Impersonate Local Microsoft Users with msImpersonate

What is msImpersonate?

What’s up nerds! Captain AMayorica hooked us up again with another Windows tool. With it you can spawn processes as local or network users for whom you already hold valid credentials.

The tool utilizes the Python ctypes library to interact with the Windows OS; combined with the CreateProcessWithLogonW function, this lets testers spawn Command Prompt, PowerShell and other programs on the target machine as the target user.

Please note that this is not a brute-force tool. Proper recon should be done beforehand to ensure you already have valid credentials. From your test box you run the Python script with those creds, and it spawns Command Prompt, PowerShell or another program of your choosing as that user. On its own the tool cannot be used for privesc or persistence, but combined with a few other tools pivoting can be achieved.

Installing msImpersonate v1.0

This tool is meant to be executed from a Windows environment and needs Python 3 already installed on the machine. To begin, download the ZIP file from the GitHub repository and extract it to a location of your choosing. The tool is then run as follows:

python3 msimpersonate.py <username> <domain> <password> <command to run>

The domain can be left blank if using local credentials to authenticate.

msImpersonate is a Python-native user impersonation tool that is capable of impersonating local or network user accounts with valid credentials. The tool was built with internal penetration tests in mind, allowing for local authentication, or network and domain authentication from the tester’s dropbox. The tool utilizes Python’s ctypes library to interact with the Windows operating system. Together with the CreateProcessWithLogonW function, it is possible to spawn Command Prompts, PowerShell, and other services as the target user.

msImpersonate will first attempt to authenticate on the local machine. If this is not successful, the tool will attempt to authenticate using netlogon from the CreateProcessWithLogonW function. I may or may not re-add functionality that allows the tester to determine whether to attempt local or network authentication.

Note that the netlogon parameter cannot differentiate between valid and invalid credentials. As such, any network authentication and service spawn will require further inspection to determine whether the credentials utilized are indeed valid.

This tool is meant to be executed from WINDOWS and will require Python3 to be installed on the machine

Usage

Installing msImpersonate

Download the ZIP file from the repository and extract the contents where desired.

Execute an impersonation attack

python3 msimpersonate.py <username> <domain> <password> <command to run>

Note that domain can be blank if authenticating locally using the following:

python3 msimpersonate.py <username> ' ' <password> <command to run>

Notes

Here is your obligatory don’t do anything stupid with my tool. If you do it’s your fault.
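To make the README’s description concrete, here is an added example of the same mechanism in Python. It is the editor’s own code, not msImpersonate’s: it declares the Win32 structures with ctypes, calls CreateProcessWithLogonW, tries a real logon (LOGON_WITH_PROFILE) first and only then falls back to LOGON_NETCREDENTIALS_ONLY, the path the README calls “netlogon”. Assumptions: the blank-domain convention (`' '`) is mapped to `.` for the local SAM, the child gets its own console, and the result dictionary’s field names are made up for this example.

```python
# Added example (editor's own, not code from msImpersonate or its author).
# Spawns a process as another Windows user via CreateProcessWithLogonW and
# mirrors the two-step "local first, then netonly" behaviour the README
# describes. Only spawn_as() touches Windows; the rest imports anywhere.
import ctypes
import sys

# dwLogonFlags for CreateProcessWithLogonW (winbase.h)
LOGON_WITH_PROFILE = 0x00000001         # full logon: the password IS validated
LOGON_NETCREDENTIALS_ONLY = 0x00000002  # creds used only for outbound network auth

CREATE_NEW_CONSOLE = 0x00000010         # dwCreationFlags: assumption, child gets its own window
ERROR_LOGON_FAILURE = 1326              # GetLastError(): unknown user name or bad password


class STARTUPINFOW(ctypes.Structure):
    _fields_ = [
        ("cb", ctypes.c_uint32), ("lpReserved", ctypes.c_wchar_p),
        ("lpDesktop", ctypes.c_wchar_p), ("lpTitle", ctypes.c_wchar_p),
        ("dwX", ctypes.c_uint32), ("dwY", ctypes.c_uint32),
        ("dwXSize", ctypes.c_uint32), ("dwYSize", ctypes.c_uint32),
        ("dwXCountChars", ctypes.c_uint32), ("dwYCountChars", ctypes.c_uint32),
        ("dwFillAttribute", ctypes.c_uint32), ("dwFlags", ctypes.c_uint32),
        ("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16),
        ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
        ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p),
    ]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
        ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32),
    ]


def normalize_domain(domain):
    """Map the script's blank-domain convention (None, '' or ' ') to '.',
    the local account database, so lpDomain is never an empty string.
    Assumption: '.' is used here as the local-machine shorthand."""
    if domain is None or not domain.strip():
        return "."
    return domain.strip()


def spawn_as(username, password, command, domain=None, logon_flags=LOGON_WITH_PROFILE):
    """Call CreateProcessWithLogonW once. Returns (pid, None) on success or
    (None, win32_error_code) on failure. Windows only; DLLs are loaded lazily."""
    if sys.platform != "win32":
        raise OSError("CreateProcessWithLogonW exists only on Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    fn = advapi32.CreateProcessWithLogonW
    fn.restype = ctypes.c_int  # BOOL
    fn.argtypes = [
        ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32,  # user, domain, pw, flags
        ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_void_p,   # app, cmdline, creation, env
        ctypes.c_wchar_p, ctypes.POINTER(STARTUPINFOW), ctypes.POINTER(PROCESS_INFORMATION),
    ]
    si = STARTUPINFOW()
    si.cb = ctypes.sizeof(si)
    pi = PROCESS_INFORMATION()
    cmdline = ctypes.create_unicode_buffer(command)  # lpCommandLine must be writable
    ok = fn(username, normalize_domain(domain), password, logon_flags,
            None, cmdline, CREATE_NEW_CONSOLE, None, None,
            ctypes.byref(si), ctypes.byref(pi))
    if not ok:
        return None, ctypes.get_last_error()
    kernel32.CloseHandle(pi.hProcess)  # we do not wait on the child; drop the handles
    kernel32.CloseHandle(pi.hThread)
    return pi.dwProcessId, None


def impersonate(username, password, command, domain=None, spawn=spawn_as):
    """The README's flow: try a real logon, then fall back to netonly.
    'verified' is True only when the LOGON_WITH_PROFILE attempt succeeded;
    a netonly spawn proves nothing about the password. 'spawn' is injectable
    so the decision logic can be exercised off-Windows."""
    pid, local_err = spawn(username, password, command, domain, LOGON_WITH_PROFILE)
    if pid is not None:
        return {"mode": "local", "pid": pid, "verified": True, "error": None}
    pid, err = spawn(username, password, command, domain, LOGON_NETCREDENTIALS_ONLY)
    if pid is not None:
        # error records why the local logon failed (e.g. 1326), for the operator
        return {"mode": "netonly", "pid": pid, "verified": False, "error": local_err}
    return {"mode": None, "pid": None, "verified": False, "error": err}


if __name__ == "__main__":
    # Same argument order as the tool: <username> <domain> <password> <command>
    if len(sys.argv) != 5:
        sys.exit("usage: impersonate.py <username> <domain> <password> <command>")
    result = impersonate(sys.argv[1], sys.argv[3], sys.argv[4], domain=sys.argv[2])
    print(result)
    if result["mode"] == "netonly":
        print("netonly spawn: password NOT validated locally; confirm it with a "
              "network access, e.g. run 'cmd.exe /c dir \\\\server\\share' as the command")
```

Two things to check when you use this on an engagement. CreateProcessWithLogonW relies on the Secondary Logon service, so if it is disabled the local attempt fails no matter what the credentials are. And in netonly mode the child runs with your own token (whoami still shows you); only its outbound network authentication uses the supplied credentials, which is why the README says a netonly spawn needs further inspection. The quickest inspection is to make that child touch a share on a host that will challenge it and look at the exit code.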

Conclusion

All in all this tool gets a 4/5 bunnies. It’s easy to set up and easy to use, there are plans for added functionality, and we look forward to seeing more tools from Dievus in the future.

Want to learn more about ethical hacking?

We have a network hacking course that is of a similar level to OSCP; get an exclusive discount here.

Help support LHN by buying a T-shirt or a mug?

Check out our selection here

Do you know of another GitHub related hacking tool?

Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.
