Let user choose the logon type

BishopFox · Nov 3, 2022 · e9945d7 · e9945d7
1 parent c91740d
commit e9945d7
Show file tree

Hide file tree

Showing 11 changed files with 867 additions and 824 deletions.
diff --git a/client/command/commands.go b/client/command/commands.go
@@ -2120,6 +2120,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("u", "username", "", "username of the user to impersonate")
 			f.String("p", "password", "", "password of the user to impersonate")
 			f.String("d", "domain", "", "domain of the user to impersonate")
+			f.String("T", "logon-type", "LOGON_NEW_CREDENTIALS", "logon type to use")
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		HelpGroup: consts.SliverWinHelpGroup,

diff --git a/client/command/help/long-help.go b/client/command/help/long-help.go
@@ -471,6 +471,16 @@ The [[.Bold]]psexec[[.Normal]] command will use the credentials of the Windows u
 `
 	makeTokenHelp = `[[.Bold]]Command:[[.Normal]] make-token -u USERNAME -d DOMAIN -p PASSWORD
 [[.Bold]]About:[[.Normal]] Creates a new Logon Session from the specified credentials and impersonate the resulting token.
+You can specify a custon Logon Type using the [[.Bold]]--logon-type[[.Normal]] flag, which defaults to [[.Bold]]LOGON32_LOGON_NEW_CREDENTIALS[[.Normal]].
+Valid types are:
+
+LOGON_INTERACTIVE
+LOGON_NETWORK
+LOGON_BATCH
+LOGON_SERVICE
+LOGON_UNLOCK
+LOGON_NETWORK_CLEARTEXT
+LOGON_NEW_CREDENTIALS
 `
 
 	getEnvHelp = `[[.Bold]]Command:[[.Normal]] getenv [name]

diff --git a/client/command/privilege/make-token.go b/client/command/privilege/make-token.go
@@ -28,6 +28,16 @@ import (
 	"google.golang.org/protobuf/proto"
 )
 
+var logonTypes = map[string]uint32{
+	"LOGON_INTERACTIVE":       2,
+	"LOGON_NETWORK":           3,
+	"LOGON_BATCH":             4,
+	"LOGON_SERVICE":           5,
+	"LOGON_UNLOCK":            7,
+	"LOGON_NETWORK_CLEARTEXT": 8,
+	"LOGON_NEW_CREDENTIALS":   9,
+}
+
 // MakeTokenCmd - Windows only, create a token using "valid" credentails
 func MakeTokenCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	session, beacon := con.ActiveTarget.GetInteractive()
@@ -38,6 +48,12 @@ func MakeTokenCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	username := ctx.Flags.String("username")
 	password := ctx.Flags.String("password")
 	domain := ctx.Flags.String("domain")
+	logonType := ctx.Flags.String("logon-type")
+
+	if _, ok := logonTypes[logonType]; !ok {
+		con.PrintErrorf("Invalid logon type: %s\n", logonType)
+		return
+	}
 
 	if username == "" || password == "" {
 		con.PrintErrorf("Pou must provide a username and password\n")
@@ -48,10 +64,11 @@ func MakeTokenCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	con.SpinUntil("Creating new logon session ...", ctrl)
 
 	makeToken, err := con.Rpc.MakeToken(context.Background(), &sliverpb.MakeTokenReq{
-		Request:  con.ActiveTarget.Request(ctx),
-		Username: username,
-		Domain:   domain,
-		Password: password,
+		Request:   con.ActiveTarget.Request(ctx),
+		Username:  username,
+		Domain:    domain,
+		Password:  password,
+		LogonType: logonTypes[logonType],
 	})
 	ctrl <- true
 	<-ctrl

diff --git a/implant/sliver/handlers/handlers_windows.go b/implant/sliver/handlers/handlers_windows.go
@@ -424,7 +424,7 @@ func makeTokenHandler(data []byte, resp RPCResponse) {
 		return
 	}
 	makeTokenResp := &sliverpb.MakeToken{}
-	err = priv.MakeToken(makeTokenReq.Domain, makeTokenReq.Username, makeTokenReq.Password)
+	err = priv.MakeToken(makeTokenReq.Domain, makeTokenReq.Username, makeTokenReq.Password, makeTokenReq.LogonType)
 	if err != nil {
 		makeTokenResp.Response = &commonpb.Response{
 			Err: err.Error(),

diff --git a/implant/sliver/priv/priv_windows.go b/implant/sliver/priv/priv_windows.go
@@ -224,8 +224,12 @@ func impersonateUser(username string) (token windows.Token, err error) {
 
 // MakeToken uses LogonUser to create a new logon session with the supplied username, domain and password.
 // It then impersonates the resulting token to allow access to remote network resources as the specified user.
-func MakeToken(domain string, username string, password string) error {
+func MakeToken(domain string, username string, password string, logonType uint32) error {
 	var token windows.Token
+	// Default to LOGON32_LOGON_NEW_CREDENTIALS
+	if logonType == 0 {
+		logonType = windows.LOGON32_LOGON_NEW_CREDENTIALS
+	}
 
 	pd, err := windows.UTF16PtrFromString(domain)
 	if err != nil {
@@ -239,7 +243,7 @@ func MakeToken(domain string, username string, password string) error {
 	if err != nil {
 		return err
 	}
-	err = syscalls.LogonUser(pu, pd, pp, syscalls.LOGON32_LOGON_NEW_CREDENTIALS, syscalls.LOGON32_PROVIDER_DEFAULT, &token)
+	err = syscalls.LogonUser(pu, pd, pp, logonType, syscalls.LOGON32_PROVIDER_DEFAULT, &token)
 	if err != nil {
 		// {{if .Config.Debug}}
 		log.Printf("LogonUser failed: %v\n", err)

diff --git a/protobuf/clientpb/client.pb.go b/protobuf/clientpb/client.pb.go
diff --git a/protobuf/commonpb/common.pb.go b/protobuf/commonpb/common.pb.go
diff --git a/protobuf/dnspb/dns.pb.go b/protobuf/dnspb/dns.pb.go
diff --git a/protobuf/rpcpb/services.pb.go b/protobuf/rpcpb/services.pb.go