TokenPlayer

Manipulating and Abusing Windows Access Tokens.

TokenPlayer is just a small tool i made to learn win32 api programming and understand better the access token model of windows.

Features:

• Stealing and Impersonating primary tokens.
• Impersonating Protected Processes.
• Bypassing UAC by using the Token-Duplication method.
• Making new tokens for network authentication by providing credentials (similar to runas /netonly) without the need for special rights or elevated context.
• Spoof the parent process ID and spawn a process with an alternative parent.
• Execute any application with provided parameters under an impersonated context.
• Can be used from non-interactive contexts (e.g. reverse shell) by using pipes for parent-child process communication.

Usage:

General options:
  --help                 Display help menu.

Impersonation Options:
  --impersonate          Impersonates the specified pid and spawns a new child
                         process under its context.
  --pid arg              Proccess ID to steal the token from.
  --spawn                Spawns a new command prompt under the context of the
                         stolen token.

Execution Options:
  --exec                 Execute an instance of a specified program under the
                         impersonated context.
  --pid arg              Proccess ID to steal the token from.
  --prog                 The full path to the program to be executed.
  --args                 Optional execution arguments for the specified
                         program.

Make Token Options:
  --maketoken            Create a new process under a set of creds for only
                         network authentication (Similar to runas /netonly).
  --username arg         Username
  --password arg         Password in plaintext format.
  --domain arg           The domain the user belongs, if domain isn't specified
                         the local machine will be used.

UAC Bypass Options:
  --pwnuac               Will try to bypass UAC using the token-duplication
                         method.
  --spawn                Spawns a new elevated prompt.
  --prog arg             The full path to the program to be executed.
  --args arg             Optional execution arguments for the specified
                         program.

Parent Process Spoofing Options:
  --spoofppid            Spawn a new instance of an application with spoofed
                         parent process.
  --ppid arg             The PID of the parent process.
  --prog arg             The full path to the program to be executed.
  --args arg             Optional execution arguments for the specified
                         program.

Usage 1: Token Impersonation

Using same console:

Spawning a new console:

Usage 2: Executing an application (e.g. rev shell)

Usage 3: Make Token

Usage 4: UAC Bypass

Usage 5: PPID Spoofing

Compile Instructions

To compile it yourself you will need to install the boost library, because it uses it for parsing and handling the command line arguments. Also you'll need to specify the external library's folder on the project's settings.

References

• Windows Access Tokens and Alternate Credentials
• Understanding and Defending Against Access Token Theft
• T1134: Primary Access Token Manipulation
• Privilege escalation through Token Manipulation
• Creating a Child Process with Redirected Input and Output
• Reading Your Way Around UAC (Part 1)
• Reading Your Way Around UAC (Part 2)
• Reading Your Way Around UAC (Part 3)
• UAC-TokenMagic.ps1
• UAC-TokenDuplication
• RunasCs
• Access Token Manipulation: Parent PID Spoofing
• Alternative methods of becoming SYSTEM