# Token Impersonation

### **Introduction**

Windows uses access tokens to ensure that accounts have the right privileges to carry out particular actions. An access token is assigned to an account when the user logs in or is otherwise authenticated. This is usually done by LSASS.exe (think of this as the authentication process).

This access token consists of:

* the user's SID (security identifier)
* group SIDs
* privileges, amongst other things

More detailed information can be found [here](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens).

***

### **Types of Access Tokens**

There are two types of access tokens:

#### Primary Access Tokens

Those associated with a user account, generated at logon.

#### Impersonation Tokens

These allow a particular process (or a thread in a process) to gain access to resources using the token of another (user/client) process.

***

### **Levels of Impersonation Tokens**

Note: the security context is a data structure that contains a user's relevant security information.

#### SecurityAnonymous

The current user/client cannot impersonate another user/client.

#### SecurityIdentification

The current user/client can get the identity and privileges of a client, but cannot impersonate the client.

#### SecurityImpersonation

The current user/client can impersonate the client's security context on the local system.

#### SecurityDelegation

The current user/client can impersonate the client's security context on a remote system.

***

### **Commonly Abused Privileges**

The privileges of an account (which are either given to the account when it is created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:

* **SeImpersonatePrivilege**
* **SeAssignPrimaryTokenPrivilege**
* **SeTcbPrivilege**
* **SeBackupPrivilege**
* **SeRestorePrivilege**
* **SeCreateTokenPrivilege**
* **SeLoadDriverPrivilege**
* **SeTakeOwnershipPrivilege**
* **SeDebugPrivilege**

There's more reading [here](https://www.exploit-db.com/papers/42556).

***

### **Exploitation of Impersonate Token Vuln**

1. View all the privileges of the current account using `whoami /priv`.
2. Load Metasploit's **incognito** extension in Meterpreter, which allows us to exploit this vulnerability:
   * `load incognito`
3. To check which tokens are available, run `list_tokens -g`.
4. Suppose the **BUILTIN\Administrators** token is available.
5. Use the `impersonate_token "BUILTIN\Administrators"` command to impersonate the Administrators token.
6. You have now impersonated the Admin token; use `getuid` to find out your rights.
7. Even though you hold a higher-privileged token, you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the primary token of the process, not the impersonated token, to determine what the process can or cannot do).
8. Ensure that you migrate to a process with the correct permissions (the rights which **getuid** shows us):
   1. The safest process to pick is the **services.exe** process.
   2. First use the `ps` command to view processes and find the PID of the services.exe process.
   3. Migrate to this process using the command `migrate PID-OF-PROCESS`.

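The first step above, and the "Commonly Abused Privileges" list, both come down to reading `whoami /priv` output and spotting the privileges that matter. The script below is an added example (not part of the original notes or of Metasploit) that parses that output and flags the privileges listed on this page, so the same check can be run over output collected from many hosts during a hardening review. The sample output embedded in it is constructed for illustration; the privilege names and their Windows descriptions are the real ones.

```python
"""Audit `whoami /priv` output for privileges commonly abused for token impersonation.

Added example, not code from the original notes. The SAMPLE_WHOAMI_PRIV text
below is constructed to look like real `whoami /priv` output.
"""
import re
from dataclasses import dataclass

# Privileges named on this page as commonly abused, with the descriptions
# Windows prints for them. SeAssignPrimaryPrivilege on the page is the
# privilege Windows calls SeAssignPrimaryTokenPrivilege.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeDebugPrivilege": "Debug programs",
}

# One data row of `whoami /priv`: name, free-text description, then the state.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


@dataclass
class Finding:
    name: str
    state: str        # "Enabled" or "Disabled" as printed by whoami
    description: str


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege_name: state} for every privilege row in the output.

    Header and separator lines do not start with 'Se', so they are skipped.
    """
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def audit_privileges(text: str) -> list:
    """Return the high-risk privileges present in the token, sorted by name.

    A 'Disabled' privilege is still reported: it is held by the token and the
    process can enable it itself with AdjustTokenPrivileges, so from a risk
    standpoint presence matters more than the current state.
    """
    privs = parse_whoami_priv(text)
    return sorted(
        (Finding(name, state, HIGH_RISK_PRIVILEGES[name])
         for name, state in privs.items() if name in HIGH_RISK_PRIVILEGES),
        key=lambda f: f.name,
    )


# Constructed sample: what `whoami /priv` typically prints for a service-style account.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeDebugPrivilege              Debug programs                            Disabled
"""

if __name__ == "__main__":
    for f in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{f.name:<32} {f.state:<9} {f.description}")
```

Run it as `python3 audit_privs.py` to see the two flagged rows from the sample, or replace `SAMPLE_WHOAMI_PRIV` with output captured from a host. An account that shows **SeImpersonatePrivilege** or **SeAssignPrimaryTokenPrivilege** here is exactly the kind of account the sections above describe, which is the case to review for whether the service really needs that right.
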
***

### **Using PrintSpoofer to Automatically Exploit SeImpersonatePrivilege**

From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.

Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser().

[Tool URL](https://github.com/itm4n/PrintSpoofer)

***
