Token Impersonation

Introduction

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe(think of this as an authentication process).

This access token consists of:

• user SIDs(security identifier)

• group SIDs

• privileges amongst other things. More detailed information can be found here.

Types of Access Tokens

There are two types of access tokens:

Primary Access Tokens

Those associated with a user account that are generated on log on

Impersonation Tokens

These allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process

Levels of Impersonation Tokens

Note : The security context is a data structure that contains users' relevant security information.

SecurityAnonymous

Current user/client cannot impersonate another user/client

SecurityIdentification

Current user/client can get the identity and privileges of a client, but cannot impersonate the client

SecurityImpersonation

Current user/client can impersonate the client's security context on the local system

SecurityDelegation

Current user/client can impersonate the client's security context on a remote system

Commonly Abused Privileges

The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges

• SeImpersonatePrivilege

• SeAssignPrimaryPrivilege

• SeTcbPrivilege

• SeBackupPrivilege

• SeRestorePrivilege

• SeCreateTokenPrivilege

• SeLoadDriverPrivilege

• SeTakeOwnershipPrivilege

• SeDebugPrivilege

  There's more reading here.

Exploitation of Impersonate Token Vuln

1. View all the privileges using whoami /priv

2. Use the Metasploit's incognito module that will allow us to exploit this vulnerability.

   • load incognito

3. To check which tokens are available, enter the list_tokens -g.

4. Suppose BUILTIN\Administrators token is available.

5. Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators token.

6. You have successfully impersonated Admin Token, use getuid to find out your rights

7. Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).

8. Ensure that you migrate to a process with correct permissions (rights which getuid gives us)

   1. The safest process to pick is the services.exe process.

   2. First use the ps command to view processes and find the PID of the services.exe process.

   3. Migrate to this process using the command migrate PID-OF-PROCESS

Using PrintSpoofer to Automatically Exploit SeImpersonatePrivilege

From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.

Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()

Tool Url