1
00:00:02,860 --> 00:00:08,290
So here's Incognito, which was originally a standalone application that allowed you to impersonate

2
00:00:08,290 --> 00:00:11,710
user tokens when successfully compromising a system.

3
00:00:13,110 --> 00:00:17,250
This was integrated into Metasploit and ultimately into Meterpreter.

4
00:00:18,290 --> 00:00:24,230
Tokens are temporary keys that allow you to access the system and network without having to provide

5
00:00:24,230 --> 00:00:26,570
credentials each time you access a file.

6
00:00:27,590 --> 00:00:32,690
Incognito exploits tokens by replaying that temporary key when asked to authenticate.

7
00:00:33,630 --> 00:00:41,610
And there are two types of tokens, delegate and impersonate. Delegate tokens are created for interactive

8
00:00:41,610 --> 00:00:46,380
log-on, such as logging into the machine or connecting to it via remote desktop.

9
00:00:47,130 --> 00:00:54,750
Impersonate tokens are for non-interactive sessions, such as attaching a network drive or a domain

10
00:00:54,750 --> 00:00:55,680
log-on script.

11
00:00:56,580 --> 00:01:03,330
One great thing about tokens is they persist until a reboot. When a user logs off, their delegate token

12
00:01:03,330 --> 00:01:09,150
is reported as an impersonate token but will still hold all the rights of a delegate token.

13
00:01:10,330 --> 00:01:16,630
And once you have a Meterpreter session, you can impersonate valid tokens on the system and become that

14
00:01:16,630 --> 00:01:22,390
specific user without ever having to worry about credentials or, for that matter, even hashes.

15
00:01:23,290 --> 00:01:28,990
During a penetration test, this is especially useful due to the fact that tokens have the possibility

16
00:01:28,990 --> 00:01:35,980
of allowing local and/or domain privilege escalation, enabling you alternate avenues with potentially

17
00:01:35,980 --> 00:01:38,850
elevated privileges to multiple systems.
18
00:01:41,330 --> 00:01:48,110
So here we are in a Meterpreter session in Kali. The session is on a Windows XP victim. The Incognito module

19
00:01:48,110 --> 00:01:55,820
is not loaded by default, so type load incognito to load it, and help incognito to list a variety of options

20
00:01:55,820 --> 00:01:59,870
we have for Incognito and brief descriptions of each option.

21
00:02:01,110 --> 00:02:08,130
And what we will need to do first is identify if there are any valid tokens on this system, so we'll

22
00:02:08,130 --> 00:02:11,040
use the list_tokens command to list the tokens.

23
00:02:12,130 --> 00:02:15,280
Well, let's use it with the -u parameter.

24
00:02:17,140 --> 00:02:20,830
Let's impersonate the administrator using impersonate_token.

25
00:02:26,090 --> 00:02:28,490
Now, don't forget to put a double backslash.

26
00:02:30,020 --> 00:02:36,380
And after successfully impersonating a token, we check our current user ID by executing the getuid

27
00:02:36,380 --> 00:02:36,860
command.

28
00:02:38,050 --> 00:02:44,230
Now open a shell on the victim and look at who we are with the whoami command.

29
00:02:45,900 --> 00:02:53,550
Well, now we have another method to see who we are, through the environment variables: echo

30
00:02:53,550 --> 00:02:55,170
%USERDOMAIN% %USERNAME%.

31
00:02:56,200 --> 00:03:03,670
We are the administrator user on the CEO XP system. Now Ctrl+C to terminate the shell command.

32
00:03:04,570 --> 00:03:09,850
Now I will use the rev2self command to be the SYSTEM user again.

33
00:03:10,960 --> 00:03:18,550
getuid to check it. OK, so we are the SYSTEM user again, so now I'll open the shell again

34
00:03:18,940 --> 00:03:21,220
and look who I am once more.

35
00:03:24,840 --> 00:03:28,200
Well, a SYSTEM user looks just like this.