# Self Sign the executable - https://themayor.notion.site/Certificate-Signing-Payloads-482f2b500abd42efaa0b17f74e3c73ce
import random
import sys
import time
from ctypes import FormatError, Structure, WinDLL, byref, get_last_error, sizeof, windll
from ctypes.wintypes import BYTE, DWORD, HANDLE, LPBYTE, LPWSTR, WORD
from subprocess import HIGH_PRIORITY_CLASS
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_information
# https://docs.python.org/3/library/ctypes.html#structures-and-unions
# https://docs.python.org/3/library/ctypes.html#ctypes.Structure
'''Here the PROCESS_INFORMATION structure is defined which will be needed for the new process and thread.'''
class PROCINFO(Structure):
    """ctypes mirror of the Win32 PROCESS_INFORMATION structure.

    CreateProcessWithLogonW fills it in: ``Process`` and ``Thread`` are open
    handles owned by the caller (released with CloseHandle once they are no
    longer needed), ``ProcessId`` and ``ThreadId`` are the numeric ids.
    Member order and types must match the native definition exactly.
    """

    _fields_ = [
        ('Process', HANDLE),    # hProcess
        ('Thread', HANDLE),     # hThread
        ('ProcessId', DWORD),   # dwProcessId
        ('ThreadId', DWORD),    # dwThreadId
    ]
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfow
'''STARTUPINFOW structure defines the window station, desktop, handles and appearance. None of these are utilized in the tool,
but are required for functionality.'''
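class STARTINFOW(Structure):
    """ctypes mirror of the Win32 STARTUPINFOW structure.

    The layout has to match the native definition member for member:
    CreateProcessWithLogonW reads ``cb`` to learn which version of the
    structure it was handed and then addresses the remaining members by
    offset.  ``lpReserved2`` is a pointer (LPBYTE) in the native struct, and
    ``cbReserved2`` is the WORD giving the size of the block it points at;
    declaring the pointer as a single BYTE would shift the three standard
    handle members that follow it.

    ``cb`` is filled in on construction; the tool leaves every other member
    at its zero default.
    """

    _fields_ = [
        ('cb', DWORD),
        ('Reserved', LPWSTR),
        ('Desktop', LPWSTR),
        ('Title', LPWSTR),
        ('X', DWORD),
        ('Y', DWORD),
        ('XSize', DWORD),
        ('YSize', DWORD),
        ('XCountChars', DWORD),
        ('YCountChars', DWORD),
        ('FillAttribute', DWORD),
        ('Flags', DWORD),
        ('ShowWindow', WORD),
        ('cbReserved2', WORD),   # size in bytes of the block Reserved2 points at
        ('Reserved2', LPBYTE),   # native lpReserved2: a pointer, not a BYTE
        ('StdInput', HANDLE),
        ('StdOutput', HANDLE),
        ('StdError', HANDLE),
    ]

    def __init__(self, *args, **kwargs):
        """Zero-initialise the structure and set ``cb`` to its own size.

        Win32 rejects or misreads a STARTUPINFOW whose ``cb`` is 0, so the
        size is recorded here rather than relying on every caller to do it.
        An explicit ``cb`` passed by the caller is kept.
        """
        super().__init__(*args, **kwargs)
        if not self.cb:
            self.cb = sizeof(self)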
# https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
'''Here the CreateProcessWithLogonW function is defined which will be used to create the new process and thread.
startupInfo is a pointer to the STARTINFOW structure which is defined above.
proc_info is a pointer to the PROCINFO structure which is defined above.'''
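def CreateProcessWithLogonW(Username, Domain, Password, LogonFlags, ApplicationName, CommandLine, CreationFlags, Environment, CurrentDirectory, startupInfo):
    """Start *CommandLine* under *Username*'s credentials via advapi32!CreateProcessWithLogonW.

    The parameters mirror the Win32 parameters of the same name.  The string
    arguments may be ``str`` or ``None`` (``None`` is passed as NULL);
    ``LogonFlags`` and ``CreationFlags`` are ints (``None`` is sent as 0).
    ``startupInfo`` is not used: a fresh STARTINFOW is always built here so
    that its ``cb`` member is set correctly.

    Returns:
        The populated PROCINFO.  The caller owns ``Process`` and ``Thread``
        and must release them with CloseHandle.

    When the first call fails, the Win32 error is printed and one retry is
    made with LogonFlags=2 (LOGON_NETCREDENTIALS_ONLY), under which the
    credentials are only checked when the new process authenticates over the
    network.  Exits with status 1 if the retry fails as well, so a returned
    PROCINFO always refers to a process that was actually created.
    """
    # use_last_error=True makes get_last_error() return the error code
    # captured right after the foreign call, rather than whatever the
    # interpreter's own Win32 calls have overwritten since.
    advapi32 = WinDLL('advapi32', use_last_error=True)

    startup = STARTINFOW()
    startup.cb = sizeof(startup)   # Win32 validates the struct through cb
    proc_info = PROCINFO()
    first_flags = 0 if LogonFlags is None else LogonFlags

    def attempt(flags):
        # lpStartupInfo and lpProcessInformation are pointer parameters, so
        # both structures go through byref(); handing the instance over
        # directly would pass the structure by value.
        return advapi32.CreateProcessWithLogonW(
            Username, Domain, Password, flags, ApplicationName, CommandLine,
            CreationFlags, Environment, CurrentDirectory,
            byref(startup), byref(proc_info))

    def report(prefix):
        err = get_last_error()
        print('{} failed with error code: {} ({})'.format(prefix, err, FormatError(err).strip()))

    if attempt(first_flags):
        return proc_info

    report('[!] CreateProcessWithLogonW')
    time.sleep(1)
    print('[!] Attempting authentication with netlogon.')
    print('[!] This will spawn a new process, but based on how netlogon works, it may not be valid.')
    sleepy_time = random.randint(1, 10)
    print('[!] Sleeping for {} seconds'.format(sleepy_time))
    time.sleep(sleepy_time)

    # Check the retry's result too: the original success message must not
    # be printed, nor an empty PROCINFO returned, when this call also fails.
    if attempt(2):   # LOGON_NETCREDENTIALS_ONLY
        print('''[!] Netlogon created the new process. Test it to make sure it's a valid session.''')
        return proc_info

    report('[!] CreateProcessWithLogonW (LOGON_NETCREDENTIALS_ONLY)')
    sys.exit(1)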
def banner():
    """Print the two-line block-character tool banner to stdout."""
    top_row = '█▀▄▀█ █▀ ▄▄ █ █▀▄▀█ █▀█ █▀▀ █▀█ █▀ █▀█ █▄░█ ▄▀█ ▀█▀ █▀▀\n'
    bottom_row = '█░▀░█ ▄█ █ █░▀░█ █▀▀ ██▄ █▀▄ ▄█ █▄█ █░▀█ █▀█ ░█░ ██▄ A project by The Mayor\n'
    print(top_row + bottom_row)
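if __name__ == '__main__':
    banner()
    try:
        user_name = sys.argv[1]
        domain = sys.argv[2]
        # NOTE: the password arrives on the command line, so it is visible in
        # process listings and shell history for the lifetime of this run.
        password = sys.argv[3]
        command = sys.argv[4]
    except IndexError:   # a missing argument is the only usage error here
        print("[!] USAGE: msimpersonate.py <username> <domain> <password> <command>\n")
        sys.exit()

    sleepy_time = random.randint(1, 10)
    print('[+] Sleeping for {} seconds...'.format(sleepy_time))
    time.sleep(sleepy_time)

    # LogonFlags None (0); ApplicationName None so Windows parses the command
    # line itself; no explicit environment block; working directory C:\.
    # CreateProcessWithLogonW exits the script itself when it cannot create
    # the process, so proc always holds valid handles here.
    proc = CreateProcessWithLogonW(user_name, domain, password, None, None, command,
                                   HIGH_PRIORITY_CLASS, None, "C:\\", None)
    try:
        print("[+] Process created with PID: %d" % proc.ProcessId)
        print("[+] Thread created with TID: %d" % proc.ThreadId)
    finally:
        # Both handles belong to this script; release them even if the prints
        # above raise, and surface a CloseHandle failure instead of dropping
        # its return value.
        print("[+] Closing process handle")
        if not windll.kernel32.CloseHandle(proc.Process):
            print("[!] CloseHandle failed for the process handle")
        print("[+] Closing thread handle")
        if not windll.kernel32.CloseHandle(proc.Thread):
            print("[!] CloseHandle failed for the thread handle")
    print("[+] Done")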