DOMAIN ESCALATION
Token Impersonation with Delegation Tokens — MITRE ATT&CK — Access Token Manipulation T1134
Token impersonation is a Windows post-exploitation technique that allows an attacker to steal the access token of a user logged on to the system, without knowing that user's credentials, and impersonate them to perform operations with their privileges.
This technique is effective for lateral movement and privilege escalation: an attacker can obtain domain admin privileges if a logged-on user is a domain administrator. The impersonated tokens can also be used to pivot to other domain machines on the network. The technique requires the attacker to have local admin privileges on the compromised machine in order to steal its tokens.
In this post, we will look at token impersonation and how it can be used to perform domain escalation.
Table of Contents
- Token Impersonation
- Access Tokens
- Token Types
- Impersonation Demo
Access Tokens
Access tokens are usually generated when a user authenticates to the system by providing their username and password, which are checked by the Local Security Authority Subsystem Service (LSASS). If the user account is local, LSASS verifies the credentials against its Security Account Manager (SAM) database. If the account is a domain account, the verification request is sent to the domain controller to verify the user's identity.
After the verification step is complete, the user is issued an access token that identifies them and the privileges associated with their account.
The access token helps the system make security decisions by determining the access level the user has when performing system-related operations.
Token Types
There are two types of tokens relevant to the token impersonation technique, delegation tokens and impersonation tokens:
Delegation tokens are created when users log in to a system interactively using their credentials. The interactive login can be physical (at the console) or remote, such as Remote Desktop over RDP or VNC.
Delegation tokens are the ones used for domain escalation because they carry authentication credentials; attackers can steal high-privileged tokens and use them to perform privileged operations without knowing the actual credentials.
Impersonation tokens are created when users log in to a system non-interactively, such as when accessing a shared drive on the network. Users usually do not get prompted for credentials when accessing the share; instead, their existing token is used for the access.
Impersonation tokens are usually generated after the delegation tokens, since non-interactive authentication relies on credentials established by an earlier interactive authentication.
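As an added defensive example (not part of the original post), the check below maps Windows 4624 logon types to the two token kinds described above and flags privileged accounts that hold a delegation token on a non-domain-controller host, which is the same exposure the BloodHound query in the demo looks for. The event lines, the privileged-account list and the DC list are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows Security 4624 (successful logon) events, reduced
# to the fields this check needs. Not real log data.
SAMPLE_EVENTS = """\
EventID=4624 Computer=server01.r3dlab.local TargetDomainName=R3DLAB TargetUserName=deb LogonType=10
EventID=4624 Computer=server01.r3dlab.local TargetDomainName=R3DLAB TargetUserName=svc_build LogonType=3
EventID=4624 Computer=dc01.r3dlab.local TargetDomainName=R3DLAB TargetUserName=deb LogonType=2
EventID=4624 Computer=server01.r3dlab.local TargetDomainName=R3DLAB TargetUserName=jdoe LogonType=2
EventID=4625 Computer=server01.r3dlab.local TargetDomainName=R3DLAB TargetUserName=deb LogonType=10
"""

# Interactive (2), RemoteInteractive/RDP (10) and CachedInteractive (11) logons leave a
# delegation token on the host; a Network (3) logon only yields an impersonation token.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
NETWORK_LOGON_TYPES = {3}

# Assumed inputs (hypothetical for this example): privileged accounts and DC hostnames.
PRIVILEGED_ACCOUNTS = {"R3DLAB\\deb"}
DOMAIN_CONTROLLERS = {"dc01.r3dlab.local"}

@dataclass(frozen=True)
class Logon:
    host: str
    account: str
    logon_type: int

def parse_4624(text: str) -> list[Logon]:
    """Parse the constructed key=value event lines, keeping only successful logons."""
    logons = []
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if fields.get("EventID") != "4624":
            continue
        account = f"{fields['TargetDomainName']}\\{fields['TargetUserName']}"
        logons.append(Logon(fields["Computer"], account, int(fields["LogonType"])))
    return logons

def token_kind(logon: Logon) -> str:
    """Map a logon to the kind of token it leaves behind, as described in the post."""
    if logon.logon_type in INTERACTIVE_LOGON_TYPES:
        return "delegation"
    return "impersonation" if logon.logon_type in NETWORK_LOGON_TYPES else "other"

def find_exposed_delegation_tokens(text: str) -> list[Logon]:
    """Privileged accounts holding a delegation token on a non-DC host."""
    return [l for l in parse_4624(text) if token_kind(l) == "delegation"
            and l.account in PRIVILEGED_ACCOUNTS and l.host not in DOMAIN_CONTROLLERS]
```

On real data the same logic applies to 4624 events exported from the Security log; the interactive logon of a domain admin on a member server is the finding worth acting on.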
🔨Tools:
- Bloodhound
- Metasploit — PSexec module
- Metasploit — Incognito module
- Incognito — Standalone Application
🔥 Attack Demonstration
The lab setup for this demo consists of two (2) Windows 2016 machines: one is a domain controller (dc01.r3dlab.local), and the other is a development server (server01.r3dlab.local).
The attack scenario demonstrates how attackers can escalate their domain privileges by stealing domain admins' delegation tokens. We assume in this scenario that I compromised the development server through social engineering techniques, like phishing or capturing the hashes and cracking them offline, and have gained local administrator privileges on the compromised machine.
Next, I started post-exploitation recon on the compromised machine by running Bloodhound to collect information about the domain. I used Bloodhound pre-built and custom queries to identify active privileged sessions. I found that the domain admin had two active sessions: one on the compromised machine (Server01) and the other on the domain controller (dc01).
Pre-built query - Find all active Domain Admin sessions
Custom query - Find Domain Admin Logons to non-Domain Controllers
Since the DA already has a session on the compromised machine, we can use the token impersonation technique to steal the DA token. We will use the Incognito tool for the impersonation in two ways: via the Incognito module in Metasploit and with the standalone application. I will demonstrate both methods for reference.
Method #1: Incognito Module on Metasploit
We connect to the machine using the PsExec module with the compromised credentials obtained in the exploitation phase. The compromised user is a local administrator.
Before we list the available tokens, we check whether the current user can view the domain controller's C$ share. First, we type the "shell" command to get into the command prompt (cmd), then the "dir" command followed by the UNC path of the domain controller's C drive to list its contents.
shell
dir \\192.168.128.152\C$
As expected, the local administrator does not have permission to access the DC's directories.
Next, we exit the cmd prompt by typing "exit" to return to the Meterpreter session and load the incognito module to list the available tokens on the machine (Server01).
exit
load incognito
list_tokens -u
As seen in the screenshot above, we have a delegation token for the domain administrator (r3dlab\deb). This means that the domain admin has logged into the machine interactively at some point using their credentials.
To take advantage of the DA token, we run the "impersonate_token" command with the domain admin's name to impersonate their account.
💡Make sure that you use double backslashes between the domain name and the username.
impersonate_token r3dlab\\deb
As seen below, with the newly impersonated privileges, we can view the directory contents on the domain controller as the domain admin.
Method #2: Incognito Standalone Application
The second method uses the standalone application by FSecureLABS on GitHub (link to the compiled version).
We need to open a PowerShell or cmd prompt as an administrator and run the application with the list_tokens command to list the available tokens.
.\incognito.exe list_tokens -u
As in the first method, when accessing the C$ share on the domain controller with the current permissions, we get an "Access denied" error.
Next, we run the application with the "execute" command, providing the username we want to impersonate and the path of the program to launch with the privileges of the impersonated user. Below I ran the cmd program.
.\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe
As seen below, the application ran and started a new cmd process with the DA's impersonated privileges, allowing us to view the "C$" share contents on the DC.
That's all for today; thanks for stopping by 😃.