This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Add the Impersonate module #601

Merged
merged 8 commits into from
Nov 7, 2022

Conversation

Dfte
Contributor

@Dfte Dfte commented Jul 4, 2022

Module usage

List available tokens

cme smb -u USERNAME -p PASSWORD -M impersonate

Impersonate user token

  • To list tokens: cme smb -u USERNAME -p PASSWORD -M impersonate -o MODULE=list
  • To run a command as user: cme smb -u USERNAME -p PASSWORD -M impersonate -o MODULE=exec TOKEN=<TOKEN_ID> CMD=whoami
  • To escalate to domain admin: cme smb -u USERNAME -p PASSWORD -M impersonate -o MODULE=adduser TOKEN=<TOKEN_ID> CMD="username password 'domain admins group' \domaincontroller"

@mpgn mpgn added the module label Jul 8, 2022
@mpgn mpgn added the in review label Oct 27, 2022
@mpgn
Contributor

mpgn commented Oct 27, 2022

I did test it, but while I'm connected as administrator on my DC, the impersonate binary didn't find any session.
On my other server, only the commands 'whoami' or 'dir' are working; I have the feeling whoami /all is failing because of the space.


@mpgn mpgn added the bug label Oct 27, 2022
Adding double quotes for spaced cmd
@Dfte
Contributor Author

Dfte commented Oct 27, 2022

I have added double quotes to make sure that commands with spaces are run correctly. Also, I have changed the binary a bit to evade EDRs :)
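
The quoting failure discussed above (whoami works, whoami /all does not) and the double-quote fix can be reproduced offline. The following Python is an added example and is not code from the CrackMapExec repository or from the sensepost impersonate binary: it tokenises a command line with the Microsoft C-runtime argv rules and quotes a CMD value so that it survives that split. The `impersonate.exe exec <TOKEN_ID> <CMD>` layout, the function names and the sample commands are assumptions for illustration; the same builder covers the list/exec/adduser usage lines in the PR description.

```python
"""Windows argv splitting vs. quoting: why `whoami /all` broke and how quoting fixes it.

Added example, not code from CrackMapExec or the impersonate binary. The command-line
layout `impersonate.exe exec <TOKEN_ID> <CMD>` is a hypothetical stand-in.
"""
from typing import List


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Tokenise a command line the way the Microsoft C runtime (CommandLineToArgvW) does.

    Rules modelled:
      * unquoted space/tab separates arguments
      * 2n backslashes before a double quote -> n backslashes, the quote toggles quote mode
      * 2n+1 backslashes before a double quote -> n backslashes plus a literal quote
      * backslashes not followed by a double quote are literal
    The `""`-inside-quotes special case of newer runtimes is deliberately not modelled.
    """
    args: List[str] = []
    cur: List[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')          # odd run: escaped literal quote
                else:
                    in_quotes = not in_quotes  # even run: quote is a delimiter
                i = j + 1
            else:
                cur.append("\\" * count)     # backslashes not before a quote are literal
                i = j
            have_arg = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def quote_windows_arg(arg: str) -> str:
    """Quote one argument so that split_windows_cmdline() returns it unchanged."""
    if arg and not any(c in arg for c in ' \t"'):
        return arg                            # nothing to protect
    out = ['"']
    backslashes = 0
    for c in arg:
        if c == "\\":
            backslashes += 1
            continue
        if c == '"':
            out.append("\\" * (backslashes * 2 + 1) + '"')  # escape the quote itself
        else:
            out.append("\\" * backslashes + c)
        backslashes = 0
    out.append("\\" * (backslashes * 2) + '"')  # trailing backslashes must be doubled
    return "".join(out)


def build_exec_cmdline(token_id: int, cmd: str, quote: bool = True) -> str:
    """Assemble the hypothetical `impersonate.exe exec <TOKEN_ID> <CMD>` line.

    quote=False reproduces the original bug: CMD is pasted in verbatim, so a command
    containing a space is split into several argv entries by the child process.
    """
    cmd_part = quote_windows_arg(cmd) if quote else cmd
    return f"impersonate.exe exec {token_id} {cmd_part}"


if __name__ == "__main__":
    for quoted in (False, True):
        line = build_exec_cmdline(2, "whoami /all", quote=quoted)
        print(f"{line!r:45} -> argv = {split_windows_cmdline(line)}")
```

Without quoting, the child sees `whoami` as CMD and `/all` as a stray fifth argument, which matches the behaviour reported above; with quoting, CMD arrives as a single argv entry, and embedded quotes or trailing backslashes (a path like `C:\Program Files\x\`) round-trip as well.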

@mpgn mpgn removed the bug label Oct 27, 2022
@mpgn
Contributor

mpgn commented Oct 27, 2022

I've reworked the options :)
Very stable on my side!!

I will not merge until the code of impersonate is public so I can build it myself.


@mpgn mpgn added delayed and removed in review labels Oct 27, 2022
@Dfte
Contributor Author

Dfte commented Oct 27, 2022

I'm thinking about adding an optional FILE option to specify a recompiled version, just in case the embedded one gets flagged.
Anyway, I'll release the code of the original binary with the blog post (in about a week, I'd say) :)!

@mpgn
Contributor

mpgn commented Oct 27, 2022

Yes, an option with a file will be perfect; check the procdump module for example :)

Guess this will be the final one :P
I'll add technical links to the blog post explaining token manipulation internals, as well as the source code of the original binary, when the blog post is released (should be on Monday).
@Dfte
Contributor Author

Dfte commented Oct 31, 2022

Here is the code of the embedded binary https://github.com/sensepost/impersonate/tree/main/CME_module :)

@mpgn mpgn added awesome sauce! all good tested in my lab and removed delayed labels Nov 2, 2022
@mpgn mpgn merged commit 60e3dda into byt3bl33d3r:master Nov 7, 2022