Tuesday, May 6, 2008

Token Passing with Incognito Part 2

Alright, i love this tool and its been officially merged into the msf trunk which is just super.

After talking to the guys at work and doing some thinking on it, the most useful aspect of incognito is being able to become a domain user (if they have logged into the compromised box since the last reboot). Why would i want to be a user instead of the all powerful SYSTEM? well, for one thing, users have access to "net" commands and can enumerate domain information and can view and map shares and what not, generally system while megabadass on the box you are on cant do jack on the domain. SOOOO unless you popped a shell on the DC we need to try to become a user.

so on to the screenshots...

So normal scenario we pop a shell with metasploit, with the NEW "old reliable" msdns_zonename exploit and use the meterpreter payload. Once we are in our meterpreter shell do a "use incognito" to load the library.

we list the available tokens by user using "list_tokens -u". Once we see someone we want to try to impersonate we run the "impersonate_token "domain\\user" command. We can verify it worked using a getuid in meterpreter.

At this point we have two options. We can run commands as our new user and create our own user and add them to whatever groups we want to add them to. Keep in mind that "most" of this works because the person we are impersonating had admin priviliges on the domain (as far as adding users to the domain). If we just wanted to become a user to do domain enumeration we can still do that.

so lets see getting a command shell with our impersonated token.

you have to make sure you pass it the "-t" option to use your token.

2nd option is to just add a user and add them to the appropriate group(s). Just follow along, its not too hard.

now you can just log in normally to the domain, or do whatever it is you need to do to get your paycheck.

I did some playing with the dameware and this tool. i'll save comments for a future post and I need to do some more playing but it appears to be leaving a token in memory as well.


Anonymous said...

Wouldn't it be easier to use a tool like gsecdump or pstoolkit and get the domian hash and use pass-the-hash?

CG said...

depends. on a single box maybe. in a domain (most likely) the hashes you will dump will be local accounts on THAT BOX and not domain credentials unless of course you've popped the DC.

those tools also involve me uploading the executable to the remote box where if you use metasploit incognito is built in and no extra binaries to worry about.

Anonymous said...

gsecdump -u will dump active login sessions including domain users. Just like in your post, it will also give you the hash of a user who has logged in but since logged out (untell the next reboot). I have used this very easy tool to get domain admin on several pen tests. Seems to be simpler than incognito. Maybe incognito has other benefits that gsecdump does not.

CG said...

looks like i need to take another look at it then. thanks for the heads up.