Adventures In Limited User Post Exploitation presented at Blackhat USA 2010

by Nathan Keltner, Tim Elrod,

Tags: Security Exploitation

Summary : Just how much damage *can* be done with EIP under a non-Administrative Windows environment? Much, much more than you likely think. Through new techniques and live examples, attendees will be guided through the modern day attack surface of a restrictive corporate Windows world. Based purely on the Windows privilege model, demonstrations and new code will cover techniques related to collecting and replaying passwords and password hashes, destroying the browser trust model, attacking the network and the domain, and more, all without administrative access.
Moving into a world of Windows Vista, 7, and hardened XP environments, the days of easily popping shells with Admin access are becoming less common. When a Limited User is exploited via a client side vulnerability, damage is often believed to be lessened due to the inability of attacker code to access sensitive portions of the OS, such as those containing passwords and password hashes, without an additional privilege escalation exploit. Despite conventional wisdom from vendors and security press, taking your users out of the 'Local Administrators' OU doesn't mean your environment is magically protected from privilege-agnostic attackers.