TThieffer's main goal is to duplicate tokens that exist on the system and assign
a duplicated token to a newly spawned application, so that once you get into a
system you can steal remote user credentials. The tool is used most often in
penetration tests to steal tokens from logged-on admin or domain sessions and
spawn a shell with their credentials.
This tool was originally released at the NoConName Security congress
(Spanish paper).
This tool will list all the tokens associated with a process and spawn a shell on
the selected target.
Details:
Token Thieffer calls the API CreateProcessAsUser() to execute a new process, and
the new process will inherit the duplicated token.
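A defender's view of the behaviour described above, as an added example that is not part of the original page or the tool's source: on Windows 10 / Server 2016 and later, process-creation auditing (Security event 4688) records a Target Subject when the new process runs under a different logon than its creator, which is what a process started with another user's duplicated token looks like. The sketch assumes events are already parsed into dictionaries keyed by the event's field names; the sample records and the EXPECTED_PARENTS allowlist are constructed for illustration.

```python
# Added example: flag process-creation events (Security event ID 4688) where the
# new process runs under a different user than the process that created it.
# Assumption: parent images expected to start processes as other users; tune per site.
EXPECTED_PARENTS = {r"c:\windows\system32\services.exe"}

SAMPLE_EVENTS = [  # constructed records for illustration, not real captures
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "TargetDomainName": "-", "TargetUserName": "-", "TargetLogonId": "0x0",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "TargetDomainName": "CORP", "TargetUserName": "domadmin", "TargetLogonId": "0x5f2c1",
     "ParentProcessName": r"C:\Temp\example-tool.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "TargetLogonId": "0x7a010",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Program Files\Backup\agent.exe"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "domadmin"},
]


def account(event, prefix):
    """Return (DOMAIN, user) normalised for comparison, or None if the field is unset."""
    user = event.get(prefix + "UserName") or "-"
    if user == "-":
        return None
    return ((event.get(prefix + "DomainName") or "").upper(), user.lower())


def cross_user_creations(events, expected_parents=EXPECTED_PARENTS):
    """Return one finding per 4688 event whose token user differs from its creator."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        creator, target = account(ev, "Subject"), account(ev, "Target")
        if target is None or target == creator:
            continue  # "-" target: the process kept its creator's identity
        if (ev.get("ParentProcessName") or "").lower() in expected_parents:
            continue  # allowlisted launcher (assumption, see EXPECTED_PARENTS)
        findings.append({"creator": creator, "runs_as": target,
                         "logon_id": ev.get("TargetLogonId"),
                         "parent": ev.get("ParentProcessName"),
                         "image": ev.get("NewProcessName")})
    return findings


if __name__ == "__main__":
    for finding in cross_user_creations(SAMPLE_EVENTS):
        print(finding)
```

The TargetLogonId in each finding identifies the logon session whose token was used, so it can be matched against the corresponding 4624 logon event during triage.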
The online video that shows how to use pinjector is available here for download.
Like Process Injector, this is one of the tools I use most on a penetration
test against a Microsoft environment. One of its biggest advantages is that you
don't need a real process to inject into, and an application spawned on that
system persists across logoff.
You can browse the source code online.
Usage Information:
C:\Software\AUDITORIA\Hacking>tthieffer -h
Token Thieffer for Windows (c) 2006
Author: Andres Tarasco ( atarasco @ sia . es )
URL: http://www.514.es
Usage:
TThieffer.exe -a           (Show all duplicable tokens)
              -e "command" (changes default command)
              -?           (Shows this help)