So there are a ton of tools to use for capturing crackable hashes and or relaying them, Metasploit, Impacket, and Responder all have one to varying degrees or another. What I'm going to show you is how to take a network authentication and use it locally to get a token. Then we can simply impersonate that with incognito or write our own method to do it. This is what I'm working on in C# at the moment...
So lets assume we have managed to become LOCAL SYSTEM via potato or some other method and we have a meterpreter session on the box. Its on a 2k12 network and nothing else is running so only RPC port 135 is open. I'm going to start by enabling port 80 on the firewall by running this command with meterpreter.
netsh advfirewall firewall add rule name="Inconspicuous Rule Name" dir=in action=allow protocol=TCP localport=80
Then I'm going to upload the little exe I compiled, .. you can find the source on my github but you'll most likely need to modify it as its not built for any sort of production environment.
upload /tmp/awesome32.exe c:\\Windows\\Temp\\awesome32.exe
Now I'm going to run it simply like so
execute -H -c -f "C:\\Windows\\Temp\\awesome32.exe" -a "0.0.0.0 80"
I could also drop it directly to memory so as not to touch disk, or I could even write a metasploit module to do everything via railgun!
Now we load incognito, and list all the hashes... obviously its just going to be us on there, so what we need to do is either use the post/windows/escalate/droplnk or send someone a e-mail with our link inside, hell we could even do a little spoofing... The goal obviously is to get someone to connect to us, on port 80 "this requires webclient to be running fyi"... the @ sign in a link really helps out btw so don't be afraid to use it and it also enables you to run it on any other port you like. You also need to remember that windows "should" Not authenticate directly if you don't use a named host.
After someone authenticates we simply list_tokens and then do impersonate_token and we become whoever we like.
Our before...
And after...
I also want to point out something a little odd that I have noticed, I haven't had much time to test it but you should definitely check it out as it has happened on a few occasions. If you have a couple of Impersonation tokens and then you do a windows update... your impersonation tokens become delegation tokens... I'm not exactly sure why, and I haven't really had any luck tracking it down but it happens. I have a feeling that when it does a update for some reason duplicates the token and then sets the ASC_REQ_DELEGATE flag in the attributes but I'm not entirely sure.
Anyways the code can be found here for now, and ill be rewriting it in C# just as soon as I get the chance. There are pretty good comments to go along with it so I don't think i have to explain everything, just go take a look.
https://github.com/trump0dump/helpful/tree/master/tokenc
No comments:
Post a Comment