
improved token management #996

Merged (1 commit), Nov 9, 2022

Conversation

MrAle98
Contributor

@MrAle98 MrAle98 commented Nov 9, 2022

Card

I noticed there are some issues in token management, in particular when it comes to creating a sacrificial logon session with the make-token command. With this PR I may have solved the issue by forcing the goroutine to always use the same thread, the one in which ImpersonateLoggedOnUser was called, and only when necessary. In addition I modified Rev2Self to also close the handle to the token.

Details

If you try to run make-token and then rubeus --in-process triage, you may notice that the LUID shown in the rubeus output changes unexpectedly.
Here is an example:

sliver (SYMBOLIC_FLAME) > rubeus --in-process triage

[*] Tasked beacon SYMBOLIC_FLAME (4af33f0f)

[+] SYMBOLIC_FLAME completed task 4af33f0f

[*] rubeus output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x91bb1

 ---------------------------------------------------------------------------------------------------------------------
 | LUID    | UserName                      | Service                                          | EndTime              |
 ---------------------------------------------------------------------------------------------------------------------
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | krbtgt/CONTOSO.LOCAL                             | 11/9/2022 7:05:57 PM |
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | LDAP/WIN-ICSQJ44N1F3.contoso.local/contoso.local | 11/9/2022 7:05:57 PM |
 ---------------------------------------------------------------------------------------------------------------------



sliver (SYMBOLIC_FLAME) > make-token -d CONTOSO -u user -p pass

[*] Tasked beacon SYMBOLIC_FLAME (636b9d85)

[+] SYMBOLIC_FLAME completed task 636b9d85



sliver (SYMBOLIC_FLAME) > rubeus --in-process triage

[*] Tasked beacon SYMBOLIC_FLAME (c5acf5d4)

[+] SYMBOLIC_FLAME completed task c5acf5d4

[*] rubeus output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x522b1c

 ---------------------------------------
 | LUID | UserName | Service | EndTime |
 ---------------------------------------
 ---------------------------------------



sliver (SYMBOLIC_FLAME) > rubeus --in-process triage

[*] Tasked beacon SYMBOLIC_FLAME (fcacb96f)

[+] SYMBOLIC_FLAME completed task fcacb96f

[*] rubeus output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x522b1c

 ---------------------------------------
 | LUID | UserName | Service | EndTime |
 ---------------------------------------
 ---------------------------------------



sliver (SYMBOLIC_FLAME) > rubeus --in-process triage

[*] Tasked beacon SYMBOLIC_FLAME (23bdad73)

[+] SYMBOLIC_FLAME completed task 23bdad73

[*] rubeus output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x91bb1

 ---------------------------------------------------------------------------------------------------------------------
 | LUID    | UserName                      | Service                                          | EndTime              |
 ---------------------------------------------------------------------------------------------------------------------
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | krbtgt/CONTOSO.LOCAL                             | 11/9/2022 7:05:57 PM |
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | LDAP/WIN-ICSQJ44N1F3.contoso.local/contoso.local | 11/9/2022 7:05:57 PM |
 ---------------------------------------------------------------------------------------------------------------------



sliver (SYMBOLIC_FLAME) >

As you can see, before make-token the LUID is 0x91bb1. After running make-token, a new LUID, 0x522b1c, is created and shown the first time rubeus is run. The third time after make-token, rubeus instead shows the LUID 0x91bb1 again.
This probably happens because the goroutine executing the handler gets assigned a random thread. In order to solve the issue I use runtime.LockOSThread() to bind the goroutine to the same thread. Before calling runtime.LockOSThread(), ImpersonateLoggedOnUser is called in order to set the token on the goroutine's thread. The binding of the goroutine to the same thread with runtime.LockOSThread() is applied only for sysHandlers, when the variable priv.CurrentToken is different from 0.
With the modification in the PR, here is the behaviour:

[server] sliver (VISUAL_SWATH) > rubeus -E -M --in-process triage

[*] Tasked beacon VISUAL_SWATH (fb1f829c)

[+] VISUAL_SWATH completed task fb1f829c

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x91bb1

 ---------------------------------------------------------------------------------------------------------------------- 
 | LUID    | UserName                      | Service                                          | EndTime               |
 ---------------------------------------------------------------------------------------------------------------------- 
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | krbtgt/CONTOSO.LOCAL                             | 11/9/2022 10:17:32 PM |
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | LDAP/WIN-ICSQJ44N1F3.contoso.local/contoso.local | 11/9/2022 10:17:32 PM |
 ---------------------------------------------------------------------------------------------------------------------- 



[server] sliver (VISUAL_SWATH) > make-token -d CONTOSO -u user -p pass

[*] Tasked beacon VISUAL_SWATH (81e2e5b1)

[+] VISUAL_SWATH completed task 81e2e5b1



[server] sliver (VISUAL_SWATH) > rubeus --in-process triage

[*] Tasked beacon VISUAL_SWATH (da81fa98)

[+] VISUAL_SWATH completed task da81fa98

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0xa71711

 --------------------------------------- 
 | LUID | UserName | Service | EndTime |
 --------------------------------------- 
 --------------------------------------- 



[server] sliver (VISUAL_SWATH) > rubeus --in-process triage

[*] Tasked beacon VISUAL_SWATH (7e9a436a)

[+] VISUAL_SWATH completed task 7e9a436a

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0xa71711

 --------------------------------------- 
 | LUID | UserName | Service | EndTime |
 --------------------------------------- 
 --------------------------------------- 



[server] sliver (VISUAL_SWATH) > rubeus --in-process triage

[*] Tasked beacon VISUAL_SWATH (c58005ac)

[+] VISUAL_SWATH completed task c58005ac

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0xa71711

 --------------------------------------- 
 | LUID | UserName | Service | EndTime |
 --------------------------------------- 
 --------------------------------------- 



[server] sliver (VISUAL_SWATH) > rubeus --in-process triage

[*] Tasked beacon VISUAL_SWATH (087100d7)

[+] VISUAL_SWATH completed task 087100d7

[*] rubeus output:


[server] sliver (VISUAL_SWATH) > rubeus --in-process triage

[*] Tasked beacon VISUAL_SWATH (70d40f14)

[+] VISUAL_SWATH completed task 70d40f14

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0xa71711

 --------------------------------------- 
 | LUID | UserName | Service | EndTime |
 --------------------------------------- 
 --------------------------------------- 



[server] sliver (VISUAL_SWATH) > rubeus --in-process triage

[*] Tasked beacon VISUAL_SWATH (b774e545)

[+] VISUAL_SWATH completed task b774e545

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0xa71711

 --------------------------------------- 
 | LUID | UserName | Service | EndTime |
 --------------------------------------- 
 --------------------------------------- 


   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0xa71711

 --------------------------------------- 
 | LUID | UserName | Service | EndTime |
 --------------------------------------- 
 --------------------------------------- 



[server] sliver (VISUAL_SWATH) > rev2self

[*] Tasked beacon VISUAL_SWATH (51ac314f)

[+] VISUAL_SWATH completed task 51ac314f


[server] sliver (VISUAL_SWATH) > rubeus --in-process triage

[*] Tasked beacon VISUAL_SWATH (7a730884)

[+] VISUAL_SWATH completed task 7a730884

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1 


Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x91bb1

 ---------------------------------------------------------------------------------------------------------------------- 
 | LUID    | UserName                      | Service                                          | EndTime               |
 ---------------------------------------------------------------------------------------------------------------------- 
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | krbtgt/CONTOSO.LOCAL                             | 11/9/2022 10:17:32 PM |
 | 0x91bb1 | nonPrivileged @ CONTOSO.LOCAL | LDAP/WIN-ICSQJ44N1F3.contoso.local/contoso.local | 11/9/2022 10:17:32 PM |
 ---------------------------------------------------------------------------------------------------------------------- 



[server] sliver (VISUAL_SWATH) >

You can see now that after make-token, when rubeus --in-process triage is executed, the LUID remains 0xa71711. After rev2self the LUID displayed is the previous one.

In addition I've modified Rev2Self so that it closes the handle to the token, while I introduced TRev2Self, which just calls syscalls.RevToSelf() from the Win32 API.

@MrAle98 MrAle98 requested a review from a team as a code owner November 9, 2022 14:37
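The pattern the PR describes (impersonation state lives on the OS thread, so a handler that runs under a sacrificial token must be pinned to one thread for the whole impersonate / handler / revert sequence, and a session-level revert must also close the token handle), as an added example that is not Sliver's code and not the PR's diff. Everything here is constructed for illustration: `Token`, `Session`, `Handler`, `Wrap`, `Rev2Self`, `TRev2Self` and the `recordingAPI` fake are my names, modelled on the names used in the PR text. The `tokenAPI` interface stands in for the real advapi32 `ImpersonateLoggedOnUser` / `RevertToSelf` and kernel32 `CloseHandle` calls so the wrapper can be exercised off-Windows; the fake only records the call order, which is the property the PR is about.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
)

// Token stands in for a Windows access-token HANDLE (constructed type; 0 = no sacrificial token).
type Token uintptr

// tokenAPI abstracts the three Win32 calls so the wrapper can run off-Windows.
// On Windows you would back it with advapi32 ImpersonateLoggedOnUser/RevertToSelf and kernel32 CloseHandle.
type tokenAPI interface {
	ImpersonateLoggedOnUser(t Token) error
	RevertToSelf() error
	CloseHandle(t Token) error
}

// Handler has the shape of an implant RPC handler: request bytes in, response bytes or error out.
type Handler func(data []byte) ([]byte, error)

// Session holds the token produced by make-token (the equivalent of priv.CurrentToken).
type Session struct {
	mu           sync.Mutex
	api          tokenAPI
	CurrentToken Token
}

func NewSession(api tokenAPI) *Session { return &Session{api: api} }

// SetToken is what make-token does after a successful logon: remember the new handle.
func (s *Session) SetToken(t Token) { s.mu.Lock(); s.CurrentToken = t; s.mu.Unlock() }

// TRev2Self is the thread-level revert only: RevertToSelf on the calling OS thread.
func (s *Session) TRev2Self() error { return s.api.RevertToSelf() }

// Rev2Self is the session-level revert: revert the thread, close the handle and forget the token,
// so later handlers run unpinned under the implant's own identity and the handle does not leak.
func (s *Session) Rev2Self() error {
	s.mu.Lock()
	defer s.mu.Unlock()
	err := s.api.RevertToSelf()
	if s.CurrentToken != 0 {
		if cerr := s.api.CloseHandle(s.CurrentToken); cerr != nil && err == nil {
			err = cerr
		}
		s.CurrentToken = 0
	}
	return err
}

// Wrap runs h under the sacrificial token when one is set. Impersonation is per OS thread and the
// Go scheduler may move a goroutine between threads at any scheduling point, so the goroutine is
// pinned before impersonating and reverted before the pin is released. Without a token the handler
// runs exactly as it would unwrapped, so the pinning cost is only paid when needed.
func (s *Session) Wrap(h Handler) Handler {
	return func(data []byte) ([]byte, error) {
		s.mu.Lock()
		tok := s.CurrentToken
		s.mu.Unlock()
		if tok == 0 {
			return h(data)
		}
		runtime.LockOSThread()
		defer runtime.UnlockOSThread()
		if err := s.api.ImpersonateLoggedOnUser(tok); err != nil {
			return nil, fmt.Errorf("impersonate: %w", err)
		}
		defer s.TRev2Self() // deferred: runs LIFO before UnlockOSThread, and also when h panics
		return h(data)
	}
}

// recordingAPI is a constructed fake that logs the call sequence instead of touching Win32.
type recordingAPI struct {
	mu    sync.Mutex
	Calls []string
}

func (r *recordingAPI) log(s string) { r.mu.Lock(); r.Calls = append(r.Calls, s); r.mu.Unlock() }
func (r *recordingAPI) ImpersonateLoggedOnUser(t Token) error {
	r.log(fmt.Sprintf("impersonate(%#x)", uintptr(t)))
	return nil
}
func (r *recordingAPI) RevertToSelf() error { r.log("revert"); return nil }
func (r *recordingAPI) CloseHandle(t Token) error { r.log(fmt.Sprintf("close(%#x)", uintptr(t))); return nil }

// Demo replays the make-token / handler / rev2self sequence from the PR and returns the call order.
func Demo() []string {
	api := &recordingAPI{}
	sess := NewSession(api)
	triage := sess.Wrap(func(data []byte) ([]byte, error) {
		api.log("handler(" + string(data) + ")")
		return []byte("ok"), nil
	})
	triage([]byte("before")) // no token: no impersonate/revert around it
	sess.SetToken(0xa7)      // make-token
	triage([]byte("first"))  // same token on every call, no LUID flip-flop
	triage([]byte("second"))
	sess.Rev2Self() // revert + CloseHandle + forget token
	triage([]byte("after"))
	return api.Calls
}

// PanicDemo shows the deferred revert still firing when the handler panics mid-impersonation.
func PanicDemo() []string {
	api := &recordingAPI{}
	sess := NewSession(api)
	sess.SetToken(0xa7)
	boom := sess.Wrap(func([]byte) ([]byte, error) { panic("handler crashed") })
	func() {
		defer func() { _ = recover() }() // a real dispatcher would recover and report; here we swallow it
		boom(nil)
	}()
	return api.Calls
}

func main() {
	for _, c := range Demo() {
		fmt.Println(c)
	}
}
```

The ordering matters in two places: the revert is deferred after a successful impersonate so that a handler that panics cannot leave the pinned thread impersonating, and the revert is registered after `UnlockOSThread` so it runs first. On Windows the fake would be replaced with the real calls and `Token` with a real handle; nothing else changes.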
@rkervella
Member

Thanks, completely forgot to use runtime.LockOSThread in this case.

@rkervella rkervella merged commit c7e77c8 into BishopFox:master Nov 9, 2022