{"id":164,"date":"2018-06-27T16:56:37","date_gmt":"2018-06-27T15:56:37","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=164"},"modified":"2018-07-06T22:04:20","modified_gmt":"2018-07-06T21:04:20","slug":"analyze-a-windows-service","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=164","title":{"rendered":"Analyze a windows service"},"content":{"rendered":"<p style=\"text-align: justify;\">Inspired by the CQURE <a href=\"https:\/\/cqureacademy.com\/challenge\" target=\"_blank\" rel=\"noopener\">5 day challenge<\/a> I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. \ud83d\ude42<\/p>\n<p>Table of Contents<\/p>\n<ul>\n<li><strong>Analyze a Windows Service<\/strong><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=199\" target=\"_blank\" rel=\"noopener\">Auditing permissions<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=181\" target=\"_blank\" rel=\"noopener\">About handles and the SAM file<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=213\" target=\"_blank\" rel=\"noopener\">Password Hashes<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=253\" target=\"_blank\" rel=\"noopener\">Memory Dump<\/a><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">When we want to understand the permissions of Windows services, and especially when we have to deal with a service that we cannot manage as a local Windows Administrator, we run into a term called &#171;SDDL&#187;.\u00a0 It stands for <strong>Security Descriptor Definition Language<\/strong>, a text format that encodes the security descriptor of an object: its owner (O:), primary group (G:), discretionary ACL (D:, who is allowed or denied which rights) and system ACL (S:, auditing). For a service the rights in the DACL are the service-specific rights such as start, stop, pause and change configuration, which the Service Control Manager checks on every control request.<\/p>\n<p style=\"text-align: justify;\">Let&#8217;s play with a <a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/StopMeIfYouCan_Service.zip\" target=\"_blank\" rel=\"noopener\">prepared service<\/a> that we can start, but not stop as a local Windows Administrator. 
To install the service, run the executable with the parameter \/install from an elevated prompt.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-168 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/2.png\" alt=\"\" width=\"826\" height=\"349\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/2.png 826w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/2-300x127.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/2-768x324.png 768w\" sizes=\"auto, (max-width: 826px) 100vw, 826px\" \/><\/a><\/p>\n<p>First let&#8217;s see whether we can stop this service from a second cmd.exe that runs as LocalSystem.\u00a0 I do this with the help of <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\" target=\"_blank\" rel=\"noopener\">PsExec<\/a>, one of the Sysinternals process utilities: -s runs the process as the SYSTEM account, -i makes it interactive on the current desktop and -d returns without waiting for it to exit.<\/p>\n<p><code>PsExec.exe -s -i -d cmd.exe<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-169 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/3.png\" alt=\"\" width=\"768\" height=\"322\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/3.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/3-300x126.png 300w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><\/p>\n<p>In the new window, whoami should report the SYSTEM account:<\/p>\n<p><code>whoami<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-170 size-large\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/4-1024x384.png\" alt=\"\" width=\"1024\" height=\"384\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/4-1024x384.png 1024w, 
https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/4-300x112.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/4-768x288.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/4.png 1028w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>And now let&#8217;s see if we can stop our particular service from the SYSTEM shell. It seems that we still have no luck \ud83d\ude41<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-171 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/5.png\" alt=\"\" width=\"981\" height=\"281\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/5.png 981w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/5-300x86.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/5-768x220.png 768w\" sizes=\"auto, (max-width: 981px) 100vw, 981px\" \/><\/a><\/p>\n<p>What we can do next is to check the SDDL of the service, i.e. the security descriptor the Service Control Manager applies to it. 
We can do this with <strong>sc sdshow<\/strong>; the second form writes the output to a text file, which is handy because the string is long and we may want to edit it and feed it back with <strong>sc sdset<\/strong> later:<\/p>\n<p><code>sc sdshow stopme<\/code><\/p>\n<p><code>sc sdshow stopme &gt;stopme.txt<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-173 size-large\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/6-1024x262.png\" alt=\"\" width=\"1024\" height=\"262\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/6-1024x262.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/6-300x77.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/6-768x196.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/6.png 1259w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>An ACE (access control entry) inside the DACL part of such a string can look like this:<\/p>\n<p><code>\"CQUREHACKS\",4 (A;;RPWPDTRC;;;S-1-5-21-xxx-xxx-xxx-xxx-xxx)<\/code><\/p>\n<p>The fields of an ACE are separated by semicolons: ACE type, ACE flags, rights, object GUID and inherit-object GUID (both unused for services) and the trustee SID.<\/p>\n<p><code>(D;; --&gt; Deny ACE<\/code><\/p>\n<p><code>(A;; --&gt; Allow ACE<\/code><\/p>\n<p><code>(A;;RPWP;;;SID) --&gt; Allow start (RP = SERVICE_START) and stop (WP = SERVICE_STOP) for that SID<\/code><\/p>\n<p><code>CC = query config, DC = change config, LC = query status, SW = enumerate dependents, DT = pause\/continue, LO = interrogate, CR = user-defined control, SD = delete, RC = read control, WD = write DAC, WO = write owner<\/code><\/p>\n<p><code>;;;AU --&gt; Authenticated Users<\/code><br \/>\n<code>;;;BA --&gt; Builtin Administrators<\/code><br \/>\n<code>;;;SY --&gt; LocalSystem<\/code><br \/>\n<code>;;;IU --&gt; Interactive users<\/code><br \/>\n<code>;;;SU --&gt; Service logon users<\/code><br \/>\n<code>;;;WD --&gt; Everyone<\/code><\/p>\n<p>With the command <strong>sc sdset<\/strong> we could overwrite these permissions, but a closer look at the SDDL of this service shows that BA and SY already hold WP, the right to stop it:<\/p>\n<p><code>D:(<strong>A;;<\/strong>CCLCSW<strong>RPWPDT<\/strong>LOCR<strong>RC<\/strong>;;;<strong>SY<\/strong>)(<strong>A;;<\/strong>CCDCLCSW<strong>RPWPDT<\/strong>LOCRSDRCWDWO;;;<strong>BA<\/strong>)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)<\/code><\/p>\n<p>Let&#8217;s run <strong>sc query<\/strong> to check the state of the service and which control codes it accepts:<\/p>\n<p><code>sc query stopme<\/code><\/p>\n<p><a 
href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-174 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/7.png\" alt=\"\" width=\"741\" height=\"323\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/7.png 741w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/7-300x131.png 300w\" sizes=\"auto, (max-width: 741px) 100vw, 741px\" \/><\/a><\/p>\n<p><strong>(NOT_STOPPABLE,\u00a0 NOT_PAUSABLE, ACCEPTS_SHUTDOWN)<\/strong><\/p>\n<p style=\"text-align: justify;\">So I was on the wrong path: this service is not unstoppable because of its permissions, it is unstoppable by design. The flags above are the controls the service itself reports to the Service Control Manager in its status (the dwControlsAccepted field). Because SERVICE_ACCEPT_STOP is missing, the SCM refuses the stop control for every caller, LocalSystem included, and no change to the SDDL can fix that.<\/p>\n<p>The way around it: first set the start mode of the service to disabled, so that the SCM does not start it again after we kill it (note the space after start=, sc requires it):<\/p>\n<p><code>sc config stopme start= disabled<\/code><\/p>\n<p>Then check which binary the service runs (BINARY_PATH_NAME in the output):<\/p>\n<p><code>sc qc stopme<\/code><\/p>\n<p>And terminate that process. This works from the SYSTEM shell because terminating a process only needs PROCESS_TERMINATE on the process object, which the service DACL does not govern:<\/p>\n<p><code>taskkill \/f \/IM \"stopmeifyoucan.exe\"<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-175 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/8.png\" alt=\"\" width=\"977\" height=\"509\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/8.png 977w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/8-300x156.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/8-768x400.png 768w\" sizes=\"auto, (max-width: 977px) 100vw, 977px\" \/><\/a><\/p>\n<p>Finally, uninstall the service:<\/p>\n<p><code>Stopmeifyoucan.exe \/uninstall<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-176 size-large\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/9-1024x281.png\" alt=\"\" 
width=\"1024\" height=\"281\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/9-1024x281.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/9-300x82.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/9-768x211.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/06\/9.png 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>What did we learn so far?<\/p>\n<p style=\"text-align: justify;\">With the <strong>psexec.exe<\/strong> command line utility it&#8217;s possible to get a cmd with LocalSystem privileges. As SYSTEM it is sometimes possible to start or stop a service that the local Administrators group is not allowed to control, because the service DACL grants SY rights that it does not grant BA. With the command <strong>sc sdshow &#171;servicename&#187;<\/strong> we get the SDDL of the service; it helps to write the output to a text file. If the problem really is a permission issue, we can change the SDDL of the service with <strong>sc sdset &#171;servicename&#187; &#171;SDDL value&#187;<\/strong> (the whole descriptor is replaced, so start from the sdshow output and only add or change the ACE you need). To see the state of the service and the controls it accepts we use <strong>sc query &#171;servicename&#187;<\/strong>; if it reports NOT_STOPPABLE, the block is in the service code, not in its permissions. To get the binary path of a service we use <strong>sc qc &#171;servicename&#187;<\/strong>. 
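<\/p>\n<p style=\"text-align: justify;\">Both checks described above, who holds the stop right in the DACL and whether the service accepts the stop control at all, can be scripted. The following PowerShell is an added example and not code from the original post or from CQURE. It assumes the demo service name stopme; the -Sddl parameter lets it analyse an SDDL string offline (for instance the D: string shown earlier) without the demo service installed. The Add-ServiceStartStopAce helper only builds the new SDDL string for sc sdset and does not apply it; the SID S-1-5-32-545 it is called with (the local Users group) is a placeholder chosen for the demonstration.<\/p>

```powershell
# Added example (not from the original post): is a service that refuses
# 'sc stop' blocked by its DACL, or by design (SERVICE_ACCEPT_STOP missing)?
# Assumes the post's demo service name 'stopme'; -Sddl analyses a string offline.
param(
    [string]$ServiceName = 'stopme',
    [string]$Sddl
)

# Service-specific access rights. The SDDL two-letter codes map to the same bits:
# CC DC LC SW RP WP DT LO CR SD RC WD WO, in the order listed below.
$script:ServiceRights = [ordered]@{
    QUERY_CONFIG         = 0x00001
    CHANGE_CONFIG        = 0x00002
    QUERY_STATUS         = 0x00004
    ENUMERATE_DEPENDENTS = 0x00008
    START                = 0x00010   # RP
    STOP                 = 0x00020   # WP
    PAUSE_CONTINUE       = 0x00040   # DT
    INTERROGATE          = 0x00080
    USER_DEFINED_CONTROL = 0x00100
    DELETE               = 0x10000   # SD
    READ_CONTROL         = 0x20000   # RC
    WRITE_DAC            = 0x40000   # WD
    WRITE_OWNER          = 0x80000   # WO
}

function Get-ServiceSddl([string]$Name) {
    # Call sc.exe explicitly: in PowerShell 'sc' is an alias for Set-Content.
    # 'sc sdshow' prints an empty line followed by the SDDL string.
    $out  = & sc.exe sdshow $Name 2>&1
    $line = $out | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $line) { throw ('sc sdshow {0} failed: {1}' -f $Name, ($out -join ' ')) }
    return $line.Trim()
}

function ConvertFrom-ServiceSddl([string]$SddlString) {
    # .NET parses the SDDL; every DACL entry is a CommonAce with type, SID and mask.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($SddlString)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID that cannot be resolved on this host
        $rights = @($script:ServiceRights.Keys |
            Where-Object { ($ace.AccessMask -band $script:ServiceRights[$_]) -ne 0 })
        [pscustomobject]@{
            Type      = $ace.AceType              # AccessAllowed or AccessDenied
            Principal = $name
            Sid       = $sid.Value
            Mask      = ('0x{0:X}' -f $ace.AccessMask)
            Rights    = ($rights -join ',')
            CanStop   = ($rights -contains 'STOP')
        }
    }
}

function Add-ServiceStartStopAce([string]$SddlString, [string]$Sid) {
    # Builds the SDDL to pass to 'sc sdset' so that one SID (for example an AD
    # group) may start, stop and query the service; all other ACEs are kept.
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($SddlString)
    $mask = $script:ServiceRights.START -bor $script:ServiceRights.STOP -bor
            $script:ServiceRights.QUERY_STATUS -bor $script:ServiceRights.READ_CONTROL
    $ace  = New-Object System.Security.AccessControl.CommonAce -ArgumentList (
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, (New-Object System.Security.Principal.SecurityIdentifier($Sid)), $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

if (-not $Sddl) { $Sddl = Get-ServiceSddl $ServiceName }
$aces = @(ConvertFrom-ServiceSddl $Sddl)
$aces | Format-Table Type, Principal, Rights -AutoSize

# Deny ACEs are evaluated before allow ACEs, so report both sides.
$denied  = @($aces | Where-Object { $_.Type -eq 'AccessDenied'  -and $_.CanStop })
$allowed = @($aces | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.CanStop })
'SERVICE_STOP denied to : {0}' -f ($denied.Principal  -join ', ')
'SERVICE_STOP allowed to: {0}' -f ($allowed.Principal -join ', ')

# Second half of the diagnosis: even with SERVICE_STOP granted, the SCM rejects a
# stop control unless the running service reports SERVICE_ACCEPT_STOP. 'sc query'
# shows that as STOPPABLE or NOT_STOPPABLE; .NET exposes it as CanStop.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    'Service {0}: status {1}, accepts stop control: {2}' -f $svc.ServiceName, $svc.Status, $svc.CanStop
    if ($svc.Status -eq 'Running' -and -not $svc.CanStop) {
        '-> Not a DACL problem: the service does not accept SERVICE_CONTROL_STOP.'
        '   Disable it (sc config {0} start= disabled) and terminate its process.' -f $ServiceName
    }
}

# Demonstration only: the SDDL that would additionally grant the local Users group
# (well-known SID S-1-5-32-545, a placeholder) start and stop. To apply it, run
# sc.exe sdset followed by the service name and this string.
'Candidate SDDL for sc sdset: {0}' -f (Add-ServiceStartStopAce $Sddl 'S-1-5-32-545')
```

<p style=\"text-align: justify;\">Run it from an elevated prompt or from the SYSTEM shell so that sc sdshow and the SID lookups succeed. The script keeps the two questions apart that this exercise mixed up: a deny ACE or a missing WP bit is a permission problem and is fixed with sc sdset, whereas CanStop = False on a running service means the service code itself refuses SERVICE_CONTROL_STOP and the only options are disabling it and terminating its process.<\/p>\n<p style=\"text-align: justify;\">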
Last but not least, we can set the start mode of the service to disabled with the command <strong>sc config &#171;servicename&#187; start= disabled<\/strong> (the space after start= is mandatory) and then kill the service process with the command <strong>taskkill \/f \/IM &#171;task.exe&#187;<\/strong>.<\/p>\n<p>Some recurring questions from that exercise:<\/p>\n<p><strong>Which command may be used to change the permissions of a service?<\/strong><br \/>\nsc.exe<\/p>\n<p><strong>How do we specify the service permissions used with the sc.exe sdset command?<\/strong><br \/>\nWith SDDL<\/p>\n<p><strong>How can you specify an AD group to include it in the SDDL?<\/strong><br \/>\nBy its SID<\/p>\n<p><strong>How is LocalSystem represented in SDDL?<\/strong><br \/>\nSY<\/p>\n<p><strong>Which account should be used if you are local administrator on your workstation and have no permission to change service parameters?<\/strong><br \/>\nLocalSystem<\/p>\n<p>Further References:<\/p>\n<p><a href=\"https:\/\/blog.netspi.com\/penetration-testing-stopping-an-unstoppable-windows-service\/\" target=\"_blank\" rel=\"noopener\">Stopping an unstoppable Windows Service<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Inspired by the CQURE 5 day challenge I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. 
\ud83d\ude42 Table of <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=164\" title=\"Analyze a windows service\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":165,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10],"tags":[],"class_list":["post-164","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-windows-security"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=164"}],"version-history":[{"count":11,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/164\/revisions"}],"predecessor-version":[{"id":268,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/164\/revisions\/268"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/165"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}