[转帖]「白帽黑客成长记」Windows提权基本原理（上）

我们通常认为配置得当的Windows是安全的，事实真的是这样吗？今天让我们跟随本文作者一起深入了解Windows操作系统的黑暗角落，看看是否能得到SYSTEM权限。

作者将使用不同版本的Windows来强调任何可能存在的命令行差异，请牢记因为不同的操作系统和版本差异会在命令行中显现，作者试图构造本教程，以便它适用于Windows提权的最普遍的方式。

注：文章篇幅较长，阅读用时约10分钟。

必要文档补充：

Encyclopaedia Of Windows Privilege Escalation (Brett Moore)

Windows Attacks: AT is the new black (Chris Gates & Rob Fuller)

Elevating privileges by exploiting weak folder permissions (Parvez Anwar)

译者注：原文作者提到了meterpreter，我们可以把meterpreter比做sql注入利用的sqlmap，在得到meterpreter的shell后，可以输入命令getsystem，自动完成提权。

在t0-t3阶段，最初的信息收集方法

最开始是一个低权限的shell，这个shell可能是通过远程代码执行、钓鱼、反弹得到的。

在最开始的阶段，我们要快速收集一些基本信息来评估我们的环境。

第一步，找到连接的操作系统。

C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601

接下来，我们将看到主机名和连接上的对应用户。

C:\Windows\system32> hostname
b33f
C:\Windows\system32> echo %username%
user1

现在我们得到了一些基本信息，然后列出其他用户的帐户，并在更详细的情况下查看用户信息。

这里会看到user1不是本地组管理员。

C:\Windows\system32> net users
User accounts for \\B33F
-------------------------------------------------------------------------------
Administrator b33f Guest
user1
The command completed successfully.
C:\Windows\system32> net user user1
User name user1
Full Name
Comment
User‘s comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/11/2014 7:47:14 PM
Password expires Never
Password changeable 1/11/2014 7:47:14 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/11/2014 8:05:09 PM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.

以上是我们目前需要了解的关于用户和权限的全部内容。接下来我们要讨论的是网络信息，连接的设备，以及相应规则。

首先看一下可用的网络接口和路由表。

C:\Windows\system32> ipconfig /all
Windows IP Configuration
 Host Name . . . . . . . . . . . . : b33f
 Primary Dns Suffix . . . . . . . :
 Node Type . . . . . . . . . . . . : Hybrid
 IP Routing Enabled. . . . . . . . : No
 WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Bluetooth Network Connection:
 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
 Physical Address. . . . . . . . . : 0C-84-DC-62-60-29
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
 Physical Address. . . . . . . . . : 00-0C-29-56-79-35
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)
 IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM
 Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM
 Default Gateway . . . . . . . . . : 192.168.0.1
 DHCP Server . . . . . . . . . . . : 192.168.0.1
 DHCPv6 IAID . . . . . . . . . . . : 234884137
 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35
 DNS Servers . . . . . . . . . . . : 192.168.0.1
 NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Windows\system32> route print
===========================================================================
Interface List
 18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
 13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
 11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
 1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 10
 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
 192.168.0.0 255.255.255.0 On-link 192.168.0.104 266
 192.168.0.104 255.255.255.255 On-link 192.168.0.104 266
 192.168.0.255 255.255.255.255 On-link 192.168.0.104 266
 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
 224.0.0.0 240.0.0.0 On-link 192.168.0.104 266
 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
 255.255.255.255 255.255.255.255 On-link 192.168.0.104 266
===========================================================================
Persistent Routes:
 None
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination Gateway
 14 58 ::/0 On-link
 1 306 ::1/128 On-link
 14 58 2001::/32 On-link
 14 306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128
 On-link
 11 266 fe80::/64 On-link
 14 306 fe80::/64 On-link
 14 306 fe80::8d2:b4e:3f57:ff97/128
 On-link
 11 266 fe80::5cd4:9caf:61c0:ba6e/128
 On-link
 1 306 ff00::/8 On-link
 14 306 ff00::/8 On-link
 11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
 None

arp -A显示了所有可用接口的arp(地址解析协议)缓存表。

C:\Windows\system32> arp -A
Interface: 192.168.0.104 --- 0xb
 Internet Address Physical Address Type
 192.168.0.1 90-94-e4-c5-b0-46 dynamic
 192.168.0.101 ac-22-0b-af-bb-43 dynamic
 192.168.0.255 ff-ff-ff-ff-ff-ff static
 224.0.0.22 01-00-5e-00-00-16 static
 224.0.0.251 01-00-5e-00-00-fb static
 224.0.0.252 01-00-5e-00-00-fc static
 239.255.255.250 01-00-5e-7f-ff-fa static
 255.255.255.255 ff-ff-ff-ff-ff-ff static

这就使我们了解了活动网络连接和防火墙规则。

C:\Windows\system32> netstat -ano
Active Connections
 Proto Local Address Foreign Address State PID
 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684
 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
 TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
 TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 1400
 TCP 192.168.0.104:139 0.0.0.0:0 LISTENING 4
 TCP [::]:135 [::]:0 LISTENING 684
 TCP [::]:445 [::]:0 LISTENING 4
 TCP [::]:5357 [::]:0 LISTENING 4
 UDP 0.0.0.0:5355 *:* 1100
 UDP 0.0.0.0:52282 *:* 976
 UDP 0.0.0.0:55202 *:* 2956
 UDP 0.0.0.0:59797 *:* 1400
 UDP 127.0.0.1:1900 *:* 2956
 UDP 127.0.0.1:65435 *:* 2956
 UDP 192.168.0.104:137 *:* 4
 UDP 192.168.0.104:138 *:* 4
 UDP 192.168.0.104:1900 *:* 2956
 UDP 192.168.0.104:5353 *:* 1400
 UDP 192.168.0.104:65434 *:* 2956
 UDP [::]:5355 *:* 1100
 UDP [::]:52281 *:* 976
 UDP [::]:52283 *:* 976
 UDP [::]:55203 *:* 2956
 UDP [::]:59798 *:* 1400
 UDP [::1]:1900 *:* 2956
 UDP [::1]:5353 *:* 1400
 UDP [::1]:65433 *:* 2956
 UDP [fe80::5cd4:9caf:61c0:ba6e%11]:1900 *:* 2956
 UDP [fe80::5cd4:9caf:61c0:ba6e%11]:65432 *:* 2956

以下两个netsh命令是在不同操作系统的命令示例。

netsh firewall命令只能从XP SP2和以上版本运行。

C:\Windows\system32> netsh firewall show state
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
C:\Windows\system32> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound COMRaider / E:\comraider\comraider.exe
Enable Inbound nc.exe / C:\users\b33f\desktop\nc.exe
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable

最后，我们将简要地看一下在这个设备上的运行内容，比如计划任务、运行进程、启动服务和安装的驱动程序。

这将显示所有调度任务的详细输出，下面您可以看到单个任务的示例输出。

C:\Windows\system32> schtasks /query /fo LIST /v
Folder: \Microsoft\Windows Defender
HostName: B33F
TaskName: \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time: 1/22/2014 5:11:13 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob
 -WinTask -RestrictPrivilegesScan
Start In: N/A
Comment: Scheduled Scan
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 5:11:13 AM
Start Date: 1/1/2000
End Date: 1/1/2100
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
[..Snip..]
# tasklist命令显示了正在运行的进程以及启动服务。
C:\Windows\system32> tasklist /SVC
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 244 N/A
csrss.exe 332 N/A
csrss.exe 372 N/A
wininit.exe 380 N/A
winlogon.exe 428 N/A
services.exe 476 N/A
lsass.exe 484 SamSs
lsm.exe 496 N/A
svchost.exe 588 DcomLaunch, PlugPlay, Power
svchost.exe 668 RpcEptMapper, RpcSs
svchost.exe 760 Audiosrv, Dhcp, eventlog,
 HomeGroupProvider, lmhosts, wscsvc
svchost.exe 800 AudioEndpointBuilder, CscService, Netman,
 SysMain, TrkWks, UxSms, WdiSystemHost,
 wudfsvc
svchost.exe 836 AeLookupSvc, BITS, gpsvc, iphlpsvc,
 LanmanServer, MMCSS, ProfSvc, Schedule,
 seclogon, SENS, ShellHWDetection, Themes,
 Winmgmt, wuauserv
audiodg.exe 916 N/A
svchost.exe 992 EventSystem, fdPHost, netprofm, nsi,
 WdiServiceHost, WinHttpAutoProxySvc
svchost.exe 1104 CryptSvc, Dnscache, LanmanWorkstation,
 NlaSvc
spoolsv.exe 1244 Spooler
svchost.exe 1272 BFE, DPS, MpsSvc
mDNSResponder.exe 1400 Bonjour Service
taskhost.exe 1504 N/A
taskeng.exe 1556 N/A
vmtoolsd.exe 1580 VMTools
dwm.exe 1660 N/A
explorer.exe 1668 N/A
vmware-usbarbitrator.exe 1768 VMUSBArbService
TPAutoConnSvc.exe 1712 TPAutoConnSvc
[..Snip..]
C:\Windows\system32> net start
These Windows services are started:
 Application Experience
 Application Information
 Background Intelligent Transfer Service
 Base Filtering Engine
 Bluetooth Support Service
 Bonjour Service
 COM+ Event System
 COM+ System Application
 Cryptographic Services
 DCOM Server Process Launcher
 Desktop Window Manager Session Manager
 DHCP Client
 Diagnostic Policy Service
 Diagnostic Service Host
 Diagnostic System Host
 Distributed Link Tracking Client
 Distributed Transaction Coordinator
 DNS Client
 Function Discovery Provider Host
 Function Discovery Resource Publication
 Group Policy Client
[..Snip..]
# DRIVERQUERY有时是有用的，因为一些第三方驱动，即使是信誉良好的公司，也比瑞士奶酪上的洞多。这是可能的，因为ring0的利用是在大多数人的专长技能之外。
C:\Windows\system32> DRIVERQUERY
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
1394ohci 1394 OHCI Compliant Ho Kernel 11/20/2010 6:01:11 PM
ACPI Microsoft ACPI Driver Kernel 11/20/2010 4:37:52 PM
AcpiPmi ACPI Power Meter Drive Kernel 11/20/2010 4:47:55 PM
adp94xx adp94xx Kernel 12/6/2008 7:59:55 AM
adpahci adpahci Kernel 5/2/2007 1:29:26 AM
adpu320 adpu320 Kernel 2/28/2007 8:03:08 AM
AFD Ancillary Function Dri Kernel 11/20/2010 4:40:00 PM
agp440 Intel AGP Bus Filter Kernel 7/14/2009 7:25:36 AM
aic78xx aic78xx Kernel 4/12/2006 8:20:11 AM
aliide aliide Kernel 7/14/2009 7:11:17 AM
amdagp AMD AGP Bus Filter Dri Kernel 7/14/2009 7:25:36 AM
amdide amdide Kernel 7/14/2009 7:11:19 AM
AmdK8 AMD K8 Processor Drive Kernel 7/14/2009 7:11:03 AM
AmdPPM AMD Processor Driver Kernel 7/14/2009 7:11:03 AM
amdsata amdsata Kernel 3/19/2010 9:08:27 AM
amdsbs amdsbs Kernel 3/21/2009 2:35:26 AM
amdxata amdxata Kernel 3/20/2010 12:19:01 AM
AppID AppID Driver Kernel 11/20/2010 5:29:48 PM
arc arc Kernel 5/25/2007 5:31:06 AM
[..Snip..]

在t4阶段，神秘艺术之WMIC

WMIC（Windows Management Instrumentation Command-Line，Windows管理工具命令行），是Windows最有用的命令行工具之一。

WMIC对于信息收集和渗透是非常实用的，而且输出内容有很多值得期待的地方。全面解释WMIC的使用将需要一个教程，由于格式化的问题，WMIC有些输出将很难显示。

下面列出两个文章，对于WMIC是非常值得阅读的：

• Command-Line Ninjitsu (SynJunkie)
• Windows WMIC Command Line (ComputerHope)

一些默认配置的Windows并不允许访问WMIC，除非是用户在Windows的管理组，从虚拟机测试来看，任何版本的Windows XP的低权限用户并不能访问WMIC。相反的，默认配置的Windows 7专业版和Windows 8企业版允许低权限的用户访问WMIC并查询操作系统版本。

这正是我们所需要的，因为我们正在使用WMIC来收集关于目标机的信息。关于WMIC的选项，列出了下面可用的命令行：

C:\Windows\system32> wmic /?
[global switches] 
The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the for the connection.
/?[:<BRIEF|FULL>] Usage information.
For more information on a specific global switch, type: switch-name /?
The following alias/es are available in the current role:
ALIAS - Access to the aliases available on the local system
BASEBOARD - Base board (also known as a motherboard or system board) management.
BIOS - Basic input/output services (BIOS) management.
BOOTCONFIG - Boot configuration management.
CDROM - CD-ROM management.
COMPUTERSYSTEM - Computer system management.
CPU - CPU management.
CSPRODUCT - Computer system product information from SMBIOS.
DATAFILE - DataFile Management.
DCOMAPP - DCOM Application management.
DESKTOP - User‘s Desktop management.
DESKTOPMONITOR - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE - Physical disk drive management.
DISKQUOTA - Disk space usage for NTFS volumes.
DMACHANNEL - Direct memory access (DMA) channel management.
ENVIRONMENT - System environment settings management.
FSDIR - Filesystem directory entry management.
GROUP - Group account management.
IDECONTROLLER - IDE Controller management.
IRQ - Interrupt request line (IRQ) management.
JOB - Provides access to the jobs scheduled using the schedule service.
LOADORDER - Management of system services that define execution dependencies.
LOGICALDISK - Local storage device management.
LOGON - LOGON Sessions.
MEMCACHE - Cache memory management.
MEMORYCHIP - Memory chip information.
MEMPHYSICAL - Computer system‘s physical memory management.
NETCLIENT - Network Client management.
NETLOGIN - Network login information (of a particular user) management.
NETPROTOCOL - Protocols (and their network characteristics) management.
NETUSE - Active network connection management.
NIC - Network Interface Controller (NIC) management.
NICCONFIG - Network adapter management.
NTDOMAIN - NT Domain management.
NTEVENT - Entries in the NT Event Log.
NTEVENTLOG - NT eventlog file management.
ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board).
OS - Installed Operating System/s management.
PAGEFILE - Virtual memory file swapping management.
PAGEFILESET - Page file settings management.
PARTITION - Management of partitioned areas of a physical disk.
PORT - I/O port management.
PORTCONNECTOR - Physical connection ports management.
PRINTER - Printer device management.
PRINTERCONFIG - Printer device configuration management.
PRINTJOB - Print job management.
PROCESS - Process management.
PRODUCT - Installation package task management.
QFE - Quick Fix Engineering.
QUOTASETTING - Setting information for disk quotas on a volume.
RDACCOUNT - Remote Desktop connection permission management.
RDNIC - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS - Permissions to a specific Remote Desktop connection.
RDTOGGLE - Turning Remote Desktop listener on or off remotely.
RECOVEROS - Information that will be gathered from memory when the operating system fails.
REGISTRY - Computer system registry management.
SCSICONTROLLER - SCSI Controller management.
SERVER - Server information management.
SERVICE - Service application management.
SHADOWCOPY - Shadow copy management.
SHADOWSTORAGE - Shadow copy storage area management.
SHARE - Shared resource management.
SOFTWAREELEMENT - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE - Management of software product subsets of SoftwareElement.
SOUNDDEV - Sound Device management.
STARTUP - Management of commands that run automatically when users log onto the computer 
 system.
SYSACCOUNT - System account management.
SYSDRIVER - Management of the system driver for a base service.
SYSTEMENCLOSURE - Physical system enclosure management.
SYSTEMSLOT - Management of physical connection points including ports, slots and 
 peripherals, and proprietary connections points.
TAPEDRIVE - Tape drive management.
TEMPERATURE - Data management of a temperature sensor (electronic thermometer).
TIMEZONE - Time zone data management.
UPS - Uninterruptible power supply (UPS) management.
USERACCOUNT - User account management.
VOLTAGE - Voltage sensor (electronic voltmeter) data management.
VOLUME - Local storage volume management.
VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA - Per user storage volume quota management.
WMISET - WMI service operational parameters management.
For more information on a specific alias, type: alias /?
CLASS - Escapes to full WMI schema.
PATH - Escapes to full WMI object paths.
CONTEXT - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.
For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

为了简化操作，我已经创建了一个脚本，可以在目标机器上使用WMIC提取以下信息：流程、服务、用户帐号、用户组、网络接口、硬盘信息、网络共享信息、安装Windows补丁、程序在启动运行、安装的软件列表、操作系统、时区信息。

通过各种标志和参数来提取有价值的信息，如果有人想要添加到列表中，请在下面留下评论。使用内置的输出特性，脚本将把所有结果写入可读的html文件。

脚本地址：

http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar

输出页面：

http://www.fuzzysecurity.com/tutorials/files/Win7.html

以上是今天的内容，大家看懂了吗？下期我们将继续分享Windows提权基本原理的相关内容，请大家及时关注。