Josh Stone, Blog

Josh’s projects and security nerdery

Homegrown Incognito

A penetration tester’s work is never done. One day, you feel like you have a good thing going – a few tricks up the sleeve, you get into a rhythm. A penetration test can be just about as compelling as work can get. But growing complacent and relying on tools makes you weak. Over time, our industry moves, and it’s important to keep up. There are lots of ways to keep up – read a lot, take some training, etc. Sometimes, though, you really need to take things into your own hands.

In many of my penetration tests, making use of normal tools and techniques will make a lot of progress. In the typical case, if I can get an initial “in”, the escalation path looks very consistent. We establish a foothold with Metasploit’s Meterpreter, use its bag of tricks to escalate privileges, and all is happy. Sometimes, though, something gets in the way. One of the most frequent is anti-virus software. Some products out there do quite well at stopping Metasploit; my guess is it’s because MSF is a big target, and easily identifiable for most A/V. There are lots of ways to get around A/V – maybe you can disable it, maybe you can re-encode your payload so it’s not recognized, etc.

One of the tricks supported by Meterpreter that I find most useful is the Incognito module. This allows you to search for and manipulate security tokens on a compromised system. By co-opting security tokens, it is often quick to assume elevated rights and either expand a penetration into other areas in the network or even domain administrator itself. But if A/V gets in the way, I like to have alternate tools lying around that duplicate the key functionality of Meterpreter for just such an occasion. Incognito, it turns out, is not too difficult to move out of Meterpreter and deploy on your own.

A couple items that you will need to have around to do this yourself:

First, we need to prepare our executable. You can directly use code provided as part of Metasploit – no changes necessary at all! Copy the following files into a directory to work in (they should be found in /opt/metasploit/msf3/external/source/meterpreter/source/extensions/incognito/):

  • list_tokens.h
  • list_tokens.c
  • token_info.c
  • token_info.h
  • incognito.h

The Incognito code itself is fairly tightly bound to some Metasploit internals. I had no fun extracting the useful pieces out for the UI, so I just wrote some code to use functions in the above files to my advantage. I’m not going to quote all of the code in here, but you can download it here. It’s not the cleanest ever, but it functions well enough for me. YMMV and all that.

With these together, compiling the code is fairly straightforward:

$ gcc -o joshcognito.exe list_tokens.c token_info.c main.c

To keep the executable down in size, I like to strip out the unneeded symbols as well. Here is the complete “build process” (if you can really call it that…):

Compiling with MinGW

Armed with this handy executable, it’s a matter of finding a good target. The following screenshots and narrative describe using this code in a test environment. First, we need to somehow get joshcognito.exe onto the server. I leave these details to you and the magnificence of the penetration test you’re actually working – in the demo, I just copy it up using the local administrator account’s password:

Uploading joshcognito.exe

Once we have the machinery in place, we need to get a shell on the target system with NT AUTHORITY\SYSTEM rights. This can be done several ways (yes, even without Metasploit). One of the best is psexec – just make sure you use the “-s” flag. Note that in a real-world scenario, it is often possible to use Mark Russinovich’s actual psexec tool even when Metasploit’s psexec module is blocked by A/V. Most A/V products recognize the Sysinternals psexec as an administrative tool, which we can use to our advantage.

Uploading joshcognito.exe

We now run joshcognito.exe using the “list” command. This enumerates all of the available tokens on the system and displays them for your view. Of course, many of them are not useful, but I thought it better to print them all out rather than to filter out internal defaults. Gee, I hope you don’t have to impersonate a user named “list” ;-). Anyway, this screenshot shows the process of listing the tokens:

Uploading joshcognito.exe

Of interest, you can see that this system has a token for the user “josh” in the “TRACETEST” domain. This may prove useful to us – since we presently only have access to the local system’s administrator account, getting these domain rights may help us expand our penetration test. We can do so by passing the token’s username as an argument to the joshcognito.exe program:

Uploading joshcognito.exe

And here, we can see that we have assumed the rights of a domain user. I wonder how powerful this user is? I don’t know about you, but the first thing I do with any domain account is ask if it’s a domain admin. One way to do this is to try something that (most likely) only a domain admin can do – here I map the C$ share off of the domain controller.

Uploading joshcognito.exe

Actually, I usually do something like net user /domain /add josh2012 1337passwordhere to see if it works, but for this demonstration it doesn’t make much difference.

So there you have it – you never know how your own little Incognito executable might come in handy. Obviously, use your powers for good, under contract, with permission, etc. Of course, this isn’t anything that you can’t already do – it’s just another way to skin the same cat.