TokenPlayer
Manipulating and Abusing Windows Access Tokens.
TokenPlayer is just a small tool I made to learn Win32 API programming and understand the Windows access token model better.
Features:
- Stealing and impersonating primary tokens.
- Impersonating protected processes.
- Bypassing UAC using the token-duplication method.
- Making new tokens for network authentication from supplied credentials (similar to runas /netonly), without needing special rights or an elevated context.
- Spoofing the parent process ID and spawning a process under an alternative parent.
- Executing any application with the supplied parameters under an impersonated context.
- Usable from non-interactive contexts (e.g. a reverse shell), using pipes for parent-child process communication.
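As an added defensive example (not part of TokenPlayer or its README): a token created the way --maketoken does it, like runas /netonly, shows up in the Windows Security log as event 4624 with Logon Type 9 (NewCredentials), and the 4624 record names the process that requested the logon. The Python below parses a constructed, simplified text rendering of a few 4624 records and reports every NewCredentials logon together with its requesting process, so an analyst can baseline which processes legitimately create such tokens. The record layout, account names, and file paths are constructed for this example, and the allowlist parameter is a placeholder for whatever a given environment considers expected.

```python
import re
from dataclasses import dataclass

# Logon Type value that LogonUser with LOGON32_LOGON_NEW_CREDENTIALS produces
# (the runas /netonly style of logon).
NEW_CREDENTIALS = 9

# Constructed sample: three 4624 records in a simplified "Key: Value" layout
# (not captured from a real host). The second one is a NewCredentials logon
# requested by a user-writable executable.
SAMPLE_4624 = """\
EventID: 4624
Subject Account Name: alice
Subject Account Domain: CORP
Logon Type: 2
Process Name: C:\\Windows\\System32\\winlogon.exe

EventID: 4624
Subject Account Name: alice
Subject Account Domain: CORP
Logon Type: 9
Process Name: C:\\Users\\alice\\Downloads\\TokenPlayer.exe

EventID: 4624
Subject Account Name: bob
Subject Account Domain: CORP
Logon Type: 3
Process Name: -
"""


@dataclass
class Logon:
    logon_type: int
    subject: str   # DOMAIN\\user of the account that requested the logon
    process: str   # executable that requested it, or "-" when not recorded


def parse_4624(text: str) -> list[Logon]:
    """Parse blank-line-separated records, keeping only event 4624."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            # Split on the first colon only, so Windows paths keep their "C:".
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("EventID") != "4624":
            continue
        subject = fields["Subject Account Domain"] + "\\" + fields["Subject Account Name"]
        records.append(Logon(int(fields["Logon Type"]), subject, fields["Process Name"]))
    return records


def new_credentials_logons(text: str, allow: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """Return (subject, process) for each NewCredentials logon whose requesting
    process is not in the analyst-supplied allowlist (lower-cased full paths).
    The allowlist is a placeholder: populate it from a baseline of the hosts
    being monitored rather than from assumptions."""
    hits = []
    for rec in parse_4624(text):
        if rec.logon_type == NEW_CREDENTIALS and rec.process.lower() not in allow:
            hits.append((rec.subject, rec.process))
    return hits


if __name__ == "__main__":
    for subject, process in new_credentials_logons(SAMPLE_4624):
        print(f"NewCredentials logon by {subject} from {process}")
```

Running the block as a script prints one line for the constructed NewCredentials record. In a real pipeline the same logic applies to the message text of 4624 events exported from the Security log; the parser only relies on the "Logon Type" and "Process Name" fields, which are present in every 4624 record.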
Usage:
General options:
--help  Display the help menu.
Impersonation Options:
--impersonate  Impersonates the specified PID and spawns a new child process under its context.
--pid arg  Process ID to steal the token from.
--spawn  Spawns a new command prompt under the context of the stolen token.
Execution Options:
--exec  Executes an instance of the specified program under the impersonated context.
--pid arg  Process ID to steal the token from.
--prog  The full path to the program to be executed.
--args  Optional execution arguments for the specified program.
Make Token Options:
--maketoken  Creates a new process under a set of credentials used only for network authentication (similar to runas /netonly).
--username arg  Username.
--password arg  Password in plaintext.
--domain arg  The domain the user belongs to; if no domain is specified, the local machine is used.
UAC Bypass Options:
--pwnuac  Tries to bypass UAC using the token-duplication method.
--spawn  Spawns a new elevated prompt.
--prog arg  The full path to the program to be executed.
--args arg  Optional execution arguments for the specified program.
Parent Process Spoofing Options:
--spoofppid  Spawns a new instance of an application with a spoofed parent process.
--ppid arg  The PID of the parent process.
--prog arg  The full path to the program to be executed.
--args arg  Optional execution arguments for the specified program.
Usage 1: Token Impersonation
Using same console:
Spawning a new console:
Usage 2: Executing an application (e.g. rev shell)
Usage 3: Make Token
Usage 4: UAC Bypass
Usage 5: PPID Spoofing
Compile Instructions
To compile it yourself you will need to install the Boost library, which the tool uses to parse and handle its command-line arguments. You will also need to point the project's settings at the folder containing the external library.
References
- Windows Access Tokens and Alternate Credentials
- Understanding and Defending Against Access Token Theft
- T1134: Primary Access Token Manipulation
- Privilege escalation through Token Manipulation
- Creating a Child Process with Redirected Input and Output
- Reading Your Way Around UAC (Part 1)
- Reading Your Way Around UAC (Part 2)
- Reading Your Way Around UAC (Part 3)
- UAC-TokenMagic.ps1
- UAC-TokenDuplication
- RunasCs
- Access Token Manipulation: Parent PID Spoofing
- Alternative methods of becoming SYSTEM