RedTeam
5.Machine
3.Active-Directory
General
Exploitation
1.Initial-exploitation
3.tokens and Migration

General

In Windows, a token is an object that represents the security context of a process or thread. It contains information about the security attributes of the process or thread, such as its user and group identities, as well as its access rights and privileges.

Token migration refers to the process of transferring a token from one process or thread to another. This can be used to elevate the privileges of a process or thread, allowing it to perform actions that it would not otherwise have permission to perform.

Token migration can be exploited in several ways:

  • Elevating the privileges of a process: An attacker could use token migration to transfer a high-privilege token to a low-privilege process, thereby allowing the process to perform actions that it would not normally have permission to perform.

  • Bypassing access controls: An attacker could use token migration to bypass access controls and gain access to resources or systems that are normally restricted.

  • Executing code with elevated privileges: An attacker could use token migration to execute code with higher privileges than the user's account, potentially allowing the code to perform actions that the user does not have permission to perform.

Commands

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe(think of this as an authentication process).

Commands

list_tokens -g                         ---> List available tokens
impersonate_token "Token of choice"    ---> Use the selected authority token

Extra (Once authority, transfer process (since you might not have possibility to do everything)

ps                                     ---> list everything running on the machine
target services.exe
migrate `<services number>`

This access token consists of:

  • user SIDs(security identifier)
  • group SIDs
  • privileges

amongst other things. More detailed information can be found here (opens in a new tab).

There are two types of access tokens:

  • primary access tokens: those associated with a user account that are generated on log on
  • impersonation tokens: these allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process

Type of impersonation token - SecurityAnonymous: current user/client cannot impersonate another user/client - SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client - SecurityImpersonation: current user/client can impersonate the client's security context on the local system - SecurityDelegation: current user/client can impersonate the client's security context on a remote system

More about Token Impersonation Token impersonation is a security feature in the Windows operating system that allows a process to assume the security context of another process. This allows a process to execute with the permissions of the other process, which can be useful for tasks that require higher privileges. ă…¤ There are two types of token impersonation in Windows: ă…¤ 1. Impersonation: This allows a process to temporarily assume the security context of another process within the same logon session. The process can perform operations with the privileges of the other process, but the security context is not permanently changed. ă…¤
2. Duplication: This allows a process to create a copy of another process's security token, which can then be used to create a new process that runs with the permissions of the original process. The new process has a permanently changed security context. ă…¤ Token impersonation is typically used to allow a process to perform tasks that require higher privileges than it would normally have. It is an important security feature that helps to prevent unauthorized access to resources and to protect against certain types of attacks. ă…¤ We can think of this like in linux when you change the process id to use the right of an other process to execute something, The difference is in this situation is will temporary use the right of the other process to execute something. Token Impersonation only give you temporary higher privilege and is not used to gain acces to specific ressource (like server) over the user permission that your impersonating...

where the security context is a data structure that contains users' relevant security information.

The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriver
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

There's more reading here (opens in a new tab).