Damon Cortesi's blog

Musings of an entrepreneur.

Impersonation Without a Password

| Comments

After reading a couple posts about impersonation by Shawn Farkas and linked to by dominick baier, I’ve decided to post some information about impersonation as well. The only difference is that my impersonation doesn’t require a password.

You may remember a few months ago when I posted about mucking around with tokens. Well this is the reason I was doing so.

It seems that by using the ImpersonateLoggedOnUser function, you can impersonate the security context of a logged-on user…and all you need is their token!

How do you get a users token? Simple.

  1. Identify the PID of a user’s process you want to steal.
  2. Use OpenProcessToken to retrieve the target user’s token.
  3. Duplicate the user’s token using DuplicateTokenEx.
  4. Then just use CreateProcessAsUser with the token obtained from ImpersonateLoggedOnUser and you’re good to go!

See, that wasn’t so tough: AgentSmith.exe

There are a few disclaimers:

  1. This app needs to be run as SYSTEM. I usually just use the at command to schedule cmd.exe within the next minute to achieve this. Maybe in the future I will make this install itself as a service, but not for now.
  2. Don’t do anything bad. I am not responsible for what this might do to your system.
  3. As of right now, it currently just fires up a command prompt as the target user - it has been modified to allow for specific commands, but the CreateProcessAsUser function is kind of flaky with respect to the lpCommandLine parameter.