
    Token impersonation is a technique that allows one user to impersonate another user -- assuming they have the privileges to do so. In this post, we're going to use Meterpreter, but this can be done with other tools as well. I believe PowerSploit has Invoke-TokenManipulation.ps1, which will do something along the same lines. Aside from an improper configuration, we can run into this situation when a service account holds the privilege: we take over that service account and, from there, elevate to administrator or NT AUTHORITY\SYSTEM.

    We drop onto a machine, we run whoami /priv and we discover:



    SeImpersonatePrivilege set to Enabled.

    We fire up Metasploit and we toss back a shell:


    According to Offensive Security:  "Incognito was originally a stand-alone application that allowed you to impersonate user tokens when successfully compromising a system. This was integrated into Metasploit and ultimately into Meterpreter."

    We launch incognito and we list available tokens:


    Excellent!  Administrators is available.  We impersonate the token for Administrators and when we try to move into the shell, we sort of get denied:


    I say sort of, but we don't get a shell -- we just don't get an error. The problem is that we're stuck between two worlds and we need to migrate into another process. We list processes:


    We migrate into one currently in use by NT AUTHORITY\SYSTEM and when we execute shell:


    We've successfully managed to complete the impersonation. 



    © 2021 Seven Layer Networks, Inc. | All rights reserved.