Session Hijacking locked users

July 18, 2017

Intro

As of today this is still a known method of gaining access to locked user accounts. This is based on the findings of Benjamin Delpy Six Years ago.
The PoC was demonstrated by Alexander Korznikov, and works on every windows version. It is known by Microsoft for the passed six years and they do not consider it a security risk.

 

Scenario:

The victim is logged in to the machine, and the user is locked. This is a common company policy to "secure" the desktop if you are temporarily not at your desk. The attacker has an account on the domain or on the local computer and can switch to his user with the victim still logged in.

 

PoC:

- Attacker logs in with his credentials.
- downloads PSTools if not installed
- runs a cmd terminal with command " query user "
- gets the session ID
- runs command " psexec -s \\localhost cmd "
- runs command " tscon 'ID' /dest:console "

After this the attacker has full access to the victims profile.

 

Conclusion:

These days many users leave their desktop/laptop powered on and locked.
If someone has an account on the domain, he can access every profile that is logged in.
This method also works when connected with RDP.