Nytro Posted March 26, 2015

Scripting Metasploit for a Real-Life Pentest
March 25, 2015
Ionuț Ambrosie

During a recent internal penetration test, we got to the point where we had to search a lot of Windows machines for Domain Admin tokens. Of course, our objective was to impersonate such a (delegation) token with Metasploit and create our own Domain Admin user.

Since the search space was quite large, we had to automate this task by creating a custom Metasploit script. In this post we detail the creation of this script and its results.

A bit of context

During our penetration test we’ve managed to obtain the credentials of a privileged user. This user, let’s call him Robert, had local administrative rights on multiple workstations in the Windows domain.

Furthermore, we’ve managed to create a low privileged domain user, which we’ll further denote by OurUser, but we were not able to add it to the Domain Admins group.

However, we came up with the idea of using Robert’s credentials to log in to as many hosts as possible and hope we can impersonate a more privileged user. By leveraging its privileges, we hoped we would be able to add OurUser to the Domain Admins group.

We’ve used the SMB Login Check Scanner in Metasploit for determining the range of hosts in the local domain which allowed us access with Robert’s credentials. Armed with this list, we were faced with the Sisyphean task of connecting to each host and, using a combination of psexec_psh and reverse_tcp, opening a meterpreter shell and then issuing the appropriate commands.

Full article: Scripting Metasploit for a Real-Life Pentest – Security Café
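The post describes lateral movement with psexec_psh, which installs a short-lived Windows service whose image path runs PowerShell with an encoded command. The defender-side counterpart is a check over service-installation events (Windows System log, Event ID 7045) for exactly that artefact. The script below is an added example, not code from the forum post or from the Security Café article; the `host|event_id|service_name|image_path` layout and all sample events are constructed for the example and do not correspond to any real export format.

```python
"""Flag service-installation events that look like PowerShell-based psexec
lateral movement. Added example; the event layout and samples are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# PowerShell's -EncodedCommand expects Base64 of UTF-16LE text; we build a
# harmless constructed payload the same way so the sample decodes cleanly.
_SAMPLE_CMD = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")
).decode()

# Constructed sample events: "host|event_id|service_name|image_path".
# Only the last one carries the PowerShell-service artefact.
SAMPLE_EVENTS = [
    "WS01|7045|Spooler|C:\\Windows\\System32\\spoolsv.exe",
    "WS01|7036|Spooler|",  # service state change, not an installation
    "WS02|7045|BackupAgent|C:\\Program Files\\Backup\\agent.exe -service",
    "WS03|7045|kQdXmZpL|%COMSPEC% /b /c start /b /min powershell.exe "
    f"-nop -w hidden -e {_SAMPLE_CMD}",
]

# -e / -ec / -enc / -encodedcommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)


@dataclass
class Finding:
    host: str
    service: str
    reasons: List[str]
    decoded: Optional[str]


def looks_random(name: str) -> bool:
    """Heuristic for auto-generated service names: long with many case flips."""
    switches = sum(
        1 for a, b in zip(name, name[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return len(name) >= 8 and switches >= 5


def decode_encoded_command(blob: str) -> Optional[str]:
    """Recover the plaintext of a PowerShell -EncodedCommand argument."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_event(line: str) -> Optional[Finding]:
    """Return a Finding for a 7045 event whose image path runs PowerShell."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    host, event_id, service, image = parts
    if event_id != "7045":
        return None

    reasons: List[str] = []
    decoded = None
    low = image.lower()
    if "powershell" in low:
        reasons.append("service image is PowerShell")
    if "-nop" in low or "-w hidden" in low:
        reasons.append("no-profile / hidden-window switches")
    match = ENCODED_FLAG.search(image)
    if match:
        reasons.append("encoded command")
        decoded = decode_encoded_command(match.group(1))
    if not reasons:
        return None  # ordinary service install, nothing to report
    if looks_random(service):
        reasons.append("auto-generated-looking service name")
    return Finding(host, service, reasons, decoded)


def scan(lines: List[str]) -> List[Finding]:
    """Run inspect_event over a batch of log lines, keeping only hits."""
    return [f for f in (inspect_event(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: service {f.service!r} flagged ({', '.join(f.reasons)})")
        if f.decoded:
            print("  decoded command:", f.decoded)
```

Decoding the `-EncodedCommand` blob is what turns an alert into something an analyst can triage: the plaintext shows whether the service launched a staged reverse shell or a legitimate administration script, and the random-looking service name is kept as a supporting reason rather than a trigger on its own, since plenty of benign services have long mixed-case names.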
WarLord Posted March 26, 2015

Nice article, and the KPMG guys have a great team.