Content is available under Creative Commons Attribution.


Impersonating credentials in Windows and the pain it brings.

Impersonation is the ability to execute a piece of program code, a thread or a full process on behalf of another user: in effect, “pretending” to be that user. Sounds cool, doesn’t it? But one may ask why we need it, and isn’t it a big security issue? Well, let’s have a closer look and first see what it gives us.

Suppose you are a system administrator and you have just configured a firewall so that certain users are not allowed to connect to the internet. Now you probably want to test your configuration, and what you basically need is to pretend to be a user whose access is prohibited and try to connect to the internet. On Unix/Linux-like systems you can use “su” in order to, let’s say, ping some host on behalf of the user you want. On Windows there is an alternative to su called “runas”. It is not as powerful and user-friendly as su, but at least it gives you a way of impersonation (we will discuss the details later). In terms of security this seems to be an issue at first glance, but it is not: whether you use su on Linux or runas on Windows, you must provide the username and password of the user you would like to pretend to be.

In addition to su there is sudo on Linux. The difference is that su asks for the password of the target user, whereas sudo asks for the password of the current user (the user running sudo). In other words, you provide your own password in order to execute something on behalf of root or another user. You may think that, since you always know your own password, you can always pretend to be another user, or even root, whenever you want. Well, that is only true if you are a sudoer. There is a configuration file for the sudo command which defines the users who may use sudo, and that file is writable only by the root user. That file also allows additional options to be specified, e.g. user X is only able to run program Y, and so on.
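To make the sudoer idea concrete, here is a small added example (not sudo’s real parser, and not code from this article): a toy policy evaluator in a constructed, simplified sudoers-like format. It answers the two questions the paragraph raises, “is this user a sudoer at all?” and “may this user run this particular program?”, and it also checks the file-mode condition behind “writable only by root”. The rule syntax, the sample policy and the function names are all assumptions made for the example.

```python
"""Toy model of a sudoers-style policy (added example for this article; it is
not sudo's real parser and the rule syntax below is a constructed, simplified
subset of /etc/sudoers):

    <user>   ALL | <absolute command path> [<absolute command path> ...]

The real policy file is writable only by root; policy_mode_is_safe() checks
the equivalent file-mode condition so a tampered policy is not trusted.
"""
import stat
from typing import Dict, List

# Constructed sample policy, not a real sudoers file.
SAMPLE_POLICY = """\
# user   allowed commands (absolute paths) or ALL
root     ALL
alice    /usr/bin/ping /usr/sbin/iptables
bob      /usr/bin/ping
"""


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Parse the toy rule format into {user: [allowed commands]}."""
    rules: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        user, *cmds = line.split()
        if not cmds:
            raise ValueError(f"rule for {user!r} lists no commands")
        for cmd in cmds:
            if cmd != "ALL" and not cmd.startswith("/"):
                raise ValueError(f"command {cmd!r} must be an absolute path")
        rules.setdefault(user, []).extend(cmds)
    return rules


def is_sudoer(rules: Dict[str, List[str]], user: str) -> bool:
    """A user with no rule at all cannot use sudo, however good their password."""
    return user in rules


def may_run(rules: Dict[str, List[str]], user: str, argv: List[str]) -> bool:
    """True if `user` is a sudoer and argv[0] is one of their permitted programs.

    Only absolute paths are accepted so that a bare name such as 'ping' cannot
    be resolved through a caller-controlled PATH.
    """
    if not argv or not argv[0].startswith("/"):
        return False
    allowed = rules.get(user)
    if not allowed:
        return False
    return "ALL" in allowed or argv[0] in allowed


def policy_mode_is_safe(mode: int) -> bool:
    """Reject a policy file that group or others could write (e.g. 0o664)."""
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for user, argv in [("alice", ["/usr/sbin/iptables", "-L"]),
                       ("bob", ["/usr/sbin/iptables", "-L"]),
                       ("mallory", ["/usr/bin/ping", "localhost"])]:
        print(user, argv[0], "->", "allowed" if may_run(rules, user, argv) else "denied")
```

The point to notice is that the decision never involves the target user’s password: knowing your own password gets you past sudo’s prompt, but the policy file, which only root can edit, decides what that buys you.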

Now imagine you are writing a script and need to impersonate some user. As I have already mentioned, if you use runas (on Windows) or su (on Linux/Unix) you need to provide the target user’s password, and if you use sudo you need to provide your own password. OK, let’s check the user manuals of these commands to find out how we can pass the password on the command line. Surprise, surprise… there is no way of passing passwords. Why? Because it would result in lots of scripts containing passwords in the clear, and that is a big security risk. That’s why neither su (sudo) nor runas accepts a password on the command line.

You are thinking about piping passwords to these commands, aren’t you? You are executing, let’s say, runas and it asks you to input the password. So, what if you provide the password on the stdin of runas like this?

> echo YOUR_PASS | runas /user:Admin test.bat

Excellent idea, but in fact it will not work. This is because runas (and su and sudo as well) does not read the password from stdin; it reads it from the terminal. In other words, these tools want the user to type the password on the keyboard manually. sudo, though, has a special option (-S) which means: read the password from stdin instead of from the terminal. So, this will work:

# echo myPassword | sudo -S ls /tmp
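The terminal-versus-stdin distinction is easy to model. The following is an added example for this article, not the source of runas or sudo: `read_password()` with its default behaves like runas/su (the secret must come from an interactive terminal, so a piped value is rejected), and with `allow_stdin=True` it behaves like `sudo -S` (the first line of stdin is taken as the password). Because the `-S` route is exactly what puts passwords into scripts, the block also includes a defender-side check, `find_piped_sudo_passwords()`, that scans shell script text for lines echoing a value into `sudo -S`. The function names, the regular expression and the sample script are assumptions made for the example.

```python
"""Where a password-prompting tool takes its secret from (added example for this
article; not the source of runas or sudo).

read_password(allow_stdin=False) behaves like runas/su: the secret must come
from an interactive terminal, so `echo pass | tool` is rejected.
read_password(allow_stdin=True) behaves like `sudo -S`: the first line of
stdin is used. find_piped_sudo_passwords() flags scripts that do the latter
with a value embedded in the script itself.
"""
import getpass
import io
import re
from typing import List, TextIO, Tuple


class NotATerminal(Exception):
    """The secret was required from the terminal but stdin is a pipe or file."""


def read_password(stream: TextIO, allow_stdin: bool = False,
                  prompt: str = "Password: ") -> str:
    """Return the password from `stream` according to the chosen policy."""
    if stream.isatty():
        # Interactive session: read from the controlling terminal without echo,
        # which is what su/runas insist on. getpass opens the tty itself.
        return getpass.getpass(prompt)
    if not allow_stdin:
        raise NotATerminal("password must be typed at the terminal; pipe rejected")
    line = stream.readline()  # sudo -S style: first line of stdin is the secret
    if not line:
        raise EOFError("no password supplied on stdin")
    return line.rstrip("\r\n")


def password_from_pipe(text: str, allow_stdin: bool = False) -> str:
    """Simulate `echo text | tool` by feeding `text` through an in-memory pipe."""
    return read_password(io.StringIO(text), allow_stdin=allow_stdin)


# Lines of the form `echo <value> | sudo -S ...` (or `sudo --stdin`): the
# password, or a variable holding it, lives in the script. Constructed pattern;
# adjust for the shells and wrappers in use.
_PIPED_SECRET = re.compile(
    r"\b(?:echo|printf)\s+\S+.*\|\s*sudo\s+(?:\S+\s+)*(?:-S|--stdin)\b"
)


def find_piped_sudo_passwords(script: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for each line that pipes a value into sudo -S."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if _PIPED_SECRET.search(line):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    try:
        password_from_pipe("s3cret\n")
    except NotATerminal as exc:
        print("runas/su style:", exc)
    print("sudo -S style:", password_from_pipe("s3cret\n", allow_stdin=True))
    # Constructed script fragment for demonstration.
    demo = "#!/bin/sh\necho myPassword | sudo -S ls /tmp\nls /tmp\n"
    for n, text in find_piped_sudo_passwords(demo):
        print(f"line {n}: password in the clear: {text}")
```

Running the scanner over a script repository is a cheap way to find the “passwords in the clear” the article warns about; a hit means the password is also visible to anyone who can read the script and, while the command runs, to anyone who can list processes.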

So, on Linux there is a way of impersonating from scripts by providing the password in them. But if you are writing, for instance, a batch script on Windows and you need to impersonate without asking the user to input the password, then you are in trouble.


by: Epic Force