🗼Token Impersonation
Nice page about token impersonation with example:
🥔pageImpersonation and Potato AttacksThis technique that allows an attacker to steal the access token of a logged-on user on the system without knowing their credentials and impersonate them to perform operations with their privileges.
There are two types of tokens related to the token impersonation technique —
Delegation and Impersonation:
Delegation refers to the process of granting permissions or access rights to a user or service, allowing them to act on behalf of another user or service.
Impersonation, on the other hand, refers to the process of a user or service pret to be another user or service in order to gain access to resources.
We can now impersonate this user
Attempt to dump hashes as non-Domain Admin with mimikatz->
If we had a domain admin token available, we could impersonate it like this:
First you spot the token
we could now try to dump hashes as domain admin with mimikatz:
that would give the following output:
If we found some way to impersonate a domain admin account, we could use remote commands to go further:
The first command, net user /add felix Mot2pAsse /domain, creates a new user account named "felix" with the password "Mot2pAsse" on the Windows domain. This command creates a new security principal in the domain, which can be used to authenticate and authorize access to resources.
The second command, net group "Domain Admins" felix /ADD /DOMAIN, adds the user "felix" to the "Domain Admins" group on the Windows domain. This group is a built-in group that is granted administrative privileges on the domain, allowing members to manage domain-wide settings and resources. By adding the user "felix" to this group, you are granting them administrative privileges on the domain.
And if this user add is successful, we could go and run secretsdump.py ->
It would look something like this:
Example in this box:
🌋pageSaunaLast updated
