WTS Impersonator
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
The WTS Impersonator tool exploits the "\pipe\LSM_API_service" RPC Named pipe to stealthily enumerate logged-in users and hijack their tokens, bypassing traditional Token Impersonation techniques. This approach facilitates seamless lateral movements within networks. The innovation behind this technique is credited to Omri Baso, whose work is accessible on GitHub.
The tool operates through a sequence of API calls:
Enumerating Users: Local and remote user enumeration is possible with the tool, using commands for either scenario:
Locally:
Remotely, by specifying an IP address or hostname:
Executing Commands: The exec
and exec-remote
modules require a Service context to function. Local execution simply needs the WTSImpersonator executable and a command:
Example for local command execution:
PsExec64.exe can be used to gain a service context:
Remote Command Execution: Involves creating and installing a service remotely similar to PsExec.exe, allowing execution with appropriate permissions.
Example of remote execution:
User Hunting Module: Targets specific users across multiple machines, executing code under their credentials. This is especially useful for targeting Domain Admins with local admin rights on several systems.
Usage example:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)