mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-23 19:43:31 +00:00
133 lines
12 KiB
Markdown
133 lines
12 KiB
Markdown
# Access Tokens
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|
|
|
|
## Access Tokens
|
|
|
|
Each **user logged** onto the system **holds an access token with security information** for that logon session. The system creates an access token when the user logs on. **Every process executed** on behalf of the user **has a copy of the access token**. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
|
|
|
|
You can see this information executing `whoami /all`
|
|
|
|
```
|
|
whoami /all
|
|
|
|
USER INFORMATION
|
|
----------------
|
|
|
|
User Name SID
|
|
===================== ============================================
|
|
desktop-rgfrdxl\cpolo S-1-5-21-3359511372-53430657-2078432294-1001
|
|
|
|
|
|
GROUP INFORMATION
|
|
-----------------
|
|
|
|
Group Name Type SID Attributes
|
|
============================================================= ================ ============================================================================================================= ==================================================
|
|
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
|
|
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
|
|
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
|
|
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
|
|
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
|
|
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
|
|
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
|
|
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
|
|
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
|
|
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
|
|
MicrosoftAccount\cpolop@outlook.com User S-1-11-96-3623454863-58364-18864-2661722203-1597581903-3158937479-2778085403-3651782251-2842230462-2314292098 Mandatory group, Enabled by default, Enabled group
|
|
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
|
|
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
|
|
NT AUTHORITY\Cloud Account Authentication Well-known group S-1-5-64-36 Mandatory group, Enabled by default, Enabled group
|
|
|
|
|
|
PRIVILEGES INFORMATION
|
|
----------------------
|
|
|
|
Privilege Name Description State
|
|
============================= ==================================== ========
|
|
SeShutdownPrivilege Shut down the system Disabled
|
|
SeChangeNotifyPrivilege Bypass traverse checking Enabled
|
|
SeUndockPrivilege Remove computer from docking station Disabled
|
|
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
|
|
SeTimeZonePrivilege Change the time zone Disabled
|
|
```
|
|
|
|
or using _Process Explorer_ from Sysinternals (select process and access"Security" tab):
|
|
|
|
![](<../../.gitbook/assets/image (321).png>)
|
|
|
|
### Local administrator
|
|
|
|
When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute** anything **as administrator** ("Run as Administrator" for example) the **UAC** will be used to ask for permission.\
|
|
If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs.md#uac)**.**
|
|
|
|
### Credentials user impersonation
|
|
|
|
If you have **valid credentials of any other user**, you can **create** a **new logon session** with those credentials :
|
|
|
|
```
|
|
runas /user:domain\username cmd.exe
|
|
```
|
|
|
|
The **access token** has also a **reference** of the logon sessions inside the **LSASS**, this is useful if the process needs to access some objects of the network.\
|
|
You can launch a process that **uses different credentials for accessing network services** using:
|
|
|
|
```
|
|
runas /user:domain\username /netonly cmd.exe
|
|
```
|
|
|
|
This is useful if you have useful credentials to access objects in the network but those credentials aren't valid inside the current host as they are only going to be used in the network (in the current host your current user privileges will be used).
|
|
|
|
### Types of tokens
|
|
|
|
There are two types of tokens available:
|
|
|
|
* **Primary token**: Primary tokens can only be **associated to processes**, and they represent a process's security subject. The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of privilege separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's operating system shell. Processes initially inherit a copy of the parent process's primary token.
|
|
* **Impersonation token**: Impersonation is a security concept implemented in Windows NT that **allows** a server application to **temporarily** "**be**" **the client** in terms of access to secure objects. Impersonation has **four possible levels**:
|
|
|
|
* **anonymous**, giving the server the access of an anonymous/unidentified user
|
|
* **identification**, letting the server inspect the client's identity but not use that identity to access objects
|
|
* **impersonation**, letting the server act on behalf of the client
|
|
* **delegation**, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials).
|
|
|
|
The client can choose the maximum impersonation level (if any) available to the server as a connection parameter. Delegation and impersonation are privileged operations (impersonation initially was not, but historical carelessness in the implementation of client APIs failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it). **Impersonation tokens can only be associated to threads**, and they represent a client process's security subject. Impersonation tokens are usually created and associated to the current thread implicitly, by IPC mechanisms such as DCE RPC, DDE and named pipes.
|
|
|
|
#### Impersonate Tokens
|
|
|
|
Using the _**incognito**_\*\* module\*\* of metasploit if you have enough privileges you can easily **list** and **impersonate** other **tokens**. This could be useful to perform **actions as if you where the other user**. You could also **escalate privileges** with this technique.
|
|
|
|
### Token Privileges
|
|
|
|
Learn which **token privileges can be abused to escalate privileges:**
|
|
|
|
{% content-ref url="privilege-escalation-abusing-tokens/" %}
|
|
[privilege-escalation-abusing-tokens](privilege-escalation-abusing-tokens/)
|
|
{% endcontent-ref %}
|
|
|
|
Take a look to [**all the possible token privileges and some definitions on this external page**](https://github.com/gtworek/Priv2Admin).
|
|
|
|
## References
|
|
|
|
Learn more about tokens in this tutorials: [https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa](https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa) and [https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|