅较长,阅读用时约10分钟。
必要文档补充:
Encyclopaedia Of Windows Privilege Escalation (Brett Moore)
Windows Attacks: AT is the new black (Chris Gates & Rob Fuller)
Elevating privileges by exploiting weak folder permissions (Parvez Anwar)
译者注:原文作者提到了meterpreter,我们可以把meterpreter比做sql注入利用的sqlmap,在得到meterpreter的shell后,可以输入命令getsystem,自动完成提权。
在t0-t3阶段,最初的信息收集方法
最开始是一个低权限的shell,这个shell可能是通过远程代码执行、钓鱼、反弹得到的。
在最开始的阶段,我们要快速收集一些基本信息来评估我们的环境。
第一步,找到连接的操作系统。
C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" OS Name: Microsoft Windows 7 Professional OS Version: 6.1.7601 Service Pack 1 Build 7601
接下来,我们将看到主机名和连接上的对应用户。
Command-Line Ninjitsu (SynJunkie)
一些默认配置的Windows并不允许访问WMIC,除非是用户在Windows的管理组,从虚拟机测试来看,任何版本的Windows XP的低权限用户并不能访问WMIC。相反的,默认配置的Windows 7专业版和Windows 8企业版允许低权限的用户访问WMIC并查询操作系统版本。
这正是我们所需要的,因为我们正在使用WMIC来收集关于目标机的信息。关于WMIC的选项,列出了下面可用的命令行:
C:\Windows\system32> wmic /? [global switches] The following global switches are available: /NAMESPACE Path for the namespace the alias operate against. /ROLE Path for the role containing the alias definitions. /NODE Servers the alias will operate against. /IMPLEVEL Client impersonation level. /AUTHLEVEL Client authentication level. /LOCALE Language id the client should use. /PRIVILEGES Enable or disable all privileges. /TRACE Outputs debugging information to stderr. /RECORD Logs all input commands and output. /INTERACTIVE Sets or resets the interactive mode. /FAILFAST Sets or resets the FailFast mode. /USER User to be used during the session. /PASSWORD Password to be used for session login. /OUTPUT Specifies the mode for output redirection. /APPEND Specifies the mode for output redirection. /AGGREGATE Sets or resets aggregate mode. /AUTHORITY Specifies the for the connection. /?[:<BRIEF|FULL>] Usage information. For more information on a specific global switch, type: switch-name /? The following alias/es are available in the current role: ALIAS - Access to the aliases available on the local system BASEBOARD - Base board (also known as a motherboard or system board) management. BIOS - Basic input/output services (BIOS) management. BOOTCONFIG - Boot configuration management. CDROM - CD-ROM management. COMPUTERSYSTEM - Computer system management. CPU - CPU management. CSPRODUCT - Computer system product information from SMBIOS. DATAFILE - DataFile Management. DCOMAPP - DCOM Application management. DESKTOP - User's Desktop management. DESKTOPMONITOR - Desktop Monitor management. DEVICEMEMORYADDRESS - Device memory addresses management. DISKDRIVE - Physical disk drive management. DISKQUOTA - Disk space usage for NTFS volumes. DMACHANNEL - Direct memory access (DMA) channel management. ENVIRONMENT - System environment settings management. FSDIR - Filesystem directory entry management. GROUP - Group account management. IDECONTROLLER - IDE Controller management. IRQ - Interrupt request line (IRQ) management. JOB - Provides access to the jobs scheduled using the schedule service. LOADORDER - Management of system services that define execution dependencies. LOGICALDISK - Local storage device management. LOGON - LOGON Sessions. MEMCACHE - Cache memory management. MEMORYCHIP - Memory chip information. MEMPHYSICAL - Computer system's physical memory management. NETCLIENT - Network Client management. NETLOGIN - Network login information (of a particular user) management. NETPROTOCOL - Protocols (and their network characteristics) management. NETUSE - Active network connection management. NIC - Network Interface Controller (NIC) management. NICCONFIG - Network adapter management. NTDOMAIN - NT Domain management. NTEVENT - Entries in the NT Event Log. NTEVENTLOG - NT eventlog file management. ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board). OS - Installed Operating System/s management. PAGEFILE - Virtual memory file swapping management. PAGEFILESET - Page file settings management. PARTITION - Management of partitioned areas of a physical disk. PORT - I/O port management. PORTCONNECTOR - Physical connection ports management. PRINTER - Printer device management. PRINTERCONFIG - Printer device configuration management. PRINTJOB - Print job management. PROCESS - Process management. PRODUCT - Installation package task management. QFE - Quick Fix Engineering. QUOTASETTING - Setting information for disk quotas on a volume. RDACCOUNT - Remote Desktop connection permission management. RDNIC - Remote Desktop connection management on a specific network adapter. RDPERMISSIONS - Permissions to a specific Remote Desktop connection. RDTOGGLE - Turning Remote Desktop listener on or off remotely. RECOVEROS - Information that will be gathered from memory when the operating system fails. REGISTRY - Computer system registry management. SCSICONTROLLER - SCSI Controller management. SERVER - Server information management. SERVICE - Service application management. SHADOWCOPY - Shadow copy management. SHADOWSTORAGE - Shadow copy storage area management. SHARE - Shared resource management. SOFTWAREELEMENT - Management of the elements of a software product installed on a system. SOFTWAREFEATURE - Management of software product subsets of SoftwareElement. SOUNDDEV - Sound Device management. STARTUP - Management of commands that run automatically when users log onto the computer system. SYSACCOUNT - System account management. SYSDRIVER - Management of the system driver for a base service. SYSTEMENCLOSURE - Physical system enclosure management. SYSTEMSLOT - Management of physical connection points including ports, slots and peripherals, and proprietary connections points. TAPEDRIVE - Tape drive management. TEMPERATURE - Data management of a temperature sensor (electronic thermometer). TIMEZONE - Time zone data management. UPS - Uninterruptible power supply (UPS) management. USERACCOUNT - User account management. VOLTAGE - Voltage sensor (electronic voltmeter) data management. VOLUME - Local storage volume management. VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume. VOLUMEUSERQUOTA - Per user storage volume quota management. WMISET - WMI service operational parameters management. For more information on a specific alias, type: alias /? CLASS - Escapes to full WMI schema. PATH - Escapes to full WMI object paths. CONTEXT - Displays the state of all the global switches. QUIT/EXIT - Exits the program. For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?
为了简化操作,我已经创建了一个脚本,可以在目标机器上使用WMIC提取以下信息:流程、服务、用户帐号、用户组、网络接口、硬盘信息、网络共享信息、安装Windows补丁、程序在启动运行、安装的软件列表、操作系统、时区信息。
通过各种标志和参数来提取有价值的信息,如果有人想要添加到列表中,请在下面留下评论。使用内置的输出特性,脚本将把所有结果写入可读的html文件。
脚本地址:
http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar
输出页面:
http://www.fuzzysecurity.com/tutorials/files/Win7.html
以上是今天的内容,大家看懂了吗?下期我们将继续分享Windows提权基本原理的相关内容,请大家及时关注。
,