├── README.md ├── doc └── Windows_Tokens_Impersonation_PE_Quentin_HARDY_2020_v1.0.pdf └── src ├── constants.py ├── escalation.py ├── examples ├── canGetAdminAccess.py ├── impersonateThisToken.py ├── impersonateViaCreds.py ├── manageTokenPrivileges.py ├── namedPipeImpersonationSystemViaPrinterBug.py ├── namedPipeImpersonationSystemViaRPCSS.py ├── namedPipeImpersonationSystemViaSCM.py ├── namedPipeImpersonationSystemViaTaskScdh.py ├── namedPipeImpersonationSystemViaWmiJobCmd.py ├── namedPipeImpersonationViaAService.py ├── namedPipeImpersonationViaSpoofPPIDWithLSASS.py ├── printAllTokensAccessible.py ├── printAllTokensAccessibleLSASS.py ├── printAllTokensAccessibleRecursive.py ├── printCurrentThreadEffectiveToken.py ├── printSystemTokensAccessible.py ├── printTokensAccessibleByAccountName.py ├── printTokensAccessibleByPID.py ├── printTokensAccessibleFilterCanImpersonate.py ├── printTokensAccessibleFilterSystem.py ├── pyToExePrinterBug.py ├── pyToExeRPCSS.py ├── searchAndImpersonateFirstSystemToken.py └── spoofPPIDlsass.py ├── external └── dlls │ ├── MS-RPRN_x64.dll │ └── MS-RPRN_x86.dll ├── impersonate.py ├── msrprn.py ├── requirements.txt ├── scm.py ├── taskschd.py ├── tmipe.py ├── tokenmanager.py ├── utils.py ├── windef.py ├── windefsd.py └── winproc.py /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/README.md -------------------------------------------------------------------------------- /doc/Windows_Tokens_Impersonation_PE_Quentin_HARDY_2020_v1.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/doc/Windows_Tokens_Impersonation_PE_Quentin_HARDY_2020_v1.0.pdf -------------------------------------------------------------------------------- /src/constants.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/constants.py -------------------------------------------------------------------------------- /src/escalation.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/escalation.py -------------------------------------------------------------------------------- /src/examples/canGetAdminAccess.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/canGetAdminAccess.py -------------------------------------------------------------------------------- /src/examples/impersonateThisToken.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/impersonateThisToken.py -------------------------------------------------------------------------------- /src/examples/impersonateViaCreds.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/impersonateViaCreds.py -------------------------------------------------------------------------------- /src/examples/manageTokenPrivileges.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/manageTokenPrivileges.py -------------------------------------------------------------------------------- /src/examples/namedPipeImpersonationSystemViaPrinterBug.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/namedPipeImpersonationSystemViaPrinterBug.py -------------------------------------------------------------------------------- /src/examples/namedPipeImpersonationSystemViaRPCSS.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/namedPipeImpersonationSystemViaRPCSS.py -------------------------------------------------------------------------------- /src/examples/namedPipeImpersonationSystemViaSCM.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/namedPipeImpersonationSystemViaSCM.py -------------------------------------------------------------------------------- /src/examples/namedPipeImpersonationSystemViaTaskScdh.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/namedPipeImpersonationSystemViaTaskScdh.py -------------------------------------------------------------------------------- /src/examples/namedPipeImpersonationSystemViaWmiJobCmd.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/namedPipeImpersonationSystemViaWmiJobCmd.py -------------------------------------------------------------------------------- /src/examples/namedPipeImpersonationViaAService.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/namedPipeImpersonationViaAService.py -------------------------------------------------------------------------------- /src/examples/namedPipeImpersonationViaSpoofPPIDWithLSASS.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/namedPipeImpersonationViaSpoofPPIDWithLSASS.py -------------------------------------------------------------------------------- /src/examples/printAllTokensAccessible.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printAllTokensAccessible.py -------------------------------------------------------------------------------- /src/examples/printAllTokensAccessibleLSASS.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printAllTokensAccessibleLSASS.py -------------------------------------------------------------------------------- /src/examples/printAllTokensAccessibleRecursive.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printAllTokensAccessibleRecursive.py -------------------------------------------------------------------------------- /src/examples/printCurrentThreadEffectiveToken.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printCurrentThreadEffectiveToken.py -------------------------------------------------------------------------------- /src/examples/printSystemTokensAccessible.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printSystemTokensAccessible.py -------------------------------------------------------------------------------- /src/examples/printTokensAccessibleByAccountName.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printTokensAccessibleByAccountName.py -------------------------------------------------------------------------------- /src/examples/printTokensAccessibleByPID.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printTokensAccessibleByPID.py -------------------------------------------------------------------------------- /src/examples/printTokensAccessibleFilterCanImpersonate.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printTokensAccessibleFilterCanImpersonate.py -------------------------------------------------------------------------------- /src/examples/printTokensAccessibleFilterSystem.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/printTokensAccessibleFilterSystem.py -------------------------------------------------------------------------------- /src/examples/pyToExePrinterBug.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/pyToExePrinterBug.py -------------------------------------------------------------------------------- /src/examples/pyToExeRPCSS.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/pyToExeRPCSS.py -------------------------------------------------------------------------------- /src/examples/searchAndImpersonateFirstSystemToken.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/searchAndImpersonateFirstSystemToken.py -------------------------------------------------------------------------------- /src/examples/spoofPPIDlsass.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/examples/spoofPPIDlsass.py -------------------------------------------------------------------------------- /src/external/dlls/MS-RPRN_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/external/dlls/MS-RPRN_x64.dll -------------------------------------------------------------------------------- /src/external/dlls/MS-RPRN_x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/external/dlls/MS-RPRN_x86.dll -------------------------------------------------------------------------------- /src/impersonate.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/impersonate.py -------------------------------------------------------------------------------- /src/msrprn.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/msrprn.py -------------------------------------------------------------------------------- /src/requirements.txt: -------------------------------------------------------------------------------- 1 | anytree 2 | pywin32 3 | -------------------------------------------------------------------------------- /src/scm.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/scm.py -------------------------------------------------------------------------------- /src/taskschd.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/taskschd.py -------------------------------------------------------------------------------- /src/tmipe.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/tmipe.py -------------------------------------------------------------------------------- /src/tokenmanager.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/tokenmanager.py -------------------------------------------------------------------------------- /src/utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/utils.py -------------------------------------------------------------------------------- /src/windef.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/windef.py -------------------------------------------------------------------------------- /src/windefsd.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/windefsd.py -------------------------------------------------------------------------------- /src/winproc.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quentinhardy/pytmipe/HEAD/src/winproc.py --------------------------------------------------------------------------------