).
Figure 16-11 Windows debugger !token display
PART IV
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
Figure 16-12 AccessChk directory DACL
Figure 16-13 SubInACL directory DACL
Gray Hat Hacking: The Ethical Hacker's Handbook
Dumping ACLs with the Built-In Explorer UI
And finally, you can display the DACL by using the built-in Advanced view from Windows
Explorer. We've displayed it once already in this chapter (see Figure 16-6). Notice
in this UI there are various options to change the inheritance flags for each ACE and the
DACL control flags. You can experiment with the different values for the "Apply onto"
drop-down and the checkboxes that will change inheritance.
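The "Apply onto" choices and inheritance checkboxes described above are stored as ACE inheritance flags and DACL control flags. The following added example (not from the book) decodes them from the DACL part of an SDDL string, which is an assumed input format here; the sample string is constructed, and conditional ACEs with nested parentheses are not handled.

```python
import re

# Explorer's "Apply onto" choices expressed as SDDL ACE inheritance flags:
# CI = container inherit, OI = object inherit, IO = inherit only.
APPLY_ONTO = {
    frozenset(): "This folder only",
    frozenset({"CI", "OI"}): "This folder, subfolders and files",
    frozenset({"CI"}): "This folder and subfolders",
    frozenset({"OI"}): "This folder and files",
    frozenset({"CI", "OI", "IO"}): "Subfolders and files only",
    frozenset({"CI", "IO"}): "Subfolders only",
    frozenset({"OI", "IO"}): "Files only",
}

# Constructed sample: a protected DACL with four explicit ACEs.
SAMPLE = "D:PAI(D;OIIO;FW;;;WD)(A;OICI;FA;;;BA)(A;OICIIO;GA;;;CO)(A;CINP;0x1200a9;;;BU)"


def describe_dacl(sddl):
    """Return (control_flags, aces) decoded from the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if m is None:
        raise ValueError("no DACL with ACEs found")
    # DACL control flags: P = protected (inheritance from the parent is blocked),
    # AI = auto-inherited, AR = auto-inherit requested.
    ctl = set(re.findall(r"AR|AI|P", m.group(1)))
    control = {"protected": "P" in ctl, "auto_inherited": "AI" in ctl}
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        tokens = set(re.findall(r"..", flags))  # flags are two-letter tokens
        scope = frozenset(tokens & {"CI", "OI", "IO"})
        aces.append({
            "type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
            "trustee": trustee,
            "rights": rights,
            "apply_onto": APPLY_ONTO.get(scope, "Nothing (IO without CI/OI)"),
            # NP = the "within this container only" checkbox (no propagation)
            "no_propagate": "NP" in tokens,
            "inherited": "ID" in tokens,  # ACE came from a parent object
        })
    return control, aces


if __name__ == "__main__":
    control, aces = describe_dacl(SAMPLE)
    print(control)
    for ace in aces:
        print(ace)
```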
Special SIDs, Special Access, and "Access Denied"
Now, one third of the way through the chapter, we've discussed all the basic concepts
you'll need to understand to attack this area. You also are armed with tools to enumerate
the access control objects that factor into AccessCheck. It's time now to start talking
about the "gotchas" of access control and then start into the attack patterns.
Special SIDs
You are now familiar with the usual cast of SIDs. You've seen the JNESS2\jness user SID
several times.