RUNNAS - Tokenized Runas Utility - KiXtart.org

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Lounge » RUNNAS - Tokenized Runas Utility

Page 1 of 5

Topic Options

#154040 - 2005-12-24 02:20 PM

RUNNAS - Tokenized Runas Utility

Shawn

Administrator

Registered: 1999-08-13
Posts: 8611

Would like to introduce a new command line tool called RUNNAS.EXE (two n's) - its available only at KORG and you can get it here:

RUNNAS - Tokenized Runas Utility

It works much like Microsoft's standard runas.exe except for a few important features:

1) You can specify a password on the command line

2) You can tokenize the command line into a file.

3) You can execute the tokenized file.

This software is at first release and should be considered as beta. Please post any comments, suggestions or bugs to this space.

Documentation:

Code:


RUNNAS 1.14

Allows a user to run specific tools and programs with different permissions
than the user's current logon provides.

Note: This version of runnas is not guaranteed to be compatible with the
previous version. Please re-tokenize your files for added security.


SYNTAX:

runnas /user:<username> command [/password:<password>] [/noprofile]
       [/profile] [/env] [/netonly] [/logononly] [/wait] [/return]
       [/title:<title>] [/tokenize:<tokenfile>] [/crc] [/allowargs]
       [/<token>:<value>]

runnas tokenfile [/<token>:<value>] [/args:<arguments>] [/delete]


PARAMETERS:

    /user       <username> should be in form USER or DOMAIN\USER.
    command     Command line to run.  See below for examples
    /password   The clear-text password for the user account. If not
                specified, you will be prompted for the password.
    /noprofile  Specifies that the user's profile should not be loaded.
                This causes the application to load more quickly, but
                can cause some applications to malfunction.
    /profile    Specifies that the user's profile should be loaded.
                This is the default.
    /env        To use current environment instead of the user's
    /netonly    Use if the credentials specified are for remote
                access only.
    /logononly  Use if command is to be run during interactive logon only.
    /wait       Wait for the program to finish.
    /return     Return errorlevel of program. Use with /wait.
    /title      For console processes, this is the title displayed in the
                title bar if a new console window is created.
    /tokenize   Tokenize command line into <tokenfile>.
    /crc        Calculate CRC (Cyclic Redundancy Check) of command
                line executable and save it to <tokenfile>.
    /allowargs  Allow passing additional arguments to <tokenfile>.
    tokenfile   The name of a tokenized command line file.
    /<token>    Replace command line <token> with <value>.
    /args       Additional <arguments>. Valid only if tokenfile was
                created with /allowargs switch.
    /delete     Delete tokenfile when done.


NOTE:  Enter user's password when prompted.
NOTE:  USER\DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.
NOTE:  Most parameters can be shortened to 3 characters.


EXAMPLES:

> runnas /user:admin mmc
> runnas /user:admin "cmd /c dir c:\ & pause" /password:xxx

Create and execute a tokenfile:

> runnas /user:admin notepad.exe /password:xxx /tokenize:notepad.tok
> runnas notepad.tok

Pass quotes inside a quoted string (using \" metachar):

> runnas /user:admin "\"c:\program files\my app\app.exe\"" /pass:xxx

Pass arguments to a tokenfile:

> runnas /user:admin "notepad.exe" /pass:xxx /tok:notepad.tok /allowargs
> runnas notepad.tok /args:"file.txt"

Replace tokens in a tokenfile:

> runnas /user:admin "notepad.exe <p1>.<p2>" /pas:xxx /tok:notepad.tok
> runnas notepad.tok /p1:myfile /p2:txt


TERMS OF USE
------------

This software is provided "as is" and "with all faults". The author
makes no representations or warranties of any kind concerning the
quality, safety or suitabilty of the software, either express or
implied, including without limitation any implied warranties of
merchantability, or fitness for a particular purpose.

Top

#154041 - 2005-12-24 03:57 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Does this have anything to do with SANUR ( http://www.commandline.co.uk/sanur/ ) no longer being supported? Mind you, I don't recall SANUR obfuscating the password. Do you do anything to check if the executable name matches the internal name in case someone tries renaming it in an attempt to elevate one's rights? Do you check its CRC? _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154042 - 2005-12-24 04:20 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Hmmm... I should follow my own advice that I dish out. Instead of asking, why not just try it? How hard can it be? The answer is EASY! Sub in another proggy and it happily runs it! DOH! _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154043 - 2005-12-24 04:26 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	This has nothing to do with sanur or even runas for that matter. Its a simple stand-alone executable with zero dependencies. Does runas check for CRC etc ?
Top

#154044 - 2005-12-24 04:33 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	I have not played much with the MS RunAs. Does it have an option to save the commandline complete with password? What does the /SaveCred switch do? _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154045 - 2005-12-24 09:01 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	New version 1.1 ... fixed some command line args and added the /wait switch ... that instructs runnas to wait for the program to finish, and return the errorlevel of the started program, for example: runnas john.doe notepad /pass:xxxxxx /wait -Shawn
Top

#154046 - 2005-12-24 09:32 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11627 Loc: CA	SWEET Shawn. I like it so far. Have tested it on accounts with non admin privledges and the application will run but won't access areas they're not allowed to. Have used Admin rights with different account and it runs as expected too. As per one of Les' questions. Maybe add some code to hash/crc check that the executable has not been modified to include even a rename of the exe. I like the idea that the tokenize overwrites the previous entry, but using a switch would it be possible to chain a couple commands? So far it ROCKS dude. Will test some more on Monday at work. May have to take a look at some reverse engineering some to see how easily / difficult it might be to reverse the obfuscation. But don't think I'll get that much computing time in the next couple days.
Top

#154047 - 2005-12-24 09:34 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11627 Loc: CA	Mabye some built-in RUN ONCE code too so that the tokenized file and / or EXE can / would delete it'self with a 3 pass wipe? LOL I know that's a lot to ask.
Top

#154048 - 2005-12-24 11:16 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	Added the /delete switch when running a tokenized file. This will delete the token file when finished (thx NTDOC). Example: runnas token.txt /delete
Top

#154049 - 2005-12-25 05:00 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	food for thought... Microsoft Elevated Privileges Application Launcher it fingerprints the exe _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154050 - 2005-12-26 04:29 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Shawn, As long there remains the possibility that this utility can be misused to elevate one's rights, I will be on you like a dog on a postman's leg. There are way too many admins that will not think through all the security implications and unleash this utility with a tokenized file thinking that it is secure. I don't mean to disparage DOC, but during an MSN chat, it became clear to me that he did not catch the drift of what I said in this thread and he is a smart person! In the interest of clarity, I will reiterate my concern. When you create a tokenized file that will run AppA.exe with elevated rights, all the user needs to do is to replace AppA.exe with another app that has the same name, and it will run with the same elevated rights! _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154051 - 2005-12-26 04:57 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Was thinking... the UserID is saved in the tokenized file as the human readable name and not the SID of the account. This can be a good thing in the case of local accounts that would have different SIDs but I wonder if there may be a desire to force it to the SID instead? Maybe an optional /SID parm? I cannot think right now of how someone might abuse this, but just because I'm paranoid, doesn't mean someone is NOT out to get me. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154052 - 2005-12-26 06:17 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11627 Loc: CA	Les, Correct was not thinking of your concern. Was thinking more in the terms of a user making a copy of the file, renaming it and then using it on his/her system with copies of tokenized files until he/she was able to inject their own program, but your concern is actually much more likely. I suppose I'm too used to analyzing from a more advanced level. As for the UserID being in the tokenized file as plain text not sure where you saw that. I'm certainly not seeing anything like that here. Well think Shawn has some good ideas about CRC checking the exectuable and if possible even the path. Told him to also include some semi-legal disclaimers along with the utility and even inside the utility because you know sooner or later someone is going to try and abuse the tool on purpose like a butt-head. Just like they did with WSH - actually a nice tool but then the scripting kiddies thought it would be cool to damage people's stuff with it.
Top

#154053 - 2005-12-26 06:27 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11627 Loc: CA	Shawn I was unable to run network accounts with the password stored in the tokenized file. It prompts for the password.
Top

#154054 - 2005-12-26 07:05 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	I'm coding in the CRC check and some other things ... the command line is starting to become a little "complex" ... will probably have to re-structure the command line args ... so until the next version come out ... lets re-try the network account thing then ... the tokenized file format will be changing then as well.
Top

#154055 - 2005-12-26 07:42 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	DOC, Did not mean for you to infer that the UserID was stored in clear text cuz it ain't but the human readable form of it is what is tokenized, not the SID of the account. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154056 - 2005-12-26 07:46 PM Re: RUNNAS - Tokenized Runas Utility
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Shawn, Since this util most likely will go through many iterations, there is a probability that the tokenized parm file will not always be backward compatible so I might suggest you write the version to the file and then check it at runtime. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154057 - 2005-12-26 08:23 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	I agree Les but I think it would be easier (on me) if the the token file could remain in flux until this util stabilizes a bit. I always wondered why Ruud could (would) never keep the Kixtart tokenized file versioned - now I understand why.
Top

#154058 - 2005-12-26 09:17 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11627 Loc: CA	Okay it may be a command line parsing issue because I can get some tasks to run using network credentials. As for the algorithm for the obfuscation it is not a basic number flipping routine and the average desktop user will not be reverse engineering it. That is not to say that someone with more advanced computer skills that takes on the task of trying to beat it won't figure it out in time. And one could also run this through an advanced debugger and extract the code. As with any tool like this, caution should be used when and where used.
Top

#154059 - 2005-12-27 06:13 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	New version with fix in regards to specifying domain accounts. Added the /user switch to make it more compatible with microsoft runas.
Top

Page 1 of 5

Previous Topic View All Topics

Index Next Topic

Moderator: Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Search the board with:
superb Board Search
or try with google:

	Web kixtart.org