Windows Access Tokens

Microsoft uses access tokens, which are objects that describe the privileges and properties of a user. A token can be used to access a specific host, data or service within an Active Directory or Azure cloud environment. Brute Ratel provides the make_token command, which creates a security token with LogonUserA and then impersonates the user with that token through the ImpersonateLoggedOnUser WinAPI.

The command accepts 4 arguments:

  • type of token (local/network)
  • domain name
  • user name
  • password of the user

This command can be used to perform lateral movement, such as accessing remote admin shares (C$), creating remote services or scheduled tasks, and so on. The make_token command also supports creating local tokens instead of just network tokens. Local tokens allow you to access the directories of other users on the same computer/host, which would not be possible with network tokens.

To revert a token, use the revtoken command, which restores the token of the original user. This command can also be used from the Creds tab in Commander.
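For defenders, a LogonUserA call leaves a Security event 4624 whose logon process is "Advapi" and whose ProcessName is the calling binary. The following is an added example, not Brute Ratel code, that triages such events. The page does not say which logon type make_token passes, so types 2, 3 and 9 are all checked, and the sample events, account names and allow-list are constructed.

```python
# Added example: constructed events and hypothetical names throughout.
ALLOWED_CALLERS = {r"c:\windows\system32\inetsrv\w3wp.exe"}  # assumption: tune per host
LOGON_TYPES = {2: "Interactive", 3: "Network", 9: "NewCredentials"}

SAMPLE_EVENTS = [  # constructed 4624 EventData, not real logs
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi  ",
     "SubjectUserName": "alice", "TargetUserName": "alice",
     "TargetOutboundUserName": "svc_backup",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "Advapi  ",
     "SubjectUserName": "alice", "TargetUserName": "bob",
     "TargetOutboundUserName": "-",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Advapi  ",
     "SubjectUserName": "WEB01$", "TargetUserName": "appuser",
     "TargetOutboundUserName": "-",
     "ProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32 ",
     "SubjectUserName": "WS01$", "TargetUserName": "alice",
     "TargetOutboundUserName": "-",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
]

def new_identity(ev):
    """Account the caller switched to, or None if it matches the caller."""
    out = ev.get("TargetOutboundUserName", "-")
    # Type 9 keeps the caller's local identity; the new account is the outbound one.
    target = out if ev["LogonType"] == 9 and out not in ("-", "") else ev["TargetUserName"]
    return None if target.lower() == ev["SubjectUserName"].lower() else target

def suspicious_logonuser_events(events, allowed=ALLOWED_CALLERS):
    """Return (caller, new account, logon type, process) for unexpected LogonUser logons."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") not in LOGON_TYPES:
            continue
        if ev.get("LogonProcessName", "").strip().lower() != "advapi":
            continue  # not created through an Advapi logon call
        if ev.get("ProcessName", "").lower() in allowed:
            continue  # expected caller, e.g. a web server worker
        who = new_identity(ev)
        if who:
            hits.append((ev["SubjectUserName"], who,
                         LOGON_TYPES[ev["LogonType"]], ev["ProcessName"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_logonuser_events(SAMPLE_EVENTS):
        print(hit)
```

The allow-list is the part that needs tuning: services that legitimately call LogonUser differ per host, so build it from a baseline of each machine's own 4624 events.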