Wednesday, November 16, 2022

Domain Escalation with Token Impersonation | by Nairuz Abulhul | R3d Buck3T | Nov, 2022


DOMAIN ESCALATION

Token Impersonation with Delegation Tokens — MITRE ATT&CK — Access Token Manipulation T1134

Credit - simpson33

Token impersonation is a Windows post-exploitation technique that allows an attacker to steal the access token of a logged-on user on the system without knowing their credentials and impersonate them to perform operations with their privileges.

This technique is effective for lateral movement and privilege escalation; an attacker can obtain domain admin privileges if a logged-on user is a domain administrator. They can also use the impersonated tokens to pivot to other domain machines on the network. The impersonation technique requires the attacker to gain local admin privileges on the compromised machine to steal its tokens.

In this post, we will learn about token impersonation and how we can use it to perform domain escalation.

Table of Contents

  • Token Impersonation
  • Access Tokens
  • Token Types
  • Impersonation Demo

Access Tokens

Access tokens are usually generated when a user authenticates to the system by providing their username and password, which get checked by the Local Security Authority Subsystem Service (LSASS). If the user account is local, LSASS verifies the credentials against its Security Account Manager (SAM) database. However, if the account is a domain account, the verification request is sent to the domain controller to verify the user's identity.

After the verification step is complete, the user is issued an access token that identifies them and the privileges associated with their account.
The access token helps the system make security decisions, determining the access level the user has when performing system-related operations.

Token Types

There are two types of tokens related to the token impersonation technique — Delegation and Impersonation:

Delegation tokens are created when users interactively log in to a system using their credentials. The interactive logins can be physical (at the console) or remote, such as a Remote Desktop session over RDP or VNC.

Delegation tokens are used for domain escalation because they carry authentication credentials; attackers can steal high-privileged tokens and use them to perform privileged operations without knowing the actual credentials.

Impersonation tokens are created when users log in to a system non-interactively, like accessing a shared drive on the network. Users usually don't get prompted for credentials when accessing the share; instead, their existing tokens are used for the access.

Impersonation tokens are usually generated after the delegation tokens, because non-interactive authentication reuses credentials established by an earlier interactive authentication.

🔨Tools:

  • Bloodhound
  • Metasploit — PSexec module
  • Metasploit — Incognito module
  • Incognito — Standalone Application

🔥 Attack Demonstration

The lab setup for this demo consists of two (2) Windows 2016 machines; one is a domain controller (dc01.r3dlab.local), and the other is a development server (server01.r3dlab.local).

The attack scenario will demonstrate how attackers can escalate their domain privileges by stealing domain admins' delegation tokens. We'll assume in this scenario that I compromised the development server through social engineering techniques, like phishing or capturing the hashes and cracking them offline, and have gained local administrator privileges on the compromised machine.

Next, I started the post-exploitation recon on the compromised machine by running Bloodhound to collect information about the domain. I used Bloodhound pre-built and custom queries to identify active privileged sessions. I found that the domain admin had two active sessions — one on the compromised machine (Server01) and the other on the domain controller (dc01).

Pre-built query - Find all active Domain Admin sessions
Custom query - Find Domain Admin Logons to non-Domain Controllers
Figure 1 — identifying active domain admin sessions with Bloodhound. (Token Impersonation — R3duck3t.medium.com)
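The defender's side of the two points above (which logon types leave a delegation token behind, per the Token Types section, and the "Domain Admin logons to non-Domain Controllers" condition the Bloodhound query hunts for) can be checked from the Security event log itself. The following is an added example, not code from the original post: it parses constructed 4624 logon records in a flattened key=value form (an assumed SIEM-forwarder layout, not a Windows format) and reports domain-admin interactive sessions on hosts that are not domain controllers; the admin and DC lists are constructed stand-ins for AD group and site data.

```python
"""Spot domain-admin delegation-token sessions on non-DC hosts from 4624 events."""
import re
from collections import defaultdict

# Logon types from the 4624 event that create an interactive session on the host
# and therefore leave a delegation token behind; network logons (type 3 etc.)
# only produce impersonation tokens.
DELEGATION_LOGON_TYPES = {
    2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample records (not real log data); one event per line in a
# flattened key=value form similar to what a log forwarder might emit.
SAMPLE_LOG = """\
Computer=server01.r3dlab.local EventID=4624 TargetDomainName=R3DLAB TargetUserName=deb LogonType=10
Computer=server01.r3dlab.local EventID=4624 TargetDomainName=SERVER01 TargetUserName=localadmin LogonType=2
Computer=dc01.r3dlab.local EventID=4624 TargetDomainName=R3DLAB TargetUserName=deb LogonType=2
Computer=server01.r3dlab.local EventID=4624 TargetDomainName=R3DLAB TargetUserName=deb LogonType=3
Computer=server01.r3dlab.local EventID=4634 TargetDomainName=R3DLAB TargetUserName=deb LogonType=10
"""

# Constructed lists; in practice these come from AD group membership and DC inventory.
DOMAIN_ADMINS = {"R3DLAB\\deb"}
DOMAIN_CONTROLLERS = {"dc01.r3dlab.local"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict; LogonType becomes an int."""
    ev = dict(FIELD_RE.findall(line))
    if "LogonType" in ev:
        ev["LogonType"] = int(ev["LogonType"])
    return ev

def token_kind(logon_type):
    """Which token type a logon of this type leaves on the host."""
    return "delegation" if logon_type in DELEGATION_LOGON_TYPES else "impersonation"

def da_delegation_sessions(log, admins=DOMAIN_ADMINS, dcs=DOMAIN_CONTROLLERS):
    """Return {host: [admins]} for DA logons that leave delegation tokens on non-DCs."""
    hits = defaultdict(set)
    for line in log.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":  # only successful logons are of interest
            continue
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        if account in admins and ev["Computer"] not in dcs \
                and token_kind(ev["LogonType"]) == "delegation":
            hits[ev["Computer"]].add(account)
    return {host: sorted(users) for host, users in hits.items()}
```

Only the RDP (type 10) logon of the domain admin on server01 is reported; the type 3 network logon on the same host and the console logon on dc01 are not.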

Since the DA has a session on the compromised machine already, we can use the token impersonation technique to steal the DA token. We'll use the Incognito tool for the impersonation part in two ways; one through the Incognito module on Metasploit and the other with the standalone application. I'll demonstrate both methods for reference.

Method #1 Incognito Module on Metasploit

We connect to the machine using the Psexec module with the compromised credentials obtained in the exploitation phase. The compromised user is a local administrator.

Figure 2 — connecting to the server01 machine with the psexec module on Metasploit. (Token Impersonation — R3duck3t.medium.com)

Before we list the available tokens, we check whether the current user can view the domain controller's C$ share. First, we type the "shell" command to get into the command prompt (cmd), then the "dir" command followed by the UNC path of the domain controller's C drive to list its contents.

shell
dir \\192.168.128.152\C$

As expected, the local administrator doesn't have permission to connect to the DC directories.

Figure 3 — getting an access denied error with the current user permissions. (Token Impersonation — R3duck3t.medium.com)

Next, we exit the cmd prompt by typing "exit" to return to the meterpreter session and load the incognito module to list the available tokens on the machine (Server01).

exit
load incognito
list_tokens -u

Figure 4 — loading the incognito module and listing available tokens. (Token Impersonation — R3duck3t.medium.com)

As seen in the screenshot above, we have a delegation token for the domain administrator (r3dlab\deb). This means that the domain admin had logged into the machine interactively at some point using their credentials.

To take advantage of the DA token, we will run the "impersonate_token" command with the domain admin's name to impersonate their account.

💡 Make sure that you have double backslashes between the domain name and the username.

impersonate_token r3dlab\\deb

As seen below, with the new impersonated privileges, we can view the directory's contents on the domain controller as the domain admin.

Figure 5 — listing the C directory on the domain controller. (Token Impersonation — R3duck3t.medium.com)

Method #2 — Incognito Standalone Application

The second method uses the standalone application by FSecureLab on GitHub (link to the compiled version).

We need to open a PowerShell or cmd prompt as an administrator and run the application with the list_tokens command to list the available tokens.

.\incognito.exe list_tokens -u

Figure 6 — listing all available tokens with incognito.exe (Token Impersonation — R3duck3t.medium.com)

As in the first method, when accessing the C directory on the domain controller with the current permissions, we get an "Access denied" error.

Figure 7 — getting an access denied error with the current user permissions. (Token Impersonation — R3duck3t.medium.com)

Next, we run the application with the "execute" command, providing the username we want to impersonate and the path of the program to launch with the privileges of the impersonated user. Below I ran the cmd program.

.\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe

As seen below, the application ran and started a new cmd process with the DA's impersonated privileges, allowing us to view the "C$" directory contents on the DC.

Figure —

That's all for today; thanks for stopping by 😃.
