Access Tokens

Access tokens are created and managed by the Local Security Authority Subsystem Service (LSASS). They are generated by the winlogon.exe process when a user logs into Windows, are attached to the userinit.exe process, and contain data describing the identity and privileges of the user account. Every child process started by the user inherits a copy of the access token and therefore runs with the same privileges as the user. Access tokens thus control what a user can and cannot access on Windows; they are like session cookies.

Access tokens come in two security levels: impersonate-level and delegate-level tokens. Delegate-level tokens are the more dangerous of the two, because they are generated by an interactive logon (a normal logon to Windows, or a logon via RDP) and can be used to impersonate the user on any system. Impersonate-level tokens are created by non-interactive logons and can only be used to impersonate the user on the local system.

In order to impersonate access tokens as a way of gaining an elevated session, the user we obtained the initial shell as needs specific privileges. The most useful of these is SeImpersonatePrivilege, which allows a user to create a process under the security context of another user, typically one with admin privileges. SeAssignPrimaryTokenPrivilege lets a user impersonate access tokens, and SeCreateTokenPrivilege lets a user create arbitrary tokens which have administrative privileges.

Which access tokens can be impersonated depends on which tokens are available on the system. To find them, we can load the incognito module in a meterpreter session:

    load incognito

We will see the Delegation and Impersonation tokens which are available. If none are available, we can try a potato attack to create one. This section does not cover potato attacks; we are focusing on impersonating the tokens which are already available.

Incognito Module

Once we have gained a meterpreter session, we can use:

    load incognito

and then:

    list_tokens -u

The -u flag lists the available tokens by user. If we see a user we would like to impersonate, we can use:

    impersonate_token "ATTACKDEFENCE\Administrator"

We typically want to impersonate accounts which have higher privileges than our current session, but if other low-privilege user tokens are available it can be useful to impersonate them for horizontal movement across the system: once we have moved horizontally to a different user, we might find useful data or further privilege escalation opportunities.

Once we have impersonated an access token, it is useful to run:

    list_tokens -u

again to see whether any further access tokens, such as NT AUTHORITY\SYSTEM, have become available, as we can impersonate these newly available tokens too.
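The tokens incognito lists are only there because someone logged on and left them, so from the defensive side the question is which hosts hold a delegate-level token for a privileged account. The Python below is an added example (not part of the original notes and not a Metasploit component): it parses constructed Event ID 4624 successful-logon records, applies the notes' rule that interactive logons leave delegate-level tokens (generalised to every interactive logon type, not only console and RDP), and reports hosts where a watchlisted account such as ATTACKDEFENCE\Administrator has left one. The record layout, host names and the svc_backup and jsmith accounts are constructed for the sample.

```python
import re

# Added example, not from the original notes. Interactive logon types
# (2 console, 7 unlock, 10 RDP, 11 cached) leave delegate-level tokens; the
# rest (3 network, 4 batch, 5 service) leave impersonate-level tokens.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

# Constructed sample of three successful-logon (Event ID 4624) records in the
# field-per-line layout Event Viewer shows, trimmed to the fields we need.
SAMPLE_EVENTS = """\
Computer: WS01
Logon Type:\t10
Account Name:\tAdministrator
Account Domain:\tATTACKDEFENCE
----
Computer: WS01
Logon Type:\t3
Account Name:\tsvc_backup
Account Domain:\tATTACKDEFENCE
----
Computer: SRV02
Logon Type:\t2
Account Name:\tjsmith
Account Domain:\tATTACKDEFENCE
"""

# Constructed watchlist: accounts whose delegate token must never sit on a workstation.
PRIVILEGED = {"ATTACKDEFENCE\\Administrator"}
FIELD = re.compile(r"^([A-Za-z ]+):\t(.+)$", re.M)

def parse_events(text):
    """Split the dump on '----' and turn each record's fields into a dict."""
    events = []
    for block in text.split("----"):
        fields = dict(FIELD.findall(block))
        host = re.search(r"Computer: (\S+)", block)
        if not fields or host is None:
            continue
        events.append({"host": host.group(1), "logon_type": int(fields["Logon Type"]),
                       "user": f"{fields['Account Domain']}\\{fields['Account Name']}"})
    return events

def token_level(logon_type):
    """Token level a logon of this type leaves behind, per the notes above."""
    return "delegate" if logon_type in INTERACTIVE_LOGON_TYPES else "impersonate"

def exposed_delegate_tokens(events, watchlist=PRIVILEGED):
    """(host, user) pairs where a watched account has left a delegate token."""
    return [(e["host"], e["user"]) for e in events
            if token_level(e["logon_type"]) == "delegate" and e["user"] in watchlist]
```

On the sample, only WS01 is flagged: the Administrator RDP logon (type 10) leaves a delegate token, while the svc_backup network logon (type 3) leaves an impersonate-level one and jsmith is not on the watchlist.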