One Token to Rule Them All: Post-Exploitation Fun in Windows Environments

Presented at DEF CON 15 (2007), Aug. 3, 2007, 7 p.m. (50 minutes)

The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft, who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to "squeeze all the juice" out of every compromised system. Windows access tokens are integral to Microsoft's concept of single sign-on in an Active Directory environment. Compromising a system that holds privileged tokens can allow for both local and domain privilege escalation. This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework so that its use can be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off. Finally, defense strategies will be discussed that can help provide defense in depth to reduce the impact of token abuse as a post-exploitation option.

Presenters:

  • Luke Jennings - MWR InfoSecurity
    Luke Jennings is a security consultant for MWR InfoSecurity in the UK and is a recent computer science graduate of the University of Southampton. Luke's previous work has primarily been focused on penetration testing and application testing, which has also led to his discovery of some critical, remotely exploitable vulnerabilities in widely deployed software. As a result of this, Luke has become increasingly interested in dedicating a portion of his time to active security research. Luke is also interested in promoting security awareness among computer scientists, and has guest lectured at his old university to further this.