Thursday, September 11, 2014

Impersonating Domain Accounts with Incognito (and avoiding 0xC0000142)

This series is getting more and more sketchy. Please don't do anything illegal or unethical with things you learn from me. I am, of course, not responsible if you mess something up or get in trouble as a result of following my instructions.

So, now that you have local admin access and can check out the Active Directory (and override Group Policy if you want to), you might have set your sights on becoming a full-power domain administrator.

To accomplish this, we will use a tool called Incognito to seize control of an in-process access token belonging to a domain admin (or anybody else). Download Incognito v2 from the bottom of the official page. Your antivirus will probably try to stop you from extracting the ZIP; disable it temporarily and then add the resulting directory to its exception list. I recommend placing this directory on your PATH environment variable because we'll be jumping all around the drive while spawning new CMD windows.

Using Incognito is simple: you type incognito list_tokens -u to see all the available tokens, then incognito execute followed by the account you want to take and then a program to run (I recommend cmd).

This works great for seizing access tokens of local users, but since Windows XP it doesn't work for domain accounts. Specifically, Incognito will claim to succeed, but CSRSS will throw 0xC0000142 (init error). This is because only NetworkService can duplicate domain tokens, and NetworkService is itself protected similarly. (Note: not technically correct. This is true enough, and the real explanation is lengthy and unnecessary.)

To get around 0xC0000142, you must be able to act as part of the operating system. Fortunately, since you're local admin, you can do that kind of thing. Run secpol.msc and find "Act as part of the operating system" in User Rights Assignment under Local Policies. Add yourself to this list.
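Granting this right leaves a persistent change in local policy, which makes it something a defender can audit. The following is an added example, not part of the original post: it parses the output of `secedit /export /cfg policy.inf /areas USER_RIGHTS` and lists every principal holding SeTcbPrivilege, the constant behind "Act as part of the operating system". The sample export, SID, account name and function names are constructed for illustration.

```python
# Added example: find holders of SeTcbPrivilege in a secedit USER_RIGHTS export.
# The sample text, SID and account name below are constructed for illustration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1104,labuser
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_export(path):
    """Read an export from disk (assumption: secedit writes UTF-16 with a BOM)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def privilege_holders(export_text, privilege="SeTcbPrivilege"):
    """Return the principals assigned `privilege` in the [Privilege Rights] section."""
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            # SIDs are written as *S-1-...; some accounts appear as bare names.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []  # privilege not listed: nobody has been assigned it


def unexpected_tcb_holders(export_text, allowed=()):
    """Return SeTcbPrivilege holders that are not in the `allowed` baseline."""
    baseline = {a.lower() for a in allowed}
    return [p for p in privilege_holders(export_text) if p.lower() not in baseline]


if __name__ == "__main__":
    for principal in unexpected_tcb_holders(SAMPLE_EXPORT):
        print("SeTcbPrivilege assigned to:", principal)
```

Microsoft's guidance is that no account be assigned this right, so on most machines any result is worth investigating.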

Now, you're ready to take all the access tokens. For a token to be in the system, the target account must be signed in or have used UAC to launch an application that is running. (Convince a domain admin to install something for you?) Let's say the target account is called NAIVE\unsuspecting. I would run incognito execute NAIVE\unsuspecting cmd. This produces a command prompt as the user. There, you can reset the password of a domain admin (preferably one that isn't used anymore) with something like net user oldadmin somepassword /domain. Alternatively, launch MMC, connect to the domain controller, and add yourself (or a less obviously named new account) to the Administrators group.

And there you have it. Very easy to do; the hard part is getting a domain admin token on the system.
