Adventures in Limited User Post Exploitation

Black Hat USA 2010

Presented by: Tim Elrod, Nathan Keltner
Date: Wednesday July 28, 2010
Time: 13:45 - 15:00
Location: Milano 5+6+7+8
Track: OS Wars

Just how much damage can be done with EIP under a non-Administrative Windows environment? Much, much more than you likely think. Through new techniques and live examples, attendees will be guided through the modern day attack surface of a restrictive corporate Windows world. Based purely on the Windows privilege model, demonstrations and new code will cover techniques related to collecting and replaying passwords and password hashes, destroying the browser trust model, attacking the network and the domain, and more, all without administrative access.

Moving into a world of Windows Vista, 7, and hardened XP environments, the days of easily popping shells with Admin access are becoming less common. When a Limited User is exploited via a client side vulnerability, damage is often believed to be lessened due to the inability of attacker code to access sensitive portions of the OS, such as those containing passwords and password hashes, without an additional privilege escalation exploit. Despite conventional wisdom from vendors and security press, taking your users out of the 'Local Administrators' OU doesn't mean your environment is magically protected from privilege-agnostic attackers.

Nathan Keltner

FishNet Security Nathan Keltner is a consultant on FishNet Security's Assessment team, breaking into (and out of) corporate networks for a living. In between post exploitation activities, he's frequently breaking Smart Grid infrastructure and arguing why Oklahoma might well be the greatest state in the Union.

Tim Elrod

Tim Elrod is an Independent Security Researcher based out of Oklahoma, tagged by some as the most interesting security researcher in the world. In fact, the police often question him simply because they find him so enthralling. His blood smells of cologne... and 0day. If he were to give you directions you would never get lost and always arrive 5 minutes early. Truly, truly, Tim has a passion for security and post exploitation research and enjoys discovering creative and interesting techniques for exploitation.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats