Steal Windows Credentials, Bypass UAC & Elevate Privileges: The Joy of MetaSploit Modules

JAGS//Clean Earth Happy Planet
5 min read · May 27, 2023

Ever since Windows Vista (the operating system we’d all like to forget), Windows has employed a powerful security feature called User Account Control, or UAC. UAC is Microsoft’s solution to remote malicious use of system resources and commands. Briefly, when Windows receives a request to read, write or execute a protected resource, a prompt is pushed to the primary display of the end user. If the action requires administrative privileges, the user must enter credentials. However, it’s the next step of the UAC process that secures the system against remote shells: to get past the UAC dialog box, the user has to click a button. Because a remote shell has no GUI, the button is never displayed on the attacker’s side and the action cannot be performed.

The default settings aren’t always secure.

This simple yet strong protection has stuck around and proven to be effective. So effective that other operating systems like OSX have followed suit and created their own versions of UAC. So how can we get into a system if we can’t click the button?

Two ideas come to mind. First, we could craft a script that simulates clicking the button on a virtual display. But attempting to run that script could itself trigger UAC protection, and all the hours spent on it could be for nothing. So, let’s just bypass UAC altogether…
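The article’s point is that UAC only protects a host if the prompt is actually shown, and shown somewhere a remote session cannot interact with it. The PowerShell below is an added defender-side audit, not code from the original article or from Metasploit: it reads the UAC policy values under the well-known `HKLM:\...\Policies\System` key, applies the Windows default when a value is absent, and flags the settings that weaken the prompt. The `Get-UacPolicyAudit` function name and the “WEAK/OK” labelling are this example’s own conventions.

```powershell
# Added example (not from the original article): audit the local UAC policy.
# Assumes a Windows host and read access to the policy key below.

function Get-UacPolicyAudit {
    [CmdletBinding()]
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Each check: registry value name, the value Windows uses when the entry is
    # absent, the settings considered weak, and why a defender cares.
    $checks = @(
        @{ Name = 'EnableLUA'; Default = 1; Weak = @(0)
           Why  = '0 turns UAC off entirely; no prompt is ever shown' },
        @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 5; Weak = @(0)
           Why  = '0 elevates administrators silently; 2 ("Always notify") prompts every time, 5 (default) lets some signed Windows binaries elevate without a prompt' },
        @{ Name = 'PromptOnSecureDesktop'; Default = 1; Weak = @(0)
           Why  = '0 draws the prompt on the normal desktop, where other processes can reach it, instead of the isolated Secure Desktop' },
        @{ Name = 'ConsentPromptBehaviorUser'; Default = 3; Weak = @()
           Why  = '0 denies elevation for standard users outright; 1 and 3 prompt for credentials' },
        @{ Name = 'LocalAccountTokenFilterPolicy'; Default = 0; Weak = @(1)
           Why  = '1 gives local administrator accounts a full (unfiltered) token over the network, removing the UAC restriction on remote sessions' }
    )

    # Read the whole key once; a missing key means every value falls back to its default.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($check in $checks) {
        $current = $null
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$check.Name]) {
            $current = [int]$props.($check.Name)
        }
        $effective = if ($null -eq $current) { $check.Default } else { $current }

        [pscustomobject]@{
            Setting   = $check.Name
            Effective = $effective
            Source    = if ($null -eq $current) { 'Windows default (entry absent)' } else { 'Registry' }
            Status    = if ($check.Weak -contains $effective) { 'WEAK' } else { 'OK' }
            Note      = $check.Why
        }
    }
}

# Usage: list every setting, then the weak ones only.
Get-UacPolicyAudit | Format-Table -AutoSize
Get-UacPolicyAudit | Where-Object Status -eq 'WEAK' | Format-List Setting, Effective, Note
```

Any row marked WEAK means the "user must click a button on the local display" assumption the article relies on no longer holds for that host; `ConsentPromptBehaviorAdmin` set to 2 with `PromptOnSecureDesktop` set to 1 is the combination that shows the prompt for every elevation, on the Secure Desktop. Because the function returns objects rather than text, the same call can be run across a fleet with `Invoke-Command` and the results filtered centrally.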
