I'm trying to launch a process from a system service using the token handle of the currently active user with elevated privileges (if user is in admin. group). My current attempt looks like this:
1. I'm getting the active session ID using WTSEnumerateSessionsW.
2. I'm getting the user token handle using WTSQueryUserToken.
3. I'm verifying that the user is in the administrators group.
4. ???
5. Launch the process with the user token using CreateProcessAsUserW.
How do I need to modify the token so that the process will have elevated privileges? I'm aware that similar questions have been asked already, but none of them contain properly explained answers.
I'm using LogonUser to get a HANDLE to the target session token and use it for the function CreateProcessAsUser.
status = LogonUserW(sessiondata->UserName.Buffer, sessiondata->LogonDomain.Buffer, NULL, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &targettoken);
My executable is going to be executed by Administrator, but even though I'm administrator, I can't get the handle to the token and always get error 1326: Logon failure: unknown user name or bad password. I put NULL as lpszPassword in the hope that it checks whether I'm administrator and gives me the privilege to get the access token.
Of course I should not be using LogonUser for this purpose, so what do you suggest?
I expected to get a HANDLE to the access token because of my high-level privilege (Administrator) without giving the password.
My executable is a simple application which is intended to get screenshots from all logon sessions.
Hey, we can forget about getting the user's login token. There's actually a fairly good way to do this.
1. Enumerate all processes.
2. If the process is a WINLOGON process and the session id is not zero, steal its token.
3. Start a process using that token; pass it a file on the command line.
4. That process takes a screenshot and saves it to a file.
5. When all your processes have finished, pick up your files.
The token from WINLOGON has administrative rights and is on the correct session to see the user's desktop. If you don't create any windows you aren't vulnerable to the user messing with you. (In fact this token creates windows at a higher integrity level. Normal shatter attacks don't work; however, you can still receive fake keyboard or mouse input if you create windows.)
Most likely, you will only get a screenshot from the currently active screen and any active remote desktop sessions. Other sessions stop their redraw and drop their screen buffers to save memory.
It's most likely your user does not have SeAssignPrimaryTokenPrivilege and SeTcbPrivilege. I have given these to my user in the past; however, the easiest way to get them is to become local system by setting up and launching as a service, then removing the service after it's done.
OP commented that he got to SYSTEM by PsExec and was able to get the token. PsExec does CreateService under the hood so it's all the same.
I'm developing a UI to manage Azure Active Directory users' groups.
I noticed that for an already connected user, the change in the list of groups he belongs to doesn't affect his credentials until he logs out and logs on again.
Is it possible to make a connected user's session end (for example just after the change of his group list)? Or make its session immediately take into account the change in its credentials?
You have to wait until the user signs in again to update the information. If needed though, you can revoke the user's access and then allow it again. You do have to wait for the token to expire though, unless you revoke the tokens themselves.
Revoke-AzureADUserAllRefreshToken
-ObjectId <String>
[<CommonParameters>]
I am running a process with local admin privilege in Windows and trying to obtain a credential handle for another user using AcquireCredentialsHandle.
It is possible to pass in a SEC_WINNT_AUTH_IDENTITY structure with user info (e.g. user, domain, password) and obtain the handle. I have verified it. Without the SEC_WINNT_AUTH_IDENTITY, passing only the pszPrincipal does not work.
I wonder whether there is any other way one can do it without providing the user's password?
I am running the following scenario:
1. Client obtains a Kerberos token using its UPN and sends it to the server.
2. Server tries to acquire the credential handle (AcquireCredentialsHandle) using the UPN of the client.
Any suggestions please?
You normally don't get to request a ticket on behalf of other users. That would be a very dangerous security issue.
There are two ways around this.
1. Use S4U2Self, which is where the application requests a ticket to itself using the passed-in username, which will get it a ticket on behalf of the user to itself. This lets you see things like user group membership. You need to be running as SYSTEM or have SeImpersonatePrivilege to do this.
2. Use S4U2Proxy, aka protocol transition, which is where the application requests a ticket for another service using the passed-in username. This lets you impersonate the user based only on the name, and must be explicitly granted to the server and target by AD. This is an incredibly dangerous privilege because you're allowing your application to have the equivalent rights as a KDC.
Unfortunately this is a fairly complicated bit of code so it's not shareable in this post as-is. You can find a sample application here: https://github.com/SteveSyfuhs/DelegatedAuthentication
The gist of the process is:
1. Client sends username to service.
2. Service is configured for SeImpersonatePrivilege or SeTcbPrivilege (meaning running as SYSTEM).
3. Service calls LsaLogonUser and passes just the username, returning an NT token handle.
4. Service calls SetThreadToken with the token from (3).
5. Service calls AcquireCredentialsHandle without any credentials (uses default SSO creds).
6. Service calls InitializeSecurityContext.
7. Service sends token to target server.
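A scripted form of the S4U2Self logon (step 3 above, used for the group-membership case) as an added example, not the linked sample's code: the .NET WindowsIdentity(upn) constructor issues the LsaLogonUser S4U call for you. The UPN is a placeholder, and the machine is assumed to be domain-joined with a reachable KDC.

```powershell
# Added example (not the answer's code): an S4U2Self logon from PowerShell.
# The WindowsIdentity(upn) constructor asks the LSA for a Kerberos S4U logon
# with just the UPN, so no password is needed. Without SeTcbPrivilege (or
# running as SYSTEM) the token comes back at Identification level: enough to
# read group membership for an authorization decision, not enough to run code
# as that user.
function Get-S4UGroupReport {
    param([Parameter(Mandatory)][string]$Upn)   # placeholder, e.g. 'alice@corp.example'

    $identity = New-Object System.Security.Principal.WindowsIdentity($Upn)
    $groups = foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SIDs (e.g. deleted groups) stay as SID strings
    }
    [pscustomobject]@{
        User               = $identity.Name
        AuthenticationType = $identity.AuthenticationType   # 'Kerberos' for an S4U logon
        ImpersonationLevel = $identity.ImpersonationLevel   # Identification unless the caller holds TCB
        Groups             = $groups | Sort-Object
    }
}

# Usage (UPN is a placeholder):
# Get-S4UGroupReport -Upn 'alice@corp.example' | Format-List
```

Checking ImpersonationLevel in the result is the quick way to confirm the service only obtained an identification token and not an impersonation-capable one.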
I want to get the privileges of a selected user on a local machine. I know how to get them for the current user, so my problem is how to open a process as a different user.
I'm currently looking for more info about CreateProcessAsUser()
thanks
You shouldn't create a process as a different user just to get his privileges. To get a user's privileges you need an identity token. To start a process as a user you need an impersonation token. Identity tokens are a very low security risk; impersonation tokens, on the other hand, are very serious business. At the very least, you need to know the password of the user in order to impersonate (or have an impersonation-capable context, like an SSPI exchange security context).
Use LookupAccountName to get the SID, LsaOpenPolicy and LsaEnumerateAccountRights.
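An added example (not from the answer above) that performs the same lookup from PowerShell: the account is resolved to its SID, as LookupAccountName would, and instead of P/Invoking LsaOpenPolicy and LsaEnumerateAccountRights the rights are read from a secedit export of the local policy, which lists the same direct per-account assignments. It assumes an elevated shell, since secedit needs one.

```powershell
# Added example (not the answer's code): list the user rights directly assigned
# to an account on the local machine by exporting the local security policy
# with secedit and matching the account's SID against each right's holders.
function Get-AccountRights {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'alice' or 'MACHINE\alice' (placeholders)

    # LookupAccountName equivalent: resolve the account name to its SID string.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # The [Privilege Rights] section of the export holds lines such as
    #   SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...
    # where each holder is a SID prefixed with '*'.
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $inSection = $false
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $right   = $Matches[1]
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            if ($holders -contains $sid) { $right }   # emit each right granted to this SID
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Usage (account name is a placeholder):
# Get-AccountRights -Account 'alice'
```

Like LsaEnumerateAccountRights, this reports only rights assigned directly to the account, not those inherited through group membership.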
Check this link for how to do this from a service within Delphi: Launch your application in Vista under the local system account without the UAC popup
To launch a process under the local system account I perform the following steps (from a service application):
1. Get the Active Console SessionId using WTSGetActiveConsoleSessionId.
2. Since I need to launch the application under a system account, I use the token from Winlogon, since Winlogon runs under the system account. So I obtain the process ID of Winlogon and duplicate the token.
3. Then I make sure I set the startupinfo parameter lpDesktop to winsta0\Default since I need to launch my process there.
4. Then I use CreateProcessAsUser with Winlogon's duplicate token to launch my process into session 1.
That's all. I am done.
I can check a user in Active Directory; if he exists then I give him permission to open the app window, but what if an application has many levels of permission? Do I create special permission groups in Active Directory and check if the user belongs to one of them? Can the application log in automatically, or is there always a need to enter a password?
Active Directory can fulfill two related but separate functions for an application: Authorization and Authentication.
Authentication is validating that the person using your application is a valid user. If you have the user's credentials (i.e. the application prompts the user for their username and password), you can authenticate them against AD by attempting a connection using their username/password.
Authorization is what lets you determine the level of permissions a particular user has in your application. Active Directory groups are a relatively straightforward and flexible way to implement the various permissions levels. Typically, I will create very fine-grained permissions groups that represent each securable action users can perform in the application (i.e. CanDeleteWidgets, CanAddWidgets, CanEditWidgets ). Then create functional or role groups where you place the users for that role (i.e. Managers, Coordinators, Technicians, etc). Finally, you just nest the role groups into the permissions groups so if, for example, the business requirement is that Managers can delete widgets, you would add the Managers group as a member of the CanDeleteWidgets group. While this may seem more complex, it makes it extremely simple to respond to changing business security requirements (i.e. "Technicians need to be able to delete widgets" - Piece of cake. Add the Technicians role group to the CanDeleteWidgets permissions group and you're done).
As far as logging in automatically, yes, there are a number of ways you can automatically log in a user. For winforms apps, you should just be able to grab the currently logged in user and use that. For web apps, if you can use integrated authentication, you end up with the same thing. Your web server will handle the authentication piece and send over the DOMAIN\USERNAME of the user in a server header variable.
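The nested permission-group model above, as an added example that is not part of the original answer: one function asks the directory whether a user is a direct or nested member of a permission group such as CanDeleteWidgets, and a second checks the already logged-on user from the logon token, as a WinForms app would. Group and user names are placeholders, and the script assumes a domain-joined machine.

```powershell
# Added example (not the answer's code): authorization against the nested
# permission-group model. A user is allowed an action when they are a direct
# or nested member of its permission group (for example Managers ->
# CanDeleteWidgets); the LDAP_MATCHING_RULE_IN_CHAIN operator makes the
# domain controller walk the nesting, whatever its depth.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a value embedded in an LDAP search filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-AppPermission {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # user to check (placeholder)
        [Parameter(Mandatory)][string]$PermissionGroup,  # e.g. 'CanDeleteWidgets'
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext
    )
    $root = [adsi]"LDAP://$SearchBase"

    # Step 1: find the permission group's distinguishedName.
    $gs = New-Object System.DirectoryServices.DirectorySearcher($root)
    $gs.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $PermissionGroup)))"
    $group = $gs.FindOne()
    if (-not $group) { throw "permission group '$PermissionGroup' not found" }
    $groupDn = ConvertTo-LdapFilterValue $group.Properties['distinguishedname'][0]

    # Step 2: ask AD whether the user sits anywhere in that group's member chain.
    $us = New-Object System.DirectoryServices.DirectorySearcher($root)
    $us.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))" +
                 "(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    return ($null -ne $us.FindOne())
}

# Variant for a desktop app checking the already logged-on user: the logon
# token carries the nested group SIDs, so no directory query is needed.
function Test-CurrentUserPermission {
    param([Parameter(Mandatory)][string]$PermissionGroup, [string]$Domain = $env:USERDOMAIN)
    $principal = New-Object System.Security.Principal.WindowsPrincipal(
        [System.Security.Principal.WindowsIdentity]::GetCurrent())
    return $principal.IsInRole("$Domain\$PermissionGroup")
}

# Usage (names are placeholders):
# if (Test-AppPermission -SamAccountName 'jdoe' -PermissionGroup 'CanDeleteWidgets') { <# allow delete #> }
# if (Test-CurrentUserPermission -PermissionGroup 'CanAddWidgets') { <# allow add #> }
```

Because the server-side check follows memberOf transitively, adding the Technicians role group to CanDeleteWidgets is picked up without any change to the application.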