cwinapiwinlogoncreateprocessasuser

Get session token as administrator without using password


I'm using LogonUser to get a HANDLE to the target session token and use it for the function CreateProcessAsUser.

status = LogonUserW(sessiondata->UserName.Buffer, sessiondata->LogonDomain.Buffer,NULL,LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &targettoken);

My executable is going to be executed by Administrator, but even though I'm administrator, I can't get the handle to the token and always get 1326 error: Logon failure: unknown user name or bad password.. I put NULL as lpszPassword with the hope that it checks if I'm administrator and give me the privilege to get the access token.

Of course I should not be using LogonUser for this purpose, so what do you suggest ?

I expected to get a HANDLE to the access token because of my high-level privilege(Administrator) without giving the password.


Solution

  • My executable is a simple application which is intended to get screenshots from all logon sessions

    Hey, we can forget about getting the user's login token. There's actually a fairly good way to do this.

    1. Enumerate all processes.
    2. If the process is a WINLOGON process and the session id is not zero
    3. Steal its token
    4. Start a process using that token; pass it a file on the command line
    5. That process takes a screenshot and saves it to a file
    6. When all your processes have finished, pick up your files.

    The token from WINLOGON has administrative rights and is on the correct session to see the user's desktop. If you don't create any windows you aren't vulnerable to the user messing with you. (In fact this token creates windows at a higher integrity level. Normal shatter attacks don't work however you can still receive fake keyboard or mouse input if you create windows.)

    Most likely, you will only get a screenshot from the currently active screen and any active remote desktop sessions. Other sessions stop their redraw and drop their screen buffers to save memory.

    It's most likely your user does not have SeAssignPrimaryTokenPrivilege and SeTcbPrivilege. I have given these to my user in the past; however the easiest way to get them is to become local system by setting up and launching as a service, then removing the service after its done.

    OP commented that he got to SYSTEM by PsExec and was able to get the token. PsExec does CreateService under the hood so it's all the same.