Tuesday, January 29, 2013

Impersonate your “Friends”

My previous post showed you what you can do after you’ve compromised a host.  In this post we will explore how you can use impersonation tokens to do potentially evil things.  In my example I will be using a single host, but imagine what could be done if your compromised machine was joined to a domain.  Even better, what if a user  used the “Run As” option to launch Active Directory Users and Computers with their Domain Admin credentials?

In this example I will show you how you can steal a token and impersonate a user.

Again, enter Metasploit and the Meterpreter.

Step 1 – Compromise the host

image

Step 2 – load the incognito extension

image

Step 3 – Let's see what tokens are available.  As you can see, there are two users on the system we could impersonate.

image

Step 4 – But let's look at another option and see if any processes are running whose token we could use to impersonate.

image

As you can see, there is an FTP server running under putz.  What if this was actually ADUC, or some other sensitive process?  Let's steal the token for this process.  First we'll see who we are on the box and then who we can be.

image

image

Now that we are Putz, let's start something as him.  Assume this account is a Domain Admin: what kind of mischief could we get into?  For this example, let's just calculate something.

image

I am currently logged on as user Neal. Do you notice anything suspicious?

image

Step 5 – Let's return to ourselves.

image
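The defensive counterpart to steps 3 and 4 is knowing, before an attacker does, which accounts have a live token on a host. A process running under a Domain Admin account on a workstation (the FTP server or the "Run As" ADUC console above) is exactly the exposure the walkthrough exploits. The script below is an added example, not code from the original post: it parses a constructed sample in the shape of `tasklist /v /fo csv` output (the column names are assumed for this example), lists the distinct accounts that have a process on the host, and flags any process owned by an account in an assumed list of privileged accounts.

```python
"""Inventory accounts with processes (and therefore tokens) on a host, and
flag processes owned by privileged accounts.

Added example, not part of the original post.  Assumptions: the input has
the column layout of `tasklist /v /fo csv`; the set of privileged accounts
is supplied by the caller (here a constructed example).
"""
import csv
from io import StringIO

# Constructed sample of a `tasklist /v /fo csv` listing (not real output):
# an interactive session for LAB\neal, plus an FTP service and an RSAT
# console that were left running under LAB\putz.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1840","Console","1","32,000 K","Running","LAB\\neal","0:00:04","N/A"
"ftpserver.exe","2212","Services","0","9,500 K","Unknown","LAB\\putz","0:00:01","N/A"
"mmc.exe","3104","Console","1","21,000 K","Running","LAB\\putz","0:00:02","Active Directory Users and Computers"
"svchost.exe","812","Services","0","8,000 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:10","N/A"
'''

# Constructed example: accounts that are assumed to be Domain Admins.
PRIVILEGED_ACCOUNTS = {"LAB\\putz"}


def parse_tasklist(text):
    """Parse `tasklist /v /fo csv` text into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def accounts_present(rows):
    """Distinct accounts that own at least one process on the host.

    Every such account has a logon token on the box, which is what the
    incognito `list_tokens` step enumerates.
    """
    return sorted({row["User Name"] for row in rows})


def exposed_privileged_processes(rows, privileged_accounts):
    """Return (pid, image, user, session, window title) for every process
    owned by a privileged account.  A non-zero session number means the
    account is logged on interactively (e.g. via "Run As"), not as a service.
    """
    privileged = {account.lower() for account in privileged_accounts}
    findings = []
    for row in rows:
        if row["User Name"].lower() in privileged:
            findings.append((
                int(row["PID"]),
                row["Image Name"],
                row["User Name"],
                int(row["Session#"]),
                row["Window Title"],
            ))
    return findings


if __name__ == "__main__":
    rows = parse_tasklist(SAMPLE_TASKLIST_CSV)
    print("Accounts with a token on this host:")
    for account in accounts_present(rows):
        print("  ", account)
    print("Processes exposing a privileged account's token:")
    for pid, image, user, session, title in exposed_privileged_processes(rows, PRIVILEGED_ACCOUNTS):
        kind = "interactive" if session else "service"
        print(f"   pid {pid:>5}  {image:<14} {user:<12} {kind:<11} {title}")
```

Run on a real host you would feed it the actual `tasklist /v /fo csv` output and your directory's privileged-group membership; any hit on a workstation or member server is a token that a local compromise can turn into the account, so the fix is to stop running services under those accounts and to do administrative work from dedicated hosts rather than with "Run As" on an ordinary workstation.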

I hope you enjoyed this and please leave comments.
