Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  1. Red Team
  2. Active Directory

Understanding Runas

During security assessments, it's common to have network access and come across Active Directory (AD) credentials. However, there may be limitations, such as lacking the means or privileges to create a new domain-joined machine. In such scenarios, the ability to use these discovered credentials on a Windows machine you control is essential.

One way to achieve this is by using "Runas," a legitimate Windows binary, to inject the credentials into memory. A typical Runas command takes the following form:

runas.exe /netonly /user:<domain>\<username> cmd.exe

Let's break down the parameters:

  • /netonly: Since we are not part of the domain, this parameter allows us to load the credentials for network authentication without directly authenticating against a domain controller. Commands executed locally on the computer will run in the context of the standard Windows account, but any network connections will use the specified credentials.

  • /user: Here, we provide the domain and the username. It's generally a good practice to use the Fully Qualified Domain Name (FQDN) rather than just the NetBIOS name of the domain for better resolution.

  • cmd.exe: This specifies the program we want to execute once the credentials are injected. While it can be changed to other programs, using "cmd.exe" is a safer choice because it provides flexibility to launch other processes with the injected credentials.

Upon running this command, you will be prompted to provide the password. Notably, with the /netonly parameter, the credentials won't be directly verified by a domain controller, making them accept any password. It's still necessary to confirm that the network credentials are successfully loaded and accurate.

Once the password is provided, a new command prompt window opens. To verify that the credentials work, listing the SYSVOL directory is a reliable approach. Any AD account, regardless of its privileges, can read the contents of the SYSVOL directory.

You can perform the following steps to validate the credentials and access SYSVOL:

  1. Set the DNS server to the Domain Controller (DC) IP address:

    $dnsip = "<DC IP>"
$index = Get-NetAdapter -Name ‘[INTERFACE]’ | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

  2. View the SYSVOL directory:

    dir \\DCHOSTNAME\SYSVOL\

Additional enumeration and assessment can be conducted using Microsoft Management Console (MMC) to gain further insights into the compromised system and network.

PreviousPass the hash with evil WinRMNextMalware

Last updated 1 year ago