blackMath Posted November 10, 2015

We would like to report a new technique (pass-the-token) and a tool we made to use it.

DARKEXEC

This tool and technique steals Windows access tokens, bypassing the restriction between users' contexts without getting passwords or dumping other authentication-mechanism grants... Using this, it leads to full access to all the user's resources (filesystem, registry, memory) and obviously all the other authentication-mechanism grants already held by that user.

The tool/project came out mainly for:

"Administrative" and academic purposes: just think about those billions of things and configs you can't make without being inside the user's own context. hell, yeah..

"Evil" purposes instead... just wonder how bad it will be, directly accessing some Windows domain network or, effectively in a post-exploitation scenario, gaining access with an account fully privileged on the local system but without any grant on any interesting remote resource.. and maybe on the same machine, or being able to access some others, where others have....

Implementing and testing it, we've found this new technique (pass-the-token) reliable and simple, fully offering all capabilities held by the user such as SMB, Kerberos, and any.. in the same situation/assumption involved in dumping memory...

Take a look at the references and try our tool @ www.blackmath.it; any opinion about it is really appreciated!
cooper Posted November 11, 2015

Source code...?
digip Posted November 13, 2015

Pass the hash rebranded?
blackMath Posted November 13, 2015 (Author)

Hi Cooper, sorry for the delay in answering. As you can see above, this is really a POC; we are rushing to complete a final release, to be published with the code. Actually the sources are really confusing, uncommented, written quickly and miss some fundamental core parts we are working on! We hope to release it all soon, but meanwhile, in a few days, you can find the complete WinAPI function mechanism it uses, updated on our site.

@digip Pass-the-hash means using (SMB or other) hashes of the password instead of the password itself. Darkexec works on Windows access tokens, which are structures completely different from the hashes... specifically, Windows creates a token after every successful logon and uses it as a reference for the complete security context of the user itself.
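What such a token actually carries can be inspected on any Windows host. The PowerShell audit below is an added example, not part of Darkexec or of this thread; it reads only the current process's own token (through .NET's WindowsIdentity and whoami /priv) and flags the privileges a process would need in order to reach other users' tokens, which is the setting a hardening review of service accounts should look for. The set of flagged privilege names is the editor's selection, not something the thread lists.

```powershell
# Added example: inspect the access token Windows issued to the current logon
# and flag the privileges that allow cross-user token access.
# Not Darkexec code; only .NET WindowsIdentity and whoami.exe are used.

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Core of the token: who it represents and how the logon was authenticated.
$summary = [ordered]@{
    User               = $id.Name
    Sid                = $id.User.Value
    AuthenticationType = $id.AuthenticationType   # e.g. Kerberos, NTLM, Negotiate
    ImpersonationLevel = $id.ImpersonationLevel   # None for a primary token
    IsSystem           = $id.IsSystem
    GroupCount         = $id.Groups.Count         # group SIDs carried in the token
}
[pscustomobject]$summary | Format-List

# Privileges a token-stealing tool relies on (editor's selection). Any of
# these held by a low-trust service account is worth a finding.
$sensitive = @(
    'SeDebugPrivilege',              # open any process and read its token
    'SeImpersonatePrivilege',        # impersonate a client after authentication
    'SeAssignPrimaryTokenPrivilege', # replace a process-level token
    'SeTcbPrivilege'                 # act as part of the operating system
)

# whoami /priv lists every privilege in this token and whether it is enabled.
$privs = whoami /priv /fo csv | ConvertFrom-Csv

$findings = $privs |
    Where-Object { $sensitive -contains $_.'Privilege Name' } |
    Select-Object @{n = 'Privilege'; e = { $_.'Privilege Name' }},
                  @{n = 'State';     e = { $_.State }}

if ($findings) {
    Write-Output 'Token holds privileges that enable cross-user token access:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No token-manipulation privileges present in this token.'
}
```

Run it under the account a service actually uses (for example from a scheduled task), since the interesting result is what a non-interactive service token holds, not what an administrator's console shows.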
cooper Posted November 16, 2015

Which is pass-the-hash, just not using a hash but a structure reference. Same difference, but if this gets you access to different parts of the system where current pass-the-hash programs fail to tread, you're doing useful work.
blackMath Posted January 26, 2016 (Author)

The newer version 1.2 is now out. These are the news:
• New access token search engine. Now all available users' access tokens on the machine, with the highest privileges, are listed and ready to be used.
• New named-pipe service; fixed buffer I/O issue that was causing blocking output
• Embedded dex.exe code into the dexsvc service; the latter is called recursively as an executable too.
• Usage simplified by defaulting arguments when missing
• Bug fixes
cooper Posted January 27, 2016

Source code...?
sud0nick Posted January 27, 2016

Source code...?
blackMath Posted July 23, 2016 (Author)

Sorry guys, no code will be released at the moment because we are still working on it.... A new version was released a couple of days ago with a full demonstration video, please try it and have fun!

21.07.16 Released Darkexec ver 1.3
• New token output provides Domain\Username, Session, Impersonation Level, Process ID, Thread ID
• No more windows displayed in loopback connections
• Fixed setting ACL in Interactive mode
• Asks for the session number if it is not passed
• Improved dynamic-length buffer for output
• Improved token search engine performance
• Improved, more detailed error handling
• Now working on "WORKGROUP" machines too
• Bug fixes

http://www.blackmath.it