Learn, hack!

URL

https://media.blackhat.com/bh-us-10/whitepapers/Keltner/BlackHat-USA-2010-Keltner-Elrod-Adventures-In-Limited-User-Post-Exploitation-wp-v1.3.pdf

File name

BlackHat-USA-2010-Keltner-Elrod-Adventures-In-Limited-User-Post-Exploitation-wp-v1.3.pdf

File size

157.8 KB

MD5

d55b5eef39e63900e6bb6b6f203d40c1

SHA1

ec19ac3f623e7d837e5b064037c6fcac6b91c142

Just how much damage *can* be done with EIP under a non-Administrative Windows environment? Much, much more than you likely think. Through new techniques and live examples, attendees will be guided through the modern day attack surface of a restrictive corporate Windows world. Based purely on the Windows privilege model, demonstrations and new code will cover techniques related to collecting and replaying passwords and password hashes, destroying the browser trust model, attacking the network and the domain, and more, all without administrative access. Moving into a world of Windows Vista, 7, and hardened XP environments, the days of easily popping shells with Admin access are becoming less common. When a Limited User is exploited via a client side vulnerability, damage is often believed to be lessened due to the inability of attacker code to access sensitive portions of the OS, such as those containing passwords and password hashes, without an additional privilege escalation exploit. Despite conventional wisdom from vendors and security press, taking your users out of the 'Local Administrators' OU doesn't mean your environment is magically protected from privilege-agnostic attackers.