Token impersonation

Windows access tokens are integral to Microsoft's authentication, access control and single sign-on (SSO) model and are created and managed by the Local Security Authority Subsystem Service (LSASS). They are temporary keys that allow you to access the system and network without having to provide credentials each time you access a file. There are two types of tokens: delegate and impersonate:

  • Delegate tokens are created for ‘interactive’ logons, such as logging into the machine or connecting to it via Remote Desktop.

  • Impersonate tokens are for ‘non-interactive’ sessions, such as attaching a network drive or a domain logon script.

The other great thing about tokens? They persist until a reboot. When a user logs off, their delegate token is reported as an impersonate token, but it still holds all of the rights of a delegate token.

  • TIP: File servers are virtual treasure troves of tokens, since most file servers are mounted as network-attached drives via domain logon scripts.
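The exposure this creates can be audited from the defender's side: interactive logons (and logons that report Delegation level) by privileged accounts leave delegate-level tokens on the host until it reboots. The script below is an added example, not part of the original page; it runs over constructed, simplified logon records (not real Windows event text) and a hypothetical list of high-value accounts, and reports which hosts currently hold such tokens.

```python
from collections import defaultdict

# Constructed, simplified successful-logon records (not real Windows event
# text): one key=value line per logon. LogonType 2 = Interactive,
# 10 = RemoteInteractive, 3 = Network, 5 = Service.
SAMPLE_LOGONS = """\
host=FS01 user=CORP\\alice type=3 level=Impersonation
host=FS01 user=CORP\\da_bob type=10 level=Delegation
host=FS01 user=CORP\\carol type=2 level=Delegation
host=WS07 user=CORP\\da_bob type=3 level=Impersonation
host=FS02 user=CORP\\svc_backup type=5 level=Delegation
"""

# Hypothetical high-value accounts for this environment (assumption).
PRIVILEGED = {"CORP\\da_bob", "CORP\\svc_backup"}

# Interactive-style logons leave a delegate-level token in LSASS until reboot.
INTERACTIVE_TYPES = {"2", "10", "11"}


def parse_logons(text):
    """Turn the key=value lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if {"host", "user", "type", "level"} <= set(fields):
            records.append(fields)
    return records


def exposed_tokens(records, privileged):
    """Return {host: sorted privileged users} whose logon left a delegate-level
    token: either an interactive logon type, or a logon that itself reports
    Delegation level (e.g. a service logon granted that right)."""
    exposure = defaultdict(set)
    for r in records:
        if r["user"] not in privileged:
            continue
        if r["type"] in INTERACTIVE_TYPES or r["level"] == "Delegation":
            exposure[r["host"]].add(r["user"])
    return {host: sorted(users) for host, users in exposure.items()}


if __name__ == "__main__":
    report = exposed_tokens(parse_logons(SAMPLE_LOGONS), PRIVILEGED)
    for host, users in sorted(report.items()):
        print(f"{host}: delegate-level token(s) for {', '.join(users)} persist until reboot")
```

Network logons (type 3) by the same admin are ignored, since they only leave an impersonate-level token; rebooting the flagged hosts, or keeping privileged accounts off file servers, clears the exposure.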

You can impersonate valid tokens on the system and become that specific user without ever having to worry about credentials or, for that matter, even hashes. During a penetration test this is especially useful, because tokens may allow local and/or domain privilege escalation, giving you alternate avenues with potentially elevated privileges to multiple systems. Now on to the attack: fire up Metasploit and get RCE on your victim (for example using psexec). Once you have a Meterpreter session, load the incognito extension:

meterpreter > load incognito
meterpreter > list_tokens -u

Find the user you want to impersonate and run:

impersonate_token domain\\user

Now, if you type for example shell and then whoami, you should see that you are impersonating that user.

If you want to revert back to the user you came in as, type:

rev2self
