1
00:00:00,820 --> 00:00:06,250
So here's Incognito, which was originally a standalone application that allowed you to impersonate

2
00:00:06,250 --> 00:00:09,670
user tokens when successfully compromising a system.

3
00:00:11,000 --> 00:00:15,140
This was integrated into Metasploit and ultimately into Meterpreter.

4
00:00:16,190 --> 00:00:22,130
Tokens are temporary keys that allow you to access the system and network without having to provide

5
00:00:22,130 --> 00:00:24,470
credentials each time you access a file.

6
00:00:25,490 --> 00:00:30,590
Incognito exploits tokens by replaying that temporary key when asked to authenticate.

7
00:00:31,540 --> 00:00:39,520
And there are two types of tokens, delegate and impersonate. Delegate tokens are created for interactive

8
00:00:39,520 --> 00:00:44,290
logons, such as logging into the machine or connecting to it via remote desktop.

9
00:00:45,040 --> 00:00:52,660
Impersonate tokens are for non-interactive sessions, such as attaching a network drive or a domain

10
00:00:52,660 --> 00:00:53,590
logon script.

11
00:00:54,460 --> 00:01:01,240
One great thing about tokens is they persist until a reboot. When a user logs off, their delegate token

12
00:01:01,240 --> 00:01:07,060
is reported as an impersonate token but will still hold all the rights of a delegate token.

13
00:01:08,230 --> 00:01:14,320
And once you have a Meterpreter session, you can impersonate valid tokens on the system and become

14
00:01:14,320 --> 00:01:20,260
that specific user without ever having to worry about credentials or, for that matter, even hashes.

15
00:01:21,170 --> 00:01:26,900
During a penetration test, this is especially useful due to the fact that tokens have the possibility

16
00:01:26,900 --> 00:01:33,890
of allowing local and/or domain privilege escalation, giving you alternate avenues with potentially

17
00:01:33,890 --> 00:01:36,740
elevated privileges to multiple systems.

18
00:01:39,230 --> 00:01:45,980
So here we are in a Meterpreter session in Kali. The session is on the Windows XP victim. The Incognito module

19
00:01:45,980 --> 00:01:53,240
is not loaded by default, so type load incognito to load it, and help incognito to list a variety

20
00:01:53,240 --> 00:01:57,770
of options we have for Incognito and brief descriptions of each option.

21
00:01:59,000 --> 00:02:06,020
And what we will need to do first is identify if there are any valid tokens on this system, so we'll

22
00:02:06,020 --> 00:02:08,930
use the list_tokens command to list the tokens.

23
00:02:10,030 --> 00:02:13,180
Well, let's use it with the -u parameter.

24
00:02:15,040 --> 00:02:18,730
Let's impersonate the administrator using impersonate_token.

25
00:02:23,990 --> 00:02:26,390
Now, don't forget to put a double backslash.

26
00:02:27,910 --> 00:02:34,270
And after successfully impersonating a token, we check our current user ID by executing the getuid

27
00:02:34,270 --> 00:02:34,750
command.

28
00:02:35,950 --> 00:02:42,130
Now open a shell on the victim and look at who we are with the whoami command.

29
00:02:43,790 --> 00:02:51,440
Well, now we have another method to see who we are, through the environment variables: echo USERDOMAIN

30
00:02:51,440 --> 00:02:53,060
and USERNAME.

31
00:02:54,100 --> 00:03:01,570
We are the administrator user on the CEO XP system. Now Ctrl-C to terminate the shell command.

32
00:03:02,470 --> 00:03:07,750
Now I will use the rev2self command to be the system user again.

33
00:03:08,860 --> 00:03:10,750
getuid to check it.

34
00:03:11,230 --> 00:03:19,120
OK, so we are the system user again, so now I'll open the shell again and look at who I am once more.

35
00:03:22,740 --> 00:03:26,100
Well, the system user looks just like this.

