We would like to report a new technique (we call it #pass-the-token) and a tool made for use it by us.
DARKEXEC
This tool and techinique steals windows access tokens, bypassing restriction between user's context without getting passwords or dumping others authentication-mechanism grants...
Using this, it leads to full access all user's resources (filesystem, registry, memory) and obviously all the others authentication-mechanism-grants already held by that user.
The tool-project went out mainly for:
“Administrative” and academic purposes, just think about those billions things n'configs you can't make without being inside own user's context. hell, yeah..
“Evil” purposes instead... just wonder how bad it will be, directly accessing some windows domain network or, effectively in a post-exploitation scenario, gaining access with an account fully-privileged on the local system but without any grant on any interesting remote resource.. and maybe on to the same machine, or being able to access some others, where others have....
Implementing and testing it, we've found this new technique (pass-the-token) reliable and simple, fully offering all capabilities held by the user such as smb, kerberos, and any.. in the same situation/assumption involved dumping memory...
Take a look at references and try our tool @
www.blackmath.itany opinion about it, it's really appreciate!
