DOMAIN ESCALATION

Domain Escalation with Token Impersonation

Token Impersonation with Delegation Tokens — MITRE ATT&ACK — Access Token Manipulation T1134

Credit- simpson33

Token impersonation is a Windows post-exploitation technique that allows an attacker to steal the access token of a logged-on user on the system without knowing their credentials and impersonate them to perform operations with their privileges.

This technique is effective for lateral movement and privilege escalation; an attacker can obtain domain admin privileges if a logged-on user is a domain administrator. They can also use the impersonated tokens to pivot to other domain machines on the network. The impersonation technique requires the attacker to gain local admin privileges on the compromised machine to steal its tokens.

In this post, we will learn about token impersonation and how we can use it to perform domain escalation.

Table of Contents

• Token Impersonation
• Access Tokens
• Token Types
• Impersonation Demo

Access Tokens

Access tokens are usually generated when a user authenticates to the system by providing their username and password, which they get checked by the Local Security Authority Subsystem Service (LSASS). If the user account is local, the LSASS will verify the credentials in its Security Account Manager (SAM). However, if the account is a domain account, the verification request will be sent to the domain controller to verify the user’s identity.

After the verification step is complete, the user is issued an access token that identifies their identity and privileges associated with their account.
The access token helps the system make security decisions determining the access level needed for the user to perform system-related operations.

Token Types

There are two types of tokens related to the token impersonation technique — Delegation and Impersonation:

Delegation tokens are created when users interactively login into a system using their credentials. The interactive logins can be physical or remote as a Remote Desktop with RDP or VNC.

Delegation tokens are used for domain escalation because they contain authentication credentials; attackers can steal high-privileged tokens and use them to perform privileged operations without knowing their actual credentials.

Impersonation tokens are created when users non-interactively login into a system, like accessing a shared drive on the network. Users usually don’t get prompted for credentials when accessing the share; instead, they use their tokens for the access.

Impersonation tokens are usually generated after the delegation tokens. Non-interactive authentication uses established credentials from an interactive authentication.

🔨Tools:

• Bloodhound
• Metasploit — PSexec module
• Metasploit — Incognito module
• Incognito — Standalone Application

🔥 Attack Demonstration

The lab setup for this demo consists of two (2) Windows 2016 machines; one is a domain controller (dc01.r3dlab.local), and the other is a development server (server01.r3dlab.local).

The attack scenario will demonstrate how attackers can escalate their domain privileges by stealing domain admins’ delegation tokens. We will assume in this scenario that I compromised the development server through social engineering techniques, like phishing or capturing the hashes and cracking them offline and have gained local administrator privileges on the compromised machine.

Next, I started the post-exploitation recon on the compromised machine by running Bloodhound to collect information about the domain. I used Bloodhound pre-built and custom queries to identify active privileged sessions. I found that the domain admin had two active sessions — one on the compromised machine (Server01) and the other on the domain controller (dc01).

Pre-built - Final all active Domain Admin sessions

Custom query - Find Domain Admin Logons to non-Domain Controllers

Figure 1 — identifying active domain admin sessions with Bloodhound.

Since the DA has a session on the compromised machine already, we can use the impersonation token technique to steal the DA token. We will use the Incognito application for the impersonation part in two ways; one through the Incognito module on Metasploit and the other with the standalone application. I’ll demonstrate both ways for reference.

Method #1 Incognito Module on Metasploit

We connect to the machine using the Psexec module with the compromised credentials obtained in the exploitation phase. The compromised user is a local administrator.

Figure 2— connecting to the server01 machine with the psexec module on Metasploit.

Before we list the available tokens, we check if the current user can view the domain controller C$ directory. First, we can type the “shell” command to get into the command line prompt (cmd), then the “dir” command followed by the domain controller C drive path to list its contents.

shell

dir \\192.168.128.152\C$

As expected, the local administrator doesn’t have permission to connect to the DC directories.

Figure 3- getting access denied error with the current user permissions.

Next, we exit the cmd prompt by typing “exit” to go back to the meterpreter session and load the incognito module to list the available tokens on the machine (Server01).

exit

load incognito

list_token -u

Figure 4 — loading the incognito module and listing available tokens.

As seen in the screenshot above, we have a delegation token for the domain administrator (r3dlab\deb). This means that the domain admin had logged into the machine interactively at some point using their credentials.

To take advantage of the DA token, we will run the “impersonate_token” command with the domain admin name to impersonate their account.

💡Ensure that you have double-forwarded slashes between the domain name and the username.

impersonate_token r3dlab\\deb

As seen below, with the new impersonated privileges, we can view the directory’s contents on the domain controller as the domain admin.

Figure 5 — listing the C directory on the domain controller.

Method #2 — Incognito Standalone Application

The second method uses the standalone application by FSecureLab in GitHub (link to the compiled version).

We need to open up a Powershell or cmd prompt as an administrator and run the application with the list_tokens command to list the available tokens.

.\incognito.exe list_tokens -u 

Figure 6 — listing all available tokens with incognito.exe

As in the first method, when accessing the C directory on the domain controller with current permissions, we get an “Access denied” error.

Figure 7 — getting access denied error with the current user permissions.

Next, we run the application with the “execute” command providing the username we want to impersonate and the program path to launch with the privileges of the impersonated user. Below I ran the cmd program.

.\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe

As seen below, the application ran and started a new cmd process with the DA impersonated privileges allowing us to view the “C$” directory contents on the DC.

Figure —

That’s all for today; thanks for stopping by 😃.

🔔 All used commands can be found at R3d-Buck3T — (Active Directory Methodology — Domain Escalation by Abusing Kerberos Delegation- Token Impersonations)

Resources

What is Access Token in Operating System — javatpoint

Security Implications of Windows Access Tokens — A Penetration Tester’s Guide by Luke Jennings

Token Impersonation Attack - Security Tutorials

Ldapwiki: Non-interactive

Fun with Incognito | Offensive Security

Network vs Interactive Logons

PayloadsAllTheThings/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThings

Windows & Active Directory Exploitation Cheat Sheet and Command Reference

Access Token Manipulation: Token Impersonation/Theft