Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

One Token to Rule Them All

Luke Jennings
Chaos Communication Congress 24th (24C3) 2007
Indexed on
Mar 27, 2013
File name
File size
24.4 MB

The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to "squeeze all the juice" out of every compromised system. Windows access tokens are integral to Microsoft's concept of single sign-on in an active directory environment. Compromising a system that has privileged tokens can allow for both local and domain privilege escalation. This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework to allow its use to be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off. The talk will focus on introducing the audience to the concept of windows access tokens and how they are utilised within windows with a particular focus on their importance within windows forest/domain environments. The talk will then move on to demonstrate how their functionality can be abused for powerful post-exploitation options, culminating in a live demo of my tool being used to escalate privileges significantly after system compromises both locally and across a domain. Interesting, important and unexpected nuances of how these tokens behave will then be discussed to demonstrate how risk could be unknowingly exposed even by those who think they already have a grasp of these issues. The talk will then move focus towards the advantages of combining these techniques with the existing post-exploitation focussed meterpreter, which comes with the metasploit framework. Another live demo will then be given, showing how these techniques can be utilised from within a meterpreter session after having exploited a system with metasploit. The focus of the talk will then be shifted again to discuss how systems housing tokens with desirable privileges can be located on large networks, such that penetration attempts can be focussed on these. A live demo will be given of how this can achieved with my tool and then it will be discussed how these techniques can be incorporated into standard penetration testing methodologies such that it will often be possible to expose gaping holes in networks that would have otherwise been considered relatively secure. Finally, defence strategies will be dicussed in order for the audience to understand how best to defend themselves against these attacks.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !