Finally a use for Incognito

Filed under Penetration Testing
Tagged as

Lets say (hypothetically for the sake of this post) that you were able to exploit the system of a Windows domain admin during a pentest. The goal of this attack? Steal the credentials of the domain admin and continue on with owning the domain. Sure, you could use gsecdump, pass-the-hash and do the same thing…however, Incognito (tool to conduct token passing) is nice when you know a system is vulnerable to an exploit and you want to do everything through a nice Metasploit meterpreter shell. The problem with gsecdump is that it would require you to use psexec to run it remotely on the admin’s system. Depending on the scope of your assessment and if you are trying to be covert, gsecdump/psexec may not be the best idea as you may get noticed by either an anti-virus, HIDS alert or some other detection system on the host, including the admin (don’t get me wrong…gsecdump is a GREAT tool and should be part of any pentest toolkit). So here comes Incognito to help you out in this situation…

How does Incognito work? I won’t go into a ton of detail as you can check out CG’s posts over at Carnal0wnage. He did an awesome two part write up about the tool…in detail…you should check out. Here are the high level steps:

1. Ensure you have the latest Metasploit snapshot. Not by doing an “svn update” either…you have to use Subversion and do an “svn co http://metasploit.com/svn/framework3/trunk/”. Run msfconsole through this trunk. Be warned that Subversion is picky with proxy servers if you have to deal with that.
2. Exploit system with Metasploit and a meterpreter payload.
3. Follow CG’s posts (linked above)
4. Once you impersonate the domain admin, use the tool in your meterpreter shell to create a domain user and add your new user to the domain admins group (again…follow CG’s posts).
5. Continue on with your domain compromise…rinse and repeat with your next client and/or pentest! 🙂

One Comment

  1. CG says:

    Hey thanks for the shoutout!

    one of the other great things about using incognito built into meterpreter is that all the tools are run from memory instead of putting the binaries on the remote host. good at clean up time.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*