My previous post showed you what you can do after you have compromised a host. In this post we will explore how impersonation tokens can be used to do potentially evil things. My example uses a single standalone host, but imagine what could be done if the compromised machine were joined to a domain. Even better, what if a user had used the "Run As" option to launch Active Directory Users and Computers with their Domain Admin credentials? That process, and the token it runs under, would be sitting on the box waiting to be borrowed.
In this example I will show you how to steal a token from a running process and impersonate that user.
Again, enter Metasploit and the Meterpreter.
Step 1 – Compromise the host
Step 2 – load the incognito extension
Step 3 – Lets see what tokens are available. As you can see, there are two users on the system we could impersonate.
Step 4 - But lets look at another options, and see if any processes are running we could use to impersonate.
As you can see, there is an FTP server running under putz. What if this was actually ADUC? or some other sensitive process? Lets steal the token for this process. First we’ll see who we are on the box and then who we can be.
Now that we are Putz, lets start something as him. Assume this account is a Domain Admin so what kind of mischief could we get into? for this example, lets just calculate something.
I am currently logged on as user Neal. Do you notice anything suspicious?
Step 5 – Lets return to ourselves.
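The reason calc.exe running as putz looks wrong is also what a defender can hunt for: a process whose security context is not its creator's. The following is an added example, not from the original post, that parses the rendered text of Windows Security event 4688 ("A new process has been created") and flags events whose Target Subject differs from the Creator Subject. It assumes the documented 4688 layout, where Target Subject is NULL SID when the child simply inherits the creator's context and holds the real account when a different token was supplied. The three event bodies are constructed for this example (trimmed to the fields used); the user names Neal, putz and admin, the SIDs, logon IDs and paths are made up, and the high/review severity split is a heuristic of mine, not a Windows rule.

```python
from __future__ import annotations
from dataclasses import dataclass

# Three CONSTRUCTED 4688 bodies (not real log data), trimmed to the fields used
# and separated by "=====" for this demo. Layout mirrors the Security log text.
SAMPLE_4688 = r"""
Creator Subject:
    Account Name:   Neal
    Logon ID:       0x3E7A1
Target Subject:
    Security ID:    NULL SID
    Account Name:   -
    Logon ID:       0x0
Process Information:
    New Process Name:     C:\Windows\System32\notepad.exe
    Creator Process Name: C:\Windows\explorer.exe
=====
Creator Subject:
    Account Name:   Neal
    Logon ID:       0x3E7A1
Target Subject:
    Security ID:    S-1-5-21-1111-2222-3333-1002
    Account Name:   putz
    Logon ID:       0x5C2F0
Process Information:
    New Process Name:     C:\Windows\System32\calc.exe
    Creator Process Name: C:\Users\Neal\Downloads\update.exe
=====
Creator Subject:
    Account Name:   WIN-HOST$
    Logon ID:       0x3E7
Target Subject:
    Security ID:    S-1-5-21-1111-2222-3333-1003
    Account Name:   admin
    Logon ID:       0x8A11C
Process Information:
    New Process Name:     C:\Windows\System32\mmc.exe
    Creator Process Name: C:\Windows\System32\svchost.exe
"""

@dataclass
class ProcessCreation:
    creator_account: str
    creator_logon_id: str
    target_sid: str
    target_account: str
    target_logon_id: str
    new_process: str
    creator_process: str

def parse_4688(text: str) -> list[ProcessCreation]:
    """Parse rendered 4688 message text (events separated by =====) into records."""
    events = []
    for block in text.split("====="):
        fields: dict[tuple[str, str], str] = {}
        section = ""
        for raw in block.splitlines():
            line = raw.strip()
            if ":" not in line:
                continue                       # blank or title line
            if line.endswith(":"):             # "Creator Subject:" etc. opens a section
                section = line[:-1]
                continue
            key, value = line.split(":", 1)    # first colon only: paths contain "C:"
            fields[(section, key.strip())] = value.strip()
        if ("Creator Subject", "Account Name") not in fields:
            continue                           # not a 4688 body we understand
        events.append(ProcessCreation(
            creator_account=fields[("Creator Subject", "Account Name")],
            creator_logon_id=fields[("Creator Subject", "Logon ID")],
            # Older Windows builds omit Target Subject entirely; treat as "same context".
            target_sid=fields.get(("Target Subject", "Security ID"), "NULL SID"),
            target_account=fields.get(("Target Subject", "Account Name"), "-"),
            target_logon_id=fields.get(("Target Subject", "Logon ID"), "0x0"),
            new_process=fields[("Process Information", "New Process Name")],
            creator_process=fields[("Process Information", "Creator Process Name")],
        ))
    return events

NULL_SIDS = {"NULL SID", "S-1-0-0", "-", ""}   # renderings of "no separate target"

def runs_under_foreign_token(ev: ProcessCreation) -> bool:
    """True when the child was handed a token other than its creator's (assumes
    Windows leaves Target Subject as NULL SID / '-' / 0x0 when context is inherited)."""
    if ev.target_sid in NULL_SIDS:
        return False
    return (ev.target_account != ev.creator_account
            or ev.target_logon_id != ev.creator_logon_id)

def find_suspicious(events: list[ProcessCreation]) -> list[tuple[ProcessCreation, str]]:
    """(event, severity) for each foreign-token launch. A Run As launch looks the
    same, so (my heuristic, not a Windows rule) a creator living under a user
    profile is 'high'; anything else is 'review' so known launchers can be allowlisted."""
    hits = []
    for ev in events:
        if runs_under_foreign_token(ev):
            creator = ev.creator_process.lower()
            hits.append((ev, "high" if creator.startswith("c:\\users\\") else "review"))
    return hits
```

On the constructed sample, find_suspicious returns the calc.exe launch as high (created by a binary in Neal's profile but running as putz, which is the execute -f calc.exe step above) and the mmc.exe launch as review, since its creator is the svchost.exe hosting the Secondary Logon service, which is how a legitimate Run As of ADUC is created. The second is the one to allowlist by creator process; the first is the one to chase. Forward 4688 events off the host, because whoever holds the SYSTEM shell that made this possible can also clear the local log.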
I hope you enjoyed this and please leave comments.