 // P/Invoke declaration for LogonUser: authenticates the given account and hands back a
 // token handle in phToken. Returns false on failure.
 // NOTE(review): the [DllImport] attribute sits above this excerpt; confirm it sets
 // SetLastError = true, otherwise the Win32 error reported after a failed call is stale.
 // LPStr marshals the strings as ANSI, so a password containing characters outside the
 // current ANSI code page will not round-trip; the LogonUserExExW declaration in this file
 // uses LPWStr (UTF-16) instead.
 internal static extern bool LogonUser(
     [MarshalAs(UnmanagedType.LPStr)] string pszUserName,   // account name (ANSI)
     [MarshalAs(UnmanagedType.LPStr)] string pszDomain,     // domain, or "." for the local machine
     [MarshalAs(UnmanagedType.LPStr)] string pszPassword,   // clear-text password (ANSI)
     Winbase.LOGON_TYPE dwLogonType,                        // LOGON32_LOGON_* value
     Winbase.LOGON_PROVIDER dwLogonProvider,                // LOGON32_PROVIDER_* value
     out IntPtr phToken                                     // receives the new token handle
     );
 // P/Invoke declaration for LogonUser without per-parameter marshalling attributes.
 // NOTE(review): the [DllImport] attribute is outside this excerpt. Whether the strings are
 // passed as ANSI or UTF-16 depends on its CharSet, and SetLastError = true is needed for
 // Marshal.GetLastWin32Error to be meaningful after a false return — confirm both.
 public static extern bool LogonUser(
     string lpszUsername,                     // account name
     string lpszDomain,                       // domain, or "." for the local machine
     string lpszPassword,                     // clear-text password
     Winbase.LOGON_TYPE dwLogonType,          // LOGON32_LOGON_* value
     Winbase.LOGON_PROVIDER dwLogonProvider,  // LOGON32_PROVIDER_* value
     out IntPtr phToken                       // receives the new token handle
     );
        // P/Invoke declaration for LogonUserExExW: like LogonUser, but additionally accepts a
        // TOKEN_GROUPS list (pTokenGroups) whose SIDs are added to the resulting token. The
        // trailing IntPtr parameters are optional output pointers; the caller in this file
        // passes IntPtr.Zero for all of them.
        // NOTE(review): the [DllImport] attribute is above this excerpt; confirm SetLastError = true
        // so the Win32 error printed after a failed call is the real one.
        internal static extern bool LogonUserExExW(
            [MarshalAs(UnmanagedType.LPWStr)] string pszUserName,   // account name (UTF-16)
            [MarshalAs(UnmanagedType.LPWStr)] string pszDomain,     // domain, or "." for the local machine
            [MarshalAs(UnmanagedType.LPWStr)] string pszPassword,   // clear-text password (UTF-16)
            Winbase.LOGON_TYPE dwLogonType,                         // LOGON32_LOGON_* value
            Winbase.LOGON_PROVIDER dwLogonProvider,                 // LOGON32_PROVIDER_* value
            ref Ntifs._TOKEN_GROUPS pTokenGroups,                   // extra groups to add to the new token
            out IntPtr phToken,                                     // receives the new token handle
            IntPtr ppLogonSid,                                      // optional; IntPtr.Zero to skip
            IntPtr ppProfileBuffer,                                 // optional; IntPtr.Zero to skip
            IntPtr pdwProfileLength,                                // optional; IntPtr.Zero to skip
            IntPtr QuotaLimits                                      // optional; IntPtr.Zero to skip

            );
        ////////////////////////////////////////////////////////////////////////////////
        // Logs a user on with the supplied credentials and then either impersonates the
        // resulting token (no command given) or launches a process under it.
        //
        // domain/username/password: credentials handed straight to advapi32.LogonUser.
        // logonType: Winbase.LOGON_TYPE passed through to LogonUser; a service logon
        //            additionally gets its token session id re-pointed at our session.
        // command/arguments: program to start under the new token; when command is
        //            empty the calling thread impersonates the token instead.
        //
        // On logon failure the Win32 error is printed and the method returns; callers
        // get no other signal.
        ////////////////////////////////////////////////////////////////////////////////
        public void LogonUser(string domain, string username, string password, Winbase.LOGON_TYPE logonType, string command, string arguments)
        {
            bool loggedOn = advapi32.LogonUser(
                username, domain, password,
                logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT,
                out hExistingToken);
            if (!loggedOn)
            {
                Misc.GetWin32Error("LogonUser");
                return;
            }
            Console.WriteLine("[+] Logged On {0}", username.TrimEnd());

            // NOTE(review): unlike the overload that takes a group list, this path does not
            // call SetWorkingTokenToRemote() before SetTokenSessionId — confirm which token
            // SetTokenSessionId operates on.
            bool serviceLogon = logonType == Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
            if (serviceLogon && !SetTokenSessionId(Process.GetCurrentProcess().SessionId))
            {
                Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
            }

            if (string.IsNullOrEmpty(command))
            {
                // No program requested: make the calling thread run as the new token.
                SetWorkingTokenToRemote();
                ImpersonateUser();
                return;
            }

            // Which process-creation API is used depends on whether we run in session 0.
            Create createProcess = Process.GetCurrentProcess().SessionId == 0
                ? (Create)CreateProcess.CreateProcessWithLogonW
                : CreateProcess.CreateProcessWithTokenW;
            createProcess(hExistingToken, command, arguments);
        }
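        ////////////////////////////////////////////////////////////////////////////////
        // Command handler: derives domain, account name and logon type from the
        // "username" argument, then hands off to TokenManipulation.LogonUser (with or
        // without an extra group list).
        //
        // Accepted "username" forms:
        //   DOMAIN\user                 -> interactive logon; "password" is required
        //   NT SERVICE\name             -> service logon in "NT SERVICE", no password
        //   localservice / localsystem / networkservice
        //                               -> service logon in "NT AUTHORITY", no password
        //   anything else               -> interactive logon against "."; password optional
        //
        // cLP:    parsed command line; supplies username/password/groups plus the command
        //         and arguments to run under the new token.
        // hToken: token the TokenManipulation helper is constructed around.
        //
        // Fix: the "nt service" prefix test and the switch key used culture-sensitive
        // ToLower()/StartsWith(); both are now ordinal / invariant so the outcome does not
        // depend on the process locale (e.g. Turkish-I casing).
        ////////////////////////////////////////////////////////////////////////////////
        private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
        {
            string username;
            if (!cLP.GetData("username", out username))
            {
                return;
            }

            string domain   = ".";
            string password = string.Empty;
            Winbase.LOGON_TYPE logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_INTERACTIVE;

            if (username.IndexOf('\\') >= 0)
            {
                // "QUALIFIER\name": keep the first and last parts, as the original did.
                string[] split = username.Split('\\');
                string qualifier = split[0];
                string account   = split[split.Length - 1];

                if (username.StartsWith("nt service", StringComparison.OrdinalIgnoreCase))
                {
                    username  = account;
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT SERVICE";
                    Console.WriteLine("Service Logon");
                }
                else
                {
                    domain   = qualifier;
                    username = account;
                    // A domain logon needs a password; bail out if none was supplied.
                    if (!cLP.GetData("password", out password))
                    {
                        return;
                    }
                    Console.WriteLine("User Logon");
                }
            }
            else
            {
                switch (username.ToLowerInvariant().Trim())
                {
                // NOTE(review): the three well-known account names assigned below appear
                // masked as "******" in this listing; confirm the real values in the source.
                case "localservice":
                    username  = "******";
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT AUTHORITY";
                    break;

                case "localsystem":
                    username  = "******";
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT AUTHORITY";
                    break;

                case "networkservice":
                    username  = "******";
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT AUTHORITY";
                    break;

                default:
                    // Return value deliberately unchecked here (unlike the DOMAIN\user
                    // path), presumably so a local account with no password still works.
                    cLP.GetData("password", out password);
                    break;
                }
            }

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                string groups;
                if (cLP.GetData("groups", out groups))
                {
                    // Extra groups requested: use the LogonUserExExW-backed overload.
                    t.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments);
                }
                else
                {
                    t.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments);
                }
            }
        }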
        ////////////////////////////////////////////////////////////////////////////////
        // Logs a user on via LogonUserExExW so that the comma-separated "groups" list
        // can be stamped onto the new token, then impersonates it or runs a command
        // under it.
        //
        // domain/username/password: credentials passed straight to LogonUserExExW.
        // groups:    comma-separated group names; CreateTokens.CreateTokenGroups turns
        //            them into the TOKEN_GROUPS structure given to the logon call.
        // logonType: Winbase.LOGON_TYPE for the logon; a service logon also gets its
        //            token session id re-pointed at our session.
        // command/arguments: program to start under the token; when command is empty
        //            the calling thread impersonates the token instead.
        //
        // A failed logon prints the Win32 error and returns without any other signal.
        ////////////////////////////////////////////////////////////////////////////////
        public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
        {
            // CreateTokens is built around hWorkingToken, which SetWorkingTokenToSelf()
            // presumably points at our own process token.
            SetWorkingTokenToSelf();
            CreateTokens tokenBuilder = new CreateTokens(hWorkingToken);

            Ntifs._TOKEN_GROUPS        extraGroups;
            Winnt._TOKEN_PRIMARY_GROUP primaryGroup;   // produced by the helper, unused here
            tokenBuilder.CreateTokenGroups(domain, username, out extraGroups, out primaryGroup, groups.Split(','));

            bool loggedOn = advapi32.LogonUserExExW(
                username, domain, password,
                logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT,
                ref extraGroups, out hExistingToken,
                IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
            if (!loggedOn)
            {
                Misc.GetWin32Error("LogonUserExExW");
                return;
            }
            Console.WriteLine("[+] Logged On {0}", username.TrimEnd());

            bool serviceLogon = logonType == Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
            if (serviceLogon)
            {
                // Switch to the freshly created token before touching its session id.
                SetWorkingTokenToRemote();
                if (!SetTokenSessionId(Process.GetCurrentProcess().SessionId))
                {
                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
                }
            }

            if (string.IsNullOrEmpty(command))
            {
                // No program requested: make the calling thread run as the new token.
                SetWorkingTokenToRemote();
                ImpersonateUser();
                return;
            }

            // Which process-creation API is used depends on whether we run in session 0.
            Create createProcess = Process.GetCurrentProcess().SessionId == 0
                ? (Create)CreateProcess.CreateProcessWithLogonW
                : CreateProcess.CreateProcessWithTokenW;
            createProcess(hExistingToken, command, arguments);
        }