The Hackr

Session Hijacking without Password on All Windows Versions

Session hijacking lets you log into any account on the computer without knowing its password.

Recently, a security researcher, Alexander Korznikov, found a way to log into any account on the same computer without knowing its password. The technique works on all Windows versions and doesn't require special privileges. The researcher is unsure whether this is a Windows feature or a security flaw.

The researcher calls the attack “privilege escalation and session hijacking.” It can also be performed over an RDP session, escalating the attacker's access to other user accounts.


Hijacking active user/RDP session

The simple trick behind the attack is that a user can use built-in Windows CLI commands to escalate their access and switch to any other active user session on the PC.

However, the attack won't work if the targeted account is not logged in on the same machine.

The attacker executes a few cmd.exe commands and then selects the active user session to log into. This works not only with local user sessions but also with RDP sessions.

This relates to a remark in Microsoft's documentation: https://technet.microsoft.com/en-us/library/cc770988(v=ws.11).aspx

In practice, however, tscon does not fail if you omit the password parameter.

A cmd.exe started via the Sticky Keys backdoor at the Windows login screen runs as NT AUTHORITY\SYSTEM. SYSTEM has Full Control permission over every session and can connect to any user session without being asked for a password.

The most surprising thing is that the legitimate user is not asked to log out: using this technique, the user is simply kicked out of their session without any notification.


It's Trivial to Execute for Attackers

A privileged user can gain command execution with NT AUTHORITY\SYSTEM rights and can then hijack any currently logged-in user's session without knowing that user's credentials. The Terminal Services session can be in either the connected or the disconnected state.

This is a high-risk vulnerability that allows any local admin to hijack a session and gain access to:

 •   Domain admin sessions.
 •   Any unsaved documents the user is working on.
 •   Any other systems or applications the user previously logged in to (including other Remote Desktop sessions, network share mappings, applications that require different credentials, e-mail, etc.).

Furthermore, tools such as Metasploit, Incognito and Mimikatz, which are used to manipulate and impersonate logged-in users via their tokens, are no longer required by attackers.

Everything is done with built-in commands. Any admin can impersonate any logged-in user, either locally with physical access or remotely via Remote Desktop.

Kevin Beaumont confirmed and tested this attack on Windows 2016, Windows 2012 R2, Windows 2008, Windows 10 and Windows 7.

The most remarkable thing is that we don't need to know the credentials of the hijacked user; it is pure passwordless hijacking.
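As an added defender-side example (not code from the original post or from the researchers it names), the following Python script parses the output of the built-in `query user` (quser) command, whose session list is exactly what tscon switches between, and flags disconnected sessions that have sat idle longer than a limit. Every listed session, connected or disconnected, can be taken over by SYSTEM, so the practical control is to log off idle disconnected sessions promptly rather than leave a domain admin's session parked for days; the sample output, account names and the 60-minute limit are constructed assumptions.

```python
import re

# Constructed sample of `query user` output from a Windows host (assumption:
# the usual column layout). ">" marks the session the command ran from, and
# disconnected sessions have an empty SESSIONNAME column.
SAMPLE_QUSER_OUTPUT = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>localadmin            console             1  Active      none   3/17/2017 9:02 AM
 da_jsmith                                 2  Disc      2+04:15   3/15/2017 4:40 PM
 svc_backup            rdp-tcp#12          3  Active        45   3/17/2017 8:20 AM
 hr_mlee                                   4  Disc        1:30   3/17/2017 7:05 AM
"""

# SESSIONNAME is optional so that rows of disconnected sessions still parse.
ROW_RE = re.compile(
    r"^\s*>?(?P<user>\S+)\s+(?P<session>\S+)?\s+(?P<id>\d+)\s+"
    r"(?P<state>Active|Disc)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)


def parse_idle_minutes(text):
    """Convert quser idle values ('none', '.', '45', '1:30', '2+04:15') to minutes."""
    if text in ("none", "."):
        return 0
    days = 0
    if "+" in text:                      # days+hh:mm
        day_part, text = text.split("+", 1)
        days = int(day_part)
    if ":" in text:                      # hh:mm
        hours, minutes = text.split(":", 1)
        return days * 1440 + int(hours) * 60 + int(minutes)
    return days * 1440 + int(text)       # plain minutes


def parse_quser(output):
    """Return one dict per session row; the header row never matches ROW_RE."""
    sessions = []
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            sessions.append({
                "user": match["user"], "session": match["session"] or "",
                "id": int(match["id"]), "state": match["state"],
                "idle_min": parse_idle_minutes(match["idle"]),
            })
    return sessions


def stale_disconnected(sessions, max_idle_minutes=60):
    """Disconnected sessions idle beyond the limit: candidates for forced logoff."""
    return [s for s in sessions
            if s["state"] == "Disc" and s["idle_min"] > max_idle_minutes]


if __name__ == "__main__":
    for s in stale_disconnected(parse_quser(SAMPLE_QUSER_OUTPUT)):
        print(f"session {s['id']} ({s['user']}) disconnected for {s['idle_min']} min")
```

On a live host, feed the script the actual `query user` output instead of the constructed sample; the same idle limit is what a disconnected-session time limit in Remote Desktop policy would enforce automatically.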


Proof Of Concept

The whole attack takes about one minute to perform and doesn't involve many steps.

1. Windows 7 via Task Manager:
2. Windows 7 via command line:
3. Windows 2012 R2 via service creation:

However, Korznikov's discovery isn't entirely new; it appears to be an expanded version of an older attack. Back in 2011, Benjamin Delpy, a security researcher at the Bank of France, detailed the very same user session hijacking technique on his blog, albeit in French.

Furthermore, Microsoft has not fixed this issue in the past six years. It is very likely that they did not consider it a security flaw and deemed this to be how Windows is supposed to behave.


Abhilash

It was a hobby I got into a long time ago, hacking cameras. And I am here making posts @TheHackr today!
