Token Impersonation

Tokens

  • like cookies for computers

  • temporary keys that allow you to access a system/network without providing credentials each time

  • Two types

    • Delegate

      • created for logging in or using remote desktop

    • Impersonate

      • non-interactive, such as attaching a network drive or a logon script

Attack

Metasploit

  • Get a meterpreter shell

  • load incognito

    • list_tokens -u

    • impersonate_token [user listed] (e.g. marvel\fcastle)

    • shell

  • once we have been able to get local admin on a machine, we can add a user for our benefit

Defense

  • Limit user/group token creation permission

  • Account tiering

  • Local admin restriction
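
A detection-side check for the account tiering defense, added here as an example and not part of the original notes: it flags interactive and Remote Desktop logons (the ones that leave delegate tokens) made by an account of a more privileged tier than the host. The tier maps, host names, the extra account names and the event records are constructed assumptions; logon types 2 and 10 are the standard values in Windows Security event 4624.

```python
# Event 4624 logon types that leave a delegate token
# (interactive logon or Remote Desktop), per the Tokens notes above.
DELEGATE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive"}

# Assumed tier model (hypothetical names): 0 = domain controllers and
# domain admins, 1 = servers, 2 = workstations.
ACCOUNT_TIER = {r"marvel\administrator": 0, r"marvel\svc_sql": 1, r"marvel\fcastle": 2}
HOST_TIER = {"DC01": 0, "SQL01": 1, "WKSTN-07": 2}

# Constructed sample records with fields as found in 4624 events (not real logs).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": r"MARVEL\Administrator", "logon_type": 10},
    {"host": "WKSTN-07", "user": r"MARVEL\Administrator", "logon_type": 10},
    {"host": "WKSTN-07", "user": r"MARVEL\fcastle", "logon_type": 2},
    {"host": "WKSTN-07", "user": r"MARVEL\svc_sql", "logon_type": 3},
    {"host": "SQL01", "user": r"MARVEL\Administrator", "logon_type": 2},
    {"host": "LAB-99", "user": r"MARVEL\svc_sql", "logon_type": 2},
]


def tiering_violations(events, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Return delegate-token logons where the account outranks the host."""
    findings = []
    for ev in events:
        kind = DELEGATE_LOGON_TYPES.get(ev["logon_type"])
        if kind is None:
            continue  # not an interactive or RDP logon; out of scope here
        user = ev["user"].lower()
        a_tier = account_tier.get(user)
        if a_tier is None:
            continue  # account is not in the tier model
        # Hosts missing from the model are treated as the least trusted tier.
        h_tier = host_tier.get(ev["host"].upper(), max(host_tier.values()))
        if a_tier < h_tier:  # lower number = more privileged
            findings.append((ev["host"], user, kind, a_tier, h_tier))
    return findings


if __name__ == "__main__":
    for host, user, kind, a_tier, h_tier in tiering_violations(SAMPLE_EVENTS):
        print(f"{host}: tier-{a_tier} account {user} left a delegate token "
              f"({kind} logon) on a tier-{h_tier} host")
```

Each finding is a session to log off and a credential to consider exposed, since any local admin on that host could have listed and used the token.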
