Understanding Impersonation via Access Tokens

goswamiijaya, published in SecureBit, Sep 8, 2020 (4 min read)

Part of this article depends on the previous post, Escalating Privileges through User Account Control (UAC) bypassing.

Once you are inside the system, there may be several user accounts of interest. Before diving in deeper, let’s get a basic understanding of terms such as impersonation, access tokens and impersonation tokens.

What is Impersonation?

“In Information Security, Impersonation is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in the system or in a communication protocol.”

Broadly speaking, impersonation is a technique that lets you mirror another authentic user and take actions on their behalf.

Impersonation

What are Access Tokens?

“An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user’s groups, and the user’s privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer.”

An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. When a user logs on, the system verifies the user’s password by comparing it with information stored in a secure database. If the password is authenticated, the system produces an access token. Every process executed on behalf of this user has a copy of this access token. There are two kinds of access token: primary and impersonation.

What is an Impersonation Token?

An impersonation token is an access token that has been created to capture the security information of a client process, allowing a server to “impersonate” the client process in security operations.

Thus, impersonation is the ability of a thread to execute in a security context different from that of the process owning the thread. The server thread uses an access token representing the client’s credentials, and with it the thread can access the resources that the client can access.
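The following toy model, added here as an example and not taken from the post, shows the rules just described in running code: a thread runs under its impersonation token when one is set and under the process’s primary token otherwise, only impersonation- or delegation-level tokens let the thread act as the client, and reverting to self drops the client context. The token types and impersonation levels mirror the Windows enumerations; the ACL layout, the access check and the user and object names are constructed assumptions.

```python
"""Toy model of Windows primary vs impersonation tokens (added example, not the
post's code). Assumptions: a simplified DACL of (allow|deny, principal, rights)
entries, and constructed user/object names. The token types and impersonation
levels follow TOKEN_TYPE and SECURITY_IMPERSONATION_LEVEL from winnt.h."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class TokenType(IntEnum):           # TOKEN_TYPE
    PRIMARY = 1
    IMPERSONATION = 2


class ImpersonationLevel(IntEnum):  # SECURITY_IMPERSONATION_LEVEL
    ANONYMOUS = 0        # server cannot even identify the client
    IDENTIFICATION = 1   # server may query the identity, not act as the client
    IMPERSONATION = 2    # server may access local resources as the client
    DELEGATION = 3       # server may also reach remote resources as the client


@dataclass
class Token:
    user: str
    groups: frozenset
    token_type: TokenType
    level: Optional[ImpersonationLevel] = None  # only set on impersonation tokens

    def identities(self):
        return set(self.groups) | {self.user}


@dataclass
class SecurableObject:
    name: str
    dacl: list  # constructed: [(kind, principal, rights-set), ...]


def access_check(token, obj, desired):
    """Windows-style DACL walk: a matching deny entry wins as soon as it
    overlaps the request; allow entries accumulate until all requested rights
    are granted. Identification/anonymous-level tokens cannot open objects."""
    if token.token_type is TokenType.IMPERSONATION and token.level < ImpersonationLevel.IMPERSONATION:
        raise PermissionError("token level too low to act as the client")
    granted = set()
    for kind, principal, rights in obj.dacl:
        if principal not in token.identities():
            continue
        if kind == "deny" and rights & desired:
            return False
        if kind == "allow":
            granted |= rights
            if desired <= granted:
                return True
    return False


@dataclass
class Thread:
    """Effective context = impersonation token if set, else the process token."""
    process_token: Token
    impersonation_token: Optional[Token] = None

    def effective_token(self):
        return self.impersonation_token or self.process_token

    def revert_to_self(self):  # counterpart of RevertToSelf / rev2self
        self.impersonation_token = None


def demo():
    """Service thread reading a file only the client's group may read."""
    svc = Token("svc_server", frozenset({"Users"}), TokenType.PRIMARY)
    client = Token("john", frozenset({"Users", "Finance"}),
                   TokenType.IMPERSONATION, ImpersonationLevel.IMPERSONATION)
    report = SecurableObject("finance.xlsx", [("allow", "Finance", {"read", "write"})])
    t = Thread(svc)
    before = access_check(t.effective_token(), report, {"read"})  # service alone: denied
    t.impersonation_token = client
    during = access_check(t.effective_token(), report, {"read"})  # acting as john: allowed
    t.revert_to_self()
    after = access_check(t.effective_token(), report, {"read"})   # back to service: denied
    return before, during, after


def identification_level_cannot_act():
    """An identification-level token lets the server learn who the client is
    but not open objects as the client."""
    ident = Token("john", frozenset({"Finance"}), TokenType.IMPERSONATION,
                  ImpersonationLevel.IDENTIFICATION)
    obj = SecurableObject("finance.xlsx", [("allow", "Finance", {"read"})])
    try:
        access_check(ident, obj, {"read"})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), identification_level_cannot_act())
```

The level check is the reason the distinction between delegation and impersonation tokens matters later in the post: a token listed at a lower level cannot be used to open resources, only to answer “who is the client?”.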

Now, let’s continue from the last post. Remember that we got into the victim machine using an exploit for a buffer overflow vulnerability in BadBlue, and here we have a shell as the user John (a regular user with no special privileges). Refer to the image Meterpreter Session 1.

Let’s check whether we can run privileged commands. Run getsystem: since we are a regular user, it fails, so we can’t run privileged commands yet.

Before escalating privileges, first migrate to a stable process using the command migrate <PID>. Then escalate to SYSTEM; for the steps, refer to the last post, Escalating Privileges through User Account Control (UAC) bypassing.

Meterpreter Session 1

Now that we have escalated the privileges of the regular user John, refer to the image below: we can execute privileged commands, and getsystem succeeds.

Use Commands:

getsystem — attempts to elevate the session to the SYSTEM account

load incognito — loads the incognito extension, which provides the token commands used below

list_tokens -u — lists the available tokens, grouped by user

Meterpreter Session 2

The list_tokens command lists delegation and impersonation tokens grouped by user. As we can see in the screenshot, an impersonation token for the anonymous user is available. We will impersonate the anonymous user.

Use Commands:

impersonate_token <token>

Since the user name contains a space, we quote the name and use a double backslash “\\” as the escaped separator between the domain and the user name.

Anonymous Logon

Referring to the image above, we are now running as the anonymous user and can take actions anonymously.

Enter “?” to get a list of all the available commands and actions that can be taken, depending on the user’s access level.

System Commands

Various other system commands of interest:

rev2self - reverts to the previous user account (the session’s original token).

steal_token <PID> - steals the impersonation token of the given process on the target.

clearev - clears the Application, System and Security event logs.

getprivs - enables all privileges available to the current process.
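From the defender’s side, each step in this walkthrough leaves traces in the Windows Security log: a network logon by ANONYMOUS LOGON is recorded as event 4624 with logon type 3, a logon that receives sensitive privileges is recorded as event 4672, and clearing the Security log (which clearev does) is itself recorded as event 1102. The detection sketch below is an added example, not part of the post; its input is a constructed, simplified key=value export of such events, and the sample values (user names, IP address, privilege list) are made up for the illustration, though the field names follow the real event schemas.

```python
"""Detection sketch for the token activity described above (added example,
not from the post). Input is a constructed, simplified key=value export of
Windows Security events; field names follow the real schemas of events
4624 (logon), 4672 (special privileges assigned) and 1102 (audit log cleared)."""
import re

# Constructed sample: a routine interactive logon, a logon that is granted
# sensitive privileges, a network logon by ANONYMOUS LOGON, and a Security-log
# clear. Values are invented for the illustration.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=john TargetDomainName=WORKGROUP LogonType=2 IpAddress=-
EventID=4672 SubjectUserName=john SubjectDomainName=WORKGROUP PrivilegeList="SeDebugPrivilege SeImpersonatePrivilege SeBackupPrivilege"
EventID=4624 TargetUserName="ANONYMOUS LOGON" TargetDomainName="NT AUTHORITY" LogonType=3 IpAddress=10.0.0.5
EventID=1102 SubjectUserName=john SubjectDomainName=WORKGROUP
"""

# Privileges that let a holder obtain or use other accounts' tokens, or tamper
# with the system; any of these on a non-service account deserves a look.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
                   "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege"}

# key=value pairs where a value may be double-quoted to carry spaces
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    out = {}
    for key, raw in _PAIR.findall(line):
        out[key] = raw[1:-1] if raw.startswith('"') else raw
    return out


def analyze(text):
    """Return a list of (rule_name, detail) findings for the event lines in text."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev.get("EventID")
        if (eid == "4624" and ev.get("LogonType") == "3"
                and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"):
            findings.append(("anonymous_network_logon", ev.get("IpAddress", "-")))
        elif eid == "4672":
            hit = sorted(set(ev.get("PrivilegeList", "").split()) & SENSITIVE_PRIVS)
            if hit:
                findings.append(("sensitive_privileges_assigned",
                                 f"{ev.get('SubjectUserName', '?')}: {' '.join(hit)}"))
        elif eid == "1102":
            findings.append(("security_log_cleared", ev.get("SubjectUserName", "?")))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Two caveats when moving this from sample lines to a real log: event 4672 fires constantly for SYSTEM and service accounts, so baseline those subjects rather than alerting on every hit, and because clearev removes the evidence on the host, the 1102 event (and the 104 event the System log writes when it is cleared) is only useful if events are forwarded off the machine before they can be wiped.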
