Topic: DARKEXEC, a new way to surf'n a Domain! #TokenStealing, #UserImpersonation


Offline blackmath

  • NULL
  • Posts: 3
  • Cookies: 2
We would like to report a new technique (we call it #pass-the-token) and a tool we made to use it.

DARKEXEC

This tool and technique steals Windows access tokens, bypassing the restrictions between users' contexts without getting passwords or dumping other authentication-mechanism grants...
Using this leads to full access to all of the user's resources (filesystem, registry, memory) and, obviously, all the other authentication-mechanism grants already held by that user.

The tool-project went out mainly for:

“Administrative” and academic purposes: just think about those billions of things and configs you can't do without being inside the user's own context. Hell, yeah..

“Evil” purposes instead... just wonder how bad it will be, directly accessing some Windows domain network or, effectively in a post-exploitation scenario, gaining access with an account fully privileged on the local system but without any grant on any interesting remote resource.. and maybe on the same machine, or being able to access some others, where others have....

Implementing and testing it, we've found this new technique (pass-the-token) reliable and simple, fully offering all the capabilities held by the user, such as SMB, Kerberos, and any other.. under the same situation/assumptions involved in dumping memory...

Take a look at the references and try our tool @ www.blackmath.it
Any opinion about it is really appreciated! 
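Reusing another user's token, as described in this post, requires the calling logon to hold privileges such as SeDebugPrivilege (to open other users' processes) and SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (to run under the taken token). Windows records the privileges granted to a new logon in Security event 4672, so a defender can watch for ordinary user accounts receiving them. The following detection script is an added example written for this thread, not code from the DARKEXEC authors or their tool; the event records are constructed sample data in the shape of a JSON-lines export of the Security log, and the set of accounts for which these privileges are considered routine is an assumption to be tuned per environment.

```python
"""Flag logons that receive token-manipulation privileges (Security event 4672).

Added example for defenders, not part of the DARKEXEC project.
"""
import json

# Privileges that let a process open another user's process and reuse its
# access token (SeDebugPrivilege) or execute under a token it did not log on
# with (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege).
TOKEN_PRIVILEGES = {
    "SeDebugPrivilege",
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Assumption: built-in service identities hold these privileges by design and
# should not alert. Tune this set for the environment being monitored.
EXPECTED_HOLDERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample export (JSON lines, one Security event per line).
# These are not real log records; the logon IDs and names are made up.
SAMPLE_EXPORT = """\
{"EventID": 4672, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7", "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege"}
{"EventID": 4672, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "SubjectLogonId": "0x5a1c2", "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege SeBackupPrivilege"}
{"EventID": 4672, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP", "SubjectLogonId": "0x61b77", "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"}
{"EventID": 4624, "TargetUserName": "asmith", "TargetDomainName": "CORP", "LogonType": "2", "TargetLogonId": "0x70f0a"}
"""


def load_events(text):
    """Parse a JSON-lines export into a list of event dictionaries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_logons(events, expected=EXPECTED_HOLDERS):
    """Return 4672 events where a non-expected account got token privileges.

    Each hit records the account, its logon ID (useful for correlating later
    4624/4688 events from the same session) and the privileges of concern.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4672:
            continue  # only "Special privileges assigned to new logon"
        account = ev["SubjectUserName"]
        if account.upper() in expected:
            continue  # routine for built-in service identities
        granted = set(ev["PrivilegeList"].split()) & TOKEN_PRIVILEGES
        if granted:
            hits.append({
                "account": f'{ev["SubjectDomainName"]}\\{account}',
                "logon_id": ev["SubjectLogonId"],
                "privileges": sorted(granted),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_logons(load_events(SAMPLE_EXPORT)):
        print(f'{hit["account"]} (logon {hit["logon_id"]}): '
              f'{", ".join(hit["privileges"])}')
```

On the sample data only the interactive CORP\jdoe logon is reported, since the SYSTEM logon is expected and the backup service account received no token-related privilege. In practice the logon ID from each hit is the pivot for the next question: which processes (event 4688) and which outbound network logons appeared under that session afterwards.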


Offline blindfuzzy

  • VIP
  • Peasant
  • Posts: 86
  • Cookies: 34
Interesting, you guys are Italian?

Offline blackmath

  • NULL
  • Posts: 3
  • Cookies: 2
Yes, we are ;)

Offline white_noise

  • Serf
  • Posts: 21
  • Cookies: -5
This looks interesting. I'll check it out  :)

Offline blackmath

  • NULL
  • Posts: 3
  • Cookies: 2
The newer version 1.2 is now out.
 
This is what's new:
 
• New access token search engine. Now all the users' access tokens available on the machine, with the highest privileges, are listed and ready to be used.
• New named-pipe service; fixed a buffer I/O issue that was causing blocking output.
• Embedded the dex.exe code into the dexsvc service; the latter is also called recursively as an executable.
• Usage simplified by defaulting arguments when missing.
• Bug fixes.
 
 :)