The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: NtFileSins v2.2 - Windows NTFS Privileged File Access Enumeration Tool (Python v3)
from subprocess import Popen, PIPE
import sys,argparse,re
#MIT License
#Copyright (c) 2020 John Page (aka hyp3rlinx)
#Permission is hereby granted, free of charge, to any person obtaining a copy
#of this software and associated documentation files (the "Software"), to deal
#in the Software without restriction, including without limitation the rights
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the Software is
#furnished to do so, subject to the following conditions:
#The above copyright notice and this permission notice shall be included in all
#copies or substantial portions of the Software.
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
#SOFTWARE.
#Permission is also explicitly given for insertion in vulnerability databases and similar,
#provided that due credit is given to the author John Page (aka hyp3rlinx).
#
#
# NtFileSins v2.2 (c)
# By John Page (aka hyp3rlinx)
# Python v3 compatible
# Enhancements: search target user dir on first pass, unless the -d flag is used, added .dat, .tmp file ext checks.
# TODO: Alternate Data Streams (ADS) check e.g. abc.txt:test.txt:$DATA
# Original advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
#
# NtFileSins is a Windows File Enumeration Intel Gathering Tool.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by compare inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
# 2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe
#or related config files on disk with user-only rights, instead of authenticating with admin rights as a quick paranoid first pass.
#Example, if malware hides itself by unlinking themselves from the EPROCESS list in memory or using programs like WinRAP to hide
#processess from Windows TaskMgr, we may not discover them even if using tasklist command. The EPROCESS structure and flink/blink is
#how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the
#malicious code happens to reside on disk and not only in memory. Whats cool is we can be do this without the need for admin rights.
#
#Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icalcs, and cd.
#However, Windows commands rename, ren, cacls, type, dir, erase, move or del commands will issue flat out "Access is denied" messages.
#
#==========================================================================#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.2 (c) #
# By John Page (aka hyp3rlinx) #
# Apparition Security #
#==========================================================================#
BANNER='''
_ _______________ __ _____ _
/ | / /_ __/ ____(_) /__ / ___/(_)___ _____
/ |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/
/ /| / / / / __/ / / / __/__/ / / / / (__ )
/_/ |_/ /_/ /_/ /_/_/\___/____/_/_/ /_/____/ v2.2 (c)
By hyp3rlinx
ApparitionSec
'''
sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
"Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
APPDATA_DIR=["AppData/Local/Temp"]
EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3", ".bat",".tmp",
".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv",".dat"])
REPORT="NtFileSins_Log.txt"
def usage():
print("NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n")
print('-u victim -d Searches -a "MS17-020 - Google Search.url"')
print('-u victim -a "<name.ext>"')
print("-u victim -d Downloads -a <name.ext> -s")
print('-u victim -d Contacts -a "Mike N.contact"')
print("-u victim -a APT -b -n")
print("-u victim -d -z Desktop/MyFiles -a <.name>")
print("-u victim -d Searches -a <name>.search-ms")
print("-u victim -d . -a <name.ext>")
print("-u victim -d desktop -a inverted-crosses.mp3 -b")
print("-u victim -d Downloads -a APT.exe -b")
print("-u victim -f list_of_files.txt")
print("-u victim -f list_of_files.txt -b -s")
print("-u victim -f list_of_files.txt -x .txt")
print("-u victim -d desktop -f list_of_files.txt -b")
print("-u victim -d desktop -f list_of_files.txt -x .rar")
print("-u victim -z -s -f list_of_files.txt")
def parse_args():
parser.add_argument("-u", "--user", help="Privileged user target")
parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search <e.g. Downloads>.")
parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.")
parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.")
parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types.")
parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. <.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.")
parser.add_argument("-z", "--zone_identifier", nargs="?", const="1", help="Identifies artifacts downloaded from the internet by checking for Zone.Identifier:$DATA.")
#parser.add_argument("-r", "--ads_streams", nargs="?", const="1", help="Locate ADS hidden file streams (artifact name required).")
parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT)
parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.")
parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.")
return parser.parse_args()
def access(j):
result=""
try:
p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True)
stderr,stdout = p.communicate()
result = stdout.strip()
res = result.decode("utf-8")
except Exception as e:
#print(str(e))
pass
return res
def artifacts_from_file(artifacts_file, bflag, specific_ext):
try:
f=open(artifacts_file, "r")
for a in f:
idx = a.rfind(".")
a = a.strip()
if a != "":
if specific_ext:
if idx==-1:
a = a + specific_ext
else:
#replace existing ext
a = a[:idx] + specific_ext
if bflag:
ARTIFACTS_SET.add(a)
else:
ARTIFACTS_SET.add(a)
f.close()
except Exception as e:
print(str(e))
exit()
def save():
try:
f=open(REPORT, "w")
for j in found_set:
f.write(j+"\n")
f.close()
except Exception as e:
print(str(e))
def recon_msg(s):
if s == 0:
return "Access is denied."
else:
return "\t[*] Artifact exists ==>"
def echo_results(args, res, x, i):
global sin_cnt
if res=="":
print("\t[!] No NTFS message, you must already be admin, then this script is not required.")
exit()
if "not recognized as an internal or external command" in res:
print("\t[!] You must target users with higher privileges than yours.")
exit()
if res != recon_msg(0):
if args.verbose:
print("\t"+res)
else:
if args.notfound:
print("\t[-] not found: " + x +"/"+ i)
else:
sin_cnt += 1
if args.save or args.zone_identifier:
found_set.add(x+"/"+i)
if args.verbose:
print(recon_msg(1)+ x+"/"+i)
print("\t"+res)
else:
print(recon_msg(1)+ x+"/"+i)
def valid_artifact_name(sin,args):
idx = "." in sin
if re.findall(r"[/\\*?:<>|]", sin):
print("\t[!] Skipping: disallowed file name character.")
return False
if not idx and not args.built_in_ext and not args.specific_ext:
print("\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives.")
print("\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives.")
if not args.built_in_ext:
if sin[-1] == ".":
print("\t[!] Skipping: "+sin+" non valid file name.")
return False
return True
def search_missing_ext(path,args,i):
res=""
for x in path:
for e in EXTS:
res = access(ROOTDIR+"/"+x+"/"+i+e)
if res=="":
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
if res:
echo_results(args, res, x, i+e)
#Check if the found artifact was downloaded from internet
def zone_identifier_check(args):
global ROOTDIR, internet_sin_cnt
zone_set.update(found_set)
for c in found_set:
c = c + ZONE_IDENTIFIER
res = access(ROOTDIR+args.user+"/"+c)
if res == "Access is denied.":
internet_sin_cnt += 1
print("\t[$] Zone Identifier found: "+c+" this file was downloaded over the internet!.")
zone_set.add(c)
#@TODO: Find ADS
def alternate_data_dreams():
pass
def ntsins(path,args,i):
res=""
if i.rfind(".")==-1:
search_missing_ext(path,args,i)
i=""
for x in path:
if i != "":
if args.built_in_ext=="1":
for e in EXTS:
#Search current targets user dir first.
res = access(ROOTDIR+"/"+x+"/"+i+e)
if res=="":
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
if res:
echo_results(args, res, x, i+e)
elif args.specific_ext:
idx = i.rfind(".")
if idx == -1:
i = i + "."
else:
i = i[:idx] + args.specific_ext
#Search current targets user dir first.
res = access(ROOTDIR+"/"+x+"/"+i)
if res=="":
res = access(ROOTDIR+args.user+"/"+x+"/"+i)
if res:
echo_results(args, res, x, i)
def search(args):
print("\tSearching...\n")
global ROOTDIR, USER_DIRS, ARTIFACTS_SET
if args.artifact:
ARTIFACTS_SET = set([args.artifact])
for i in ARTIFACTS_SET:
idx = i.rfind(".") + 1
if idx and args.built_in_ext:
i = i[:idx -1:None]
if len(i) > 0 and i != None:
if valid_artifact_name(i,args):
#specific user dir search
if args.directory:
single_dir=[args.directory]
ntsins(single_dir,args,i)
#search appdata dirs
elif args.appdata:
ntsins(APPDATA_DIR,args,i)
#all default user dirs
else:
ntsins(USER_DIRS,args,i)
def check_dir_input(_dir):
if len(re.findall(r":", _dir)) != 0:
print("[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h.")
return False
return True
def main(args):
global USER_DIRS
if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)
if args.examples:
usage()
exit()
if not args.user:
print("[!] No target user specified see Help -h")
exit()
if args.appdata and args.directory:
print("[!] Multiple search directories supplied see Help -h")
exit()
if args.specific_ext:
if "." not in args.specific_ext:
print("[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives.")
exit()
if args.artifact and args.artifacts_from_file:
print("[!] Multiple artifacts specified, use just -f or -a see Help -h")
exit()
if args.built_in_ext and args.specific_ext:
print("\t[!] Both specific and built-in extensions supplied, use only one.")
exit()
if args.specific_ext and not args.artifacts_from_file:
print("\t[!] -x to be used with -f flag only see Help -h.")
exit()
if args.artifact:
if args.artifact.rfind(".")==-1 and not args.built_in_ext:
print("\t[!] Artifacts must contain a .ext or will result in false positives, use -b flag (built-in ext checks).")
exit()
if args.directory:
if not check_dir_input(args.directory):
exit()
if args.artifacts_from_file:
artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext)
#TODO:
#if args.ads_streams:
#alternate_data_dreams()
if not args.artifact and not args.artifacts_from_file:
print("[!] Exiting, no artifacts supplied see Help -h")
exit()
else:
#Search targets user dir by default, instead of require -d flag to specify the dir.
USER_DIRS.append(args.user)
search(args)
if sin_cnt >= 1 and args.zone_identifier:
zone_identifier_check(args)
if args.save and len(found_set) != 0 and not args.zone_identifier:
save()
if args.save and len(zone_set) != 0:
found_set.update(zone_set)
save()
print("\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n")
if args.zone_identifier and internet_sin_cnt >= 1:
print("\t"+str(internet_sin_cnt) + " of the sins were internet downloaded.\n")
if not args.notfound:
print("\tuse -n to display unfound enumerated files.")
if not args.built_in_ext:
print("\tfor extra search coverage try -b flag or targeted artifact search -a.")
if __name__ == "__main__":
print(BANNER)
parser = argparse.ArgumentParser()
main(parse_args())
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum