sensepost / impersonate

A windows token impersonation tool
GNU General Public License v3.0

No Tokens #1

Open juliourena opened 1 year ago

juliourena commented 1 year ago

Hi!

I'm trying to replicate the token impersonation. I tried on 3 different machines and got the same result: no token at all. I also tried using the CrackMapExec module and got the same result.

Here are some pictures.

Machine No. 1 DC01

image

image

image

systeminfo

Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00521-62775-AA135
Original Install Date:     7/13/2022, 1:51:51 PM
System Boot Time:          11/7/2022, 5:19:04 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-06:00) Central Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,380 MB
Virtual Memory: Max Size:  6,655 MB
Virtual Memory: Available: 4,809 MB
Virtual Memory: In Use:    1,846 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    inlanefreight.htb
Logon Server:              \\DC01
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB5009472
                           [02]: KB4535680
                           [03]: KB4589208
                           [04]: KB5010427
                           [05]: KB5009642
Network Card(s):           2 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet1
                                 Status:          Hardware not present
                           [02]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.203.121
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Machine No. 2

image

systeminfo

Host Name:                 DESKTOP-MFERMN4
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00330-80000-00000-AA982
Original Install Date:     6/19/2020, 11:47:17 AM
System Boot Time:          10/18/2022, 3:20:29 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 113 Stepping 0 AuthenticAMD ~3793 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.18452719.B64.2108091906, 8/9/2021
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-04:00) Georgetown, La Paz, Manaus, San Juan
Total Physical Memory:     8,191 MB
Available Physical Memory: 4,454 MB
Virtual Memory: Max Size:  11,135 MB
Virtual Memory: Available: 5,981 MB
Virtual Memory: In Use:    5,154 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 25 Hotfix(s) Installed.
                           [01]: KB5017262
                           [02]: KB4534170
                           [03]: KB4537759
                           [04]: KB4545706
                           [05]: KB4560366
                           [06]: KB4561600
                           [07]: KB4566785
                           [08]: KB4570334
                           [09]: KB4577266
                           [10]: KB4577586
                           [11]: KB4580325
                           [12]: KB4584229
                           [13]: KB4589212
                           [14]: KB5003791
                           [15]: KB5012170
                           [16]: KB5018410
                           [17]: KB5006753
                           [18]: KB5007273
                           [19]: KB5011651
                           [20]: KB5014032
                           [21]: KB5014035
                           [22]: KB5014671
                           [23]: KB5015895
                           [24]: KB5016705
                           [25]: KB5005699
Network Card(s):           2 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.49.254
                                 IP address(es)
                                 [01]: 192.168.49.203
                                 [02]: fe80::1c37:a16f:1336:d524
                           [02]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet1
                                 Status:          Hardware not present
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Please let me know if I can provide more information.

Best regards!

kinomakino commented 1 year ago

I tried with the exe: on the first run, it doesn't show the tokens; on the second run, it shows them. Try :-)

juliourena commented 1 year ago

I tried many times, but I still got the same issue; that's why I decided to compile the binary instead of using the CME module.

image

image

Dfte commented 1 year ago

This is indeed very strange. You're the second person to tell me that; however, I have no idea, as of now, why there is no token.

Are there special GPOs on your AD?

juliourena commented 1 year ago

No, just a default domain. I tried on a machine without a DC, my personal computer, and I got the same result.

Dfte commented 1 year ago

I'm sorry, but I can't reproduce this behaviour. I have installed a new Windows 10 Pro, fully updated, Defender updated as well, and it does work :/

trusiik commented 1 year ago

Hi, I'm experiencing the same issue. The version compiled in Debug mode shows this error. Not sure if it's relevant though :) error

Dfte commented 1 year ago

That one is interesting: it implies that the secured string copy fails because of a buffer being too small. However, I have no idea how that is possible. I might push a debug version to this repo and ask you guys to help me, since I can't reproduce the issue.

Is that OK for you?

trusiik commented 1 year ago

sure

Dfte commented 1 year ago

Hey hey! For information, I have been able to reproduce the bug on a Windows Pro N version. So I'll take a deeper look and try to hack something :P !

Dfte commented 1 year ago

Just a quick update to let you know I have patched the bug and upgraded the binary in the meantime. I'll publish a PR as soon as possible with an update on the blog post :) !

Dfte commented 1 year ago

With the update you will hopefully be able to list all tokens and now you can even see their integrity in order to choose the most important ones: image

I still have to patch the CME module tho. Let me know if you still have issues :)!