1 00:00:00,330 --> 00:00:02,340 In token impersonation.
2 00:00:03,290 --> 00:00:09,650 You can grab a Kerberos token on the target's machine and then use it in the place of authentication
3 00:00:09,890 --> 00:00:13,430 to assume the identity of the user that originally created that token.
4 00:00:14,820 --> 00:00:19,680 Token impersonation is very beneficial for penetration tests.
5 00:00:20,590 --> 00:00:24,460 And can be one of Meterpreter's most powerful features, if you look at it.
6 00:00:25,790 --> 00:00:27,860 So let's consider the following scenario.
7 00:00:28,890 --> 00:00:35,370 For example, if you are performing a penetration test and then you successfully compromise the system
8 00:00:35,550 --> 00:00:37,830 and establish a Meterpreter console.
9 00:00:38,880 --> 00:00:44,370 A domain administrator account has logged on within the last 10 hours to the compromised machine.
10 00:00:45,420 --> 00:00:52,530 So when this account logs on, a Kerberos token is passed to the server and is valid for a certain period
11 00:00:52,530 --> 00:00:53,110 of time.
12 00:00:54,350 --> 00:01:01,640 You exploit this system via the valid and active Kerberos token and through Meterpreter, you successfully
13 00:01:01,850 --> 00:01:06,770 assume the role of a domain administrator without needing the password.
14 00:01:07,990 --> 00:01:14,470 So then you hack a domain administrator account or go after a domain controller.
15 00:01:15,500 --> 00:01:19,070 And this is probably one of the easiest ways to gain access into a system.
16 00:01:20,180 --> 00:01:28,750 And just another example of why Meterpreter is so useful, I almost made this not a family friendly
17 00:01:28,760 --> 00:01:29,210 course.
18 00:01:32,040 --> 00:01:37,080 In MSF, you can accomplish this by using the Incognito extension.
19 00:01:38,260 --> 00:01:44,920 Incognito was originally a standalone application that allowed you to impersonate user tokens when successfully
20 00:01:44,920 --> 00:01:46,030 compromising a system.
21 00:01:47,320 --> 00:01:52,870 And it was so good that it was integrated into Metasploit as an extension to Meterpreter.
22 00:01:53,790 --> 00:01:58,950 So in order to load a Meterpreter extension, the load command is used.
23 00:02:00,020 --> 00:02:05,060 Type load -l to list available extensions for the current session.
24 00:02:06,320 --> 00:02:08,270 And you can use any of these extensions.
25 00:02:09,400 --> 00:02:11,110 So let's load incognito.
26 00:02:13,350 --> 00:02:17,190 OK, incognito successfully loaded into my session.
27 00:02:18,160 --> 00:02:20,860 So every extension has its own commands.
28 00:02:21,840 --> 00:02:26,850 So does Incognito; you can type in help incognito
29 00:02:28,270 --> 00:02:33,910 to view the additional commands that come with it, and also every command has a help menu.
30 00:02:34,940 --> 00:02:36,890 So in the lab that we've set up,
31 00:02:37,820 --> 00:02:43,040 you're not going to have a domain, so I won't use the first three commands.
32 00:02:43,960 --> 00:02:46,090 OK, so let's list tokens.
33 00:02:47,840 --> 00:02:53,900 And this is the help menu, and now I'm going to list tokens with the -u parameter.
34 00:02:54,890 --> 00:02:59,600 Now, let's again look at who I am on the system to give you a clear idea.
35 00:03:01,660 --> 00:03:03,370 Right, list_tokens -u.
36 00:03:06,010 --> 00:03:10,420 So in a nutshell, the tokens are acting just like web cookies.
37 00:03:11,390 --> 00:03:18,410 They are a temporary key that allows you to access the system and network without having to provide credentials
38 00:03:18,590 --> 00:03:20,240 every time you access a file.
39 00:03:21,100 --> 00:03:28,960 Incognito exploits this the same way cookie stealing works, by replaying that temporary key whenever
40 00:03:28,960 --> 00:03:29,920 asked to authenticate.
41 00:03:30,790 --> 00:03:36,160 Now there are two types of tokens: delegate and impersonate.
42 00:03:37,120 --> 00:03:40,420 Delegate tokens are created for interactive logons,
43 00:03:41,550 --> 00:03:46,320 such as logging into the machine or connecting to it via remote desktop.
44 00:03:47,320 --> 00:03:51,190 Impersonate tokens are for non-interactive sessions,
45 00:03:52,190 --> 00:03:56,750 such as attaching a network drive or a domain logon script.
46 00:03:57,820 --> 00:03:59,890 So what are the other great things about tokens?
47 00:04:00,830 --> 00:04:03,860 They persist until a reboot.
48 00:04:04,840 --> 00:04:12,490 When a user logs on, their delegate token is reported as an impersonate token, but will still hold
49 00:04:12,520 --> 00:04:14,260 all the rights of a delegate token.
50 00:04:15,310 --> 00:04:18,490 So right now I will impersonate the token of a vagrant user.
51 00:04:19,610 --> 00:04:28,730 To do this, I'm going to use impersonate_token as my command, impersonate_token and then paste the
52 00:04:28,730 --> 00:04:29,900 vagrant user here.
53 00:04:31,370 --> 00:04:34,880 Don't forget to add a backslash here and hit enter.
54 00:04:36,470 --> 00:04:38,010 And the message is positive.
55 00:04:38,480 --> 00:04:40,550 So check if it's true.
56 00:04:42,020 --> 00:04:43,040 getuid.
57 00:04:44,210 --> 00:04:48,660 It is really true, you impersonate the vagrant user.
58 00:04:49,640 --> 00:04:57,020 So once you have a Meterpreter session, you can impersonate valid tokens on the system and become
59 00:04:57,020 --> 00:05:02,090 that specific user without ever having to worry about credentials, even hashes.
60 00:05:03,270 --> 00:05:09,030 So now you can continue with this user or you can go back to your actual user.
61 00:05:09,890 --> 00:05:12,110 And then to do this, there's another command.
62 00:05:13,080 --> 00:05:17,820 rev2self, so just type rev2self.
63 00:05:20,790 --> 00:05:23,730 And then you are NT AUTHORITY\SYSTEM again.
64 00:05:24,850 --> 00:05:31,810 Now, during a penetration test, this is especially useful since tokens have the possibility of allowing
65 00:05:31,820 --> 00:05:40,300 local and/or domain privilege escalation, enabling you alternate avenues with potentially elevated
66 00:05:40,300 --> 00:05:43,150 privileges to multiple systems.
67 00:05:43,150 --> 00:05:44,860 And that's what makes you a pro.