Post-Exploitation: Token Impersonation Lab Report

Author: Basit Hassan 

Date: 2025-10-13

Environment: The same AD environment i have been simulating from the begining of this journey.

Scope:Scope: Demonstration in a lab environment of token impersonation using Meterpreter incognito.


Overview

I used the credential of a user I obtained in an earlier post and launched Metasploit’s psexec module against a target in my simulated AD lab. From the psexec exploit I obtained a Meterpreter session on the host. Inside Meterpreter I loaded the incognito extension and ran list_tokens -u to enumerate available user tokens. I identified a privileged token corresponding to an Administrator account and used impersonate_token to assume that context. I then spawned a shell under the impersonated token and verified privileges with whoami, which confirmed LABDOMAIN\\Administrator (sanitized).

Walkthrough

  1. Launched msfconsole on the attacker VM.

  2. Used psexec (via Metasploit) with valid credentials to get a Meterpreter session on the target VM.

  3. In the Meterpreter session: load incognito and list_tokens to enumerate tokens.

  4. Found an Administrator token and used impersonate_token  to assume the admin context.

  5. Spawned a shell under the impersonated token and verified privileges with whoami.





i was able to get administration shell the highest priviledge i will ever get this is the domain contoller admin

Important: This impersonation succeeded because the Administrator account already had an active session token on the target (the admin had previously logged in). If the machine had been restarted — clearing session tokens — the impersonation would not have worked until an Administrator session existed again.

Mitigation & Hardening Recommendations

  1. Least privilege: Remove unnecessary privileges like SeImpersonatePrivilege from non-privileged service accounts.

  2. LSA Protection & Credential Guard: Enable LSA protection and Microsoft Defender Credential Guard where possible.

  3. Rotate local admin credentials: Use LAPS (Local Administrator Password Solution) to manage/rotate local admin passwords.

  4. EDR & Monitoring: Deploy EDR that detects LSASS memory reads, token duplication, and common post-exploitation tools (Meterpreter, Mimikatz).

  5. Network segmentation & MFA: Limit lateral movement opportunities and require multi-factor authentication for privileged accounts.

  6. Harden service accounts: Ensure service accounts do not hold interactive or excessive privileges and rotate their credentials regularly.

Comments

Post a Comment

Popular posts from this blog

Using Hydra to Brute-Force SSH And WI-Fi Login Portal

Image
  Welcome back again to my cybersecurity blog! i'm Basit Hassan, a student penetration tester passionate about ethical hack ing. On this blog, i'll be sharing tutorials, walkthroughs, and real-world exploitation techniques  that i've personally tested and can get you started in the penetration testing field. Today's post, i'll demonstrate how to use Hydra , a powerful brute-forcing tool, to test login credentials on a SSH server and a WI-FI admin portal. This test was done on my own network and machine to show how attackers operate and how to protect against them. What is Hydra? Hydra is a powerful tool used by penetration testers to automate brute-force attacks on various protocols like SSH, FTP, HTTP, and more. In this blog, we’ll learn how to use Hydra to brute-force SSH logins and web-based login forms safely in a lab environment. 🔓 What is a Brute-Force Attack? A brute-force attack is a method use to gain unauthorized access to account and systems by trying co...
Read more

Discover AWS Organization ID Via S3 Bucket

Image
  Welcome to my cybersecurity blog! i'm Basit Hassan, a student penetration tester passionate about ethical hack ing. On this blog, i'll be sharing tutorials, walkthroughs, and real-world exploitation techniques  that i've personally tested and can get you started in the penetration testing field. Today's post is about AWS pentesting using an assume breached scenario, where the target  organization provide you with low level credentials,command line interface credentials that you can connect to the AWS CLI (Command Line Interface) with.  Let The Hacking Begin!!!! we will be using platform called CYBR click on the url and create a free account and do this lab along side with me  https://cybr.com/hands-on-labs/lab/discover-aws-organization-id-via-s3-bucket/  this is how the interface looks like below 👇👇after creating  an account and starting the lab  once it's ready you are going to get an Access key ID and a Secret Access key. So now if you are n...
Read more

SMB Relay Attack in AD Lab (Step-by-Step)

Image
Welcome back again to my cybersecurity blog! I'm Basit Hassan, a Vulnerability Assessment and Penetration Tester passionate about ethical hacking. On this blog, I’ll be sharing tutorials, walkthroughs, and real-world exploitation techniques that I’ve personally tested all designed to help you get started and grow in the penetration testing field. Today’s post , I’ll demonstrate how I leveraged SMB Relay attacks in my Active Directory lab to understand how attackers exploit network misconfigurations and relay authentication requests. This simulation was done in my own isolated lab environment to show how these attacks work  and more importantly, how to secure your network against them.  What is an SMB Relay Attack? SMB Relay is a man-in-the-middle (MITM) attack technique where an attacker intercepts and relays authentication requests from one system to another, without cracking any password. Instead of capturing and brute-forcing hashes, SMB Relay forwards the authenticatio...
Read more