New tool for finding domain admins for token theft

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Nov 08, 2012 10:33 pm

New tool for finding domain admins for token theft

Hey everyone, I'm going to copy/paste what I sent to a SANS mailing list because I'm too tired to come up with something original. Please check out the blog article and give me some feedback.

When widespread local admin password reuse is detected on an engagement, finding privileged tokens to steal with incognito is a common next-step. There are already a few ways to automate finding privileged processes, but my solution seems to be faster and more flexible than most I've seen (granted, I could have totally missed something obvious). The only downside I've noticed thus far is that it fails on systems with UAC enabled.

I wrapped the Foofus winexe (which is patched to also accept hashes), threaded it, and basically used Tim Tomes's technique of reviewing the output of tasklist on each system in an IP list. The script requires the credentials (password or hash) of the local admin account that's been reused, the target domain name, list of domain admins (or whatever list of users you're targeting), and SMB IPs. You can optionally specify the number of threads and timeout for winexe calls.

The tests I've done allowed me to analyze 120 systems in 104 seconds using 10 threads/30 second timeout, and 22 seconds using 80 threads/15 second timeout (diminishing returns). Also, this was over a WAN connection; that's just how the cookie crumbled on this engagement (the account names and IPs have obviously been changed to protect the victims).

I have the script and a full write-up here: https://www.infosiege.net/2012/11/intro ... -token-py/ This is the first "tool" I've published and am interested in feedback and constructive criticism. It worked well during this past engagement, so I figured I'd share it in case anyone else might find it useful.
The day you stop learning is the day you start becoming obsolete.
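The core of the technique described in the post above is a text check: pull `tasklist /v` output from each host and flag any process whose owner is on a watch list of privileged accounts. The following is an added example and is not dynamik's script or any Foofus/winexe code. It assumes the per-host `tasklist /v` text has already been collected (how it is collected, and the credentials used, are out of scope here), that the Image Name column is 25 characters wide as in Windows' own output, and that the host names, account names and output below are constructed. From the defender's side the same check is a useful exposure audit: every hit is a host where a privileged account's token is sitting in a process, which is exactly the condition the post's tool hunts for.

```python
"""Audit which hosts expose processes owned by privileged accounts by parsing
`tasklist /v` output. Added example; collection of the output is out of scope."""
import re
from concurrent.futures import ThreadPoolExecutor

# A `DOMAIN\user` token; the User Name column is the first such token on a
# `tasklist /v` line (the Window Title column, which may hold paths, comes later).
USER_RE = re.compile(r"(?P<dom>[^\s\\]+)\\(?P<user>[^\s\\]+)")

# Assumption: Windows prints Image Name as a 25-character column.
IMAGE_COL_WIDTH = 25

# Constructed sample output (hosts, users and values are made up).
SAMPLE_TASKLIST = {
    "10.0.0.5": (
        "Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                CPU Time Window Title\n"
        "========================= ======== ================ =========== ============ =============== ======================== ============ ============\n"
        "System Idle Process              0 Services                   0         24 K Unknown         NT AUTHORITY\\SYSTEM         10:10:10 N/A\n"
        "explorer.exe                  1844 Console                    1     41,236 K Running         CORP\\jdoe                   0:00:05 N/A\n"
    ),
    "10.0.0.7": (
        "mmc.exe                       2300 RDP-Tcp#1                  2     22,100 K Running         CORP\\adm-backup             0:00:01 Active Directory Users and Computers\n"
        "cmd.exe                       2544 RDP-Tcp#1                  2      3,200 K Running         CORP\\adm-backup             0:00:00 C:\\Windows\\system32\\cmd.exe\n"
    ),
}


def privileged_processes(tasklist_text, domain, watch_users):
    """Return a sorted, de-duplicated list of (image, 'DOMAIN\\user') pairs for
    processes owned by any account in watch_users within the given domain.
    Header and separator lines contain no DOMAIN\\user token and are skipped."""
    watch = {u.lower() for u in watch_users}
    hits = set()
    for line in tasklist_text.splitlines():
        m = USER_RE.search(line)
        if not m:
            continue
        if m.group("dom").lower() != domain.lower():
            continue
        if m.group("user").lower() not in watch:
            continue
        image = line[:IMAGE_COL_WIDTH].strip()
        hits.add((image, f"{m.group('dom')}\\{m.group('user')}"))
    return sorted(hits)


def sweep(hosts_output, domain, watch_users, threads=10):
    """Check many hosts in parallel. hosts_output maps host -> tasklist text.
    Returns only hosts with at least one hit, mirroring the post's per-IP loop."""
    def check(item):
        host, text = item
        return host, privileged_processes(text, domain, watch_users)

    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = pool.map(check, hosts_output.items())
    return {host: hits for host, hits in results if hits}


if __name__ == "__main__":
    exposed = sweep(SAMPLE_TASKLIST, "CORP", ["adm-backup", "adm-dba"])
    for host, hits in exposed.items():
        for image, user in hits:
            print(f"{host}: {user} owns {image}")
```

The matching is case-insensitive on both domain and user because Windows prints them in whatever case the logon used; the 25-column slice for the image name avoids the `System Idle Process` pitfall of splitting on whitespace. In practice the thread count and a per-host timeout, as in the post, are what keep a sweep over a WAN from stalling on one unresponsive host.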

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Nov 09, 2012 6:50 am

Re: New tool for finding domain admins for token theft

Thanks!  I'll definitely give it a look.
~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Nov 09, 2012 8:26 am

Re: New tool for finding domain admins for token theft

Sweet, can think of plenty of times where this would have been helpful. Will test it out next opportunity I get.
