• Stars
    star
    226
  • Rank 176,514 (Top 4 %)
  • Language
    C++
  • License
    MIT License
  • Created over 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Manipulating and Abusing Windows Access Tokens.

TokenPlayer

Manipulating and Abusing Windows Access Tokens.

TokenPlayer is just a small tool i made to learn win32 api programming and understand better the access token model of windows.

Features:

  • Stealing and Impersonating primary tokens.
  • Impersonating Protected Processes.
  • Bypassing UAC by using the Token-Duplication method.
  • Making new tokens for network authentication by providing credentials (similar to runas /netonly) without the need for special rights or elevated context.
  • Spoof the parent process ID and spawn a process with an alternative parent.
  • Execute any application with provided parameters under an impersonated context.
  • Can be used from non-interactive contexts (e.g. reverse shell) by using pipes for parent-child process communication.

Usage:

General options:
  --help                 Display help menu.

Impersonation Options:
  --impersonate          Impersonates the specified pid and spawns a new child
                         process under its context.
  --pid arg              Proccess ID to steal the token from.
  --spawn                Spawns a new command prompt under the context of the
                         stolen token.

Execution Options:
  --exec                 Execute an instance of a specified program under the
                         impersonated context.
  --pid arg              Proccess ID to steal the token from.
  --prog                 The full path to the program to be executed.
  --args                 Optional execution arguments for the specified
                         program.

Make Token Options:
  --maketoken            Create a new process under a set of creds for only
                         network authentication (Similar to runas /netonly).
  --username arg         Username
  --password arg         Password in plaintext format.
  --domain arg           The domain the user belongs, if domain isn't specified
                         the local machine will be used.

UAC Bypass Options:
  --pwnuac               Will try to bypass UAC using the token-duplication
                         method.
  --spawn                Spawns a new elevated prompt.
  --prog arg             The full path to the program to be executed.
  --args arg             Optional execution arguments for the specified
                         program.

Parent Process Spoofing Options:
  --spoofppid            Spawn a new instance of an application with spoofed
                         parent process.
  --ppid arg             The PID of the parent process.
  --prog arg             The full path to the program to be executed.
  --args arg             Optional execution arguments for the specified
                         program.

Usage 1: Token Impersonation

Using same console:

Token Impersonation

Spawning a new console:

Token Impersonation In New Window

Usage 2: Executing an application (e.g. rev shell)

Executing Reverse Shell

Usage 3: Make Token

Make Token

Usage 4: UAC Bypass

UAC Bypass

Usage 5: PPID Spoofing

PPID Spoofing

Compile Instructions

To compile it yourself you will need to install the boost library, because it uses it for parsing and handling the command line arguments. Also you'll need to specify the external library's folder on the project's settings.

References