Impersonation

Make or Steal a Token | https://github.com/Leo4j/Token-Impersonation

The Impersonation module in Amnesiac enables users to perform token impersonation, allowing them to make or steal tokens for specific purposes.

Token stealing can be valuable in situations where you want to escalate privileges within Active Directory, move laterally within a network, or perform actions that require the privileges associated with the stolen token.

The Impersonation module uses the Token-Impersonation capabilities behind the scenes for all token-related tasks: it can make new tokens or steal existing ones. To load the module, type Impersonation; loading it also prints the usage instructions.

The module allows users to:

  • Create a new token by specifying the target username, domain, and password

  • Steal an existing token by specifying the PID from which they want to acquire the token

  • Revert to their previous token after token manipulation

  • Check for local admin access on target machines using the SMB protocol or PSRemoting

Important Considerations:

The logon session created has the same local identifier (LUID) as the caller's. Commands that touch only local resources (whoami, for example) therefore still appear to run under the original user context: locally, nothing has changed, and the LUID is the same as the caller's.

The alternate credentials are only used when a remote resource is accessed.

Tokens created or stolen with the Impersonation module are session-specific and carry no system-wide privileges. A made token is therefore of no use for anything you want to run on the current machine; it only takes effect on network access.
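From the defender's side, the behaviour described above (local identity unchanged, alternate credentials used only for outbound network access) is the behaviour Windows records as a Security Event ID 4624 with LogonType 9 (NewCredentials), normally accompanied by a 4648 event ("a logon was attempted using explicit credentials") from the same caller and process that names the alternate account. The example below is added here and is not part of Amnesiac or Token-Impersonation: it parses a handful of constructed, flattened key=value event lines (the export format is an assumption; adapt the parser to your SIEM) and raises an alert for every NewCredentials logon, enriched with the alternate account from the matching 4648 and with a flag saying whether the originating process is on an allowlist you supply. Note the caveat for the other path: a token duplicated from another process (the "steal" case) creates no new logon session and so produces no 4624 of its own; that path needs process-access telemetry instead.

```python
"""Flag NewCredentials (LogonType 9) logons in Windows Security events.

Added example, not project code. Input is a constructed, flattened
key=value rendering of 4624/4648 EventData; real exports differ in shape.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Two of the 4624 entries
# are LogonType 9; each is paired with a 4648 from the same caller/process.
SAMPLE_EVENTS = [
    "TimeCreated=2024-01-10T09:00:01 EventID=4624 LogonType=2 SubjectUserName=- "
    "TargetUserName=alice TargetDomainName=CORP LogonProcessName=User32 "
    "ProcessName=C:\\Windows\\System32\\winlogon.exe",
    "TimeCreated=2024-01-10T09:15:20 EventID=4648 SubjectUserName=alice "
    "SubjectDomainName=CORP TargetUserName=svc_admin TargetDomainName=CORP "
    "ProcessName=C:\\Users\\alice\\Downloads\\tool.exe",
    "TimeCreated=2024-01-10T09:15:20 EventID=4624 LogonType=9 SubjectUserName=alice "
    "TargetUserName=alice TargetDomainName=CORP LogonProcessName=Advapi "
    "ProcessName=C:\\Users\\alice\\Downloads\\tool.exe",
    "TimeCreated=2024-01-10T09:20:00 EventID=4624 LogonType=3 SubjectUserName=- "
    "TargetUserName=svc_backup TargetDomainName=CORP LogonProcessName=NtLmSsp "
    "ProcessName=-",
    "TimeCreated=2024-01-10T10:02:11 EventID=4648 SubjectUserName=bob "
    "SubjectDomainName=CORP TargetUserName=bob_adm TargetDomainName=CORP "
    "ProcessName=C:\\Windows\\System32\\runas.exe",
    "TimeCreated=2024-01-10T10:02:11 EventID=4624 LogonType=9 SubjectUserName=bob "
    "TargetUserName=bob TargetDomainName=CORP LogonProcessName=Advapi "
    "ProcessName=C:\\Windows\\System32\\runas.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 'Key=Value Key=Value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_new_credentials_logons(lines, allowlisted_processes=None):
    """Return one alert per 4624 event with LogonType 9.

    Each alert carries the caller, the originating process, any alternate
    accounts named by a 4648 event from the same caller, process and
    timestamp, and whether the process is on the supplied allowlist
    (e.g. runas.exe, if /netonly use is expected in your environment).
    """
    allow = {p.lower() for p in (allowlisted_processes or [])}
    events = [parse_event(line) for line in lines]

    # Index 4648 events by (caller, process, time) so they can enrich 4624s.
    explicit = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4648":
            key = (ev.get("SubjectUserName"), ev.get("ProcessName", "").lower(),
                   ev.get("TimeCreated"))
            explicit[key].append(
                f"{ev.get('TargetDomainName')}\\{ev.get('TargetUserName')}")

    alerts = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "9":
            continue
        proc = ev.get("ProcessName", "").lower()
        key = (ev.get("SubjectUserName"), proc, ev.get("TimeCreated"))
        alerts.append({
            "time": ev.get("TimeCreated"),
            "caller": ev.get("SubjectUserName"),
            "process": ev.get("ProcessName"),
            "alternate_accounts": explicit.get(key, []),
            "expected_process": proc in allow,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_new_credentials_logons(
            SAMPLE_EVENTS, ["C:\\Windows\\System32\\runas.exe"]):
        print(alert)
```

Running the block prints two alerts: one for alice from an unexpected download-folder binary using svc_admin's credentials, and one for bob from runas.exe, which the allowlist marks as expected. Tuning belongs in the allowlist and in what you do with the caller/process pair, not in the LogonType match itself.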

Check Access

Do not use the LocalAdminAccess module together with token impersonation: it will fail. Use the Access_Check command instead to verify local admin access.

The Access_Check command provides a means to verify access to network machines using the alternate credentials obtained through token impersonation. You can use this command with both the SMB protocol and PSRemoting.

For both methods, you also have the option to specify a target domain and domain controller.

For PSRemoting, you also have the option to execute commands on the target machine.

Get a Shell

The Shell_tknadmin command is used to obtain a shell on target machines where the current user has local admin privileges, specifically through PSRemoting. This method allows you to establish a shell session on target systems where your alternate credentials grant administrative access. Users also have the option to specify a target domain and domain controller.
