Hey everyone, I'm going to copy/paste what I sent to a SANS mailing list because I'm too tired to come up with something original. Please check out the blog article and give me some feedback.
When widespread local admin password reuse is detected on an engagement, finding privileged tokens to steal with incognito is a common next-step. There are already a few ways to automate finding privileged processes, but my solution seems to be faster and more flexible than most I've seen (granted, I could have totally missed something obvious). The only downside I've noticed thus far is that it fails on systems with UAC enabled.
I wrapped the Foofus winexe (which is patched to also accept hashes), threaded it, and basically used Tim Tome's technique of reviewing the output of tasklist on each system in an IP list. The script requires the credentials (password or hash) of the local admin account that's been reused, the target domain name, list of domain admins (or whatever list of users you're targeting), and SMB IPs. You can optionally specify the number of threads and timeout for winexe calls.
The tests I've done allowed me to analyze 120 systems in 104 seconds using 10 threads/30 second timeout, and 22 seconds using 80 threads/15 second timeout (diminishing returns). Also, this was over a WAN connection; that's just how the cookie crumbled on this engagement (the account names and IPs have obviously been changed to project the victims).
I have the script and a full write-up here:
https://www.infosiege.net/2012/11/introducing-find-token-py/ This is the first "tool" I've published and am interested in feedback and constructive criticism. It worked well during this past engagement, so I figured I'd share it in case anyone else might find it useful.
OSCP - Offensive Security Certified Professional : Failed my first attempt at the OSCP exam
