Title: Windows Access Token Attacks in Domain Penetration Testing

Windows Access Token Attacks in Domain Penetration Testing

Introduction to Windows Access Tokens

The Windows Access Token Concept

Microsoft's official definition is as follows:

An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread.

A Windows Access Token is an object that describes the security context of a process or thread. When a user logs on to the computer, an Access Token is generated for that logon. The token is used whenever the user creates a process or thread and is copied along to each of them; this is why a process created by user A does not carry the permissions of user B. When the user logs off, the system switches the primary token to an impersonation token instead of clearing it; tokens are only cleared when the machine restarts.

Access Tokens come in two types: primary tokens and impersonation tokens.

Types of Windows Access Token

1. Primary token: typically used for local logon and remote RDP logon.

2. Impersonation token: typically used for the various non-interactive logons, such as net use, WMI, WinRM, etc.

Logon methods

Interactive logon

Console logon (type 2)

RDP logon (type 10)

PsExec (type 2)

Network logon

WMI (type 3)

WinRM (type 3)
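As an added example that is not part of the original post, the PowerShell audit below maps these logon types back to the tokens actually issued on a host: it reads recent 4624 (successful logon) events from the Security log, labels each by logon type (2, 3 and 10 as above) and reports the impersonation level Windows recorded for the session. It assumes an elevated PowerShell session on the audited host; the field names are those of the 4624 event's EventData.

```powershell
# Added example: summarise recent 4624 (successful logon) events by logon type.
# Assumes an elevated PowerShell session on the host being audited (Security log access).
$typeNames = @{ 2 = 'Interactive (console)'; 3 = 'Network'; 10 = 'RemoteInteractive (RDP)' }

function Get-LogonTokenSummary {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Pull EventData fields by name from the event XML rather than by positional index
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $type = [int]$d['LogonType']
        [pscustomobject]@{
            Time          = $e.TimeCreated
            Account       = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType     = $type
            LogonTypeName = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { 'Other' }
            LogonProcess  = $d['LogonProcessName']
            # Impersonation level of the new session as recorded by Windows (raw %% message code)
            Impersonation = $d['ImpersonationLevel']
            Source        = $d['IpAddress']
        }
    }
}

# Count logons per (type, account): a run of type-3 logons for an account that normally only
# logs on interactively, or an unexpected account showing up with type 10, deserves a closer look.
Get-LogonTokenSummary |
    Group-Object LogonTypeName, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```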

Composition of a Windows Access Token

Security identifier (SID) of the user account

SIDs of the groups the user belongs to

Logon SID identifying the current logon session

List of privileges held by the user or the user's groups

Owner SID

SID of the primary group

Access control list

Source of the access token

Whether the token is a primary token or an impersonation token

Optional list of restricting SIDs

Current impersonation level

Other statistics

About SIDs

Security identifiers, SIDs for short, appear in the token as the OwnerSid and the GroupSid. Whenever we create a user or group, the system assigns that user or group a unique SID; reinstalling the system also produces new, unique SIDs. A SID is unique and is not handed to another user for reuse once the original user is deleted. Remember, a SID is always unique. The SID is derived from the computer name, the current time and the CPU time consumed by the current user-mode thread, which guarantees its uniqueness.

Example: S-1-5-21-1763234323-321265751-1234321321-500 (output of whoami /user)

How a Windows Access Token is generated

The user authenticates with credentials (username and password) – a logon session is created – Windows returns the user's SID and the user's group SIDs – the LSA creates an Access Token – once authentication with the credentials succeeds, the logon session's token is attached to the processes and threads the user starts.

Token impersonation in post-exploitation

Impersonating tokens with Cobalt Strike

Use steal_token to impersonate a token and rev2self to revert to the original token.

Impersonating tokens with Metasploit

The incognito module; likewise, rev2self reverts to the original token.

Obtaining the token of an arbitrary process

Manual token impersonation

Impersonation flow:

OpenProcess() – OpenProcessToken() – ImpersonateLoggedOnUser() – DuplicateTokenEx() – CreateProcessWithTokenW()

OpenProcess

OpenProcessToken

ImpersonateLoggedOnUser

DuplicateTokenEx

CreateProcessWithTokenW

Bypassing protected processes

Not all processes can be operated on.

Listing only the processes that hold a SYSTEM token:

Get-Token | Where-Object { $_.username -eq 'NT AUTHORITY\SYSTEM' -and $_.ownername -ne 'NT AUTHORITY\SYSTEM' } | Select-Object processname, processid | Format-Table

Testing then showed that the tokens of processes such as csrss, service, wininit, smss, etc. could not be obtained.

Using Access Tokens to bypass UAC

FuzzySecurity's UAC bypass using Windows tokens:

https://github.com/fuzzysecurity/powershell-suit/blob/master/UAC-TokenMagic.ps1