I'm using LogonUser to get a HANDLE to the target session token and use it for the function CreateProcessAsUser.
status = LogonUserW(sessiondata->UserName.Buffer, sessiondata->LogonDomain.Buffer,NULL,LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &targettoken);
My executable is going to be executed by Administrator, but even though I'm administrator, I can't get the handle to the token and always get 1326 error: Logon failure: unknown user name or bad password.. I put NULL as lpszPassword with the hope that it checks if I'm administrator and give me the privilege to get the access token.
Of course I should not be using LogonUser for this purpose, so what do you suggest ?
I expected to get a HANDLE to the access token because of my high-level privilege(Administrator) without giving the password.
My executable is a simple application which is intended to get screenshots from all logon sessions
Hey, we can forget about getting the user's login token. There's actually a fairly good way to do this.
Enumerate all processes.
If the process is a WINLOGON process and the session id is not zero
Steal its token
Start a process using that token; pass it a file on the command line
That process takes a screenshot and saves it to a file
When all your processes have finished, pick up your files.
The token from WINLOGON has administrative rights and is on the correct session to see the user's desktop. If you don't create any windows you aren't vulnerable to the user messing with you. (In fact this token creates windows at a higher integrity level. Normal shatter attacks don't work however you can still receive fake keyboard or mouse input if you create windows.)
Most likely, you will only get a screenshot from the currently active screen and any active remote desktop sessions. Other sessions stop their redraw and drop their screen buffers to save memory.
It's most likely your user does not have SeAssignPrimaryTokenPrivilege and SeTcbPrivilege. I have given these to my user in the past; however the easiest way to get them is to become local system by setting up and launching as a service, then removing the service after its done.
OP commented that he got to SYSTEM by PsExec and was able to get the token. PsExec does CreateService under the hood so it's all the same.
Related
I'm trying to launch a process from a system service using the token handle of the currently active user with elevated privileges (if user is in admin. group). My current attempt looks like this:
I'm getting the active session ID using WTSEnumerateSessionsW.
I'm getting the user token handle using WTSQueryUserToken.
I'm verifiying that the user is in the administrators group.
???
Launch the process with the user token using CreateProcessAsUserW
How do I need to modify the token so that the process will have elevated privileges? I'm aware that similar questions have been asked already, but none of them contain properly explained answers.
I am running a process with loacl admin privilege in Windows and trying to obtain a credential handle for another user using AcquireCredentialsHandle .
It is possible to pass in SEC_WINNT_AUTH_IDENTITY structure with user info ( e.g. user, domain, password) and obtain the handle. I have verified it. Without the SEC_WINNT_AUTH_IDENTITY passing only the pszPrincipal does not work.
I wonder is there any other way one can do it without providing the user password?
I am running the following scenario:
Client obtains a kerberos token using UPN and sends it to server
Server tries to acquire the credential handle (AcquireCredentialsHandle) using UPN of the client.
Any suggestions please?
You normally don't get to request a ticket on behalf of other users. That would be a very dangerous security issue.
There are two ways around this.
Use S4U2Self which is where the application requests a ticket to themselves using the passed in username, which will get them a ticket on behalf of the user to themselves. This lets you see things like user group membership. You need to be running as SYSTEM or have SeImpersonatePrivilege to do this.
Use S4U2Proxy aka protocol transition which is where the application requests a ticket for another service using the passed in username. This lets you impersonate the user based only on the name, and must be explicitly granted to the server and target by AD. This is an incredibly dangerous privilege because you're allowing your application to have the equivalent rights as a KDC.
Unfortunately this is a fairly complicated bit of code so it's not shareable in this post as-is. You can find a sample application here: https://github.com/SteveSyfuhs/DelegatedAuthentication
The gist of the process is:
Client sends username to service.
Service is configured for SeImpersonatePrivilege or SeTcbPrivilege (meaning running as SYSTEM)
Service calls LsaLogonUser and passes just the username, returning an NT token handle.
Service calls SetThreadToken with the token from (3).
Service calls AcquireCredentialsHandle without any credentials (uses default SSO creds).
Service calls InitializeSecurityContext
Service sends token to target server
I use IdentityServer4 and Xamarin.Forms. All work fine. But there is a question. When i log in and then exit the mobile application or re-build then, when I log in again, I automatically log in! Without asking for a username and password!
I want to note, I did not log out in IdentityServer, just closed app.
It seems that the server remembers the ip address of the application, and if a request for authorization repeatedly arrives from it, without prior log out, then it automatically log in.
This is my guess. I did not find it in the documentation. And did not find the corresponding records in the database
It's because of the cookie based authentication scheme that is set up on your Identity Server 4. You are logging in through your device browser client so after the user logs in the cookie is left and thus the skip of login screen next time there is an attempt to log in.
The document at http://www.salesforce.com/us/developer/docs/api_rest/index_Left.htm#CSHID=quickstart_code.htm|StartTopic=Content%2Fquickstart_code.htm|SkinName=webhelp says
Salesforce uses authentication to allow users to securely access data without having to reveal username and password credentials.
but as far as I can tell, the only command that I can run to get an access_token is using my colleague's username and password like so
curl -d "username=yyyyyyy" -d "password=xxxxxxx" -d "client_id=zzzzzz" -d "client_secret=dddddddddd" -v -d "grant_type=password" https://login.salesforce.com/services/oauth2/token
and I have to regenerate that as the access_token keeps expiring. If it didn't, my colleague could just generate the token once and hand it off to me and be done with it.
How can I do this so he never has to give me his username/password AND my app will keep on working and working until he deletes the application from salesforce (which would hopefully invalidate the client_id and client_secret).
(That is how most APIs work at least so users don't have to give developers their username and password nor do we need to store username and password on production machines.) So how do we get this to work? OR are the docs completely wrong and I do need the user's login/password to access data even though that one line says otherwise.
Okay, this was rather annoying. In OAuth2, the proper way for an app that wants access to all data regardless of user and whether that user is logged in is grant_type=client_credentials which does not exist on Salesforce.
The work around is as follows
In the GUI, edit your app and in the "API (Enable OAuth settings)", add "Access and manage your data(api) or Full Access AND Perform requests at any time on your behalf (Refresh token)"
In the GUI, set the callback url to https://localhost/oauth (this is a hack and we will use this to our advantage later)
Now, go to the url (fill in the params with your data) https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=YOURCLIENTID&redirect_uri=https%3A%2F%2Flocalhost%2Foauth
Your browser will redirect you to https://localhost/oauth?code=YOURCODE NOTE: This code can only be used ONCE before you need to repeat step 3 and run again.
Run a POST request using the code in step 4 (the YOURCODE) to url https://login.salesforce.com/services/oauth2/token with the data in the body of grant_type=authorization_code&code=YOURCODE&client_id=YOURCLIENTID&client_secret=YOURSECRET&redirect_uri=https%3A%2F%2Flocalhost%2Foauth
NOTE: There are some %3Ds in the YOURCODE....you do not need to modify them and convert them to = and you can just leave them as is.
This now results in returning a refresh token you can use and the current access token you can use.
Now, just save the refresh token to your database (I am hoping it pretty much lasts until someone deletes the application and time will tell I guess).
You can use a regular interactive OAuth login flow to get a refresh token which can be used to get new access tokens as needed. see https://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com for details.
I want to get the privileges of a selected user on a local machine. I know how to get them from the current user, so my problem is how to open a process as as a different user.
I'm currently looking for more info about CreateProcessAsUser()
thanks
You shouldnt create a process as a different user just to get his priviledges. To get an user priviledges you need an iudentity token. To start a process as an user you need an impersonate token. Idenity tokens are very low security risk, impersonation tokens on the other hand are very serious business. At the very least, you need to know the password of the user in order to impersonate (or have an impesonation capable context, like an SSPI exchange security context).
Use LookupAccountName to get the SID, LsaOpenPolicy and LsaEnumerateAccountRights.
Check this link for how to do this from a service within Delphi: Launch your application in Vista under the local system account without the UAC popup
To launch a process under the local
system account I perform the following
steps (from a service application):
Get the Active Console SessionId using WTSGetActiveConsoleSessionId
Since I need to launch the application under a system account, I
use the token from Winlogon, since
Winlogon runs under the system
account. So I obtain the process ID of
Winlogon and Duplicate the token.
Then I make sure I sent the startupinfo parameter lpDesktop to
winsta0\Default since I need to launch
my process there.
Then I use CreateProcessAsUser with Winlogon's duplicate token to
launch my process into session 1.
That's all. I am done.