
Cross Domain

Cross Domain Usage

PsMapExec can impersonate a user from one domain to access resources in a different domain.

Two parameters control this when accessing resources across domains as an impersonated user:

  1. UserDomain: the domain in which the impersonated user's account resides

  2. Domain: the target domain whose resources we intend to access

     PsMapExec -Targets All -Domain child.security.local -UserDomain security.local -Username Moe -Password Password -Method [Method] -Command [Command]

In the example above, -Targets All enumerates every computer in the domain child.security.local, and the command is run as the user Moe, whose account resides in the security.local domain.

Because security.local is the parent of child.security.local, a two-way transitive parent-child trust exists between them, so Moe's account can authenticate to resources in the child domain. Note that the trust only makes authentication possible; what Moe can actually do on a given host still depends on the rights his account has been granted there.
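The following is an added example, not code from the PsMapExec project or the page's author. It checks, from the target domain's side, that a usable trust with the user's domain actually exists before running the cross-domain command, using .NET DirectoryServices so no RSAT module is needed. It assumes the same lab as the page (security.local as parent, child.security.local as child, user Moe in the parent); the local PsMapExec.ps1 path, the WMI method choice, and the command string are assumptions.

```powershell
# Added example (not PsMapExec's own code). Lab from the page: Moe's account is in
# security.local, the computers we want to reach are in child.security.local.
$UserDomain   = 'security.local'        # domain that holds Moe's account (issues his TGT)
$TargetDomain = 'child.security.local'  # domain whose computers we want to reach

# 1. Confirm a trust path exists before spraying commands. Queried from the target
#    domain, because it is child.security.local that must accept users from security.local.
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TargetDomain)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

$trust = $domain.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -ieq $UserDomain }

if (-not $trust) {
    throw "$TargetDomain has no trust with $UserDomain; -UserDomain $UserDomain will not work here."
}

# Seen from $TargetDomain, Inbound means the other domain's users may access this domain's
# resources; Bidirectional covers both ways. Parent-child trusts are Bidirectional.
if ($trust.TrustDirection -notin 'Inbound', 'Bidirectional') {
    throw "Trust $($trust.SourceName) -> $($trust.TargetName) is $($trust.TrustDirection); users from $UserDomain cannot authenticate into $TargetDomain."
}
'Trust OK: {0} -> {1} ({2}, {3})' -f $trust.SourceName, $trust.TargetName, $trust.TrustDirection, $trust.TrustType

# 2. Load PsMapExec (assumed local path) and run against every computer in the child
#    domain as the parent-domain user. The trust lets Moe authenticate; whether a host
#    actually executes the command depends on the rights Moe holds on that host.
. .\PsMapExec.ps1
PsMapExec -Targets All -Domain $TargetDomain -UserDomain $UserDomain `
    -Username Moe -Password 'Password' -Method WMI -Command 'whoami /all'
```

If the trust check throws, fix the direction of the trust (or pick a user from a domain that the target does trust) rather than retrying with different credentials; no combination of -Username and -UserDomain gets past a missing or one-way trust.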

CurrentUser

Alternatively, Rubeus or Runas.exe can be used to create a new logon session for a user in another domain, and PsMapExec can then be run with the -CurrentUser switch to work in the context of that logon session.

Simply put, Runas.exe is the most straightforward way of achieving this if you have the password of the user you wish to impersonate. If you only have a hash or a Kerberos ticket, Rubeus will need to be used instead.

Create Logon session

Runas.exe

Runas.exe /user:[Domain]\[User] Powershell.exe

Rubeus

AskTGT and inject in new session

Invoke-Rubeus

AskTGT and inject in new session

Then load PsMapExec into the new logon session and run it with -CurrentUser.

Load into memory
