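////////////////////////////////////////////////////////////////////////////////
// Displays the primary group (SID and account name) associated with the
// working token.
//
// Side effects: allocates hTokenPrimaryGroup (field) and fills
// tokenPrimaryGroup (field). NOTE(review): the buffer is not freed here —
// confirm it is released elsewhere with Marshal.FreeHGlobal.
////////////////////////////////////////////////////////////////////////////////
public void GetTokenPrimaryGroup()
{
    uint returnLength;

    // Pass 1: size query. GetTokenInformation is expected to fail with
    // ERROR_INSUFFICIENT_BUFFER and report the required size; a size of zero
    // means the query itself failed, so do not allocate and re-issue it.
    advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, IntPtr.Zero, 0, out returnLength);
    if (0 == returnLength)
    {
        Misc.GetWin32Error("GetTokenInformation (TokenPrimaryGroup) - Pass 1");
        return;
    }

    hTokenPrimaryGroup = Marshal.AllocHGlobal((int)returnLength);
    try
    {
        // Pass 2: fetch the _TOKEN_PRIMARY_GROUP into the sized buffer.
        if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, hTokenPrimaryGroup, returnLength, out returnLength))
        {
            Misc.GetWin32Error("GetTokenInformation (TokenPrimaryGroup) - Pass 2");
            return;
        }
        tokenPrimaryGroup = (Winnt._TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(hTokenPrimaryGroup, typeof(Winnt._TOKEN_PRIMARY_GROUP));
    }
    catch (Exception ex)
    {
        Misc.GetWin32Error("GetTokenInformation (TokenPrimaryGroup) - Pass 2");
        Console.WriteLine(ex.Message);
        return;
    }

    // Bug fix: the original logged a null PrimaryGroup pointer but then passed
    // it to _ReadSidAndName anyway; bail out instead.
    if (IntPtr.Zero == tokenPrimaryGroup.PrimaryGroup)
    {
        Misc.GetWin32Error("PtrToStructure");
        return;
    }

    string primaryGroupSid, primaryGroupName;
    _ReadSidAndName(tokenPrimaryGroup.PrimaryGroup, out primaryGroupSid, out primaryGroupName);
    Console.WriteLine("[+] Primary Group: ");
    Console.WriteLine("{0,-50} {1}", primaryGroupSid, primaryGroupName);
}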
/// <summary>
/// P/Invoke binding for the native NtCreateToken routine, which creates a new
/// access token from caller-supplied user, group, privilege, owner, primary
/// group, default DACL and source structures. Every structure is passed by
/// reference and must be fully populated before the call; the caller needs
/// SeCreateTokenPrivilege for the call to succeed.
/// </summary>
/// <param name="TokenHandle">Receives the handle of the created token.</param>
/// <param name="DesiredAccess">Access mask requested on the returned handle.</param>
/// <param name="ObjectAttributes">Object attributes for the new token object.</param>
/// <param name="TokenType">Primary or impersonation token.</param>
/// <param name="AuthenticationId">Logon session LUID (obtained via NtAllocateLocallyUniqueId per the original note).</param>
/// <param name="ExpirationTime">Token expiration time.</param>
/// <param name="TokenUser">User SID for the token.</param>
/// <param name="TokenGroups">Group SIDs and attributes (see CreateTokenGroups).</param>
/// <param name="TokenPrivileges">Privilege LUIDs and attributes.</param>
/// <param name="TokenOwner">Default owner SID.</param>
/// <param name="TokenPrimaryGroup">Primary group SID (see CreateTokenPrimaryGroup).</param>
/// <param name="TokenDefaultDacl">Default DACL applied to objects created with the token.</param>
/// <param name="TokenSource">Source identifier for the token.</param>
/// <returns>Native status code; presumably an NTSTATUS where 0 is success — confirm against callers.</returns>
public static extern uint NtCreateToken(
    out IntPtr TokenHandle,
    uint DesiredAccess,
    ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes,
    Winnt._TOKEN_TYPE TokenType,
    ref Winnt._LUID AuthenticationId, //From NtAllocateLocallyUniqueId
    ref long ExpirationTime,
    ref Ntifs._TOKEN_USER TokenUser,
    ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups,
    ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges,
    ref Ntifs._TOKEN_OWNER TokenOwner,
    ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
    ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl,
    ref Winnt._TOKEN_SOURCE TokenSource
);
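/// <summary>
/// Builds the _TOKEN_PRIMARY_GROUP input for NtCreateToken.
/// </summary>
/// <param name="firstLocalgroupUserInfo">Name of the group to use as the primary
/// group; null or empty selects the (unresolved) fallback below.</param>
/// <param name="tokenPrimaryGroup">Receives the structure; PrimaryGroup is the
/// PSID produced by _LookupSid.</param>
/// <returns>true on success; false when the name cannot be resolved to a SID.</returns>
private bool CreateTokenPrimaryGroup(string firstLocalgroupUserInfo, out Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup)
{
    Console.WriteLine("_TOKEN_PRIMARY_GROUP");
    tokenPrimaryGroup = new Winnt._TOKEN_PRIMARY_GROUP();

    if (string.IsNullOrEmpty(firstLocalgroupUserInfo))
    {
        // Fallback kept from the original: a pointer-sized unmanaged block.
        // NOTE(review): this block is uninitialized and too small to be a valid
        // SID; the intended default appears to be the commented-out well-known
        // SID below. Allocated only on this path so the lookup path no longer
        // leaks it.
        tokenPrimaryGroup.PrimaryGroup = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(System.IntPtr)));
        //Everyone
        //Winnt.SECURITY_NULL_SID_AUTHORITY
        //InitializeSid(Winnt.SECURITY_NT_AUTHORITY, new uint[] { 32, 544, 0, 0, 0, 0, 0, 0 }, ref tokenPrimaryGroup.PrimaryGroup);
        return true;
    }

    IntPtr hSid = IntPtr.Zero;
    // The original ignored the lookup result and would marshal from a null pointer.
    if (!_LookupSid(null, firstLocalgroupUserInfo, ref hSid) || IntPtr.Zero == hSid)
    {
        Console.WriteLine("[-] Unable to resolve primary group: {0}", firstLocalgroupUserInfo);
        return false;
    }

    // Bug fix: _TOKEN_PRIMARY_GROUP holds a PSID, so the pointer itself is the
    // value. The original marshalled the SID bytes *as* the structure, turning
    // the SID header into a bogus pointer. CreateTokenGroups assigns the
    // _LookupSid result directly; this now does the same.
    tokenPrimaryGroup.PrimaryGroup = hSid;
    return true;
}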
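/// <summary>
/// Builds the _TOKEN_GROUPS and _TOKEN_PRIMARY_GROUP inputs for NtCreateToken:
/// a fixed list of well-known SIDs, the caller-supplied <paramref name="groups"/>,
/// then the local and global groups netapi32 reports for <paramref name="userName"/>.
/// The first enumerated global group becomes the primary group.
/// </summary>
/// <param name="domain">Server name handed to the netapi32 enumeration calls.</param>
/// <param name="userName">Account whose group membership is enumerated.</param>
/// <param name="tokenGroups">Receives the populated group list.</param>
/// <param name="tokenPrimaryGroup">Receives the primary group (first global group, if any).</param>
/// <param name="groups">Extra groups as "name" or "DOMAIN\name"; may be null.</param>
/// <returns>true on success; false when a group name cannot be resolved to a SID.</returns>
internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup, string[] groups)
{
    // LG_INCLUDE_INDIRECT: NetUserGetLocalGroups also reports local groups the
    // user reaches through a global group membership.
    const uint LG_INCLUDE_INDIRECT = 0x0001;

    Console.WriteLine("[*] _TOKEN_GROUPS");
    tokenGroups = new Ntifs._TOKEN_GROUPS();
    tokenGroups.Initialize();
    tokenPrimaryGroup = new Winnt._TOKEN_PRIMARY_GROUP();

    // Account names are case-insensitive; lower-case with the invariant culture
    // so a Turkish-I locale cannot turn "I" into a dotless i.
    string lowerUserName = userName.ToLowerInvariant();

    // NOTE(review): extraGroups, localEntriesRead, globalEntriesRead and the
    // *TotalEntriesRead counters are fields. extraGroups is never reset here, so
    // a second call would continue from the previous count — confirm the caller
    // resets it. Groups[] capacity is whatever Initialize() chose; nothing below
    // checks bounds before indexing.

    #region NetUserGetLocalGroups
    IntPtr bufPtr;
    uint ntRetVal = netapi32.NetUserGetLocalGroups(
        domain,
        lowerUserName,
        0,
        LG_INCLUDE_INDIRECT,
        out bufPtr,
        -1,
        ref localEntriesRead,
        ref localTotalEntriesRead
    );
    if (0 != ntRetVal)
    {
        Misc.GetNtError("NetUserGetLocalGroups", ntRetVal);
        Misc.GetNtError("[-] {0}", ntRetVal);
        // Best effort, as in the original (it continued after logging), but treat
        // the enumeration as empty rather than walking a buffer that was never filled.
        localEntriesRead = 0;
    }
    lmaccess._LOCALGROUP_USERS_INFO_0[] localgroupUserInfo = new lmaccess._LOCALGROUP_USERS_INFO_0[localEntriesRead];
    Console.WriteLine("[+] Local Groups: {0}", localEntriesRead);
    int localInfoSize = Marshal.SizeOf(typeof(lmaccess._LOCALGROUP_USERS_INFO_0));
    for (int i = 0; i < localEntriesRead; i++)
    {
        IntPtr itemPtr = new IntPtr(bufPtr.ToInt64() + ((long)localInfoSize * i));
        localgroupUserInfo[i] = (lmaccess._LOCALGROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._LOCALGROUP_USERS_INFO_0));
        Console.WriteLine(" [+] {0}", localgroupUserInfo[i].lgrui0_name);
    }
    // NOTE(review): the netapi32 buffer is never released (NetApiBufferFree);
    // no binding for it is visible in this file.
    #endregion

    #region NetUserGetGroups
    ntRetVal = netapi32.NetUserGetGroups(
        domain,
        lowerUserName,
        0,
        out bufPtr,
        -1,
        ref globalEntriesRead,
        ref globalEotalEntriesRead
    );
    if (0 != ntRetVal)
    {
        Misc.GetNtError("NetUserGetGroups", ntRetVal);
        Misc.GetNtError("[-] {0}", ntRetVal);
        globalEntriesRead = 0;
    }
    lmaccess._GROUP_USERS_INFO_0[] globalGroupUserInfo = new lmaccess._GROUP_USERS_INFO_0[globalEntriesRead];
    Console.WriteLine("[+] Global Groups: {0}", globalEntriesRead);
    int globalInfoSize = Marshal.SizeOf(typeof(lmaccess._GROUP_USERS_INFO_0));
    // Bug fix: the original iterated localEntriesRead here, so it either read
    // past the global buffer (and past the array) or left trailing global
    // entries unread whenever the two counts differed.
    for (int i = 0; i < globalEntriesRead; i++)
    {
        IntPtr itemPtr = new IntPtr(bufPtr.ToInt64() + ((long)globalInfoSize * i));
        globalGroupUserInfo[i] = (lmaccess._GROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._GROUP_USERS_INFO_0));
        Console.WriteLine(" [+] {0}", globalGroupUserInfo[i].grui0_name);
    }
    #endregion

    #region Default Admin Entries
    uint groupsAttributes = (uint)(Winnt.SE_GROUP_ENABLED | Winnt.SE_GROUP_ENABLED_BY_DEFAULT | Winnt.SE_GROUP_MANDATORY);

    // Fixed set of well-known SIDs, in the original order. Each is enabled,
    // enabled-by-default and mandatory.
    _AddGroupSid(ref tokenGroups, "S-1-1-0", groupsAttributes);      // Everyone
    _AddGroupSid(ref tokenGroups, "S-1-5-114", groupsAttributes);    // Local account and member of Administrators group - Make this a flag
    _AddGroupSid(ref tokenGroups, "S-1-5-4", groupsAttributes);      // INTERACTIVE
    _AddGroupSid(ref tokenGroups, "S-1-2-1", groupsAttributes);      // CONSOLE LOGON
    _AddGroupSid(ref tokenGroups, "S-1-5-11", groupsAttributes);     // Authenticated Users
    _AddGroupSid(ref tokenGroups, "S-1-5-15", groupsAttributes);     // This Organization
    _AddGroupSid(ref tokenGroups, "S-1-5-113", groupsAttributes);    // Local account
    _AddGroupSid(ref tokenGroups, "S-1-2-0", groupsAttributes);      // LOCAL
    _AddGroupSid(ref tokenGroups, "S-1-5-64-10", groupsAttributes);  // NTLM Authentication
    _AddGroupSid(ref tokenGroups, "S-1-16-12288", groupsAttributes); // High Integrity Token
    #endregion

    #region Custom Groups
    // Caller-supplied groups; "DOMAIN\name" selects the domain, otherwise the
    // local machine is assumed.
    if (null != groups)
    {
        foreach (string group in groups)
        {
            string accountDomain = Environment.MachineName;
            string groupName = group;
            int separator = group.IndexOf('\\');
            if (separator >= 0)
            {
                accountDomain = group.Substring(0, separator);
                groupName = group.Substring(separator + 1);
            }

            string sid;
            try
            {
                sid = new NTAccount(accountDomain, groupName).Translate(typeof(SecurityIdentifier)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // Consistent with the _LookupSid failures below: report and fail
                // instead of escaping as an unhandled exception.
                Console.WriteLine("[-] Unable to resolve group: {0}", group);
                return false;
            }
            _AddGroupSid(ref tokenGroups, sid, groupsAttributes);
        }
    }
    #endregion

    #region Local & Global Entries
    for (int i = 0; i < localEntriesRead; i++)
    {
        int offset = i + extraGroups;
        if (!_LookupSid(string.Empty, localgroupUserInfo[i].lgrui0_name, ref tokenGroups.Groups[offset].Sid))
        {
            return false;
        }
        tokenGroups.Groups[offset].Attributes = groupsAttributes;
    }

    for (int i = 0; i < globalEntriesRead; i++)
    {
        int offset = i + extraGroups + (int)localEntriesRead;
        if (!_LookupSid(string.Empty, globalGroupUserInfo[i].grui0_name, ref tokenGroups.Groups[offset].Sid))
        {
            return false;
        }
        // The first global group doubles as the token's primary group.
        if (0 == i)
        {
            tokenPrimaryGroup.PrimaryGroup = tokenGroups.Groups[offset].Sid;
        }
        tokenGroups.Groups[offset].Attributes = groupsAttributes;
    }
    #endregion

    tokenGroups.GroupCount = (int)(localEntriesRead + globalEntriesRead + extraGroups);

    Console.WriteLine("[*] Adding Groups");
    for (int i = 0; i < tokenGroups.GroupCount; i++)
    {
        string sid, account;
        TokenInformation._ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
        Console.WriteLine(" ({0}) {1,-50} {2}", i, sid, account);
    }

    return true;
}

/// <summary>
/// Converts a string SID into the next free <c>Groups</c> slot of
/// <paramref name="tokenGroups"/>, applies <paramref name="attributes"/> and
/// advances the shared <c>extraGroups</c> counter.
/// </summary>
/// <param name="tokenGroups">Group list being populated.</param>
/// <param name="sid">SID in string form ("S-1-...").</param>
/// <param name="attributes">SE_GROUP_* attribute mask for the entry.</param>
private void _AddGroupSid(ref Ntifs._TOKEN_GROUPS tokenGroups, string sid, uint attributes)
{
    InitializeSid(sid, ref tokenGroups.Groups[extraGroups].Sid);
    tokenGroups.Groups[extraGroups++].Attributes = attributes;
}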