/// <summary>
/// P/Invoke binding of advapi32!LogonUser: authenticates <paramref name="pszUserName"/> in
/// <paramref name="pszDomain"/> with <paramref name="pszPassword"/> and returns a new primary
/// token in <paramref name="phToken"/>.
/// </summary>
/// <remarks>
/// All three strings are marshalled as <see cref="UnmanagedType.LPStr"/> (ANSI). Unless the
/// DllImport attribute (not visible in this listing) overrides the entry point, this binds to
/// LogonUserA, so non-ANSI characters in the user name or password are converted lossily
/// before the call and such logons will fail.
/// The marshaller frees its temporary ANSI copy of the password but does not scrub it, and the
/// managed <see cref="string"/> stays readable in process memory until it is collected - treat
/// the process as holding the cleartext credential.
/// On success the caller owns <paramref name="phToken"/> and must CloseHandle it. Each attempt
/// typically produces a logon audit event on the host when logon auditing is enabled.
/// </remarks>
/// <returns>
/// true on success. On false the Win32 error is available through Marshal.GetLastWin32Error
/// only if the DllImport attribute sets SetLastError = true - confirm in the declaration.
/// </returns>
internal static extern bool LogonUser( [MarshalAs(UnmanagedType.LPStr)] string pszUserName, [MarshalAs(UnmanagedType.LPStr)] string pszDomain, [MarshalAs(UnmanagedType.LPStr)] string pszPassword, Winbase.LOGON_TYPE dwLogonType, Winbase.LOGON_PROVIDER dwLogonProvider, out IntPtr phToken );
/// <summary>
/// Second P/Invoke binding of advapi32!LogonUser (the other one in this corpus is internal and
/// marshals its strings explicitly as LPStr; this one relies on the DllImport defaults).
/// </summary>
/// <remarks>
/// With no CharSet on the DllImport attribute (not visible here) string parameters default to
/// ANSI marshalling, i.e. the same LogonUserA / lossy-conversion behaviour as the explicit
/// LPStr binding - confirm the attribute before relying on Unicode credentials.
/// <paramref name="lpszPassword"/> is passed in the clear; the marshaller's temporary copy is
/// freed but not scrubbed and the managed string lingers until collected.
/// On success the caller owns <paramref name="phToken"/> and must CloseHandle it.
/// </remarks>
/// <returns>true on success; false otherwise (see Marshal.GetLastWin32Error if SetLastError is set).</returns>
public static extern bool LogonUser( string lpszUsername, string lpszDomain, string lpszPassword, Winbase.LOGON_TYPE dwLogonType, Winbase.LOGON_PROVIDER dwLogonProvider, out IntPtr phToken );
/// <summary>
/// P/Invoke binding of advapi32!LogonUserExExW: like LogonUser, but additionally merges the
/// SIDs in <paramref name="pTokenGroups"/> into the new token and can return the logon SID,
/// profile buffer and quota limits.
/// </summary>
/// <remarks>
/// Strings are marshalled as <see cref="UnmanagedType.LPWStr"/>, matching the W export, so
/// Unicode credentials are passed through intact (the cleartext still lingers in the managed
/// string until collected).
/// <paramref name="pTokenGroups"/> is passed by ref, so the struct is marshalled in and back
/// out; the SID pointers inside it must be valid unmanaged memory for the duration of the
/// call. Supplying extra groups at logon is a privileged operation - the Win32 documentation
/// for LogonUserExExW requires SeTcbPrivilege for a non-NULL pTokenGroups; without it expect
/// the call to fail rather than silently drop the groups (confirm on the target OS).
/// The last four parameters are optional output pointers (PSID*, PVOID* profile buffer,
/// LPDWORD profile length, PQUOTA_LIMITS); the callers in this corpus pass IntPtr.Zero for all
/// of them. Note the inconsistent casing of <paramref name="QuotaLimits"/>.
/// On success the caller owns <paramref name="phToken"/> and must CloseHandle it.
/// </remarks>
/// <returns>true on success; false otherwise.</returns>
internal static extern bool LogonUserExExW( [MarshalAs(UnmanagedType.LPWStr)] string pszUserName, [MarshalAs(UnmanagedType.LPWStr)] string pszDomain, [MarshalAs(UnmanagedType.LPWStr)] string pszPassword, Winbase.LOGON_TYPE dwLogonType, Winbase.LOGON_PROVIDER dwLogonProvider, ref Ntifs._TOKEN_GROUPS pTokenGroups, out IntPtr phToken, IntPtr ppLogonSid, IntPtr ppProfileBuffer, IntPtr pdwProfileLength, IntPtr QuotaLimits );
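/// <summary>
/// Logs <paramref name="username"/> on through advapi32.LogonUser and then either impersonates
/// the new token (no <paramref name="command"/>) or starts <paramref name="command"/> under it.
/// </summary>
/// <param name="domain">Logon domain: "." for the local machine, or "NT AUTHORITY" / "NT SERVICE" for service accounts.</param>
/// <param name="username">Account name without the domain part.</param>
/// <param name="password">Clear-text password; empty for the service-account logons.</param>
/// <param name="logonType">Logon type handed straight to LogonUser; LOGON32_LOGON_SERVICE triggers the session-id fix-up below.</param>
/// <param name="command">Program to start under the new token; null or empty means impersonate instead.</param>
/// <param name="arguments">Command line for <paramref name="command"/>.</param>
/// <remarks>
/// Failure of LogonUser is reported through Misc.GetWin32Error and the method returns without a
/// token. The new token is kept in the hExistingToken field and is not closed here; the class
/// presumably releases it in Dispose - confirm.
/// Security note: the password travels as a managed string, so the cleartext remains in process
/// memory until collected. Every attempt produces a logon audit event when auditing is enabled.
/// </remarks>
public void LogonUser(string domain, string username, string password, Winbase.LOGON_TYPE logonType, string command, string arguments)
{
    if (!advapi32.LogonUser(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken))
    {
        Misc.GetWin32Error("LogonUser");
        return;
    }
    Console.WriteLine("[+] Logged On {0}", username.TrimEnd());

    int currentSessionId = Process.GetCurrentProcess().SessionId;

    if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
    {
        // Service logons come back in session 0; move the token into our session so it is
        // usable here. SetTokenSessionId takes no token argument, so point the working token at
        // the freshly created logon token first - the LogonUserExExW overload does exactly this;
        // without it the session id is applied to whatever token was current before the call
        // (presumably hWorkingToken - confirm against SetTokenSessionId).
        // Changing TokenSessionId needs SeTcbPrivilege, which is the usual reason this step fails.
        SetWorkingTokenToRemote();
        if (!SetTokenSessionId(currentSessionId))
        {
            Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
        }
    }

    if (string.IsNullOrEmpty(command))
    {
        // No command: switch the working token to the logon token and impersonate it.
        SetWorkingTokenToRemote();
        ImpersonateUser();
        return;
    }

    // Session 0 (service/non-interactive host) takes the CreateProcessWithLogonW path, any
    // other session CreateProcessWithTokenW; the rationale is not visible here - presumably
    // the session-0 desktop/window-station limits of CreateProcessWithTokenW. Both wrappers
    // take the logon token and the command line.
    Create createProcess;
    if (0 == currentSessionId)
    {
        createProcess = CreateProcess.CreateProcessWithLogonW;
    }
    else
    {
        createProcess = CreateProcess.CreateProcessWithTokenW;
    }
    createProcess(hExistingToken, command, arguments);
}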
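/// <summary>
/// Command-line front end for TokenManipulation.LogonUser: turns the "username" argument into a
/// (domain, user, logon type) triple, picks up "password" / "groups" as needed and runs the logon.
/// </summary>
/// <param name="cLP">Parsed command line; reads "username", "password", optionally "groups", plus Command and Arguments.</param>
/// <param name="hToken">Token handed to the TokenManipulation instance that performs the logon.</param>
/// <remarks>
/// Accepted forms of "username":
///   DOMAIN\user        - interactive logon; "password" is required (missing -> silent return).
///   NT SERVICE\name    - service logon as a virtual service account; no password.
///   localservice / localsystem / networkservice - service logon in NT AUTHORITY; no password.
///   user               - interactive logon against the local machine ("."); "password" is
///                        optional and an empty password is attempted when it is absent.
/// Keyword matching is ordinal and case-insensitive, so it does not depend on the thread
/// culture (the previous ToLower()/StartsWith pair failed for e.g. tr-TR, where "I" does not
/// lower-case to "i").
/// When "groups" is present the LogonUserExExW overload is used, which injects those groups
/// into the token (a SeTcbPrivilege operation); otherwise plain LogonUser.
/// </remarks>
private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
{
    string username;
    if (!cLP.GetData("username", out username))
    {
        return;
    }

    string domain = ".";
    string password = string.Empty;
    Winbase.LOGON_TYPE logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_INTERACTIVE;

    if (username.Contains('\\'))
    {
        // Split never yields an empty array, so first/last element are always present.
        string[] parts = username.Split('\\');
        if (username.StartsWith("nt service", StringComparison.OrdinalIgnoreCase))
        {
            // Virtual service account (NT SERVICE\<svc>): service logon, no password needed.
            username = parts[parts.Length - 1];
            logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
            domain = "NT SERVICE";
            Console.WriteLine("Service Logon");
        }
        else
        {
            // DOMAIN\user: first component is the domain, last one the account.
            domain = parts[0];
            username = parts[parts.Length - 1];
            if (!cLP.GetData("password", out password))
            {
                return;
            }
            Console.WriteLine("User Logon");
        }
    }
    else
    {
        switch (username.Trim().ToLowerInvariant())
        {
            // NOTE(review): the account-name literals below are masked ("******") in this
            // listing; as written LogonUser cannot resolve them. Restore the real NT AUTHORITY
            // account name for each case before use.
            case "localservice":
                username = "******";
                logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                domain = "NT AUTHORITY";
                break;
            case "localsystem":
                username = "******";
                logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                domain = "NT AUTHORITY";
                break;
            case "networkservice":
                username = "******";
                logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                domain = "NT AUTHORITY";
                break;
            default:
                // Best effort: a missing "password" leaves whatever GetData assigned and the
                // logon is still attempted (return value deliberately ignored).
                cLP.GetData("password", out password);
                break;
        }
    }

    using (TokenManipulation t = new TokenManipulation(hToken))
    {
        string groups;
        if (cLP.GetData("groups", out groups))
        {
            t.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments);
        }
        else
        {
            t.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments);
        }
    }
}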
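/// <summary>
/// Logs <paramref name="username"/> on through advapi32.LogonUserExExW, injecting the extra
/// <paramref name="groups"/> into the resulting token, then impersonates it (no
/// <paramref name="command"/>) or starts <paramref name="command"/> under it.
/// </summary>
/// <param name="domain">Logon domain: "." for the local machine, or "NT AUTHORITY" / "NT SERVICE" for service accounts.</param>
/// <param name="username">Account name without the domain part.</param>
/// <param name="password">Clear-text password; empty for the service-account logons.</param>
/// <param name="groups">Comma-separated group names to add to the token; empty entries (e.g. a trailing comma) are dropped.</param>
/// <param name="logonType">Logon type handed to LogonUserExExW; LOGON32_LOGON_SERVICE triggers the session-id fix-up below.</param>
/// <param name="command">Program to start under the new token; null or empty means impersonate instead.</param>
/// <param name="arguments">Command line for <paramref name="command"/>.</param>
/// <remarks>
/// The TOKEN_GROUPS passed as pTokenGroups is built by CreateTokens.CreateTokenGroups against
/// our own token. Adding groups at logon is a privileged operation: LogonUserExExW requires
/// SeTcbPrivilege for a non-NULL pTokenGroups, so expect ERROR_PRIVILEGE_NOT_HELD-style
/// failures from an unprivileged caller. The SID memory inside tokenGroups is not released
/// here - presumably CreateTokens owns it; confirm, otherwise it leaks on every call.
/// Failure is reported through Misc.GetWin32Error and the method returns without a token; the
/// new token is kept in the hExistingToken field and is presumably closed by Dispose - confirm.
/// Security note: the password travels as a managed string and remains in memory until collected.
/// </remarks>
public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
{
    // Build the supplementary group list; the only token we hold at this point is our own.
    SetWorkingTokenToSelf();
    CreateTokens ct = new CreateTokens(hWorkingToken);
    Ntifs._TOKEN_GROUPS tokenGroups;
    Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup; // required out parameter, not used here
    string[] groupNames = groups.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    ct.CreateTokenGroups(domain, username, out tokenGroups, out tokenPrimaryGroup, groupNames);

    // Logon SID, profile buffer/length and quota limits are optional outputs we do not need.
    if (!advapi32.LogonUserExExW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT,
            ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero))
    {
        Misc.GetWin32Error("LogonUserExExW");
        return;
    }
    Console.WriteLine("[+] Logged On {0}", username.TrimEnd());

    int currentSessionId = Process.GetCurrentProcess().SessionId;

    if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
    {
        // Service logons come back in session 0; point the working token at the new logon
        // token and move it into our session. Changing TokenSessionId needs SeTcbPrivilege,
        // which is the usual reason this step fails.
        SetWorkingTokenToRemote();
        if (!SetTokenSessionId(currentSessionId))
        {
            Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
        }
    }

    if (string.IsNullOrEmpty(command))
    {
        // No command: impersonate the logon token in this thread.
        SetWorkingTokenToRemote();
        ImpersonateUser();
        return;
    }

    // Session 0 takes the CreateProcessWithLogonW path, any other session
    // CreateProcessWithTokenW; the rationale is not visible here (presumably the session-0
    // desktop/window-station limits of CreateProcessWithTokenW).
    Create createProcess;
    if (0 == currentSessionId)
    {
        createProcess = CreateProcess.CreateProcessWithLogonW;
    }
    else
    {
        createProcess = CreateProcess.CreateProcessWithTokenW;
    }
    createProcess(hExistingToken, command, arguments);
}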