Tokens are like cookies for computers. Just as a browser keeps cookies so that a site remembers who you are, the same kind of concept applies here.

Access Tokens

Access tokens are usually generated when a user authenticates to the system by providing their username and password, which they get checked by the Local Security Authority Subsystem Service (LSASS). If the user account is local, the LSASS will verify the credentials in its Security Account Manager (SAM). However, if the account is a domain account, the verification request will be sent to the domain controller to verify the user’s identity.

After the verification step is complete, the user is issued an access token that identifies their identity and privileges associated with their account.

The access token helps the system make security decisions determining the access level needed for the user to perform system-related operations.
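To make the last point concrete, the following added example (not code from the original write-up) models an access token and the access check the system performs against an object's DACL. The token structure, the ACE layout, the account and group names and the access-mask bits are all simplified, constructed assumptions; the decision rules mirror the Windows behaviour in outline: a NULL DACL protects nothing, an empty DACL grants nothing, entries are walked in order, a matching deny entry that overlaps the request wins immediately, and allow entries accumulate until the request is fully covered.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of a Windows access token and of the
# access check performed against an object's DACL. Names, groups and the
# access-mask bits below are constructed for illustration only.

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class AccessToken:
    user: str                    # account the token identifies, e.g. "CORP\\alice"
    groups: frozenset            # groups the account belongs to
    privileges: frozenset        # privileges such as "SeDebugPrivilege"
    token_type: str = "primary"  # "primary" (process) or "impersonation" (thread)

    def identities(self):
        """All trustees this token can match in a DACL: the user plus its groups."""
        return {self.user} | set(self.groups)


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the entry applies to
    mask: int      # access bits this entry grants or denies


def access_check(token, dacl, requested):
    """Decide whether `token` receives `requested` access to an object protected by `dacl`.

    NULL DACL -> everything granted; empty DACL -> nothing granted; ACEs walked in
    order (canonical order lists denies first); a matching deny that overlaps the
    request ends the check as denied; matching allows accumulate granted bits.
    """
    if dacl is None:
        return True
    identities = token.identities()
    granted = 0
    for ace in dacl:
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny":
            if ace.mask & requested:
                return False
        elif ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False


def impersonation_token_from(primary):
    """An impersonation token carries the identity of the primary token it came from.

    The access check never asks which process or thread holds a token, only whose
    identity it carries; that is the risk a leaked privileged token represents.
    """
    return AccessToken(primary.user, primary.groups, primary.privileges, "impersonation")


# Constructed object: readable by all users, fully controlled by Domain Admins,
# never writable by contractors even when they also hold an admin group.
FILE_DACL = [
    Ace("deny", "CORP\\Contractors", WRITE),
    Ace("allow", "CORP\\Domain Admins", FULL),
    Ace("allow", "BUILTIN\\Users", READ),
]

DA_TOKEN = AccessToken("CORP\\da-admin",
                       frozenset({"CORP\\Domain Admins", "BUILTIN\\Users"}),
                       frozenset({"SeDebugPrivilege", "SeBackupPrivilege"}))
USER_TOKEN = AccessToken("CORP\\bob", frozenset({"BUILTIN\\Users"}), frozenset())
CONTRACTOR_TOKEN = AccessToken("CORP\\eve",
                               frozenset({"CORP\\Contractors", "CORP\\Domain Admins"}),
                               frozenset())


def demo():
    """Return every decision in one dict so it can be inspected or asserted on."""
    stolen = impersonation_token_from(DA_TOKEN)
    return {
        "da_write": access_check(DA_TOKEN, FILE_DACL, READ | WRITE),
        "user_read": access_check(USER_TOKEN, FILE_DACL, READ),
        "user_write": access_check(USER_TOKEN, FILE_DACL, WRITE),
        "contractor_read": access_check(CONTRACTOR_TOKEN, FILE_DACL, READ),
        "contractor_write": access_check(CONTRACTOR_TOKEN, FILE_DACL, WRITE),
        "stolen_da_full": access_check(stolen, FILE_DACL, FULL),
        "empty_dacl": access_check(DA_TOKEN, [], READ),
        "null_dacl": access_check(USER_TOKEN, None, FULL),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {'GRANTED' if decision else 'DENIED'}")
```

The `contractor_*` cases show why ACE order matters: the deny entry blocks the write even though the same token also matches the Domain Admins allow entry, while a read request never touches the deny mask and is granted. The `stolen_da_full` case is the point of the section that follows: an impersonation token derived from the Domain Admin's primary token is indistinguishable, to the access check, from the Domain Admin.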

Token Types

There are two types of tokens related to the token impersonation technique — Delegation and Impersonation:

How to

We will assume in this scenario that we have compromised server1 and have gained local administrator privileges on that machine.

Next, we start post-exploitation recon on the compromised machine by running BloodHound to collect information about the domain, using its pre-built queries to identify active privileged sessions.


Since the Domain Admin has a session on the compromised machine already, we can use the impersonation token technique to steal the Domain Admin token. We will use the Incognito application for the impersonation part in two ways; one through the Incognito module on Metasploit and the other with the standalone application.

Method #1 Incognito Module on Metasploit (Linux)

Within Metasploit we can do Token Impersonation using a module named incognito.

We connect to the machine using the psexec module with the compromised credentials obtained in the exploitation phase. The compromised user is a local administrator:


Before we list the available tokens, we check whether the current user can view the domain controller's C$ share. First, we type the shell command to drop into a command prompt, then run dir followed by the domain controller's C$ path to list its contents.
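The two preconditions this walkthrough relies on, a Domain Admin session left on a member server and a PsExec-style connection as a local administrator, both leave a footprint in the Windows event logs. The following added detection example (not part of the original write-up) correlates a handful of constructed event records to surface them. The Event IDs are the real Windows ones (4624 logon, 4672 special privileges assigned to a new logon, 7045 service installed, the latter from the System log); the record layout, host names, accounts, logon IDs and timestamps are constructed and simplified for the example.

```python
# Added detection example, not code from the original write-up.
# Event IDs are real Windows IDs; the dict layout and all values are constructed.

INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
NETWORK_LOGON = 3                       # what an SMB/PsExec-style connection produces

# Constructed sample events, one dict per record, "time" in epoch seconds.
SAMPLE_EVENTS = [
    {"time": 100, "host": "server1", "id": 4624, "user": "CORP\\da-admin", "logon_type": 10, "logon_id": "0x3e7a1"},
    {"time": 100, "host": "server1", "id": 4672, "user": "CORP\\da-admin", "logon_id": "0x3e7a1"},
    {"time": 400, "host": "server1", "id": 4624, "user": "SERVER1\\localadmin", "logon_type": 3, "logon_id": "0x5b2c0"},
    {"time": 400, "host": "server1", "id": 4672, "user": "SERVER1\\localadmin", "logon_id": "0x5b2c0"},
    {"time": 403, "host": "server1", "id": 7045, "service": "xyzAbC", "image": "%SystemRoot%\\xyzAbC.exe"},
    {"time": 900, "host": "ws42", "id": 4624, "user": "CORP\\bob", "logon_type": 2, "logon_id": "0x77a10"},
    {"time": 950, "host": "dc01", "id": 4624, "user": "CORP\\da-admin", "logon_type": 10, "logon_id": "0x9901f"},
]

PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}   # assumed list of tier-0 accounts
TIER0_HOSTS = {"dc01"}                      # assumed hosts where those accounts may log on


def exposed_privileged_sessions(events, privileged=PRIVILEGED_ACCOUNTS, tier0=TIER0_HOSTS):
    """Privileged accounts logged on interactively to hosts outside tier 0.

    Such a session leaves a reusable token on that host, which is exactly what the
    BloodHound session queries above look for. Returns (host, user) pairs.
    """
    found = []
    for e in events:
        if (e["id"] == 4624 and e.get("logon_type") in INTERACTIVE_LOGON_TYPES
                and e["user"] in privileged and e["host"] not in tier0):
            found.append((e["host"], e["user"]))
    return found


def remote_service_installs(events, window=60):
    """Service installs (7045) preceded within `window` seconds on the same host by a
    network logon (4624 type 3) whose logon ID also received special privileges (4672).

    That sequence is the footprint of PsExec-style execution: authenticate over SMB
    as an administrator, then register a service that runs the payload.
    """
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda rec: rec["time"])
        privileged_ids = {rec["logon_id"] for rec in evs if rec["id"] == 4672}
        for svc in (rec for rec in evs if rec["id"] == 7045):
            for logon in evs:
                if (logon["id"] == 4624 and logon.get("logon_type") == NETWORK_LOGON
                        and logon["logon_id"] in privileged_ids
                        and 0 <= svc["time"] - logon["time"] <= window):
                    alerts.append({"host": host, "user": logon["user"],
                                   "logon_id": logon["logon_id"],
                                   "service": svc["service"], "image": svc["image"]})
    return alerts


if __name__ == "__main__":
    for host, user in exposed_privileged_sessions(SAMPLE_EVENTS):
        print(f"[session] {user} has an interactive session on non-tier-0 host {host}")
    for a in remote_service_installs(SAMPLE_EVENTS):
        print(f"[psexec?] {a['user']} ({a['logon_id']}) installed service {a['service']} "
              f"-> {a['image']} on {a['host']}")
```

The first rule is the preventive one: a Domain Admin session that only ever exists on tier-0 hosts leaves no token on a server like server1 to steal, so the interesting finding is the session, not the later theft. The second rule keys on the logon ID rather than the account name, because 4672 does not carry a logon type and 4624 does not say which privileges were assigned; joining the two on the logon ID is what distinguishes an administrative network logon that went on to install a service from ordinary file-share traffic.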