1
00:00:00,180 --> 00:00:04,200
Our next attack type is called token impersonation.

2
00:00:04,230 --> 00:00:06,090
So what are tokens?

3
00:00:06,090 --> 00:00:10,320
Well, you could think of tokens basically as cookies for your computer.

4
00:00:10,320 --> 00:00:16,560
These are temporary keys that allow you access to a system or network without actually having to provide

5
00:00:16,560 --> 00:00:17,470
your credentials.

6
00:00:17,490 --> 00:00:20,360
So like a cookie. Now there are two types.

7
00:00:20,370 --> 00:00:24,820
There's what is called a delegate or an impersonate token.

8
00:00:24,820 --> 00:00:34,740
So for the delegate token, that is used when you log into a machine or you have remote desktop, for example,

9
00:00:35,250 --> 00:00:41,970
or if you have an impersonate token, if you're having like a network drive attached or some sort of domain

10
00:00:41,970 --> 00:00:46,270
logon script, that's where you would see an impersonate token. In this course

11
00:00:46,290 --> 00:00:51,570
it's much easier to just demonstrate a delegate token because all we have to do is log into a machine

12
00:00:51,840 --> 00:00:53,190
and then that token exists.

13
00:00:53,250 --> 00:00:54,480
So we're going to do that.

14
00:00:54,510 --> 00:00:59,670
So let's take a quick overview before we go into the live demonstration of why this is bad and what

15
00:00:59,670 --> 00:01:01,320
this really is.

16
00:01:01,320 --> 00:01:08,010
So here we have our user, and we've gotten a shell, and we're in a shell in Meterpreter.

17
00:01:08,580 --> 00:01:15,540
We've loaded a tool here called Incognito, which is built into Metasploit, and we're just going to list

18
00:01:15,540 --> 00:01:18,360
our tokens of our user here.

19
00:01:18,360 --> 00:01:22,410
MARVEL\fcastle appears; we're on the Frank Castle machine.

20
00:01:22,410 --> 00:01:26,940
Now we're going to go ahead and try to impersonate that user.

21
00:01:26,940 --> 00:01:33,480
So we're going to say impersonate_token MARVEL\fcastle, kind of like this, we'll go into a shell, and

22
00:01:33,480 --> 00:01:33,970
guess what?

23
00:01:34,000 --> 00:01:36,240
We're MARVEL\fcastle.

24
00:01:36,240 --> 00:01:37,360
Cool.

25
00:01:37,360 --> 00:01:39,390
So let's go ahead and try to run something.

26
00:01:39,390 --> 00:01:45,000
Do not worry about what this is right now, but we're going to use Invoke-Mimikatz, and this is a PowerShell

27
00:01:45,000 --> 00:01:47,940
script that is trying to dump hashes.

28
00:01:47,940 --> 00:01:48,160
OK.

29
00:01:48,180 --> 00:01:55,710
We're trying to do an LSA dump here and dump all the hashes off the domain controller, and what's going

30
00:01:55,710 --> 00:02:03,740
to happen is it's going to say, hey, access denied, you do not have this kind of access. OK.

31
00:02:03,740 --> 00:02:11,060
But what if for some reason the user was a domain admin and that token was available?

32
00:02:11,210 --> 00:02:18,320
Now you can see the domain admin has logged into this machine, the token's now available, and we're going

33
00:02:18,320 --> 00:02:20,360
to impersonate this token.

34
00:02:20,630 --> 00:02:26,390
So we're going to say impersonate_token MARVEL\administrator, we go into a shell, and you can see that

35
00:02:26,690 --> 00:02:32,920
MARVEL\administrator is now available to us. We try running this command again.

36
00:02:33,150 --> 00:02:34,770
And guess what?

37
00:02:34,770 --> 00:02:43,080
It succeeds this time, allowing us to dump all the hashes in the network, including the Kerberos ticket granting

38
00:02:43,090 --> 00:02:45,190
ticket hash, which we haven't covered yet.

39
00:02:45,190 --> 00:02:46,040
We'll get there.

40
00:02:46,120 --> 00:02:48,010
But this is a big win.

41
00:02:48,010 --> 00:02:55,690
So the difference is that if you can navigate to a machine and you find a token of a domain administrator

42
00:02:55,690 --> 00:02:59,300
that you can impersonate, you have domain admin.

43
00:02:59,410 --> 00:03:01,850
There are a lot of things that you can do with that domain admin.

44
00:03:02,020 --> 00:03:08,680
So you want to bounce around and look for these token impersonation attacks and really see if you can't

45
00:03:08,680 --> 00:03:10,840
find that domain admin on a machine.

46
00:03:10,840 --> 00:03:16,090
So this is what I was talking about in the last video when it came down to moving laterally, and there's

47
00:03:16,150 --> 00:03:19,470
always a potential difference in a new machine.

48
00:03:19,540 --> 00:03:24,940
So we might go from machine one, where we're Frank Castle and there's nothing great, we pass that password,

49
00:03:24,940 --> 00:03:32,410
pass the hash around, we get onto machine two, Spider-Man's machine, and there is the administrator just

50
00:03:32,410 --> 00:03:37,420
sitting there with a token, and then we impersonate that token, and then we are now a domain administrator;

51
00:03:37,420 --> 00:03:39,040
we can act on their behalf.

52
00:03:39,490 --> 00:03:41,740
So pretty cool feature here.

53
00:03:41,800 --> 00:03:45,520
So let's go ahead and do a live demonstration of this so we can get hands-on, and then we'll talk about

54
00:03:45,520 --> 00:03:46,570
mitigation strategies.