Beispiel #1
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        public static void GetSystem(String input, IntPtr hToken)
        {
            CheckPrivileges.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out Boolean exists, out Boolean enabled);
            String item = NextItem(ref input);

            if (exists)
            {
                if ("getsystem" == item)
                {
                    using (Tokens t = new Tokens())
                    {
                        t.GetSystem();
                    }
                }
                else
                {
                    using (Tokens t = new Tokens())
                    {
                        t.GetSystem(item + " " + input);
                    }
                }
            }
            else
            {
                if ("getsystem" == item)
                {
                    NamedPipes.GetSystem();
                }
                else
                {
                    NamedPipes.GetSystem(input, item + " " + input);
                }
            }
        }
        ////////////////////////////////////////////////////////////////////////////////
        // Finds a process per user discovered
        // ToDo: check if token is a primary token
        ////////////////////////////////////////////////////////////////////////////////
        public static Dictionary <String, UInt32> EnumerateTokens(Boolean findElevation)
        {
            Dictionary <String, UInt32> users = new Dictionary <String, UInt32>();

            foreach (Process p in Process.GetProcesses())
            {
                IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
                if (IntPtr.Zero == hProcess)
                {
                    continue;
                }
                IntPtr hToken;
                if (!kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
                {
                    continue;
                }
                kernel32.CloseHandle(hProcess);
                if (findElevation)
                {
                    if (!CheckPrivileges.CheckElevation(hToken))
                    {
                        continue;
                    }
                }

                UInt32 dwLength = 0;
                Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
                //Split up impersonation and primary tokens
                if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
                {
                    continue;
                }

                if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                {
                    if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                    {
                        Console.WriteLine("GetTokenInformation: {0}", Marshal.GetLastWin32Error());
                        continue;
                    }
                }
                kernel32.CloseHandle(hToken);

                String userName = String.Empty;
                if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
                {
                    continue;
                }

                if (!users.ContainsKey(userName))
                {
                    users.Add(userName, (UInt32)p.Id);
                }
            }
            return(users);
        }
        ////////////////////////////////////////////////////////////////////////////////
        // Find processes for a user via Tokens
        ////////////////////////////////////////////////////////////////////////////////
        public static Dictionary <UInt32, String> EnumerateUserProcesses(Boolean findElevation, String userAccount)
        {
            Dictionary <UInt32, String> users = new Dictionary <UInt32, String>();

            Process[] pids = Process.GetProcesses();
            Console.WriteLine("[*] Examining {0} processes", pids.Length);
            foreach (Process p in pids)
            {
                IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
                if (IntPtr.Zero == hProcess)
                {
                    continue;
                }
                IntPtr hToken;
                if (!kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
                {
                    continue;
                }
                kernel32.CloseHandle(hProcess);

                if (findElevation && !CheckPrivileges.CheckElevation(hToken))
                {
                    continue;
                }

                UInt32 dwLength = 0;
                Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
                if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                {
                    if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                    {
                        continue;
                    }
                }
                kernel32.CloseHandle(hToken);

                if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
                {
                    continue;
                }


                String userName = String.Empty;
                if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
                {
                    continue;
                }
                if (userName.ToUpper() == userAccount.ToUpper())
                {
                    users.Add((UInt32)p.Id, p.ProcessName);
                    if (findElevation)
                    {
                        return(users);
                    }
                }
            }
            Console.WriteLine("[*] Discovered {0} processes", users.Count);

            Dictionary <UInt32, String> sorted = new Dictionary <UInt32, String>();

            foreach (var user in users.OrderBy(u => u.Value))
            {
                sorted.Add(user.Key, user.Value);
            }

            return(sorted);
        }
Beispiel #4
0
        internal void Run()
        {
            try
            {
                Console.Write(context);
                String input;
                if (activateTabs)
                {
                    input = console.ReadLine();
                }
                else
                {
                    input = Console.ReadLine();
                }

                IntPtr tempToken = IntPtr.Zero;
                kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out IntPtr hToken);
                switch (NextItem(ref input))
                {
                case "info":
                    if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken))
                    {
                        hToken = tempToken;
                    }
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenUser(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenOwner(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenGroups(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetElevationType(hToken, out Winnt._TOKEN_TYPE tokenType);
                    CheckPrivileges.PrintElevation(hToken);
                    break;

                case "list_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.EnumerateTokenPrivileges(hToken);
                    break;

                case "enable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                    break;

                case "disable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                    break;

                case "remove_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                    break;

                case "nuke_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
                    break;

                case "terminate":
                    if (GetProcessID(input, out processID, out command))
                    {
                        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
                        if (IntPtr.Zero == hProcess)
                        {
                            Tokens.GetWin32Error("OpenProcess");
                            break;
                        }
                        Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
                        if (!kernel32.TerminateProcess(hProcess, 0))
                        {
                            Tokens.GetWin32Error("TerminateProcess");
                            break;
                        }
                        Console.WriteLine("[+] Process Terminated");
                    }
                    break;

                case "sample_processes":
                    users = Enumeration.EnumerateTokens(false);
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "sample_processes_wmi":
                    users = Enumeration.EnumerateTokensWMI();
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "find_user_processes":
                    processes = Enumeration.EnumerateUserProcesses(false, input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "find_user_processes_wmi":
                    processes = Enumeration.EnumerateUserProcessesWMI(input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "list_filters":
                    using (Filters filters = new Filters())
                    {
                        filters.First();
                        filters.Next();
                    }
                    break;

                case "list_filter_instances":
                    using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
                    {
                        filterInstance.First();
                        filterInstance.Next();
                    }
                    break;

                case "detach_filter":
                    Filters.FilterDetach(input);
                    break;

                case "unload_filter":
                    Filters.Unload(NextItem(ref input));
                    break;

                case "sessions":
                    Enumeration.EnumerateInteractiveUserSessions();
                    break;

                case "getsystem":
                    GetSystem(input, hToken);
                    break;

                case "gettrustedinstaller":
                    GetTrustedInstaller(input);
                    break;

                case "steal_token":
                    StealToken(input);
                    break;

                case "steal_pipe_token":
                    StealPipeToken(input);
                    break;

                case "bypassuac":
                    BypassUAC(input);
                    break;

                case "whoami":
                    Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                    break;

                case "reverttoself":
                    String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed";
                    Console.WriteLine(message);
                    break;

                case "run":
                    Run(input);
                    break;

                case "runpowershell":
                    RunPowerShell(input);
                    break;

                case "exit":
                    Environment.Exit(0);
                    break;

                case "help":
                    String item = NextItem(ref input);
                    if ("help" != item)
                    {
                        Help(item);
                    }
                    else
                    {
                        Help();
                    }
                    break;

                default:
                    Help();
                    break;
                }
                if (IntPtr.Zero != hToken)
                {
                    kernel32.CloseHandle(hToken);
                }
                Console.WriteLine();
            }
            catch (Exception error)
            {
                Console.WriteLine(error.ToString());
                Tokens.GetWin32Error("MainLoop");
            }
            finally
            {
            }
        }