Tokenvator v2.1.1 releases: A tool to elevate privilege with Windows Tokens

Tokenvator

A tool to elevate privilege with Windows Tokens

This tool has two methods of operation – interactive and argument modes

Interactive Mode:
C:> tokenvator.exe
(Tokens) > steal_token 908 cmd.exe
(Tokens) >

Arguments Mode:
C:> tokenvator.exe steal_token 908 cmd.exe
C:>

Methods

  • GetSystem

    • Optional Parameters: Process ID, Command
    • Examples:
      (Tokens) > GetSystem
      or
      (Tokens) > GetSystem 504
      or
      (Tokens) > GetSystem 504 regedit.exe
  • GetTrustedInstaller

    • Optional Parameters: Command
    • Examples:
      (Tokens) > GetTrustedInstaller
      or
      (Tokens) > GetTrustedInstaller regedit.exe
  • Steal_Token

    • Parameters: Process ID
    • Optional Parameters: Command
    • Examples:
      (Tokens) > StealToken 1008
      or
      (Tokens) > StealToken calc regedit.exe
      or
      (Tokens) > StealToken 1008 regedit.exe
  • BypassUAC

    • Parameters: Process ID
    • Optional Parameters: Command
    • Examples:
      (Tokens) > BypassUAC 1008
      or
      (Tokens) > BypassUAC regedit.exe
      or
      (Tokens) > BypassUAC 1008 regedit.exe
  • List_Privileges

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_Privileges
  • Set_Privileges

    • Parameters: Privilege
    • Optional Parameters: –
    • Examples:
      (Tokens) > Set_Privileges SeSecurityPrivilege
  • List_Processes

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_Processes
  • List_Processes_WMI

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_Processes_WMI
  • Find_User_Processes

    • Parameters: Username
    • Optional Parameters: –
    • Examples:
      (Tokens) > Find_User_Processes domain\user
  • Find_User_Processes_WMI

    • Parameters: Username
    • Optional Parameters: –
    • Examples:
      (Tokens) > Find_User_Processes_WMI domain\user
  • List_User_Sessions

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_User_Sessions
  • WhoAmI

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > WhoAmI
  • RevertToSelf

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > RevertToSelf
  • Run

    • Parameters: Command
    • Optional Parameters: –
    • Examples:
      (Tokens) > Run cmd.exe

Changelog v2.1.1

  • Update to add support for interactive sub-processes
    (Tokens) > run cmd.exe
    [+] Starting cmd.exe
    [*] Note: The prompt is currently missing for input
    
    Microsoft Windows [Version 10.0.17763.379]
    (c) 2018 Microsoft Corporation. All rights reserved.
    
    whoami
    C:\Tokenvator\Tokenvator\bin\Release-Net45>whoami
    windows10pro\0xbadjuju
    
    dir
    C:\Tokenvator\Tokenvator\bin\Release-Net45>dir
     Volume in drive C has no label.
     Volume Serial Number is A624-B8DD
    
     Directory of C:\Tokenvator\Tokenvator\bin\Release-Net45
    
    03/22/2019  11:38 AM    <DIR>          .
    03/22/2019  11:38 AM    <DIR>          ..
    09/15/2018  02:29 AM         3,010,560 System.Management.Automation.dll
    02/21/2019  11:45 AM               161 Tokenvator.exe.config
    03/22/2019  11:28 AM           112,128 Tokenvator.pdb
    03/22/2019  11:28 AM           117,760 Tokenvator.exe
                   4 File(s)      3,240,609 bytes
                   2 Dir(s)  84,676,734,976 bytes free
    
    exit
    C:\Tokenvator\Tokenvator\bin\Release-Net45>exit
    
    (Tokens) > run powershell.exe
    [+] Starting powershell.exe
    [*] Note: The prompt is currently missing for input
    
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    gci
    PS C:\Tokenvator\Tokenvator\bin\Release-Net45> gci
    
    
        Directory: C:\Tokenvator\Tokenvator\bin\Release-Net45
    
    
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----        9/15/2018   2:29 AM        3010560 System.Management.Automation.dll
    -a----        2/21/2019  10:45 AM            161 Tokenvator.exe.config
    -a----        3/22/2019  11:28 AM         112128 Tokenvator.pdb
    -a----        3/22/2019  11:28 AM         117760 Tokenvator.exe
    
    
    exit
    PS C:\Tokenvator\Tokenvator\bin\Release-Net45> exit

Download

Copyright (C) Alexander Leary (@0xbadjuju), NetSPI – 2018

Source: https://github.com/0xbadjuju/

Share