TokenSnatcher – Run As System

Run As System

Do you sometimes run into situations where being Administrator just doesn’t cut it?

  • Trying to access hidden registry keys?
  • Trying to remove the godforsaken c:\windows\csc folder?
  • Trying to stop a service just to get access denied?
  • etc. etc. etc.

One obvious solution would be to elevate your own credentials to System credentials. Running a process as System will allow you to do pretty much anything on the system (so take care!).

Most people facing this challenge will revert to PSexec.exe from Microsoft (formerly Sysinternals).

Here at Easy365Manager we have tremendous admiration for Mark Russinovich, the creator of PSexec. Contrary to TokenSnatcher the PSexec tool is very well tested and we highly recommend using that tool whenever possible.

However, PSexec does leave a footprint which includes the installation of a Windows service on your system. In some cases that may not be desired or possible.

Also, maybe you want to be someone other than System? With TokenSnatcher you can become anyone “dumb enough” to run a process on your system!

How Does TokenSnatcher Work?

TokenSnatcher is a pure executable that doesn’t install anything. It uses your Administrator credentials (you must have local system admin rights in order to run it) to scan all processes running on your system.

After scanning the processes TokenSnatcher will present you with a list of all the identities running processes on your system:

TokenSnatcher screenshot

Simply type the number of the process token (the identity) you want to snatch, and TokenSnatcher will spawn a new command prompt running as the selected identity.

To confirm your new identity in the spawned command prompt you can use Whoami /all. In the below output you can see that I chose to copy the token of a process running as System:

c:\>whoami /all USER INFORMATION ---------------- User Name SID =================== ======== nt authority\system S-1-5-18 GROUP INFORMATION ----------------- Group Name Type SID Attributes ====================================== ================ ============ ================================================== BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group Mandatory Label\System Mandatory Level Label S-1-16-16384 PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ========================================= ================================================================== ======== SeCreateTokenPrivilege Create a token object Enabled SeAssignPrimaryTokenPrivilege Replace a process level token Enabled SeLockMemoryPrivilege Lock pages in memory Enabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeTcbPrivilege Act as part of the operating system Enabled SeSecurityPrivilege Manage auditing and security log Disabled SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeSystemProfilePrivilege Profile system performance Enabled SeSystemtimePrivilege Change the system time Disabled SeProfileSingleProcessPrivilege Profile single process Enabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled SeCreatePagefilePrivilege Create a pagefile Enabled SeCreatePermanentPrivilege Create permanent shared objects Enabled SeBackupPrivilege Back up files and directories Disabled SeRestorePrivilege Restore files and directories Disabled SeShutdownPrivilege Shut down the system Disabled SeDebugPrivilege Debug programs Enabled SeAuditPrivilege Generate security audits Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeManageVolumePrivilege Perform volume maintenance tasks Disabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Disabled SeRelabelPrivilege Modify an object label Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled SeTimeZonePrivilege Change the time zone Enabled SeCreateSymbolicLinkPrivilege Create symbolic links Enabled SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

As seen in the output the process is now running as System.

Any program you start from the new command prompt will inherit the selected identity. If you e.g. start RegEdit you will now have RegEdit running as system which will reveal hidden registry keys not visible to the local administrator account.

Warning! Privilege Escalation

One thing to notice is that TokenSnatcher will allow you to steal ANY identity (token) running a process on your system. This includes the identities of your fellow administrators:

TokenSnatcher screenshot

On the system where I’m running TokenSnatcher you can see that Jolene is running PowerShell, Joe is running an MMC (in this case AD Users & Computers) and Jill is running a command prompt.

I can now steal their credentials simply (and only) because I am local system administrator (nothing else is required).

Wait!!! Does that mean:

  • Can you steal the identity of a domain admin? YES
  • Can the stolen credentials be used to mess around in Active Directory? YES
  • Can you access other servers remotely using the stolen identity? YES

Oh my … ! Really scary stuff!!!

If you think about it for a few seconds you will understand why you NEVER EVER should allow a lower level administrator to be local system administrator on a system where higher level administrators (or services) are running programs.

This aspect of Windows security is often overlooked!

It takes a lot of thoughtful planning to avoid exposing your admins from identify theft in a large complex network!

FYI, TokenSnatcher only uses standard, publicly available Windows API calls. Creatively? For sure! But no funny stuff or undocumented exploits are going on here.

Technical Deep Dive

If you really would like to dive down into the technicalities of TokenSnatcher, process tokens and security identity inheritance have a look at this video:

The video has a technical walkthrough of the theory behind privilege escalation on the Windows operating system.

After the theory you’ll find a demo of TokenSnatcher. Click here to go directly to the demo.

The information in the video should make nice input for your next security team meeting! 😉

Download TokenSnatcher

Please make sure to read and understand all of the above information before downloading and running TokenSnatcher.

Disclaimer: The software featured in this post is provided as-is. Use entirely at your own discretion.

Download TokenSnatcher

By downloading TokenSnatcher you agree to take full responsibility of any problems related to its use.
Did you like this post? Maybe your friends will too!