Windows Kernel Exploits

What is Kernel?

A Kernel is a computer program that is the core of an operating system, managing system resources and hardware with complete control. It acts as a translation layer between hardware and software, facilitating communication between these two layers.

• Windows Kernel: The Windows kernel is part of the Windows operating system, providing essential services such as memory management, process scheduling, and hardware abstraction. It ensures smooth operation and security of the system by managing system calls and handling low-level tasks.

• Linux Kernel: The Linux kernel is the heart of the Linux operating system, offering similar functionalities as the Windows kernel. It manages system resources, handles process control, memory management, and device drivers, and provides a stable and efficient environment for running applications and services.

Both kernels are crucial for the stability, security, and performance of their respective operating systems.

Privilege Escalation

• Privilege escalation is the process of exploiting vulnerabilities or misconfigurations in systems to elevate privileges from one user to another, typically to a user with administrative or root access on a system.

• Privilege escalation is a vital element of the attack life cycle and is a major determinant in the overall success of a penetration test.

• After gaining an initial foothold on a target system you will be required to elevate your privileges in order to perform tasks and functionality that require administrative privileges.

• The importance of privilege escalation in the penetration testing process cannot be overstated or overlooked. Developing your privilege escalation skills will mark you out as a good penetration tester.

Windows Kernel

• Windows NT Kernel is the core component of all Microsoft Windows versions, designed as a traditional kernel with a user-focused design philosophy. It operates in two main modes:

  • User Mode: Limited access to system resources and hardware, where programs and services run with restricted privileges.

  • Kernel Mode: Unrestricted access to system resources and hardware, responsible for managing devices, system memory, and core OS functions.

Windows Kernel Exploitation

• Kernel exploits on Windows will typically target vulnerabilities In the Windows kernel to execute arbitrary code in order to run privileged system commands or to obtain a system shell.

• This process will differ based on the version of Windows being targeted and the kernel exploit being used.

• Privilege escalation on Windows systems will typically follow the following methodology:

  • Identifying kernel vulnerabilities

  • Downloading, compiling and transferring kernel exploits onto the target system.

Tools & Environment

• Windows-Exploit-Suggester - This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

  • GitHub: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

• Windows-Kernel-Exploits - Collection of Windows Kernel exploits sorted by CVE.

  • GitHub: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135

Attack Flow: Post-Exploitation: Privilege Escalation on Windows Systems

1. Establish Initial Access

• Obtain Basic Access: Ensure you have a Meterpreter session or similar access level on the target system.

2. Attempt Privilege Escalation Using Metasploit

• Use getsystem Command:

getsystem

This command attempts to elevate privileges based on known vulnerabilities and methods. It tries different techniques like:

• Token impersonation

• Kernel exploits

• Service exploits

• Run the Local Exploit Suggester:

use post/multi/recon/local_exploit_suggester

This Metasploit module scans the target system to enumerate potential privilege escalation vulnerabilities.

Commands to Run:

use post/multi/recon/local_exploit_suggester
set SESSION <session-id>
run

Output: Lists potential vulnerabilities and corresponding exploits that can be used to elevate privileges.

3. Manual Privilege Escalation Techniques

• Download and Run Windows Exploit Suggester:

  • Download: Get the tool from GitHub.

  • Run Locally: Execute the tool on your local system to analyze the target’s security patch levels and find potential exploits.

  Commands:

git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
python windows-exploit-suggester.py --database <path-to-database> --systeminfo <path-to-systeminfo-file>

Output: Provides a list of vulnerabilities with corresponding exploit codes.

4. Upload Exploits to Target System

• Use the upload Command in Metasploit:

upload <local-file-path> <remote-file-path>

This command allows you to transfer files from your local machine to the compromised target system.

5. Execute Exploits

• Run the Exploit: Execute the exploit on the target system based on the vulnerabilities identified in the previous steps.

6. Verify Privilege Escalation

• Check Elevated Privileges: Use commands to verify that you have obtained higher-level access, such as:

whoami /priv

Hacker's Mantra:Berkeley hackers liked to see themselves as rebels against soulless corporate empires. - Eric S. Raymond