Friday, May 2, 2008

Token Passing with Incognito

I've seen a few people post a link to this paper and tool but no one actually showing it in use yet, so here is the first of some notes on it.

From the whitepaper:
"Domain Privilege Escalation refers to the ability to use a Delegate token to access other systems, which may otherwise be secure from direct attack. This is possible because Delegate tokens contain authentication credentials and so can be used to access external systems for which those credentials are valid.

In order to perform this type of attack, it is usually necessary to have administrative privileges on the compromised system. This is because impersonating a token requires the “SeImpersonate” privilege, as of Windows XP SP2, Windows 2003 and Windows 2000 SP4; additionally, Delegate tokens are normally the result of interactive logins and so administrative access is required in order to access the tokens present in all user processes on the system. Other privileges may also be required (such as “SeAssignPrimaryTokenPrivilege” and “SeCreateTokenPrivilege”) depending on the specific post-exploitation task performed.

There are, however, some exceptions to this. For example, if an attacker were to compromise a service account that was trusted for delegation then they may be able to perform this attack, since services are normally given the “SeImpersonate” privilege. Additionally, on systems before “SeImpersonate” was introduced it may be possible to perform this attack from a low privileged user account under certain circumstances.

A good example of a use case for this type of attack would be as part of compromising a critical database server. If an attacker were unable to compromise the database server directly then they could turn their attention to the DBA’s workstation, since their user account will often have legitimate access to the database servers themselves. If they successfully compromised the workstation then they could use the tokens present to access the database server."

If you actually read the whitepaper there are several scenarios. I am going to cover having a user account with administrative privileges, dumping available tokens, and becoming another user.

Let's get started. First we want to see who we are. Let's run the "set" command to see.

Let's also see what groups brian is in:

Then we run find_token (which any user can actually run), and then we use incognito to list the tokens that are available to delegate and impersonate.
Next we connect to the remote box, use the impersonate token for HOUSEOFMUNCH\root, and become that user.
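The whitepaper's DBA-workstation scenario and the walkthrough above both come down to one question for a defender: on which hosts do privileged accounts leave delegate-class tokens behind? The following is an added example (not from the original post or from Incognito) that answers it from logon records; the log format, the `dba`/`jsmith` accounts and the hostnames are constructed, and the classification of logon types is a simplification of the whitepaper's note that Delegate tokens are normally the result of interactive logins.

```python
"""Exposure check for the whitepaper scenario: a privileged account logging on
interactively to a workstation leaves a token there that reaches the servers the
account is trusted on. Added example, not part of the original post or Incognito;
log lines, hostnames and the dba/jsmith accounts are constructed."""

# Windows logon types that create a full logon session on the host. Following
# the whitepaper, these are treated as leaving delegate-class tokens; network
# logons (type 3) normally leave only impersonate-level tokens. Simplification.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}  # Interactive, Unlock, RemoteInteractive, CachedInteractive

# Constructed log lines (not real event output): host, account, logon type.
SAMPLE_LOG = """\
host=WS-DBA01 account=HOUSEOFMUNCH\\dba type=2
host=WS-DBA01 account=HOUSEOFMUNCH\\brian type=3
host=SQL01 account=HOUSEOFMUNCH\\dba type=10
host=WS-HR07 account=HOUSEOFMUNCH\\root type=10
host=WS-HR07 account=HOUSEOFMUNCH\\jsmith type=2
"""


def parse_logons(text):
    """Parse key=value lines into (host, account, logon_type) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        records.append((fields["host"], fields["account"], int(fields["type"])))
    return records


def exposed_delegate_tokens(records, privileged_accounts, admin_hosts):
    """Return sorted (host, account) pairs where a privileged account holds a
    delegate-class token (interactive logon) on a host outside the set of hosts
    where such accounts are expected to log on."""
    hits = set()
    for host, account, logon_type in records:
        if account not in privileged_accounts or host in admin_hosts:
            continue
        if logon_type in INTERACTIVE_LOGON_TYPES:
            hits.add((host, account))
    return sorted(hits)


def main():
    privileged = {"HOUSEOFMUNCH\\dba", "HOUSEOFMUNCH\\root"}  # assumed privileged set
    admin_hosts = {"SQL01"}  # hosts where those accounts are expected
    for host, account in exposed_delegate_tokens(parse_logons(SAMPLE_LOG), privileged, admin_hosts):
        print(f"{account} has a delegate token on {host}")


if __name__ == "__main__":
    main()
```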


pop a system shell and become a user

use the meterpreter incognito module

verify the terminal services stuff in the paper

see how dameware with windows authentication handles tokens

project website:
DEFCON 15 Presentation (pdf):
DEFCON 15 Presentation (video): Broke...WTF

Token Kidnapping by Cesar


Unknown said...

Sorry, I do not understand your idea very much. From the command "net user brian /domain", I can see your "brian" is in the "Domain Admins" group. And the members of the "Domain Admins" group are all Admins; they can run almost any command on every machine in the domain. Since we know the password of user "brian" and it is a Domain Administrator, why can't we control the Domain Controller from the command "net use \\ "AdminPW12!@" /u:brian", and copy a shell to the machine "" ?

I don't know how the incognito tool promotes the privilege of Administrator, because "brian" has already been a Domain Administrator.

Sorry, my English is poor. Thanks!

CG said...

The point of the post is not that brian is a domain admin (yes, a domain admin can do a lot); it's that we have become the "root" user via token stealing.

I think it's clearer if you take a look at the example using the meterpreter incognito post.

Fizz said...

Good post, thanks!

I really didn't get the difference between Token Passing and Token Kidnapping... Is it actually the same thing?
And if not, did the Token Passing technique get fixed with the MS09-012 patch (which patched Token Kidnapping)?

CG said...


1. I think they are the same thing.

2. The patch (to my knowledge) fixes the issue Cesar found that will take you from unprivileged user to SYSTEM, and not the token passing issue of going from SYSTEM to another user (if the token is present).