public static LUID GetCurrentLUID()
{
// helper that returns the current logon session ID by using GetTokenInformation w/ TOKEN_INFORMATION_CLASS
var luid = new LUID();
bool Result;
Interop.TOKEN_STATISTICS TokenStats = new Interop.TOKEN_STATISTICS();
int TokenInfLength;
Result = Interop.GetTokenInformation(WindowsIdentity.GetCurrent().Token, Interop.TOKEN_INFORMATION_CLASS.TokenStatistics, out TokenStats, Marshal.SizeOf(TokenStats), out TokenInfLength);
if (Result)
{
luid = new LUID(TokenStats.AuthenticationId);
}
else
{
var lastError = Interop.GetLastError();
Console.WriteLine("[X] GetTokenInformation error: {0}", lastError);
}
return(luid);
}
public static LUID CreateProcessNetOnly(string commandLine, bool show = false, string username = null, string domain = null, string password = null, byte[] kirbiBytes = null)
{
// creates a hidden process with random /netonly credentials,
// displayng the process ID and LUID, and returning the LUID
// Note: the LUID can be used with the "ptt" action
Interop.PROCESS_INFORMATION pi;
var si = new Interop.STARTUPINFO();
si.cb = Marshal.SizeOf(si);
if (!show)
{
// hide the window
si.wShowWindow = 0;
si.dwFlags = 0x00000001;
}
Console.WriteLine("[*] Showing process : {0}", show);
var luid = new LUID();
if (username == null)
{
username = Helpers.RandomString(8);
}
if (domain == null)
{
domain = Helpers.RandomString(8);
}
if (password == null)
{
password = Helpers.RandomString(8);
}
Console.WriteLine("[*] Username : {0}", username);
Console.WriteLine("[*] Domain : {0}", domain);
Console.WriteLine("[*] Password : {0}", password);
// 0x00000002 == LOGON_NETCREDENTIALS_ONLY
// 4 == CREATE_SUSPENDED.
if (!Interop.CreateProcessWithLogonW(username, domain, password, 0x00000002, null, commandLine, 4, 0, Environment.CurrentDirectory, ref si, out pi))
{
var lastError = Interop.GetLastError();
Console.WriteLine("[X] CreateProcessWithLogonW error: {0}", lastError);
return(new LUID());
}
Console.WriteLine("[+] Process : '{0}' successfully created with LOGON_TYPE = 9", commandLine);
Console.WriteLine("[+] ProcessID : {0}", pi.dwProcessId);
var hToken = IntPtr.Zero;
// TOKEN_QUERY == 0x0008, TOKEN_DUPLICATE == 0x0002
var success = Interop.OpenProcessToken(pi.hProcess, 0x000A, out hToken);
if (!success)
{
var lastError = Interop.GetLastError();
Console.WriteLine("[X] OpenProcessToken error: {0}", lastError);
return(new LUID());
}
if (kirbiBytes != null)
{
IntPtr hDupToken = IntPtr.Zero;
success = Interop.DuplicateToken(hToken, 2, ref hDupToken);
if (!success)
{
Console.WriteLine("[!] CreateProcessNetOnly() - DuplicateToken failed!");
return(new LUID());
}
try
{
success = Interop.ImpersonateLoggedOnUser(hDupToken);
if (!success)
{
Console.WriteLine("[!] CreateProcessNetOnly() - ImpersonateLoggedOnUser failed!");
return(new LUID());
}
LSA.ImportTicket(kirbiBytes, new LUID());
}
finally
{
Interop.RevertToSelf();
// clean up the handles we created
Interop.CloseHandle(hDupToken);
}
}
Interop.ResumeThread(pi.hThread);
bool Result;
Interop.TOKEN_STATISTICS TokenStats = new Interop.TOKEN_STATISTICS();
int TokenInfLength;
Result = Interop.GetTokenInformation(hToken, Interop.TOKEN_INFORMATION_CLASS.TokenStatistics, out TokenStats, Marshal.SizeOf(TokenStats), out TokenInfLength);
Interop.CloseHandle(hToken);
if (Result)
{
luid = new LUID(TokenStats.AuthenticationId);
Console.WriteLine("[+] LUID : {0}", luid);
}
else
{
var lastError = Interop.GetLastError();
Console.WriteLine("[X] GetTokenInformation error: {0}", lastError);
Interop.CloseHandle(hToken);
return(new LUID());
}
return(luid);
}
