Well, no-one is safe in a digital world! Recently, a security researcher from Israel, Alexander Korznikov has managed to gain access to any local user account on Windows machine.
Well, the researchers don’t have any idea about how he managed to gain access to any local user account on Windows machine without knowing the login credentials. However, it has been confirmed by another researcher Kevin Beaumont that the attack works on all Windows version.
The user must be logged in to the computer to make this attack work. So, this simply means that the attack needs physical access to the target machine. However, the attack can also work over a remote desktop session on a hacked machine.
Well, the attacker just needs less than one minute of time to hijack any other active user session without known Login ID or Password. Hackers can use built-in Windows command prompt commands to tackle elevated privileges on the system.
Using the NT AUTHORITY/SYSTEM command attacker can hijack any currently logged in user’s session, without any knowledge about his/her credentials. Well, the researcher was not the first to perform this type of hack. The similar hack was performed by Benjamin Delpy in the year 2011.
The researcher claimed that he isn’t sure about how he performed this attack this might be because of any zero-day vulnerability or it can be a bug which remains undetected. Benjamin Delpy had told Korznikov “That is normal Windows API, that’s the design flow, they use it.”
“As mentioned earlier, if you admin, you can do everything. But here is the point. Why and HOW you become the admin? If some unprivileged user becomes admin using some local privilege escalation – that’s the problem and not the design flow we are talking about”
“You can do everything, even patch terminal services the way that it will accept your token and allow shadowing mode, without user’s knowledge.”
Below are the videos presented by Alexander Korznikov:
Windows 7 via Command Line:
Windows 7 Via Task Manager:
Windows 2012 R2 via Service Creation: