Friday February 7, 2025 2:00pm - 2:50pm MST
The Impersonator Shell started as a combination of two popular hacker tools: Netcat and PrintSpoofer. The exploit is named after the Windows privilege that PrintSpoofer uses to get administrative access to Windows machines, the SeImpersonate privilege. This shell abuses the SeImpersonate privilege to create an administrative reverse or bind shell.

Users running server software on Windows hosts will commonly have the SeImpersonate privilege enabled. Security engineers who can obtain RCE on said servers can also obtain an administrative shell by abusing the SeImpersonate privilege. Instead of uploading Netcat and the corresponding kernel exploit, security engineers can use the Impersonator Shell. If the built-in exploit does not work, security engineers will be provided a non-administrative shell. The Impersonator Shell can connect to a Metasploit listener and be upgraded to a Meterpreter shell. The Impersonator Shell can also leverage native Windows API functions to grab a process and capture information about the token associated with the process.

People who attend this talk can expect to learn the inner mechanics of reverse shells and bind shells, offensive Windows API use, and the basics of exploit coding in the C programming language, all under the umbrella of the newly created Impersonator Shell.
Speakers
Aleksa Zatezalo

Aleksa is a passionate security engineer, software developer, and aspiring open sorcerer. He enjoys writing and publishing software that provides elegant solutions to offensive security problems. He has contributed to multiple projects, including Metasploit. In April of 2022, Aleksa...
Penrose
