zblurx / impersonate-rs

Rusty Impersonate

Add adduser command #3

Open thatssorude opened 1 year ago

thatssorude commented 1 year ago

I tried to start it as SYSTEM and as Administrator (with high IL), and the program doesn't work at all.

I got:

C:\Users\Administrator\Desktop>irs.exe exec --pid 1096 --command whoami
[2023-06-15T10:33:34Z INFO  irs::utils::impersonate] Impersonate user PENTAGON\Administrator
[2023-06-15T10:33:34Z ERROR irs] [!] Failed to run impersonate(): ConvertStringSecurityDescriptorToSecurityDescriptorA Error: The parameter is incorrect. (os error 87)

And when trying to impersonate system process:

C:\Users\Administrator\Desktop>irs.exe exec --pid 2284 --command "whoami"
[2023-06-15T10:34:55Z ERROR irs] [!] Failed to run impersonate(): OpenProcessToken Error: The handle is invalid. (os error 6)

Built with the instructions you provided, on a Linux machine. Maybe something is wrong with the build? Can you provide release binaries so I can test? I have no idea how to debug Rust code, so I'm just letting you know about the trouble.

zblurx commented 1 year ago

Hey,

Please provide TRACE information by adding -vv to your commands. Also, do you have an EDR running on the computer? I also need the irs.exe list information.

I'm sorry but I'm not planning to provide a release binary.

thatssorude commented 1 year ago

irs list: [screenshot]

exec with -vv trying to impersonate an Administrator process: [screenshot]

exec with -vv trying to impersonate a SYSTEM process: [screenshot]

Also, do you have an EDR running on the computer?

On that machine (a DC) only Windows Defender, but I also tested on a domain-joined Win10 where WinDef is disabled. It is not in English localization, so I attached screenshots from the domain controller to make the errors clearer, but the errors are exactly the same.

zblurx commented 1 year ago

Thank you. Just pushed a commit where I changed the flags on OpenProcess and the SecurityDescriptor generation a bit. Hope it will fix your problem.

thatssorude commented 1 year ago

Can confirm that it works on my side too. Thank you ❤️

I'm very sorry that this is not a PR but just a request, but can you also add:

1) Marking that some process is running under a NETWORK session, since that session cannot be used for domain activity on other hosts due to the lack of credentials in memory (that's okay, but I think it would make more sense).

2) The "adduser" functionality from the original impersonate. It's very simple and extremely useful. I also improved that functionality in my C# software in this way: instead of asking the attacker for the Domain Admins group, I first get the domain SID, then get the names of the groups with RID 512 (Domain Admins) and RID 519 (Enterprise Admins), and then try to add the user to both groups. Instead of prompting for the DC, I just get the current domain name and use it, since domain.local will be resolved to the current DC. Or maybe this option should stay, since an admin of a parent domain can go to a child domain, and trying to add an Enterprise Admin on a child domain DC will fail? Just thought about that, oops.

I'm really sorry that it looks like begging instead of a PR, but I don't know the Rust language at all (yet!) and it would be cool if your software had such functionality too.

Anyway, thanks for the fix, the issue can be closed.
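The SID arithmetic behind the "adduser" idea above (domain SID plus RID 512 / 519), as an added Rust example that is not part of impersonate-rs and not the C# code the commenter mentions. It parses a textual SID, refuses anything that is not a domain SID, appends the two well-known RIDs, and serialises the result in the binary layout Windows uses for a SID (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then each sub-authority as a little-endian u32). The domain SID in main() is constructed for the example and does not belong to any real forest; the function and constant names are this example's own.

```rust
// Added example, not part of impersonate-rs: derive the Domain Admins (RID 512)
// and Enterprise Admins (RID 519) group SIDs from a domain SID and encode them in
// the Windows binary SID layout. Pure Rust, so it runs on any platform; on Windows
// the bytes are what LookupAccountSidW expects when resolving the (locale-specific)
// group name before calling the Net* APIs.
use std::fmt;

pub const DOMAIN_ADMINS_RID: u32 = 512;
pub const ENTERPRISE_ADMINS_RID: u32 = 519;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Sid {
    pub revision: u8,
    /// SID_IDENTIFIER_AUTHORITY: only the low 48 bits are meaningful.
    pub identifier_authority: u64,
    pub sub_authorities: Vec<u32>,
}

impl Sid {
    /// Parse a textual SID such as "S-1-5-21-1004336348-1177238915-682003330".
    pub fn parse(text: &str) -> Result<Sid, String> {
        let mut parts = text.split('-');
        match parts.next() {
            Some("S") | Some("s") => {}
            _ => return Err(format!("not a SID string: {}", text)),
        }
        let revision = parts
            .next()
            .ok_or("missing revision")?
            .parse::<u8>()
            .map_err(|e| format!("bad revision: {}", e))?;
        let auth = parts.next().ok_or("missing identifier authority")?;
        // Windows prints the authority in decimal unless it exceeds 32 bits,
        // in which case it uses 0x-prefixed hex.
        let identifier_authority = match auth.strip_prefix("0x").or_else(|| auth.strip_prefix("0X")) {
            Some(hex) => u64::from_str_radix(hex, 16),
            None => auth.parse::<u64>(),
        }
        .map_err(|e| format!("bad identifier authority: {}", e))?;
        if identifier_authority > 0xFFFF_FFFF_FFFF {
            return Err("identifier authority does not fit in 48 bits".to_string());
        }
        let mut sub_authorities = Vec::new();
        for p in parts {
            let v = p
                .parse::<u32>()
                .map_err(|e| format!("bad sub-authority {:?}: {}", p, e))?;
            sub_authorities.push(v);
        }
        if sub_authorities.len() > 15 {
            return Err("a SID has at most 15 sub-authorities".to_string());
        }
        Ok(Sid { revision, identifier_authority, sub_authorities })
    }

    /// True for an NT AUTHORITY domain SID of the form S-1-5-21-X-Y-Z (no RID appended).
    pub fn is_domain_sid(&self) -> bool {
        self.revision == 1
            && self.identifier_authority == 5
            && self.sub_authorities.len() == 4
            && self.sub_authorities[0] == 21
    }

    /// Append a relative identifier, e.g. 512 to get the Domain Admins group SID.
    pub fn with_rid(&self, rid: u32) -> Sid {
        let mut sub_authorities = self.sub_authorities.clone();
        sub_authorities.push(rid);
        Sid { revision: self.revision, identifier_authority: self.identifier_authority, sub_authorities }
    }

    /// Binary SID exactly as laid out in memory by Windows (winnt.h SID structure).
    pub fn to_bytes(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(8 + 4 * self.sub_authorities.len());
        out.push(self.revision);
        out.push(self.sub_authorities.len() as u8);
        out.extend_from_slice(&self.identifier_authority.to_be_bytes()[2..]); // low 6 of 8 bytes
        for sa in &self.sub_authorities {
            out.extend_from_slice(&sa.to_le_bytes());
        }
        out
    }
}

impl fmt::Display for Sid {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "S-{}-{}", self.revision, self.identifier_authority)?;
        for sa in &self.sub_authorities {
            write!(f, "-{}", sa)?;
        }
        Ok(())
    }
}

/// Derive the two admin group SIDs; rejects a user SID (RID already appended),
/// BUILTIN (S-1-5-32) and anything else that is not a domain SID.
pub fn admin_group_sids(domain_sid: &str) -> Result<(Sid, Sid), String> {
    let domain = Sid::parse(domain_sid)?;
    if !domain.is_domain_sid() {
        return Err(format!("{} is not a domain SID (expected S-1-5-21-X-Y-Z)", domain));
    }
    Ok((domain.with_rid(DOMAIN_ADMINS_RID), domain.with_rid(ENTERPRISE_ADMINS_RID)))
}

fn main() {
    // Constructed sample domain SID for the example; not taken from any real forest.
    let domain = "S-1-5-21-1004336348-1177238915-682003330";
    match admin_group_sids(domain) {
        Ok((da, ea)) => {
            println!("Domain Admins:     {}  {:02x?}", da, da.to_bytes());
            println!("Enterprise Admins: {}  {:02x?}", ea, ea.to_bytes());
        }
        Err(e) => eprintln!("error: {}", e),
    }
}
```

Working from RIDs rather than group names is what makes this robust on the non-English installs mentioned earlier in the thread: the names of the groups differ per locale, the RIDs do not. The caveat the commenter raises is real and visible in the SID itself: RID 519 is only defined in the forest root domain, so `S-1-5-21-<child domain>-519` does not resolve on a child-domain DC, and the Enterprise Admins add must be expected to fail there.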

zblurx commented 1 year ago

Great! Agreed on both. I'm keeping the issue open to keep track of it.