DARKEXEC, a new way to surf'n a Domain!

[blackMath]

We would like to report a new technique (pass-the-token) and a tool made for use it by us.

DARKEXEC

This tool and techinque steals windows access tokens, bypassing restriction between user's context without getting passwords or dumping others authentication-mechanism grants...
Using this, it leads to full access all user's resources (filesystem, registry, memory) and obviously all the others authentication-mechanism-grants already held by that user.

The tool-project went out mainly for:

“Administrative” and academic purposes, just think about those billions things n'configs you can't make without being inside own user's context. hell, yeah..

“Evil” purposes instead... just wonder how bad it will be, directly accessing some windows domain network or, effectively in a post-exploitation scenario, gaining access with an account fully-privileged on the local system but without any grant on any interesting remote resource.. and maybe on to the same machine, or being able to access some others, where others have....

Implementing and testing it, we've found this new technique (pass-the-token) reliable and simple, fully offering all capabilities held by the user such as smb, kerberos, and any.. in the same situation/assumption involved dumping memory...

Take a look at references and try our tool @ www.blackmath.it

any opinion about it, it's really appreciate!

[cooper]

Source code...?

[digip]

Pass the hash rebranded?

[blackMath]

Hi Cooper sorry for the delay at the answer, as you can see above this is really a POC, we are rushing to complete a final release, to be published with the code. Actually the sources are really confusing, uncommented, written quickly and misses some fundamental core parts we are working on! We hope to release all soon but meanwhile, in few days, you can find the complete winAPI function mechanism it uses, updated on our site.

@digip

Passes-the-hash means using (smb or others) hashes of password instead of password itself.
Darkexec works on windows access tokens, that are structure completely different by the hashes... in the specific wins create a token after every succeeded logon and use it like a reference for the completely security context of the user itself.

[cooper]

Which is pass-the-hash just not using a hash but a structure reference. Same difference, but if this gets you access to different parts of the system where current pass-the-hash programs fail to tread you're doing useful work.

[blackMath]

It's now out the newer version 1.2

These are the news :

• New access Token search engine. Now all available Users access token on the machine, with highest privileges, are listed and ready to be used.
• New named-pipe service, fixed buffer I/O issue where causing blocking output
• Embedded dex.exe code into dexsvc service, last one is called recursively as executable too.
• Usage simplified defaulting arguments when missing

• Bug Fixes

[cooper]

Source code...?

[sud0nick]

Source code...?

[blackMath]

Sorry guys, no code will be released at the moment because we are still working on.... 

new version was released a couple of days ago with a full demonstration video, please try it and have fun!

21.07.16 Released Darkexec ver 1.3
• New token output provides Domain\Username, Session, Impersonation Level, Process ID, Thred ID 
• No more windows displayed in loopback connections
• Fixed setting ACL in Interactive mode
• Asks session number if is not passed by
• Improved dynamic-lenght buffer for output
• Improved Token search engine performance 
• Improved more detailed Error Handling 
• Now working on "WORKGROUP" machines too
• Bug fixes

http://www.blackmath.it