Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/exploit/windows/local/ms16_reflection.md
Views: 11789
Introduction
This module will abuse the SeImperonsate privilege commonly found in services due to the requirement to impersonate a client upon authentication. As such it is possible to impersonate the SYSTEM account and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM attack at which intercepts the hash and relay responses from RPC to be able to establish a handle to a new SYSTEM token. Some caveats : Set your target option to match the architecture of your Meterpreter session, else it will inject the wrong architecture DLL into the process of a separate architecture. Additionally, after you have established a session, you must use incognito to imperonsate the SYSTEM Token.
Usage
You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the payload
and session
options, in addition to architecture.
Your user at which you are trying to exploit must have SeImpersonate
privileges.
The module has a hardcoded timeout of 20 seconds, as the attack may not work immediately and take a few seconds to start. Also, check to make sure port 6666 is inherently not in use else the exploit will not run properly