Recently Didier Stevens wrote an interesting article and related SANS posting regarding Windows Backup Privileges. In it he presented a modified cmd.exe from ReactOS that asserts the backup privilege, which bypasses traverse checking and file DACLs. I had looked into similar techniques as well, and his article prompted me to put together a video adding to what Didier has posted.

In addition to using a local process to access files with backup privilege, Windows supports asserting "backup intent" over network SMB/CIFS connections. This allows someone on a remote system, using an account with backup or restore privileges, to read or write files and traverse file systems regardless of DACLs. Fortunately, a couple of Linux tools (smbclient and mount.cifs) already implement this capability. This can be extremely useful during penetration tests. I put together a video that demonstrates this capability below.

Also, in follow-up conversations on Twitter, there were some questions raised about using this functionality with native Windows commands. I have found it is possible to do using native PowerShell (using this script) and RoboCopy with the /B option. RoboCopy allows both reading (backup) and writing (restore) files, but does not work when the parent directory is inaccessible (it therefore requires copying entire folders when a parent folder is inaccessible). The following screenshot illustrates this.

For future consideration, it should be possible to read and write files using native PowerShell; the library SeBackupPrivilege by giuliano108 does exactly that, but uses compiled .DLLs. With a little more time and PowerShell work it should be possible to accomplish the same thing in native PowerShell.

Thanks to Didier for the interesting article, and I hope you find this additional information useful.
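Since the whole technique rests on who holds SeBackupPrivilege and SeRestorePrivilege, the natural defensive counterpart is to audit that. The script below is an added example, not from the original post or from the tools it mentions: it lists the members of the local groups that carry those privileges by default, checks whether the current token holds them (parsing `whoami /priv`), and pulls recent Security event ID 4672 entries ("Special privileges assigned to new logon"), which record the sensitive privileges in each new logon token. It assumes Windows PowerShell 5.1 or later with read access to the Security log (normally an elevated session); the one-day lookback window and the exclusion of the SYSTEM SID are my own choices to keep the output readable.

```powershell
# Added example (not from the original post): audit who can use backup/restore
# privilege on this host and surface recent logons that were granted it.
# Assumes Windows PowerShell 5.1+ and read access to the Security event log.

# 1. Local groups that carry SeBackupPrivilege/SeRestorePrivilege by default.
$groups = 'Administrators', 'Backup Operators'
foreach ($g in $groups) {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    [pscustomobject]@{ Group = $g; Members = ($members.Name -join ', ') }
}

# 2. Does the current token hold either privilege? (Disabled vs Enabled is
#    shown in the State column; RoboCopy /B and the scripts above enable it.)
whoami /priv |
    Select-String -Pattern 'SeBackupPrivilege|SeRestorePrivilege' |
    ForEach-Object { $_.Line.Trim() }

# 3. Detection: event 4672 lists the sensitive privileges assigned to each new
#    logon. Keep only logons that received backup/restore privilege and drop
#    the well-known SYSTEM SID (S-1-5-18) to cut noise. Lookback is one day
#    (an assumption; adjust to taste).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Sid        = $data.SubjectUserSid
            LogonId    = $data.SubjectLogonId
            Privileges = $data.PrivilegeList
        }
    } |
    Where-Object { $_.Sid -ne 'S-1-5-18' -and $_.Privileges -match 'SeBackupPrivilege|SeRestorePrivilege' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Event 4672 only tells you a logon received the privilege, not that it was used; Windows does not audit individual uses of backup and restore privilege unless the security option "Audit: Audit the use of Backup and Restore privilege" is enabled, because it is far too chatty for a real backup job. In practice the membership list from step 1 is the control worth reviewing: any account in Backup Operators can read every file on the box, locally or over SMB, regardless of the DACLs.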