Access Tokens
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
You can see this information executing whoami /all
or using Process Explorer from Sysinternals (select process and access"Security" tab):
When a local administrator logins, two access tokens are created: One with admin rights and other one with normal rights. By default, when this user executes a process the one with regular (non-administrator) rights is used. When this user tries to execute anything as administrator ("Run as Administrator" for example) the UAC will be used to ask for permission. If you want to learn more about the UAC read this page.
If you have valid credentials of any other user, you can create a new logon session with those credentials :
The access token has also a reference of the logon sessions inside the LSASS, this is useful if the process needs to access some objects of the network. You can launch a process that uses different credentials for accessing network services using:
This is useful if you have useful credentials to access objects in the network but those credentials aren't valid inside the current host as they are only going to be used in the network (in the current host your current user privileges will be used).
There are two types of tokens available:
Primary Token: It serves as a representation of a process's security credentials. The creation and association of primary tokens with processes are actions that require elevated privileges, emphasizing the principle of privilege separation. Typically, an authentication service is responsible for token creation, while a logon service handles its association with the user's operating system shell. It is worth noting that processes inherit the primary token of their parent process at creation.
Impersonation Token: Empowers a server application to adopt the client's identity temporarily for accessing secure objects. This mechanism is stratified into four levels of operation:
Anonymous: Grants server access akin to that of an unidentified user.
Identification: Allows the server to verify the client's identity without utilizing it for object access.
Impersonation: Enables the server to operate under the client's identity.
Delegation: Similar to Impersonation but includes the ability to extend this identity assumption to remote systems the server interacts with, ensuring credential preservation.
Using the incognito module of metasploit if you have enough privileges you can easily list and impersonate other tokens. This could be useful to perform actions as if you where the other user. You could also escalate privileges with this technique.
Learn which token privileges can be abused to escalate privileges:
Abusing TokensTake a look to all the possible token privileges and some definitions on this external page.
Learn more about tokens in this tutorials: https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa and https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)