I've seen a few people post a link to this paper and tool, but no one has actually shown it in use yet, so here is the first of some notes on it.
From the whitepaper:
"Domain Privilege Escalation refers to the ability to use a Delegate token to access other systems, which may otherwise be secure from direct attack. This is possible because Delegate tokens contain authentication credentials and so can be used to access external systems for which those credentials are valid.
In order to perform this type of attack, it is usually necessary to have administrative privileges on the compromised system. This is because impersonating a token requires the “SeImpersonate” privilege, as of Windows XP SP2, Windows 2003 and Windows 2000 SP4; additionally, Delegate tokens are normally the result of interactive logins and so administrative access is required in order to access the tokens present in all user processes on the system. Other privileges may also be required (such as “SeAssignPrimaryTokenPrivilege” and “SeCreateTokenPrivilege”) depending on the specific post-exploitation task performed.
There are, however, some exceptions to this. For example, if an attacker were to compromise a service account that was trusted for delegation then they may be able to perform this attack, since services are normally given the “SeImpersonate” privilege. Additionally, on systems before “SeImpersonate” was introduced it may be possible to perform this attack from a low privileged user account under certain circumstances.
A good example of a use case for this type of attack would be as part of compromising a critical database server. If an attacker were unable to compromise the database server directly then they could turn their attention to the DBA’s workstation, since their user account will often have legitimate access to the database servers themselves. If they successfully compromised the workstation then they could use the tokens present to access the database server."
If you actually read the whitepaper, there are several scenarios. I am going to cover having a user account with administrative privileges, dumping the available tokens, and becoming another user.
Let's get started. First we want to see who we are. Let's run the "set" command to see.
Let's also see what groups brian is in:
Then we run find_token (which any user can actually run), and use incognito to list the tokens that are available to delegate and impersonate.
Next we connect to the remote box, and use the impersonate token for HOUSEOFMUNCH\root and become that user.
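The whitepaper quoted above names the privileges that make this possible (SeImpersonate, SeAssignPrimaryToken, SeCreateToken), so the obvious check on the defensive side is to see who actually holds them on a given box. Here is an added example, not code from the original post or from the incognito project, that parses the [Privilege Rights] section of a local policy export (the format written by `secedit /export /cfg <file>`) and flags any holder of those three privileges that is not in the stock Windows baseline. The sample export and the S-1-5-21-... account SID are constructed for the example, and the baseline set of default holders is an assumption you should adjust to your own policy.

```python
from typing import Dict, List, Set

# Privileges the whitepaper names as prerequisites for working with tokens.
TOKEN_PRIVILEGES = (
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
)

# Holders on a default Windows install (assumption; adjust to your policy):
# S-1-5-32-544 Administrators, S-1-5-6 SERVICE, S-1-5-19 LOCAL SERVICE,
# S-1-5-20 NETWORK SERVICE. Nobody holds SeCreateTokenPrivilege by default.
DEFAULT_HOLDERS: Dict[str, Set[str]] = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
    "SeCreateTokenPrivilege": set(),
}

# Constructed sample of a `secedit /export /cfg` dump. The S-1-5-21-...-1105 SID
# stands in for a domain account that was granted extra rights on this host.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(export_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [SID, ...]} from the [Privilege Rights] section.

    secedit writes each SID with a leading '*'; that prefix is stripped so the
    values compare cleanly against the baseline sets above.
    """
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # Section header: only the privilege-rights section is of interest.
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        rights[name.strip()] = sids
    return rights


def audit_token_privileges(export_text: str) -> Dict[str, List[str]]:
    """For each token-related privilege, list holders outside the default baseline."""
    rights = parse_privilege_rights(export_text)
    findings: Dict[str, List[str]] = {}
    for priv in TOKEN_PRIVILEGES:
        holders = set(rights.get(priv, []))
        findings[priv] = sorted(holders - DEFAULT_HOLDERS[priv])
    return findings


if __name__ == "__main__":
    for priv, extra in audit_token_privileges(SAMPLE_EXPORT).items():
        status = "OK (defaults only)" if not extra else "REVIEW: " + ", ".join(extra)
        print(f"{priv:32s} {status}")
```

On a real host, `secedit` writes the export as UTF-16, so read the file with `open(path, encoding="utf-16")` before handing the text to `audit_token_privileges`. Any non-default SID it reports is an account that can impersonate or build tokens the way the paper describes, which is exactly the set worth reviewing against "does this service or user really need it".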
pop a system shell and become a user
use the meterpreter incognito module
verify the terminal services stuff in the paper
see how dameware with windows authentication handles tokens
project website: http://sourceforge.net/projects/incognito
DEFCON 15 Presentation (pdf): http://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-jennings.pdf
DEFCON 15 Presentation (video): Broke...WTF
Token Kidnapping by Cesar http://www.argeniss.com/research/TokenKidnapping.pdf