1
00:00:00,850 --> 00:00:06,220
So here's Incognito, which was originally a standalone application that allowed you to impersonate

2
00:00:06,220 --> 00:00:09,640
user tokens when successfully compromising a system.

3
00:00:11,030 --> 00:00:15,140
This was integrated into Metasploit and ultimately into Meterpreter.

4
00:00:16,190 --> 00:00:22,100
Tokens are temporary keys that allow you to access the system and network without having to provide

5
00:00:22,100 --> 00:00:24,470
credentials each time you access a file.

6
00:00:25,520 --> 00:00:30,590
Incognito exploits tokens by replaying that temporary key when asked to authenticate.

7
00:00:31,570 --> 00:00:39,490
And there are two types of tokens: delegate and impersonate. Delegate tokens are created for interactive

8
00:00:39,490 --> 00:00:45,820
logon, such as logging into the machine or connecting to it via Remote Desktop. Impersonate

9
00:00:45,820 --> 00:00:53,590
tokens are for non-interactive sessions, such as attaching a network drive or a domain logon script.

10
00:00:54,460 --> 00:00:58,210
One great thing about tokens is they persist until a reboot.

11
00:00:58,720 --> 00:01:05,290
When a user logs off, their delegate token is reported as an impersonate token, but will still hold

12
00:01:05,320 --> 00:01:07,030
all the rights of a delegate token.

13
00:01:08,260 --> 00:01:14,320
Now, once you have a Meterpreter session, you can impersonate valid tokens on the system and become

14
00:01:14,320 --> 00:01:20,260
that specific user without ever having to worry about credentials or, for that matter, even hashes.

15
00:01:21,170 --> 00:01:26,870
During a penetration test, this is especially useful due to the fact that tokens have the possibility

16
00:01:26,870 --> 00:01:33,860
of allowing local and/or domain privilege escalation, enabling you alternate avenues with potentially

17
00:01:33,860 --> 00:01:36,680
elevated privileges to multiple systems.

18
00:01:39,290 --> 00:01:45,980
So here we are in a Meterpreter session in Kali. The session is on a Windows XP victim. The incognito module

19
00:01:45,980 --> 00:01:53,720
is not loaded by default, so type load incognito to load it, and help incognito to list a variety of options

20
00:01:53,720 --> 00:01:57,740
we have for incognito and brief descriptions of each option.

21
00:01:59,030 --> 00:02:06,020
And what we will need to do first is identify if there are any valid tokens on this system, so we'll

22
00:02:06,020 --> 00:02:08,900
use the list_tokens command to list the tokens.

23
00:02:10,030 --> 00:02:13,180
Well, let's use it with the -u parameter.

24
00:02:15,040 --> 00:02:18,700
Let's impersonate the administrator using impersonate_token.

25
00:02:23,990 --> 00:02:26,360
Now, don't forget to put a double backslash.

26
00:02:27,940 --> 00:02:34,150
And after successfully impersonating a token, we check our current user ID by executing the getuid

27
00:02:34,240 --> 00:02:34,750
command.

28
00:02:35,950 --> 00:02:41,530
Now open a shell on the victim and look at who we are with the whoami

29
00:02:41,570 --> 00:02:42,070
command.

30
00:02:43,790 --> 00:02:51,890
Well, now we have another method to see who we are, through the environment variables: echo %USERDOMAIN%

31
00:02:52,310 --> 00:02:53,030
%USERNAME%.

32
00:02:54,070 --> 00:03:01,570
We are the Administrator user on the SEAL XP system. Now Ctrl+C to terminate the shell command.

33
00:03:02,470 --> 00:03:07,720
Now I'll use the rev2self command to be the SYSTEM user again.

34
00:03:08,830 --> 00:03:10,720
Then getuid to check it.

35
00:03:11,260 --> 00:03:13,780
OK, so we are the SYSTEM user again.

36
00:03:14,590 --> 00:03:19,120
So now I'll open the shell again and look who I am once more.

37
00:03:22,740 --> 00:03:26,070
Well, the SYSTEM user looks just like this.