Scripting Metasploit for a Real-Life Pentest

During a recent internal penetration test, we got to the point where we had to search a lot of Windows machines for Domain Admin tokens. Of course, our objective was to impersonate such a  (delegation) token with Metasploit and create our own Domain Admin user.

Since the search space was quite large, we had to automate this task by creating a custom Metasploit script. In this post we describe the process of creating and running such a script.

A bit of context

During our penetration test we’ve managed to obtain the credentials of a privileged user. This user, let’s call him Robert, had local administrative rights on multiple workstations in the Windows domain.

Using Robert’s credentials, we managed to create a low privileged domain user, which we’ll further denote by OurUser, but we were not able to add it to the Domain Admins group.

Continue reading